Axiom Cyber Changelog

 

 


Axiom Cyber Update - 7.10.0 - 29/02/2024

With the release of AXIOM Cyber, we’ve added the ability to sign in to an AWS account using session credentials.

Unlike security credentials, which can be reused and potentially allow a user to access the AWS account indefinitely, session credentials can only be used while the session is active, and if they’re tied to a role, you can limit the session duration to 1-12 hours.

Organizations use session credentials as an added security measure to limit ongoing access to an AWS account. Should access to the AWS account be required again, new session credentials would need to be provided.

Along with these new sign-in features, we’ve significantly improved the usability of the sign-in page to better align it with how data is configured in AWS.

Automatically Create Animated Maps from Geolocation Data

As with many things, seeing is believing. To help add important context to your reports and testimony in court, we have introduced Animated Maps in Magnet AXIOM and AXIOM Cyber.

With Animated Maps, you can show the user’s movement based on the geolocation information from device data, combining location and timestamp data to show the path they took during a given time frame. The ability to easily animate map routes mitigates time-consuming and labour-intensive manual processes required to display location evidence in an engaging and visually appealing format.

To learn more about Animated Maps, check out the blog “Moving in the Right Direction with Animated Maps.”

New and Updated Artifacts

We’re continually adding and updating artifacts based on the applications you’re coming across in your investigations.

This release includes new and updated artifacts, including:

NEW

  • Edge Chromium (iOS, macOS, Windows)
    • Edge Chromium Current Session
    • Current Tabs
    • Last Sessions
    • Last Tabs
  • Journals (iOS)
  • Voice Mail (iOS)

UPDATED

  • Apple Mail (iOS)
  • Call Logs (Android)
  • Chrome (Android)
    • Chrome Current Sessions
    • Current Tabs
    • Last Sessions
    • Last Tabs
  • Chrome Cookies (iOS, macOS, Windows)
  • Chrome Logins (Windows)
  • Chrome Web Visits (Android, iOS, Linux, macOS, Windows)
  • Digital Wellbeing Events (Android)
  • Facebook Messenger Messages (Android)
  • Instagram Direct Messages (iOS)
  • Telegram (iOS)
    • Telegram Chats
    • Messages
    • User artifacts
  • WeChat (Android)

Axiom Cyber Update - 7.9.0 - 31/01/2024

Artifact updates

Android

  • Aloha Browser Autofill Profiles
  • Aloha Browser Bookmarks
  • Aloha Browser History
  • DuckDuckGo Bookmarks
  • Session Communities NEW
  • Session Groups NEW
  • Session Messages NEW
  • Session Users NEW
  • Snapchat Messages
  • Telegram Messages
  • Telegram Users
  • Videos

Windows

  • User Accounts
  • Videos

iOS

  • Apple Mail
  • Biome Safari Page View
  • Biome Siri Execution
  • Biome Siri UI Usage
  • Biome User Activity
  • Device Information
  • Facebook Messenger
  • iCloud Local Files
  • iMessage/SMS/MMS
  • Installed Applications
  • Session Communities NEW
  • Session Groups NEW
  • Session Messages NEW
  • Session Users NEW
  • Snapchat
  • Telegram Messages
  • TikTok Media
  • Videos
  • WebKit Browser Web History (Carved)
  • WhatsApp

Automatic image creation when loading evidence from Files and Folders

AXIOM will automatically create an image (.zip) of selected local Files and Folders. Manage and share the case while maintaining a connection to a static evidence source image. Automatic image creation is available for the following sources:

  • Computer
  • Mobile
  • Vehicle

Add custom fields to exports

When you create a portable case or PDF report, you can now add custom fields that will appear along with the default case details. Use these fields to include information that is important to your investigation, such as an outside agency case number, lab case number, reviewing examiner, and more.

Create a report of evidence source details

From the case dashboard, you can now create a PDF report of summary information about an evidence source. Depending on the device type, this report can include device details, wallpaper, user accounts, and an artifact type summary.

