Release Notes

Magnet AXIOM 3.7.0.16279 November 04, 2019

Artifact updates

Android

Call Logs

Chatous NEW

Contacts

Pinterest NEW

Snapchat Messages

Windows

Locally Accessed Files

One Drive

Outlook

Viber

iOS

Chatous NEW

Facebook Messenger

Mail

Owner Information

PowerLog Battery Level

Snapchat

Telegram

Wickr Me NEW

macOS

Operating System Information

Cross-platform

.webM

Encryption / Anti-Forensics Tools

Human Trafficking URLs

Tor and Onion URLs

Videos

AFF4 image support

Magnet AXIOM now includes support for loading and processing Advanced Forensic File (AFF4) physical images acquired from a macOS computer with a T2 chip using MacQuisition.

• Starting in 2017, macOS computers have the Apple T2 security chip which provides hardware-assisted encryption for data stored on the system.
• You can load and process a supported AFF physical image in AXIOM Process.
• More details...

Google warrant returns

Google warrant returns can contain useful information about the owner of the Google account.

• Import and process the Google warrant returns as part of your case.
• Recover content such as account information, browsing history, chats, all media included in the package from Google Drive and Google Photos, and more!
• More details...

KTX file preview support

What's new in the AXIOM Cyber beta program

Artifacts

• .webm | All platforms: You can now parse and carve .webm videos.
• Call Logs | Android: Added parsing support for Call Logs from key-value pairs recovered from an ADB backup.
• Chatous | Android: Added support for the Chatous app, including messages and chat partners.
• Chatous | iOS: Added support for the Chatous app, including messages and chat partners.
• Contacts | Android: Added support for recovering deleted contacts.
• Custom artifacts: A new custom artifact has been uploaded this month:
  • Fake GPS (Android) - Alexis Brignoni
• Encryption/Anti-forensics: The list of flagged programs for the Encryption/Anti-forensics refined result has been updated with additional programs.
• Facebook Messenger | iOS: Now identifies queued messages (sent but not yet received).
• Facebook Messenger | iOS: Updated support to recover calls in the latest versions. [225]
• Encryption/Anti-forensics: The list of flagged programs for the Encryption/Anti-forensics refined result has been updated with additional programs.
• Human Trafficking URLs | All platforms: Added a new refined result that identifies website URLs that are associated with human trafficking.
• Locally Accessed Files | Windows: Recover information about local files that were accessed by the File Explorer.
• OneDrive | Windows: Added support for recovering Business accounts.
• Open Applications | iOS: Added support for parsing .ktx files that contain snapshots of open applications. [iOS 13]
• Operating System Info | macOS: Updated support for the latest versions. [macOS 10.14.5, 10.15]
• Outlook | Windows: Implemented performance improvements to reduce scan times.
• Owner Information | iOS: Now includes the setup date and type of setup for the device. [iOS 12]
• Pinterest | Android: Added parsing support for the Pinterest app, including accounts, direct messages, following, boards, and pins.
• PowerLog Battery Level | iOS: Recover battery level information.
• SnapChat | iOS: Decrypt Memories recovered from images acquired using GrayKey. My Eyes Only snaps can also be recovered and decrypted if the snaps have been viewed locally and are available in the application's media cache.
• Snapchat Messages | Android: Recovered messages now come with metadata about any media that they include.
• Snapchat Stories | iOS: Added parsing support for stories.
• Telegram Channel Chats | iOS: Some of the fragments in this artifact have been renamed to more accurately describe their contents. Started By (Peer User Name) has been updated to Last Sender. Started By (Peer ID)has been updated to Last Sender ID. Start Date/Time has been updated to Last Message Date/Time. First Message has been updated to Last Message.
• Tor and Onion URLs | All platforms: Added a new refined result that identifies Tor and .onion websites.
• USB Connection History | macOS: Performance improvements to significantly reduce RAM and CPU use when processing the USB Connection History for macOS.
• Viber | Windows: Updated support to recover messages in the latest versions. [9.9.4.417]
• Videos | All platforms: Added ability to parse .m4a videos.
• Wickr Me | iOS: Recover and decrypt Wickr messages in images acquired using GrayKey.
• WiFi SSID and Passwords | Android: Added parsing support for WiFi SSID and Passwords from key-value pairs recovered from an ADB backup.

