Artifact updates
Android
Call Logs
Naver Whale
NEW
WhatsApp
WiFi Profiles
iOS
Call Logs
Screen Time
NEW
WhatsApp
Windows
QQ
NEW
USB 3.1 devices
NEW
Windows 10 Mail
NEW
Cloud
- Load users and file/folder views faster for Box.com and Office 365 acquisitions
Performance
- Scan unencrypted iOS backups and Graykey images faster
- HTML exports take less time to build
- Reduced the amount of time it takes to create portable cases
Evidence quality
- Improved deduplication of carved and parsed pictures
- Identify whether artifacts come from a deleted source
Workflow and usability
- Improved progress reporting for physical acquisitions
- Configure additional Magnet.AI settings before you start a scan
- Open artifacts and files for viewing in external apps
- Delete system-defined tags and reassign their keyboard shortcuts to custom tags
- Added more file attributes to Column view in the Filesystem explorer
More details...
Artifacts
- Email Attachments: Updated the 'Email' section in AXIOM Examine to display recovered data from Email Attachments in a clearer way.
- KakaoTalk | Android: Updated parsing support to decrypt chat logs. [8.0.3]
- Keychain: Added support for Base64 encoding which allows keychain data to be displayed correctly when it’s recovered from a GrayKey image. [iOS 12]
- Location History: Added parsing support to recover Apple Maps Trips from a GrayKey image. [iOS 11]
- Mail | Windows: Added support for recovering emails and attachments from the native mail application in Windows. [Windows 10]
- Naver Whale | Android: Added support for recovering the browser history from Naver Whale. [8.8.6]
- Pictures: Improved performance and better deduplication, resulting in less data noise and faster scan times. [All platforms]
- QQ | Windows: Updated parsing support to decrypt the database, recover messages, and create a memory dump. [9.0.6]
- SMS/MMS | Android: Updated carving support to better recover chat threading hits.
- Safari | iOS: Now differentiates between the different types of bookmarks (bookmarks, favorites, and reading list items). [iOS 11]
- Screen Time: Get a list of the apps installed on the user’s device, or on other devices that use the same Apple ID or are part of the same family account. [iOS 12]
- USB Devices: Added support for USB 3.1. [Windows 10]
- WhatsApp | Android: Added a new WhatsApp Chats artifact which contains information about each individual chat session open on the device. This artifact includes missed calls and unseen messages which aren’t captured under WhatsApp Messages. [2.17.223]
- WhatsApp | Android: Improvements to the WhatsApp Messages artifact to better differentiate between the different types of messages (broadcast, individual, group). [2.18.267]
- WhatsApp | Android: Indicate when a user joins or leaves the group chat in the chat thread view. [2.18.267]
- WhatsApp | Android: Updated parsing support for group messages to recover group description and group profile picture. [2.18.267]
- WhatsApp | Android: Updated parsing support to recover starred messages and location user information such as profile photo, phone number, WhatsApp version, last shared location, current status, and push name. [2.18.267]
- WhatsApp | iOS: Added a new WhatsApp Chats artifact which contains information about each individual chat session open on the device. This artifact includes missed calls and unseen messages which aren’t captured under WhatsApp Messages. [2.18.10]
- WhatsApp | iOS: Now includes a Conversation ID attribute so that deleted messages can be attributed to a session. [2.11]
- WhatsApp | iOS: Updated parsing and carving support to better recover messaging hits, recover starred messages, and to identify if messages are of individual, group, or broadcast type. [2.18.81]
- WhatsApp | iOS: Updated parsing support for group messages to recover creator ID and name. [2.18.267]
- WiFi Profiles: Add support for the parsing WiFi profiles from WifiConfigStore.xml. [Android 7 and 8]
Cloud
- Performance improvements to searching for specific users by name or email address when you're logged in to a Cloud Office 365 or Box.com account with administrative privileges.
- When loading all user accounts from a cloud platform source, you now have the option to cancel the operation.
Magnet.AI
- In AXIOM Process, you can now configure Magnet.AI to categorize chats immediately after your case finishes processing.
Processing
- Performance improvements have been made to decrease the shutdown time for AXIOM Process.
- To improve performance times and decrease disk usage when processing iOS images, AXIOM Process no longer copies unencrypted iOS backups to the local file system.
- You can now locate decrypted iOS backups in your case folder.
- Many types of full acquisitions, including drives and some types of mobile devices, now display progress reporting while they run.
Examining
- In the File system explorer, you can now sort and filter on artifact columns for MFT modified, MFT record number, parent MFT record number, security ID, cluster, cluster count, physical location, physical sector, and source attributes. These attributes are also included when you export evidence in AXIOM Examine.
- Performance improvements and file size reduction when you export a portable case.
- You can now delete System and Magnet.AI tags, and you can reassign keyboard shortcuts to other tags.
- You can now export evidence to HTML up to 2.5 times faster.
- You can now open files from the File system explorer and the source file from artifact hits in an external viewer.
Bug fixes
- If you opened a portable case in AXIOM Examine and the language was set to Turkish, Korean, Vietnamese, Traditional Chinese, or Simplified Chinese, not all explorers were available. -AXE-6077
- In some cases, creating an export that contained an attachment could cause the export to fail. -AXE-6162
- Sometimes a Project VIC JSON export would not include recovered MAC times. -AXE-5320
- When viewing a PDF artifact, AXIOM Examine sometimes failed to display a preview of the PDF file correctly. -AXE-6128
- Doing an ADB acquisition of an SD card on an Android device might have resulted in MAC times being written incorrectly. -MMI-362
- During a scan, some types of artifacts might cause AXIOM to run indefinitely. -ARTC-599
Known issues
- In some cases, if you attempt to open a case that was processed using a newer version of AXIOM Process in an older version of AXIOM Examine, an error messages appears or you may experience unexpected behavior. Workaround: Update Magnet AXIOM Examine to the latest version.
- In some situations, antivirus software is known to prevent Magnet AXIOM from creating a portable case. For example, if Malware URLs are part of the evidence being exported, the portable case might not get created successfully. Workaround: Turn off the antivirus software and create the portable case. Turn on the antivirus software again.
- Magnet AXIOM crashes when out of disk space. Workaround: Check the amount of disk space available for the case and acquisition directories before you start processing.
- When you process an encrypted iTunes backup and provide the password to decrypt it, the data might still appear in its encrypted form in AXIOM Examine. Workaround: Extract the iOS image from the compressed container to a different location on your computer. In AXIOM Process, perform a Files and Folders scan. (In the Evidence sources section, click Mobile > iOS > Load evidence > Files and Folders.)