Axiom Cyber Changelog
Axiom Cyber Update - 8.0.0 - 08/04/2024
Artifact updates
Comae memory analysis
Support for Comae memory analysis for AXIOM customers with any AXIOM term license.
Acquire AWS EC2 Multi-Volume Snapshots
- Acquire snapshots within the same account or a security account context.
- Support for Windows instances, encrypted volumes, volumes exceeding 1 TB, instances with multiple volumes, and more!
New mobile view
The new mobile view in AXIOM Examine shows you a visual representation of a mobile device’s wallpaper and installed apps. Click an app to view its associated artifacts and learn more about the user’s activity.
Improvements to route view
We’ve made improvements to animated maps and routes in the route view of AXIOM Examine.
- Choose a default distance and time for your route settings.
- Generate as many routes as you want without a limit. Note that generating a large number of routes might take a significant amount of time.
Standalone MFT parsing and file system view (CYBER ONLY)
You can now process standalone MFT (Master File Table) data from Windows machines and view it in the File system explorer in AXIOM Examine. Use this feature to quickly triage computers with suspicious activity.
Export chats and attachments to RSMF (CYBER ONLY)
Create RSMF (Relativity Short Message Format) exports to upload chat messages and their attachments for legal reviewers on the Relativity e-discovery platform.
Improved performance and data recovery for Chrome Cache Records
We’ve improved performance in AXIOM Process when acquiring data from Chrome Cache Records. Additionally, we’ve updated parsing to recover more data from this artifact.
Introducing Magnet Copilot
In AXIOM 8.0, we’re introducing Magnet Copilot, a free add-on that allows you to gain insights into your AXIOM cases from a pop-up in AXIOM Examine.
- Upload conversational, web search, and picture data, and ask questions about it. Answers are returned along with citations that link into relevant data within the case.
- Upload a picture for analysis to determine if it was potentially generated by Stable Diffusion, Midjourney, or DALL-E 3.
- Analyze a video to determine its origin and authenticity via an integration with Medex Forensics.
- Quickly narrow in on results by transforming a natural language query into a set of AXIOM filters.
To get started, click the Magnet Copilot button to the right of the filters bar in AXIOM Examine.
Update to Magnet Exhibit Builder 1.1
We’ve made improvements to Magnet Exhibit Builder for all AXIOM Premier users.
Note that Magnet Exhibit Builder currently requires you to manually update. To learn how, sign in to the Support Portal to read the article Update to Magnet Exhibit Builder 1.1.
Artifacts
- Arlo Secure Cached Media | Android, iOS: Added parsing support for Arlo Secure Cached Media.
- Arlo Secure Device Information | Android, iOS: Added parsing support for Arlo Secure Device Information.
- Arlo Secure User Information | Android, iOS: Added parsing support for Arlo Secure User Information.
- Audio, Videos | All platforms: Updated parsing support to recover .ogg, .oga, and .opus files.
- Blink Cached Media | Android, iOS: Added parsing support for Blink Cached Media.
- Blink Device Information | Android, iOS: Added parsing support for Blink Device Information.
- Blink User Information | Android, iOS: Added parsing support for Blink User Information.
- Chrome Affiliations | Android, iOS, macOS, Windows: Added parsing support for Chrome Affiliation.
- Chrome Cache Records | iOS, macOS, Windows: Updated parsing support to improve performance and recover more data.
- Chrome Logins | Windows: Updated parsing support to allow for password extraction and decryption of data.
- Device Information | iOS: Updated parsing support to recover the IMSI associated with the device.
- EML(X) Files | iOS: Added parsing support for EML(X) Files from iOS devices.
- Facebook Messenger End-to-End Encrypted Chats | Android, iOS: Added parsing support for Facebook Messenger End-to-End Encrypted (E2EE) chats.
- iMessage/SMS/MMS | iOS: Updated parsing and carving support to recover message reactions.
- Instagram Direct Messages | iOS: Updated parsing support when recovering attachments, and updated information in the Artifact Reference Guide.
- Instagram Posts | Android: Updated parsing support to recover missing data. [v224.2.0.20]
- Installed Applications | iOS: Updated parsing support to remove duplicate hits.
- MEGA Chat | iOS: Updated parsing support to recover missing data. [v8.1.1]
- Ring Cached Media | Android, iOS: Added parsing support for Ring Cached Media.
- Ring Device Information | Android, iOS: Added parsing support for Ring Device Information.
- Ring User Information | Android, iOS: Added parsing support for Ring User Information.
- Signal Messages | Android: Updated parsing support to recover sender name and recipient name.
- Signal Messages | iOS: Updated parsing support to recover more accurate sender and recipient data about local users.
- Unified Logs | iOS, macOS: Added parsing support for Unified Logs. Note that enabling this artifact can significantly increase processing time, so it is deselected by default in AXIOM Process.
- Windows Search – Calendar | Windows: Added parsing support for Windows Search – Calendar.
- Windows Search – Contact | Windows: Added parsing support for Windows Search – Contact.
- Windows Search – Document | Windows: Added parsing support for Windows Search – Document.
- Windows Search – Image | Windows: Added parsing support for Windows Search – Image.
- Windows Search – Internet Explorer | Windows: Added parsing support for Windows Search – Internet Explorer.
- Windows Search – Outlook | Windows: Added parsing support for Windows Search – Outlook.
Cloud
- AXIOM now supports acquiring AWS EC2 instances as snapshots.
- Updated the Download Your Data import process for Instagram to capture Media hits from the new format.
Processing
- The option to use Comae for memory analysis has been extended to AXIOM term licenses.
- AXIOM Cyber now offers processing standalone MFT files as a new evidence source.
Examining
- The default color for CAID Category 8 has been changed to white, for consistency with CAID standards.
- The preview of audio files now plays correctly.
- The version of Magnet AXIOM is now included in PDF and HTML reports.
- There is no longer a limit to the number of routes you can generate at a time in route view.
- You can now edit evidence numbers after adding evidence sources to a case.
- You can now set a default distance and time setting when generating routes.
- You can now export chat messages and attachments to RSMF and upload them to Relativity for legal reviewers.
Bug fixes
- Previously, AXIOM Process may not have automatically detected the keychain from a Fastrak extraction. -ENGN-11374
- Previously, parsing volume shadow copies within an E01 image may not have completed if the volume shadow copy’s catalog was corrupt. -ENGN-11323
- Previously, the CSAM category may have been included when importing a CAID hash list. -ENGN-11089
- Sometimes, in Project VIC exports, the total media files count was showing the number of files in the case rather than in the export. -EXM-2988
- Sometimes, removing evidence from a case wasn’t working. -EXM-3420
- Sometimes, the download button for PDF previews wasn’t working. -EXM-3308
- Sometimes, when opening a .db file in the File system explorer, AXIOM Examine would crash. -EXM-2664
- Sometimes, when trying to open a case, an error message would appear that the case couldn’t be found at the selected location. -EXM-2936
- When trying to filter on evidence source in the Media explorer, a warning would appear to reselect the filter. -EXM-3388
- iVe Events, Trackpoints, and Waypoints were not being correctly tracked in route view. -MARS-2102
- Some hits were being incorrectly reported as Chrome Extensions. -CARS-775
- Sometimes, data from Edge Chromium Autofill Profiles wasn’t being decrypted. -CARS-33
- Sometimes, the direction of incoming or outgoing Android MMS messages from UFED Agent evidence sources was being incorrectly reported. -MARS-2057
- Previously, AWS Authentication using External ID may have failed to authenticate. -CA-1893
- Previously, Slack attachments may have failed to download due to authentication token refresh errors. -CA-730
- Updated the Instagram, Download Your Data import process to capture Instagram Comments from the new format. -CA-1196
Axiom Cyber Update - 7.10.0 - 29/02/2024
With this release of AXIOM Cyber, we’ve added the ability to sign in to an AWS account using session credentials.
Unlike security credentials, which can be reused and potentially allow a user to access the AWS account indefinitely, session credentials can only be used while the session is active, and if they’re tied to a role, you can limit the session duration to 1-12 hours.
Organizations use session credentials as an added security measure to limit ongoing access to an AWS account. Should access to the AWS account be required again, new session credentials would need to be provided.
Along with these new sign-in features, we’ve significantly improved the usability of the sign-in page to better align it with how data is configured in AWS.
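As an added illustration of the distinction drawn above (example code, not part of the AXIOM release notes or the product itself), the following Python models the two credential shapes and a defender-side check an acquisition tool could apply: accept only unexpired session credentials, and clamp a requested role-session duration to the limits AWS enforces. The 900 second floor and 12 hour ceiling are AWS STS limits, and the "AKIA"/"ASIA" access key prefixes are AWS conventions for long-lived and temporary keys; the class, function names and sample key values are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Bounds from the AWS STS AssumeRole API: DurationSeconds may be 900 s to 43200 s,
# and a role's MaxSessionDuration setting is 1 to 12 hours (the "1-12 hours" above).
STS_MIN_DURATION_SECONDS = 900
ROLE_MIN_MAX_SESSION_SECONDS = 3600
ROLE_MAX_SESSION_SECONDS = 12 * 3600


@dataclass
class AwsCredentials:
    """Shape of a credential set as returned by STS (temporary) or created for
    an IAM user (long-lived). Temporary credentials carry a session token and
    an expiration; long-lived keys have neither. (Example type, not an AWS SDK type.)"""
    access_key_id: str
    secret_access_key: str
    session_token: Optional[str] = None
    expiration: Optional[datetime] = None


def is_session_credential(creds: AwsCredentials) -> bool:
    # Temporary access key ids begin with "ASIA"; long-lived IAM user keys begin
    # with "AKIA". Requiring both the prefix and a token avoids accepting a
    # long-lived key that was pasted into the session-token field by mistake.
    return creds.session_token is not None and creds.access_key_id.startswith("ASIA")


def clamp_requested_duration(requested_seconds: int, role_max_seconds: int) -> int:
    """DurationSeconds a tool should actually send in AssumeRole: never below the
    STS floor and never above the role's MaxSessionDuration (itself capped at 12 h).
    Raises ValueError when the role setting is outside what AWS allows."""
    if not ROLE_MIN_MAX_SESSION_SECONDS <= role_max_seconds <= ROLE_MAX_SESSION_SECONDS:
        raise ValueError("role MaxSessionDuration must be between 1 and 12 hours")
    return max(STS_MIN_DURATION_SECONDS, min(requested_seconds, role_max_seconds))


def validate_for_acquisition(creds: AwsCredentials,
                             now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Policy check for a tool that must only ever hold time-limited access:
    accept session credentials that are unexpired and whose remaining lifetime
    fits inside a 12 hour role session. Returns (accepted, reason)."""
    now = now or datetime.now(timezone.utc)
    if not is_session_credential(creds):
        return False, "long-lived access key: reusable indefinitely, not a session credential"
    if creds.expiration is None:
        return False, "session credential without expiration metadata"
    remaining = creds.expiration - now
    if remaining <= timedelta(0):
        return False, "session has expired; new session credentials are required"
    if remaining > timedelta(seconds=ROLE_MAX_SESSION_SECONDS):
        return False, "remaining lifetime exceeds the 12 hour role-session ceiling"
    return True, f"accepted; {int(remaining.total_seconds())} s remaining"


# Constructed sample inputs (placeholders, not real keys): a long-lived IAM user
# key and a role session that expires one hour after NOW.
NOW = datetime(2024, 2, 29, 12, 0, tzinfo=timezone.utc)
AFTER_EXPIRY = NOW + timedelta(hours=2)
LONG_LIVED = AwsCredentials("AKIAEXAMPLEPLACEHOLDER", "secret-placeholder")
ROLE_SESSION = AwsCredentials("ASIAEXAMPLEPLACEHOLDER", "secret-placeholder",
                              session_token="FwoGZXIvYXdzEXAMPLEtoken",
                              expiration=NOW + timedelta(hours=1))

if __name__ == "__main__":
    for label, creds in (("long-lived", LONG_LIVED), ("role session", ROLE_SESSION)):
        print(label, validate_for_acquisition(creds, now=NOW))
    print("request 2 h against a 1 h role:", clamp_requested_duration(7200, 3600))
```

Running the module rejects the long-lived key, accepts the one-hour role session, and shows a two-hour request against a one-hour role being clamped to 3600 seconds, which is the behaviour the release notes describe: access lasts only as long as the session, and a fresh session is needed afterwards.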
Automatically Create Animated Maps from Geolocation Data
As with many things, seeing is believing. To help add important context to your reports and testimony in court, we have introduced Animated Maps in Magnet AXIOM and AXIOM Cyber.
With Animated Maps, you can show the user’s movement based on the geolocation information from device data, combining location and timestamp data to show the path they took during a given time frame. The ability to easily animate map routes mitigates time-consuming and labour-intensive manual processes required to display location evidence in an engaging and visually appealing format.
To learn more about Animated Maps, check out the blog “Moving in the Right Direction with Animated Maps.”
New and Updated Artifacts
We’re continually adding and updating artifacts based on the applications you’re coming across in your investigations.
This release includes new and updated artifacts, including:
NEW
- Edge Chromium (iOS, macOS, Windows)
  - Edge Chromium Current Session
  - Current Tabs
  - Last Sessions
  - Last Tabs
- Journals (iOS)
- Voice Mail (iOS)
UPDATED
- Apple Mail (iOS)
- Call Logs (Android)
- Chrome (Android)
  - Chrome Current Sessions
  - Current Tabs
  - Last Sessions
  - Last Tabs
- Chrome Cookies (iOS, macOS, Windows)
- Chrome Logins (Windows)
- Chrome Web Visits (Android, iOS, Linux, macOS, Windows)
- Digital Wellbeing Events (Android)
- Facebook Messenger Messages (Android)
- Instagram Direct Messages (iOS)
- Telegram (iOS)
  - Telegram Chats
  - Messages
  - User artifacts
- WeChat (Android)
Axiom Cyber Update - 7.9.0 - 31/01/2024
Artifact updates
Android
- Aloha Browser Autofill Profiles
- Aloha Browser Bookmarks
- Aloha Browser History
- DuckDuckGo Bookmarks
- Session Communities NEW
- Session Groups NEW
- Session Messages NEW
- Session Users NEW
- Snapchat Messages
- Telegram Messages
- Telegram Users
- Videos
Windows
- User Accounts
- Videos
iOS
- Apple Mail
- Biome Safari Page View
- Biome Siri Execution
- Biome Siri UI Usage
- Biome User Activity
- Device Information
- Facebook Messenger
- iCloud Local Files
- iMessage/SMS/MMS
- Installed Applications
- Session Communities NEW
- Session Groups NEW
- Session Messages NEW
- Session Users NEW
- Snapchat
- Telegram Messages
- TikTok Media
- Videos
- WebKit Browser Web History (Carved)
Automatic image creation when loading evidence from Files and Folders
AXIOM will automatically create an image (.zip) of selected local Files and Folders. Manage and share the case while maintaining a connection to a static evidence source image. Automatic image creation is available for the following sources:
- Computer
- Mobile
- Vehicle
Add custom fields to exports
When you create a portable case or PDF report, you can now add custom fields that will appear along with the default case details. Use these fields to include information that is important to your investigation, such as an outside agency case number, lab case number, reviewing examiner, and more.
Create a report of evidence source details
From the case dashboard, you can now create a PDF report of summary information about an evidence source. Depending on the device type, this report can include device details, wallpaper, user accounts, and an artifact type summary.
Artifacts
- Aloha Browser Autofill Profiles, Aloha Browser Bookmarks, Aloha Browser History | Android: Updated parsing support to recover missing data. [v4.1.4]
- Biome Safari Page View, Biome Siri Execution, Biome Siri UI Usage, Biome User Activity | iOS: Updated parsing support to recover data from iOS 17.
- DuckDuckGo Bookmarks | Android: Updated parsing support to recover data from v5.153.
- Facebook Messenger | iOS: Updated carving support to recover the group name. [v408.1] NEW
- iCloud Local Files | iOS: Added parsing support to recover iCloud Local Files from iOS devices.
- iMessage/SMS/MMS | iOS: Updated the Attachments fragment to Attachment Path, to more accurately reflect the recovered data.
- Installed Applications | iOS: Updated parsing support to recover application icons.
- Session Communities | Android, iOS: Added parsing support for Session Communities.
- Session Groups | Android, iOS: Added parsing support for Session Groups.
- Session Messages | Android, iOS: Added parsing support for Session Messages.
- Session Users | Android, iOS: Added parsing support for Session Users.
- Snapchat Messages | Android: Updated carving support for Snapchat Messages. [v12.68.0.26, v12.20.0.33]
- Telegram Messages | Android: Updated parsing support to recover the correct message type.
- Telegram Messages | iOS: Updated parsing support to indicate if a message is a secret chat.
- Telegram Users | Android: Updated parsing support.
- User Accounts | Windows: Updated parsing support to recover whether or not Auto Logon was enabled by the user.
- Various artifacts: Minor performance improvements during processing.
- Videos | All platforms: Updated parsing support to recover higher quality, dynamic video frames.
Cloud
- AXIOM now supports the use of alias email addresses when acquiring Microsoft 365 and Teams cloud platforms.
- The Case folder now contains a Cloud Data Source Selection Summary.txt, detailing the user selected cloud data sources.
Processing
- AXIOM will now create an image (.zip) when adding evidence using the Files and Folders workflow for local files.
- exFAT source evidence items will now capture: Cluster (Cluster number), Cluster count, Physical location (Offset where the file begins), and Physical sector.
- Improved linking to evidence sources that reference 8.3 file paths on Windows filesystems. NEW
Examining
- On the case dashboard, portable cases now include a link to Making a Case, a free online training course for investigators and other portable case stakeholders.
- You can now add custom fields to PDF reports and portable cases.
- You can now create a PDF report of evidence source summary information, which can include device details, wallpaper, user accounts, and an artifact type summary.
- When exporting to a load file, you can now choose to export related items for chat artifacts.
Data enrichment and analytics
- You can now enable Enhanced picture categorization of video to improve Magnet.AI picture categorization potential. For more information, log in to the Support Portal to read Video thumbnail collage creation process.
Bug fixes
- In cases with large amounts of media evidence, performance issues and crashes sometimes occurred when hovering over media to view a preview. -EXM-2934
- In some portable cases, the timeline explorer couldn’t be built. -EXM-3061
- Sometimes, portable cases were missing data and couldn’t locate the source if the original source image was moved to a different location. -EXM-2827
- Sometimes, the SQLite viewer didn’t include the WAL file for a database. -EXM-2568
- When saving files and folders as a ZIP file, the timestamps weren’t being preserved. -EXM-3181
- Some Apple Mail evidence was being duplicated. -MARS-870
- Some carved hits weren’t being recovered from WeChat Messages for Android. -MARS-1461 NEW
- Some iOS TikTok metadata files were being incorrectly recovered as TikTok media files. -MARS-1152
- Sometimes, temp files from Snapchat artifact recovery weren’t being removed from the AXIOM case folder. -MARS-1508
- Sometimes, the title and URL didn’t match for Webkit Browser Web History (Carved) artifacts. -MARS-1706
- Sometimes, WhatsApp artifacts were being attributed to the wrong user. -MARS-1818
- Previously, AXIOM was unable to acquire Google passwords. -CA-1732
- Previously, conversations from a WhatsApp QR Code acquisition would not be displayed in Examine if the conversation name was empty. -CA-1733
- Previously, conversations in a Google Chat Takeout were not displayed in a thread format. -CA-1638
- Previously, O365 Audit log acquisitions may have failed (timed out). -CA-1592
- Previously, WhatsApp QR code acquisitions may not have included the message type for a conversation. -CA-549
- Resolved chat threading for Snapchat Warrant returns with an updated format. -CA-1168
- Updated the Chrome extension to resolve WhatsApp Google Drive backup acquisitions issues. -CA-1729
Axiom Cyber Update - 7.7.0.38007 - 14/11/2023
Artifacts:
- Device Information | iOS: Added parsing support for iOS Device Information.
- DJI Media | Android: Added parsing and carving support for DJI Media.
- DJI Media | iOS: Added carving support for DJI Media.
- DJI User Information | Android: Added parsing support for DJI User Information.
- Edge Chromium Autofill | macOS, Windows: Updated parsing support to decrypt plaintext values.
- Executive Object Callbacks | Windows Memory: Added parsing support for Executive Object Callbacks.
- Facebook Messenger Messages | Android: Updated carving support. [v386]
- Facebook Messenger Messages | iOS: Updated carving support to recover Group Name in Group Messages. [v408.1]
- Find My Items | iOS, macOS: Updated parsing support to include the owner.
- ICQ 10 Messages | Windows: Updated parsing support to include the ICQ ID of the sender or recipient.
- Instagram Direct Messages | Android, iOS: Updated parsing support to recover Chat ID and Thread ID.
- iOS Message Preferences | iOS: Updated parsing support to include blocked users and whether SMS forwarding is enabled.
- Network Interfaces | iOS: Added parsing support to recover data from iOS Network Interfaces.
- Private MAC Addresses | iOS: Added parsing support for Private MAC Addresses – iOS.
- Various Biome artifacts | iOS: Added parsing support for iOS 17.
Remote Acquisition:
- AXIOM Cyber now supports TLS 1.3 authentication.
- The AXIOM Cyber agent template is now a signed binary, reducing the occurrences of being quarantined by antivirus tools.
Cloud:
- Added support for parsing hits for Google Chat from Google Takeout.
Processing:
- AXIOM GRAYKEY/VERAKEY Discovery service updated to restart automatically.
- Enhanced capabilities with exFAT and Recovered deleted files.
- Improvements to processing of .zip files with long file names.
Examination:
- You can now upload cases from AXIOM Examine to Magnet REVIEW SaaS.
Data Enrichment and Analytics:
- Improved Magnet.AI picture categorisation of video still frame collages.
Bug Fixes:
- Improved YARA Rules logging to capture long running processes. -ENGN-10419
- Previously, AXIOM Process may have crashed during attempts to process temp files that were removed prematurely. -ENGN-10593
- Previously, VERAKEY devices were unable to register with the AXIOM GRAYKEY/VERAKEY Discovery service. -ENGN-10424
- Security – CVE-2023-4863/CVE-2023-5217: Updated CefSharp libraries to address vulnerabilities where a crafted HTML page could allow an attacker to perform an out of bounds memory write, or potentially exploit heap corruption. -ENGN-10452
- Data from multiple Signal artifacts wasn’t being correctly decrypted or acquired. -MARS-1686
- Some Android Signal temporary files weren’t being acquired. -MARS-1696
- Some data was being incorrectly included in the Text column for iOS Facebook Messenger Messages. -MARS-1690
- Some iMessages/SMS/MMS for iOS 17 weren’t being parsed. -MARS-1671
- Added support for Apple Warrant Return Contact cards (.vcfs). -CA-450
- Previously, AXIOM may not have recovered all media from a Snapchat warrant return due to updated warrant return format. -CA-295
- Previously, AXIOM was unable to acquire iCloud backups. -CA-1612
- Previously, AXIOM would not allow multiple iCloud backup evidence sources in a single case. -CA-1519
- Previously, AXIOM would not reattempt an acquisition if an internal server error response was received from the provider. -CA-1518
- Previously, you could not sign into Slack to perform a live acquisition. -CA-1216
- Excluded fields were still being displayed in load file exports. -EXE-279
Axiom Cyber Update - 02/10/2023
Updates & Features:
- Facebook Contacts on Android now has improved support for recovering data. [394.1.0.51]
- Facebook Messenger Messages on iOS can now find group names in group messages. [408.1]
- iOS Messages Preferences get parsing support.
- iOS Owner Information now easily recovers DSID from com.apple.itunescloud.plist. [iOS 16.5.1]
- Safari Downloads on Android, iOS, and macOS can now retrieve download timestamps.
- Signal Messages on Android has better support for recovering missing messages. [6.28.5]
- Signal Users on Android can recover more user data. [6.28.5]
- Snapchat Chat Messages on Android now recovers story replies. [12.20.0.33]
- Tinder Accounts on Android can now fetch profile picture URLs. [14.3.1]
New Features:
- Remote acquisition now allows you to include file and folder listings in the acquisition.
- Cloud: You can now acquire shared drives from Google Workspace. Authenticate using client credentials for Microsoft user accounts.
Enhancements:
- AXIOM can resolve Git URLs to a valid repo.
- In the Registry explorer, you can quickly collapse items by right-clicking.
- Highlight and view protobuf data in the Hex/Text Card by right-clicking.
- The Magnet.AI weapons category now searches for 3D printed weapons and parts in media.
Bug Fixes:
- Android devices with modified iSerial properties are no longer selectable as evidence sources to prevent vulnerabilities.
- AXIOM can now read uninitialized file extents in ext4 images.
- AXIOM Examine settings no longer crash after multiple attempts to close the Settings window.
- Building the Media explorer won’t crash AXIOM Examine anymore.
- Android TikTok Draft Media is now correctly reported as unpublished.
- No more missing data from iOS Telegram Messages. [v9.5.4]
- Instagram Direct Messages and Group Members from multiple sources now display correct sending and receiving users.
- Google Photos acquisition will no longer fail with ‘too many requests.’