Cloud

• When you acquire data from a Slack workspace, AXIOM Cloud now only processes the public channel information for the channels the target is a member of rather than all public channels in the workspace. All private channels, group chat, and direct messages are also acquired.
• You can now load a .zip file provided by Google for warrant returns as a Cloud evidence source. In addition to providing information about the owner of the account, this release includes artifacts for account information, browsing history, chats, devices, login history, search history, and all media and documents included in the package including Google Drive and Google Photos.

Processing

• AXIOM Process now includes support for loading and processing Advanced Forensic File (AFF4) physical images acquired from macOS computers with a T2 security chip using MacQuisition.
• AXIOM Process now supports adding Volatility profiles for Windows 10 17763 and 18362.
• Updated support for the PhotoDNA library.
• When previewing the value of an extended attribute in the APFS metadata card, the value now displays in UTF-8 encoding instead of Hex.
• When acquiring an iOS device that is protected with a PIN code, you’re now prompted enter the PIN code on the device to remove the backup encryption password.
• For Android 8.0 and higher, you can now recover key-value pairs from an ADB backup.

Examining

• In HTML and PDF reports that include a Media categorization summary section, the reports now include columns for tracking the number of unique pictures and videos in each category and the total number of unique media items.

Bug fixes

• AXIOM Examine no longer includes artifacts from Refined results when counting the total number of categorized media files in VICS JSON exports. -AXE-7397
• For some Google and Slack Cloud artifacts, AXIOM was not reporting location data. -CAO-2505
• If you loaded a warrant return from Snapchat that was issued around September 2019, AXIOM Cloud did not process the chats provided by Snapchat due to a change in warrant return format. -CAO-2456
• If you tried to decrypt a McAfee-encrypted image of a full drive, AXIOM Process would detect the encryption type as TrueCrypt instead of McAfee. -AXP-3671
• Improvements to reduce the number of .zip-related crashes for cloud acquisitions. -CAO-2415
• In some cases, if you loaded an iTunes backup using the iCloud backup workflow in AXIOM Cloud, AXIOM did not return any hits. -CAO-2544
• Picture categorization for categories that required more processing time stopped responding when Magnet.AI encountered a picture in the case that was larger than 20 MB. -AE-932
• Previously, AXIOM Process did not parse Registry transaction logs. -AXP-5551
• Previously, if you removed and re-added an AXIOM Cloud license (for example, removing and reconnecting a dongle or disconnecting and reconnecting to the license server), the Cloud evidence source option appeared greyed out in AXIOM Process. -CAO-2516
• Previously, when searching the evidence from a Facebook warrant return, you were unable to use a picture file name to find where the picture appeared in a chat thread. -CAO-2550
• When there are changes to the number of hashes in the hash database, AXIOM Process now optimizes the hash database to reduce overall processing time. -AXP-5735
• When you processed a Facebook warrant return created in February 2017, AXIOM was unable to parse messages in the warrant return. -CAO-2529
• Android SMS messages weren't being carved properly from some sources. -MA-1039
• Browser plugin entries that include Google in the name were being reported as the Google Searches refined result. -COMP-521
• Mail | iOS: Updated support to recover messages on the latest version. [iOS 13] -MA-1018
• Searches on the Google support website were showing up in the Google Searches refined result. -COMP-235
• Some group member IDs were missing from iOS Snapchat artifacts. -MA-1022
• The ShimCache was only being recovered if it was found at its default location. Now, it can be recovered anywhere on the system. -COMP-480
• When processing an AD1 image that contained a .zip file, AXIOM would report an error while processing the .zip file, and the search would not complete fully. -AXP-4889

Known issues

• To search for information about more known issues, visit the knowledge base at support.magnetforensics.com.