New in Magnet AXIOM 2.1.0.9727 - May 24, 2018
Highlights
Windows 10 Timeline Activity: You can now recover information from the Timeline on Windows 10 to uncover a user's activities on their system, such as web history, document usage, media access, and so on.
Mobile and desktop artifacts
- Chrome: Updated carving support for web history. [Windows]
- Keychain: Added parsing support for Keychain files recovered in a GrayKey image. [iOS]
- WhatsApp: Added support to recover the administrator of group conversations. [Android]
- Gmail: Updated carving support. [Gmail 7.6.18 on Android]
- Jump Lists: Updated parsing of DestList attributes for new versions of Windows. [Windows 10]
- Added support for recovering Content Provider artifacts when ingesting a Logical Android image that was acquired using UFED. Artifact coverage includes SMS, MMS, Call Logs, Contacts, and Calendar Events. [Android]
AXIOM Process features
- When you load segmented images into AXIOM Process, a window now appears to indicate whether a segment was successful or unsuccessful.
- You can now perform a full disk decryption on FileVault2 encrypted drives with a known password.
- You can now use a known password and PIM, or a dictionary attack, to decrypt a VeraCrypt encrypted computer image.
- The device activity log for acquisitions will now be written to the running directory while the acquisition is running and will be copied to the acquisition output directory upon completion.
- During the device acquisition setup process, you can now retry steps that include searching devices or installing drivers.
Fixed issues
- When clicking a pin in the World map view, the "add a tag/comment" option was missing. -AXE-2788
- While scanning the $BadClus:$Bad alternate data stream, AXIOM Process would re-scan previously searched clusters and recover duplicate artifacts. -AXP-83
- Searching for an MFT reference number in the search bar (one that was recovered from a $LogFile Analysis artifact) yielded no search results. -AXE-5570
- You can now load multiple cloud images and Google Takeout .zip files as separate evidence sources in AXIOM Process. -CAO-1339
- Previously, if you selected Box.com folders from an Enterprise Administrator account or a Co-Administrator account and not individual files, AXIOM Process would only acquire information from Box.com folders. -CAO-1387
- If a FAT file system contained deleted directories overwritten by large files, AXIOM Process would hang while writing File System information. -AXP-1775
- Sometimes when processing an Android mobile device, the agent would crash and not all information would be processed. -MMI-843
- In the Most Recently Used recent files and folders artifact, the file/folder link attribute was making an incorrect path interpretation assumption. -JET-2219
- In Most Recently Used folder access and Most Recently Used opened and saved files artifacts, some items were not recovered on Windows 10 images. -JET-2266
- In all Most Recently Used artifacts, identical items were wrongfully deduplicated when recovered from different registry locations. -JET-2267
Known issues
- In some situations, antivirus software is known to prevent Magnet AXIOM from creating a portable case. For example, if malware URLs are part of the evidence being exported, the portable case might not get created successfully. Workaround: Turn off the antivirus software and create the portable case. Turn on the antivirus software again.
- Magnet AXIOM crashes when out of disk space. Workaround: Check the amount of disk space available for the case and acquisition directories before you start processing.
- When you process an encrypted iTunes backup and provide the password to decrypt it, the data might still appear in its encrypted form in AXIOM Examine. Workaround: Extract the iOS image from the compressed container to a different location on your computer. In AXIOM Process, perform a Files and Folders scan. (In the Evidence sources section, click Mobile > iOS > Load evidence > Files and Folders.)
- In older versions of AXIOM Examine (earlier than 1.1.0), if you attempt to open a case that was processed using AXIOM Process version 1.1.0 or later, you may experience unexpected results.