AX300 Advanced Mobile Forensics Microlearning
Magnet Axiom Advanced Mobile Forensics (AX300 Microlearning) details the use of Magnet Axiom’s advanced mobile analysis capabilities. Students will learn advanced analysis techniques and leverage Magnet Axiom Examine to become proficient in investigating advanced aspects of full file system extractions of both iOS and Android devices.
Description
Magnet Axiom Advanced Mobile Examinations (AX300) is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to improve their mobile device investigations.
This course details the use of Magnet Axiom’s advanced mobile analysis capabilities. Students will learn advanced analysis techniques and leverage Magnet Axiom Examine to become proficient in investigating advanced aspects of full file system extractions of both iOS and Android devices. These lessons will build the participants’ ability to understand more advanced concepts of iOS and Android, such as advanced media analysis, pattern of life artifacts (including Biomes), third-party application analysis and social media platforms. This will all be conducted using analysis of multiple different file types including system logs, Plist files and SQLite databases.
Microlearning is designed to be consumed in very short lessons for those who are on the go and have little time to dedicate hours or days to learning. Single, self-contained lessons are the core of this learning modality.
What to expect
Micro lessons
Course introduction and scenario – Welcome to the course! In this topic, we will discuss the current landscape of mobile device forensics. We will cover file storage types and detail the course scenario that underpins the rest of the topics.
Understanding the file system structure & acquisition of the iOS file system – See how the iOS file system is structured while discussing traditional acquisition methods of the file system.
Identifying previous device wipes – Very few items persist on an iOS device after a factory reset. Discover how you can identify previous iOS device resets.
Apple Directory Services Identifier – Unique identifiers are key; discover the use cases of Apple’s DSID.
Apple advanced data protection for iCloud – Apple has continued to release enhanced privacy and security features, one of the latest being Apple advanced data protection for iCloud. Learn how this feature could impact your data returns.
FindMy artifacts – Apple's FindMy network empowers users to track their devices and items in the event of loss or theft. Students will discover what artifacts are derived from the FindMy data on an iOS device.
Apple CarPlay – The iPhone is now an extension of vehicle infotainment systems in supported vehicles. Discover what artifacts can be recovered surrounding CarPlay.
Apple Health – iOS devices have become a treasure trove of health-related data. From steps, workouts and heart rate, Apple Health can provide an additional layer of insight towards any investigation. Students will learn what artifacts are derived from Apple Health and the SQLite databases storing the data.
Snapshots & device wallpapers – Snapshots of applications sent to the background as part of iOS’s multitasking are another datapoint for iOS examinations, and the device wallpaper could be within your investigative scope. Students will learn about the origin of these artifacts and how they’re stored and presented within AXIOM.
Photos media information – Photos on an iOS device can take on additional attributes, such as hidden, favorites, placed in an album, or imported by third-party applications. In this topic, see how an iOS device is handling this data within the Photos.sqlite database and how this comes together in an artifact.
iCloud Shared Photo Library – Alongside Photos media information, media on an iOS device could be within the iCloud Photo Library ecosystem, where media can be synced between devices and is primarily stored within iCloud. Discover how to identify iCloud Shared Photo Library media.
WebKit browser web history – WebKit is a browser engine created by Apple. While it powers other browsers, it serves a unique function within iOS devices through in-app browsing. Learn more about the WebKit browser web history artifact.
iCloud Private Relay – Apple has recently introduced iCloud+, and with it comes a variety of features only available to subscribers. This includes what is essentially a VPN within the Safari browser. Students will learn about iCloud Private Relay, its functionality, and potential impacts to investigations.
KnowledgeC – Prior to iOS 16, KnowledgeC data, which was primarily stored within a database, was the go-to area for discovering rich pattern-of-life data about an iOS device. KnowledgeC is still in use, and it is explored in this topic.
Biomes – From iOS 16 onward, the majority of the pattern-of-life data stored in KnowledgeC has migrated to Biomes, which has enabled even more artifacts than were previously available from KnowledgeC. In this topic, students will examine these artifacts and the new SEGB files that store this data.
Biomes continued – This topic continues the in-depth discussion of pattern-of-life data stored within Biomes on iOS 16 devices and newer.
AirDrop – Within the Apple ecosystem, devices are also able to create an ad-hoc network for file and media sharing called AirDrop. Students will discover the functionality and parameters around AirDrop and the artifacts within Axiom.
PowerLog – iOS devices track battery usage across the device, which applications are using the battery and certain components of the device, along with total amounts of data being transmitted or received. In this topic, students will explore PowerLog artifacts and the data therein.
Third-party application analysis (installed apps & permissions) – Being able to recognize characteristics of third-party applications is critical when evaluating applications. Establishing characteristics of these applications, such as identifiers and permissions, will be discussed.
