New in Magnet AXIOM 1.2.4.8574 - February 28, 2018
Mobile and desktop artifacts
- iOS and Android messaging: In artifacts where the Local User was represented by an evidence number, 'Local User' has been added as a prefix for clarity (i.e. Local User <Evidence Number>) [iMessage/SMS/MMS Messages, iOS Call Logs, Kik Messenger for iOS, SMS/MMS Messages, Call Logs, Kik Messenger for Android]
- Android MMS: If there are multiple attachments within an Android MMS message, all of them are now recovered. The additional attachments are only available if the source evidence is an Android logical acquisition that was created by Magnet AXIOM or Magnet ACQUIRE.
- Skype Chat Messages: Now supports the recovery of the attachment file name and file size and added carving support for the latest versions [Skype 7.4 and 11.19+ for Windows, Skype 7.58 for macOS]
- Skype Calls: Updated carving support so that calls can be recovered in the latest versions [Skype 11.19.865 for Windows, Skype 7.58 for macOS]
- Facebook Messenger: You can now recover the latitude and longitude associated with messages [Messenger 127.0.0.18.81 - 145.0.0.25.203 for Android]
- iOS 11: Now includes support for displaying previews of HEIC files.
- Android Messages: Improvements to how attachments are recovered and displayed [Android Messages 2.2, 2.3]
- Android SMS: Updated carving support.
- Android Accounts: Updated support for Nougat Accounts information.
Cloud artifacts
- You can now add more cloud evidence directly from AXIOM Examine, using passwords and tokens recovered by the program.
- SharePoint: Retrieve lists and list items from sites.
- SharePoint: Recovery of Pages sub-service, and ability locate a specific Page by pasting its URL into the search bar.
- Google: Ability to select sub-services such as activity, timeline locations, connected apps, recent devices, and passwords, and acquire them from a Google account.
- One Drive: Select single folders.
AXIOM Process features
- Powershell 5.1 is now installed with Magnet AXIOM if the system doesn't have a recent enough version of Powershell. Installing Powershell forces a restart of your computer so the changes can take effect.
- You can now use a known password to decrypt a McAfee encrypted computer image.
- When acquiring advanced Android images, you can now select "Other" if the device manufacturer isn't listed.
- New recovery methods have been added that allow AXIOM to bypass the lock on some LG devices and create a physical image.
- Advanced MTP recovery methods have been implemented that allow AXIOM to image some versions of Samsung devices that are locked.
- When acquiring a quick image of a mobile device, imaging activities are now available in the image log file. This includes information about what was successfully acquired and what failed to acquire.
AXIOM Examine features
- AXIOM Examine and AXIOM Process now feature fully localized interfaces in all supported languages. Artifact names and fragments are also translated.
- You are now able to add new Cloud evidence to a case using a password or token that gets recovered from the Cloud Passwords and Tokens artifact.
Fixed issues
- Only the first 140 characters of Twitter Direct Messages were appearing in AXIOM Examine, followed by an ellipsis. -CAO-1074
- Sometimes, when acquiring Twitter Users from a Twitter account, the user would receive an error. -CAO-1073
- Sometimes, AXIOM would crash while waiting for SharePoint content from a large account to load. -CAO-1058
- Some Microsoft services were not appearing as options to select while setting up a cloud acquisition. -CAO-1034
- Sometimes, when the server was unavailable while attempting to acquire a Microsoft account, AXIOM would have an error and the acquisition wouldn't be completed. -CAO-1031
- When you ran a cloud acquisition using a system that did not have Powershell installed, you were not able to recover Office 365 Audit Logs. Now, Powershell is included in the AXIOM installation if it's missing from your system. -CAO-1030
- When opening, the program would take a significant amount of time to load. -AXP-2916
- Files recovered from the $Recycle.bin area were previously marked as inaccessible to the user, but are now accessible. -AXP-2810
- Sometimes issues might occur while attempting to parse the SOFTWARE registry hive. -AXP-2683
- When scanning encrypted or unencrypted Cellebrite images, an error message appeared even though the search returned valid hits. -AXP-1917
- Sometimes, when AXIOM Process and AXIOM Examine were being run at the same time, the user would receive an error. -AXE-5202
- In the File system explorer, Microsoft Office Excel (.xlsx), Word (.docx), and Powerpoint (.pptx) documents weren't showing previews. -AXE-5143
- AXIOM Examine didn't show some recovered Android SMS/MMS attachments in the chat thread previews. -AXE-4456
- Certain Usenet files were failing to be exported.
-AXE-4395
- Sometimes, previews of artifacts in the Rebuilt Webpages category loaded slowly or failed to load. -AXE-4250
- Sometimes, when acquiring an image of an iOS device, the program would crash and the user would receive an error stating that Imaging may not have completed successfully due to a null value on the acquisition path. -MMI-769
- Sometimes, agent data would not be acquired during Samsung quick imaging. -MMI-765
- One of the resource files in Magnet AXIOM, that contains the list of known malware URLs, was being quarantined by Antivirus programs. Because the file was no longer in the correct folder, Magnet AXIOM would crash. The resource files should no longer be quarantined. -ARTC-309
- Samsung Text Logs can now be found in the Chat category when you view evidence (previously located under Mobile).
-ART-9249
- In some cases, carving for EML artifacts was off, resulting in some emails being missed. -ART-9139
- iOS iMessage, SMS, and MMS: Recipient and Sender fragment data was appearing multiple times. -ART-7736
- Japanese and Korean characters were not appearing correctly in certain Operating System and Internet Explorer artifacts. -ART-3330
Known issues
- When you process an encrypted iTunes backup and provide the password to decrypt it, the data might still appear in its encrypted form in AXIOM Examine. Workaround: Extract the iOS image from the compressed container to a different location on your computer. In AXIOM Process, perform a File and Folders scan. (In the EVIDENCE SOURCES section, click MOBILE > IOS > LOAD EVIDENCE > FILES and FOLDERS.)
- Magnet AXIOM crashes when out of disk space. Workaround: Check the amount of disk space available for the case and acquisition directories before you start processing.
- In older versions of AXIOM Examine (earlier than 1.1.0), if you attempt to open a case that was processed using AXIOM Process version 1.1.0 or later, you may experience unexpected results.
- In some situations, antivirus software is known to prevent Magnet AXIOM from creating a portable case. For example, if Malware URLs are part of the evidence being exported, the portable case might not get created successfully. Workaround: Turn off the antivirus software and create the portable case. Turn on the antivirus software again.