Artifact updates

Android

Google Maps

Snapchat

Windows

Adium

Chromium Browsers

Dropbox

Remote Desktop Protocol

ShimChache

Windows Mail

iOS

Apple Wallet

Facebook Messenger

Instagram

Signal

Significant Locations

Twitter

macOS

Chromium Browsers

Cross-platform

Custom Artifact

Google Searches

Skype

Videos

Artifacts

Apple Pay: Updated support to recover transaction histories for cards associated with the Apple Pay wallet. [iOS 11]

Chromium browsers | Windows: Updated support for recovering credit card information and timestamps. [79.0]

Chromium browsers | MacOS: Updated support for recovering credit card information and timestamps. [79.0]

Custom artifacts: Added support for plotting custom artifacts in World Map view.

Device Information | Android: Added support for recovering the advertising ID of the device.

DropBox | Windows: Updated decryption support. [83.4]

Facebook Messenger | iOS: Groups now list sender names instead of IDs.

Google Maps | Android: Updated support to recover latitude and longitude data. [10.32]

Google Searches | All Platforms: Updated support to recover the load date and time of the previous page.

Instagram | iOS: Added support for recovering posts. [111.0]

Pinterest | iOS: Updated support to recover pin descriptions, timestamps, linked websites, images, and pinner ID. [20]

ScreenTime | iOS: Added support for recovering visited domains.

ShimCache | Windows: Added support for parsing the executed flag.

Signal | iOS: Updated support for recovering local users, contacts, and group members. [3.2]

Snapchat | Android: Updated support for recovering photos, videos and audio recordings sent in chats. [10.72]

Twitter | iOS: Updated support to recover direct messages and users. [8.5]

VK | Android: Updated carving support to recover messages and user information. [5.47]

VK | iOS: Updated carving support to recover messages and user information. [5.47]

Videos | All platforms: The Carved Videos artifact is now deprecated and carved results are displayed in the Videos artifact.

Cloud

You can now recover data from Uber user accounts, such as Trip Info.

Processing

AXIOM Process now uses the latest version of the Passware SDK to improve McAfee encrypted drive decryptions, as well as resolve the issue of unencrypted HFS+ drives being falsely detected as encrypted.

For searches of FAT file systems, AXIOM Process will now automatically deduplicate results from unallocated space if they are covered by a range of space that's occupied by a known deleted file.

The “Sources to process” table in AXIOM Process has been updated for consistency with AXIOM Examine.

To better identify which files were unable to be fully processed, the “Search complete” screen now lists the file name rather than the entire file path.

When you enable the Dynamic App Finder, AXIOM Process displays the “Search complete” screen so that you can immediately view the scan summary.

Examining

Custom artifacts now appear in the World map view in AXIOM Examine.

Project VIC exports now contain a Source ID so that you can find out which evidence source the picture or video came from.

You can now edit the column filters from the Filters bar.

Remote acquisition

Remote acquisition is available with a valid Magnet AXIOM Cyber license. For more information, visit magnetforensics.com/products/magnet-axiom-cyber/.

When you connect to an outdated agent, it will now update automatically.

Security enhancements to the connection between the agent on the target computer and the workstation running Magnet AXIOM.

When viewing individual memory processes to acquire, you can now view a process’s parent process, which can help you identify hidden malicious processes.

Bug fixes

AXIOM Process was unable to acquire data from Google Activity. -CAO-2717

Email addresses retrieved from Office 365 audit logs were not appearing in the Identifiers refined results artifact. -CAO-2722

IMAP/POP mail acquisition has been improved to capture messages in all selected top level folders and one level of subfolders. -CAO-2729

In some cases with a large amount of media files, media categorization would time out and not complete successfully. Media categorization will no longer time out, but you can now cancel a scan during media categorization. -AXP-5684

Previously, when you loaded memory using the Volatility Framework, AXIOM Process pre-selected the first listed Volatility profile. -AXP-3871

When processing an image of a FAT file system, AXIOM Process would sometimes appear to stop processing or performance was degraded. -AXP-3622

Sometimes, AXIOM Process would crash when attempting to process an Apple warrant return .zip file. If AXIOM Process is unable to process the warrant return file, you’ll now be prompted to repair the warrant return by extracting the contents and then re-zipping the extracted folder. -CAO-2452

Sometimes, AXIOM Process would crash when attempting to acquire Facebook account data. -CAO-2685

Sometimes, AXIOM Process would return an error when attempting to process a Google warrant return .zip file. If AXIOM Process is unable to process the warrant return file, you’ll now be prompted to repair the warrant return by extracting the contents and then re-zipping the extracted folder. -CAO-2721

Sometimes, portable cases would fail to be created when they contained a large amount of media items or chat threads. -AXE-7817

When an image was processed, temp files were being stored in the location where AXIOM Process was installed, rather than in the case folder or the custom location you configured. -AXP-5910

When the Dynamic App Finder was enabled, the Case Information.txt log file incorrectly showed that it was not enabled. -AXP-1195

When you tagged files with matching hash values in AXIOM Process, these tags would appear in the File system explorer in AXIOM Examine, but the corresponding artifacts would not get tagged. -AXE-7812

Known issues

To search for information about known issues, visit the knowledge base at support.magnetforensics.com.