Installation and upgrade notes
- You must use the 4.0 CLI with Magnet REVIEW 4.0 to ingest cases. Attempting to ingest using previous versions of the CLI will result in errors. For more information, see the Uploading evidence > Upload evidence using the Magnet REVIEW CLI section of the Magnet REVIEW Admin Guide.
- Before you can configure the display of artifacts or view artifacts displayed with the new default arrangement in Magnet REVIEW 4.0, you must ingest at least one case using the 4.0 CLI.
- For on-premises deployments, Magnet REVIEW now supports MySQL 8.0 as the datastore for user data and case metadata. The datastore is now deployed outside of the Kubernetes cluster. (Previously, the data store was Percona, which was deployed within the cluster.)
- Magnet REVIEW now supports deployments on Azure US Government cloud.
New and updated features for end users
- When you view an artifact category other than Media, the details for all artifacts in that category appear in a table. The initial display contains four columns that represent the highest prioritized details for each artifact, as determined by your administrator.
- In PDF and Excel reports, artifact hits are now sorted within the artifact category by the date and time that has been configured for the multi-artifact view.
- Individual reports can now be deleted.
- Media and Files artifact categories now display in the multi-artifact gallery view.
- When navigating to Media or Files (Gallery View), artifacts without thumbnails or that are unsupported mime-types, will display a placeholder icon indicating why they cannot be displayed.
- Audio files that are supported and can be previewed within Magnet REVIEW are now playable in gallery view.
- The Magnet REVIEW Item ID no longer appears in the Evidence table when viewing the hits for a single artifact.
- The date/time stamp in report chat thread previews are now in the correct format.
- The filename for generated reports now contains the date the report was generated and the case name.
- The gallery view now uses the filename as the evidence item label by default. (Previously, the label was the Item ID.)
- When a user creates an Excel report, Magnet REVIEW creates a workbook for each evidence source included in the report. Worksheets within the workbook are based on the artifact, such as videos, Instagram, and WhatsApp. Instant messages are now split into native messages and recents.
- Users with the correct permissions can delete individual evidence sources from a case, or delete an entire case (including any case reports). These delete events are captured in the audit log.
- The evidence source overview now includes more high-level information about the evidence source that can help provide a starting point for the investigation. The information that's captured on the device dashboard is as follows:
- Device information, such as the manufacturer, model, and SIM card
- Extraction information
- Recent and frequent communications
- Most frequently recovered identifiers
- Installed applications
- Chat thread previews are now included in generated reports. Filters that are applied to a report will affect the messages that are displayed in the chat preview.
- Local timestamps are now stored as date/time objects rather than strings, which allows them to be sorted and filtered like any other timestamps. The values are interpreted as a UTC date/time and are highlighted with "needs validation" to allow for further investigation into their accuracy.
- Hidden artifact fragments can no longer be returned in search results and filters.
- Added support for displaying HEIC file previews.
New and updated features for administrative users
- Magnet REVIEW now supports the configuration of primary and secondary artifact and column configuration, column ordering and multi-artifact view configuration. These views can be distinctly configured per source type (AXIOM, Physcial Analyzer, XRY).
- Artifact, column, and multi-artifact view configurations can be exported.
- Audit exports can now be deleted.
- For each artifact category, administrative users can configure the columns for the artifact details in the multi-artifact view.
- Default artifact prioritization, artifact column prioritization, and multi-artifact column configurations for AXIOM data are now applied.
- Memory management during case export from AXIOM 6.2 is now improved, and "out of memory" errors no longer occur.
- The audit log can be exported to a .csv file for import into Microsoft Excel.
- Applied a fix to Open Distro for Elasticsearch to mitigate issues with the Log4Shell vulnerability.
- The Magnet REVIEW upload CLI now contains includes the run summary in the log when the --log argument is specified.
- You can now configure the priority for both artifacts and artifact columns. Artifacts and columns with primary priority have a potential importance to an investigation and are therefore always displayed for the user. Artifacts or columns that have secondary priority aren't displayed by default. The user can still view secondary items by clicking view more.
Bug fixes
- Unauthorized users were able to delete cases and evidence ingested in Magnet REVIEW version 3.11 or earlier. -MR-2822
- Users were unable to mark an individual comment that they created as private. -MR-2992
- When a user deleted a case or an evidence source, it may have taken longer than expected for Magnet REVIEW to update and reflect the change. -MR-2758
- When internal certificates are renewed, services that were previously not picking them up (requiring a manual restart) are now automatically restarted. -MR-2510
- If an Active Directory user was created in Magnet REVIEW but did not have the appropriate group membership in AD/ADFS that maps to a Magnet REVIEW role, the user management pages would no longer function. -MR-3234
Known issues
- An issue with the Filmstrip previewer service is causing them to exceed their memory limits, which cause the pods to be terminated.
Workaround: Configure the maximum number of video requests to be 2 or less and the Filmstrip previewer pod should not get into a state where it runs out of memory.
- In evidence uploaded from Cellebrite Physical Analyzer, duplicate artifact fragments can be generated if an XML element from the Cellebrite export contains a nested element of the same type.
- For cases created in Magnet REVIEW 3.x, sorting on columns that do not have values for every artifact may cause paging issues when the entire column is blank for that page.
- Keyword searches applied by the user don't get highlighted in PDF previews if the content exists in the table of contents, links, or occurs over multiple lines.
- When the user previews a picture or PDF attachment in the artifact hit details view, the audit log incorrectly records the action as a download event. PDF documents can trigger multiple download requests on hit details page open.
- When the same user applies tags in quick succession, it can cause subsequent tag requests to throw an error.
- Bulk actions for applying tags or comments do not immediately update the tag color stripe or update the comment counter in the UI. A webpage refresh can sometimes be required for this to take effect.
- Switching to full screen in a document preview sometimes causes some UI elements to resize off the screen. This occurs most frequently with larger documents.