Third-party application analysis (finding the data) – Once you’ve built a profile around an application’s characteristics, being able to identify where the application data is stored within the file system helps with manual examination of the data should it be deemed necessary. Students will explore how to manually examine applications from the file system in this topic.
iOS Files app – Since iOS 13, the iOS Files app has been present, enabling users to store files locally on their iOS device, in iCloud Drive, or through third-party cloud storage providers. The iOS Files app will be discussed along with its usage.
iCloud Drive – iCloud Drive allows users to store content in the cloud. This topic will explore the differences in iCloud Drive storage, such as files stored in iCloud but not available on the local device.
Common iOS applications & LinkedIn – In this module, students will learn about popular iOS applications expected during examinations. This topic will also cover the first communication/social networking artifacts of interest in our scenario, LinkedIn.
Discord – With a wide user base, Discord is a popular communication application for millions of users. Students will discover how AXIOM handles iOS Discord artifacts.
Telegram – Telegram, with an international appeal, has maintained a large user base allowing direct and group communication between users. How Axiom handles these artifacts will be covered.
WhatsApp – As one of the world’s most popular chat applications, owned by Meta, WhatsApp, with its native end-to-end encryption, has remained consistently a top messaging application. Students will discover how WhatsApp artifacts are handled within Axiom and how they’re stored within the file system.
Snapchat – Students will discover the functionality of the Snapchat application and how Axiom handles artifacts derived from the application.
Acquisition of the Android file system – In this first Android topic, students will discuss the acquisition of the Android file system and the requirements that must be met in order to accomplish an acquisition.
Understanding the full file system structure – During this topic, students will explore the file system structure of the Android operating system and the particular directories of interest while examining Android devices.
Android users & secure folder – Android enables devices to have multiple users with separate applications and user preferences. Additionally, the Secure Folder functionality of Samsung devices allows users to further encrypt their data in isolated segments of the file system. This topic will discuss how these attributes are displayed in Axiom and considerations around them.
Previous device wipes & device information – Being able to determine when an Android device was previously factory reset or set up empowers the examiner with time-focused data to place into a timeline of interest. Discover the artifacts around reset and activation times.
Android device information – This topic discusses the general Android device information including identifiers, advertising ID, timezone information, and more.
Connected devices – Bluetooth devices such as vehicles and wearables can provide additional datapoints for an investigation.
Accounts information – Android devices can maintain account information, should the application be given adequate permissions by the developer. See the difference between credential-encrypted and device-encrypted account information.
Samsung device health services – Unique to Samsung devices, Samsung provides an application that purely tracks battery usage, CPU usage, and network usage. How this data can be attributed to particular applications and their usage will be discussed.
Gallery and media files – Exploration of the DCIM directory is a common starting point for media files that exist on an Android device. This data, along with Motion Photos and a comparison of how applications can freely store data within this directory, will be demonstrated.
Web-related (Chrome) – Web browsers have fairly similar functionality but may vary in particular features based on the development of the browser. Considering that many browsers are built on Chromium, we will start by exploring Chrome-related web artifacts on an Android device.
Web-related (Samsung browser & Brave) – Two additional web browsers, and the similarities between them, will be explored in this topic. Web browsing looks different on Android because, depending on the manufacturer and Android OS version, devices will have different default browsers. This topic will discuss the similarities and differences between web browsers.
Gmail – Developed by Google, Gmail continues to be one of the most popular email services globally, especially on Android devices where Gmail is default. This topic will cover artifacts derived from Gmail and the way they are stored within the File System Explorer.
Messaging on Android – SMS and MMS messaging on Android differs considerably from iOS, as the user may have multiple applications that handle SMS/MMS messaging over the lifespan of the device. RCS messaging and the mmssms.db database will be discussed in this topic, along with how the Android device stores messaging data not only in the databases of the applications but also separately by the device itself.
Other files of importance & application activity – When applications are sent to the background, image snapshots are created and recoverable within Axiom. This, and other directories of importance from the Android file system will be discussed.
Google Play Store & Installed Applications – Being able to identify installed applications on an Android device and how they were downloaded is often the first step in examining both first- and third-party applications. In this topic, students will explore the Installed Applications artifact and Google Play Store-related artifacts, including searches within Google Play, Google Play installations, and how to identify applications installed from alternative sources.
App permissions and folder structure – Building a “profile” around characteristics of third-party applications including app permissions is critical to establish whether or not you must manually examine the app’s data from the file system.
Google Files application – Similar to the previously discussed iOS Files application, the Google Files application offers users the ability to manage files on their device, with the inclusion of additional features such as “Clean Up Junk” and “Nearby Share”, which is similar to AirDrop. The Google Files application has to be examined in the same way as an unsupported third-party application, which will be discussed in this topic.
Intro to third-party apps, Facebook Messenger, and Instagram – Common third-party Android applications will be discussed in this topic and how Magnet Axiom presents the data therein, starting with two Meta-owned applications: Facebook Messenger and Instagram.
WhatsApp – Discover how Magnet AXIOM organizes WhatsApp messages, group chats, and account information.
Signal & Android location information – See how Magnet Axiom handles Signal-related artifacts and Android location information.
Cloud service providers – Certain cloud providers could have additional features not present on other platforms. While Mega is an end-to-end encrypted cloud provider, the service also maintains Mega chat, which will be explored.