Artifacts

  • Aloha Browser Autofill Profiles, Aloha Browser Bookmarks, Aloha Browser History | Android: Updated parsing support to recover missing data. [v4.1.4]
  • Biome Safari Page View, Biome Siri Execution, Biome Siri UI Usage, Biome User Activity | iOS: Updated parsing support to recover data from iOS 17.
  • DuckDuckGo Bookmarks | Android: Updated parsing support to recover data from v5.153.
  • Facebook Messenger | iOS: Updated carving support to recover the group name. [v408.1] NEW
  • iCloud Local Files | iOS: Added parsing support to recover iCloud Local Files from iOS devices.
  • iMessage/SMS/MMS | iOS: Updated the Attachments fragment to Attachment Path, to more accurately reflect the recovered data.
  • Installed Applications | iOS: Updated parsing support to recover application icons.
  • Session Communities | Android, iOS: Added parsing support for Session Communities.
  • Session Groups | Android, iOS: Added parsing support for Session Groups.
  • Session Messages | Android, iOS: Added parsing support for Session Messages.
  • Session Users | Android, iOS: Added parsing support for Session Users.
  • Snapchat Messages | Android: Updated carving support for Snapchat Messages. [v12.68.0.26, v12.20.0.33]
  • Telegram Messages | Android: Updated parsing support to recover the correct message type.
  • Telegram Messages | iOS: Updated parsing support to indicate if a message is a secret chat.
  • Telegram Users | Android: Updated parsing support.
  • User Accounts | Windows: Updated parsing support to recover whether or not Auto Logon was enabled by the user.
  • Various artifacts: Minor performance improvements during processing.
  • Videos | All platforms: Updated parsing support to recover higher quality, dynamic video frames.

Cloud

  • AXIOM now supports the use of alias email addresses when acquiring Microsoft 365 and Teams cloud platforms.
  • The Case folder now contains a Cloud Data Source Selection Summary.txt, detailing the user selected cloud data sources.

Processing

  • AXIOM will now create an image (.zip) when adding evidence using the Files and Folders workflow for local files.
  • exFAT source evidence items will now capture: Cluster (Cluster number), Cluster count, Physical location (Offset where the file begins), and Physical sector.
  • Improved linking to evidence sources that reference 8.3 file paths on Windows filesystems. NEW

Examining

  • On the case dashboard, portable cases now include a link to Making a Case, a free online training course for investigators and other portable case stakeholders.
  • You can now add custom fields to PDF reports and portable cases.
  • You can now create a PDF report of evidence source summary information, which can include device details, wallpaper, user accounts, and an artifact type summary.
  • When exporting to a load file, you can now choose to export related items for chat artifacts.

Data enrichment and analytics

  • You can now enable Enhanced picture categorization of video to improve Magnet.AI picture categorization potential. For more information, log in to the Support Portal to read Video thumbnail collage creation process.

Bug fixes

  • In cases with large amounts of media evidence, performance issues and crashes sometimes occurred when hovering over media to view a preview. -EXM-2934
  • In some portable cases, the timeline explorer couldn’t be built. -EXM-3061
  • Sometimes, portable cases were missing data and couldn’t locate the source if the original source image was moved to a different location. -EXM-2827
  • Sometimes, the SQLite viewer didn’t include the WAL file for a database. -EXM-2568
  • When saving files and folders as a ZIP file, the timestamps weren’t being preserved. -EXM-3181
  • Some Apple Mail evidence was being duplicated. -MARS-870
  • Some carved hits weren’t being recovered from WeChat Messages for Android. -MARS-1461 NEW
  • Some iOS TikTok metadata files were being incorrectly recovered as TikTok media files. -MARS-1152
  • Sometimes, temp files from Snapchat artifact recovery weren’t being removed from the AXIOM case folder. -MARS-1508
  • Sometimes, the title and URL didn’t match for Webkit Browser Web History (Carved) artifacts. -MARS-1706
  • Sometimes, WhatsApp artifacts were being attributed to the wrong user. -MARS-1818
  • Previously, AXIOM was unable to acquire Google passwords. -CA-1732
  • Previously, conversations from a WhatsApp QR Code acquisition would not be displayed in Examine if the conversation name was empty. -CA-1733
  • Previously, conversations in a Google Chat Takeout were not displayed in a thread format. -CA-1638
  • Previously, O365 Audit log acquisitions may have failed (timed out). -CA-1592
  • Previously, WhatsApp QR code acquisitions may not have included the message type for a conversation. -CA-549
  • Resolved chat threading for Snapchat Warrant returns with an updated format. -CA-1168
  • Updated the Chrome extension to resolve WhatsApp Google Drive backup acquisitions issues. -CA-1729

Axiom Cyber Update - 7.7.0.38007 - 14/11/2023

Artifacts:

  • Device Information | iOS: Added parsing support for iOS Device Information.
  • DJI Media | Android: Added parsing and carving support for DJI Media.
  • DJI Media | iOS: Added carving support for DJI Media.
  • DJI User Information | Android: Added parsing support for DJI User Information.
  • Edge Chromium Autofill | macOS, Windows: Updated parsing support to decrypt plaintext values.
  • Executive Object Callbacks | Windows Memory: Added parsing support for Executive Object Callbacks.
  • Facebook Messenger Messages | Android: Updated carving support. [v386]
  • Facebook Messenger Messages | iOS: Updated carving support to recover Group Name in Group Messages. [v408.1]
  • Find My Items | iOS, macOS: Updated parsing support to include the owner.
  • ICQ 10 Messages | Windows: Updated parsing support to include the ICQ ID of the sender or recipient.
  • Instagram Direct Messages | Android, iOS: Updated parsing support to recover Chat ID and Thread ID.
  • iOS Message Preferences | iOS: Updated parsing support to include blocked users and whether SMS forwarding is enabled.
  • Network Interfaces | iOS: Added parsing support to recover data from iOS Network Interfaces.
  • Private MAC Addresses | iOS: Added parsing support for Private MAC Addresses – iOS.
  • Various Biome artifacts | iOS: Added parsing support for iOS 17.

