New in Magnet AXIOM 2.0.0.9322 - April 25, 2018

Memory analysis

With the new memory analysis functionality, you can load memory dumps into AXIOM Process and scan them for computer artifacts and 21 new Volatility artifacts. Use these artifacts to learn about a user's activities on the system, such as which processes were running at certain times or which files were opened.

Case dashboard

The new Case dashboard view provides a high-level overview of your case, evidence sources, and artifacts, all on one screen when you open your case. The dashboard also highlights useful places to start, such as tagged items, keyword matches, and evidence types.

Magnet.AI photo and chat categorization

Now until the end of 2018, you can use the Magnet.AI module in AXIOM for free. Magnet.AI uses trained machine learning models to categorize chats and pictures, and find content that might be of interest in your case. Use Magnet.AI to search the evidence for possible sexual conversations, grooming/luring, child abuse material, nudity, weapons, or drugs.

Load GrayKey images

You can now load images that have been acquired using Grayshift's GrayKey tool, allowing you to review evidence from locked iOS devices.

New Windows OS Artifacts

With the addition of 25 new operating system artifacts, gain insight into a user's computer activity, including their use of files, folders, programs, and network. You can also discover the presence of malware and other intruders on the user's computer.

Mobile and desktop artifacts

LINE: Messages are now located in the Chat artifact category and pictures are located in the Media artifacts category. [Android, iOS]

Memory: Added support for memory artifacts corresponding to the following Volatility commands: apihooks, clipboard, cmdhistory, connections, connscan, dlllist, filescan, getsids, handles, imageinfo, ldrmodules, malfind, modscan, modules, netscan, pslist, psscan, psxview, sockets, sockscan, timeliner.

LINE: Ability to view LINE messages in a conversation view. [Android, iOS]

Android Device Information: Root access is now required to access the Android ID from Android 6.0.

Snapchat Snaps: Updated carving support for sent snaps. [Snapchat 10.2.1 and 10.2.7 for Android]

AmCache: Ability to recover information about recently run programs, executed files, loaded drivers, and connected devices. [Windows 8, 8.1, 10]

System Services: Ability to recover a list of services that were running in the background. [Windows XP, Vista, 7, 8.1, 10]

CSV Documents: Ability to parse .csv files. [All platforms]

Scheduled Tasks: Ability to recover the list of scheduled tasks and their execution conditions. [Windows XP, Vista, 7, 8.1, 10]

MUICache: Ability to recover information about which programs and executables have been run on a system. [Windows XP, Vista, 7, 8, 8.1, 10]

Remote Desktop Protocol: Ability to recover the history of remote connections, including remote IP addresses and user names used. [Windows XP, Vista, 7, 8, 8.1, 10]

SRUM: Scan the System Resource Usage Monitor and recover recent system activity relating to application utilization, network connections, push notifications, and energy usage. [Windows 8, 8.1, 10]

AutoRun Items: Ability to recover lists of processes that automatically execute when specific conditions are met, for example when launching a browser or opening a document. [Windows XP, Vista, 7, 8, 8.1, 10]

Known DLLs: Ability to recover the list of trusted DLLs on a user's computer. [Windows XP, Vista, 7, 8, 8.1, 10]

Most Recently Used: Ability to recover user's recently opened and saved files, recent documents, run commands, and the last opened folder. [Windows XP, Vista, 7, 8, 8.1, 10]

$LogFile Analysis: Recover transaction logs for creating, renaming, and deleting files and folders on a system. [Windows XP, Vista, 7, 8, 8.1, 10]

Windows Event Logs: Added classification for events pertaining to RDP and Scheduled Task activities.

Instagram Posts: Updated support for recovering Instagram posts. [Instagram 10.30 on Android]

Added carving support for MMS/RCS messages on Android, whereas previously, only SMS was supported.

Cloud artifacts

You can now access Cloud services through a proxy server.

You can now find cloud tokens, user names, and passwords in the Cloud Accounts Information artifact after logging into an account.

You can now acquire iCloud Mail messages and attachments.

You can now acquire files and folders from other Box.com accounts with administrator credentials.

You can now process Google Contacts Takeout images.

You can now process Google Calendar Takeout images.

AXIOM Process features

You can now load iPhone images that have been acquired using Grayshift's GrayKey tool, in .zip format.

If you need to see the profile that was selected, and other information from a KDBG scan when processing a memory dump, you can locate these results in the case information.txt file within your case folder.

You can now bypass passwords and bootloader locks on supported Motorola devices to perform a physical acquisition by using recovery images.

Sometimes, when the same evidence number was entered for multiple iOS and Android devices acquired with using MTP or iOS quick imaging, the images were being saved to the same location.

Fixed issues

Sometimes, when the relative date/time filter was cleared or changed, AXIOM Examine would crash. -AXE-5207

Sometimes, when attempting to review evidence, AXIOM Examine would crash. -AXE-4752

.Zip files that contained a directory without a name were unable to be loaded. -AXP-3127

Some Japanese, Korean, and Chinese characters were not appearing correctly in email attachments and case reports. -AXE-5146

Sometimes, when the time zone setting was changed and then the Registry explorer was opened, AXIOM Examine would crash. -AXE-5293

In some situations a corrupt ESE database caused the program to crash. -AXP-3199

Some Android devices would experience failures after rooting was automatically attempted on devices that were not supported. -MMI-816

Some Android Gmail messages were not being fully recovered. -ART-9104

Known issues

Magnet AXIOM crashes when out of disk space. Workaround: Check the amount of disk space available for the case and acquisition directories before you start processing.

In some situations, antivirus software is known to prevent Magnet AXIOM from creating a portable case. For example, if Malware URLs are part of the evidence being exported, the portable case might not get created successfully. Workaround: Turn off the antivirus software and create the portable case. Turn on the antivirus software again.

When Gmail attachments include a long file name, only the first 25 characters are displayed in the case folder.

In older versions of AXIOM Examine (earlier than 1.1.0), if you attempt to open a case that was processed using AXIOM Process version 1.1.0 or later, you may experience unexpected results.

When you process an encrypted iTunes backup and provide the password to decrypt it, the data might still appear in its encrypted form in AXIOM Examine. Workaround: Extract the iOS image from the compressed container to a different location on your computer. In AXIOM Process, perform a Files and Folders scan. (In the Evidence sources section, click Mobile > iOS > Load evidence > Files and Folders.)