Remote Acquisition:

  • AXIOM Cyber now supports TLS 1.3 authentication.
  • The AXIOM Cyber agent template is now a signed binary, reducing the occurrences of being quarantined by antivirus tools.

Cloud:

  • Added support for parsing hits for Google Chat from Google Takeout.

Processing:

  • AXIOM GRAYKEY/VERAKEY Discovery service updated to restart automatically.
  • Enhanced capabilities with exFAT and Recovered deleted files.
  • Improvements to processing of .zip files with long file names.

Examination:

  • You can now upload cases from AXIOM Examine to Magnet REVIEW SaaS.

Data Enrichment and Analytics:

  • Improved Magnet.AI picture categorisation of video still frame collages.

Bug Fixes:

  • Improved YARA Rules logging to capture long running processes. -ENGN-10419
  • Previously, AXIOM Process may have crashed during attempts to process temp files that were removed prematurely. -ENGN-10593
  • Previously, VERAKEY devices were unable to register with the AXIOM GRAYKEY/VERAKEY Discovery service. -ENGN-10424
  • Security – CVE-2023-4863/CVE-2023-5217: Updated CefSharp libraries to address vulnerabilities where a crafted HTML page could allow an attacker to perform an out-of-bounds memory write, or potentially exploit heap corruption. -ENGN-10452
  • Data from multiple Signal artifacts wasn’t being correctly decrypted or acquired. -MARS-1686
  • Some Android Signal temporary files weren’t being acquired. -MARS-1696
  • Some data was being incorrectly included in the Text column for iOS Facebook Messenger Messages. -MARS-1690
  • Some iMessages/SMS/MMS for iOS 17 weren’t being parsed. -MARS-1671
  • Added support for Apple Warrant Return Contact cards (.vcfs). -CA-450
  • Previously, AXIOM may not have recovered all media from a Snapchat warrant return due to updated warrant return format. -CA-295
  • Previously, AXIOM was unable to acquire iCloud backups. -CA-1612
  • Previously, AXIOM would not allow multiple iCloud backup evidence sources in a single case. -CA-1519
  • Previously, AXIOM would not reattempt an acquisition if an internal server error response was received from the provider. -CA-1518
  • Previously, you could not sign into Slack to perform a live acquisition. -CA-1216
  • Excluded fields were still being displayed in load file exports. -EXE-279

Axiom Cyber Update - 02/10/2023

Updates & Features:

  • Facebook Contacts on Android now has improved support for recovering data. [394.1.0.51]
  • Facebook Messenger Messages on iOS can now find group names in group messages. [408.1]
  • iOS Messages Preferences get parsing support.
  • iOS Owner Information now easily recovers DSID from com.apple.itunescloud.plist. [iOS 16.5.1]
  • Safari Downloads on Android, iOS, and macOS can now retrieve download timestamps.
  • Signal Messages on Android has better support for recovering missing messages. [6.28.5]
  • Signal Users on Android can recover more user data. [6.28.5]
  • Snapchat Chat Messages on Android now recovers story replies. [12.20.0.33]
  • Tinder Accounts on Android can now fetch profile picture URLs. [14.3.1]

New Features:

  • Remote acquisition now allows you to include file and folder listings in the acquisition.
  • Cloud: You can now acquire shared drives from Google Workspace. Authenticate using client credentials for Microsoft user accounts.

Enhancements:

  • AXIOM can resolve Git URLs to a valid repo.
  • In the Registry explorer, you can quickly collapse items by right-clicking.
  • Highlight and view protobuf data in the Hex/Text Card by right-clicking.
  • The Magnet.AI weapons category now searches for 3D printed weapons and parts in media.

Bug Fixes:

  • To prevent vulnerabilities, Android devices with modified iSerial properties are no longer selectable as evidence sources.
  • AXIOM can now read uninitialized file extents in ext4 images.
  • AXIOM Examine settings no longer crash after multiple attempts to close the Settings window.
  • Building the Media explorer won’t crash AXIOM Examine anymore.
  • Android TikTok Draft Media is now correctly reported as unpublished.
  • No more missing data from iOS Telegram Messages. [v9.5.4]
  • Instagram Direct Messages and Group Members from multiple sources now display correct sending and receiving users.
  • Google Photos acquisition will no longer fail with ‘too many requests.’