Introduction of Magnet Tool

In today’s digitally connected world, forensic investigators and cybersecurity professionals rely heavily on tools that can extract and analyze data from a variety of digital sources. Among the most powerful and versatile of these are magnet tools. These tools are essential for gathering forensic evidence from a broad range of devices, including RAM (Random Access Memory), mobile devices, and web browsers. Whether it’s to uncover volatile data from a running system, extract information from a mobile device, or reconstruct a user’s online activity through browser data, magnet tools serve as indispensable aids in the forensic investigation process.

These tools work by extracting data from different devices and environments in a way that ensures forensic integrity, allowing investigators to piece together evidence for use in legal cases or cybersecurity incidents. This comprehensive approach enables professionals to recover everything from deleted messages to browsing histories, giving them a detailed picture of what was happening on a particular system or device at a specific time.

Utility of Magnet Tools

Magnet tools are used in three main areas of digital forensics:

  1. RAM Forensics:
    • RAM (Random Access Memory) holds temporary data that is crucial for understanding what was happening on a system before it was shut down. RAM forensics is used to capture volatile data, including running processes, network connections, encryption keys, and other sensitive information that would otherwise be lost when the machine is powered off.
  2. Mobile Forensics:
    • Mobile devices store vast amounts of personal data, including call logs, messages, photos, videos, GPS locations, app data, and social media activity. Mobile forensics is used to extract this data from smartphones and tablets, allowing investigators to recover both active and deleted data, including potentially encrypted files.
  3. Browser Forensics:
    • Browsers hold a wealth of information about a user’s online activities, from their browsing history and cookies to login credentials and cached files. Browser forensics is used to extract and analyze this data to help investigators reconstruct a user’s online behavior.

Utility of RAM Forensics

RAM forensics is a key part of incident response and forensic analysis because it allows investigators to capture data that would otherwise be lost. The data stored in RAM is highly volatile and is wiped once the system is turned off, making it essential to capture this information while the system is still running. This data can include:

  • Running Processes: Information about processes that were actively running at the time of the capture.
  • Network Connections: Details of open network connections, including IP addresses and ports, which can help trace network activity.
  • Decryption Keys: Sometimes decryption keys for encrypted files or communications are stored in RAM, allowing investigators to decrypt otherwise inaccessible data.
  • Credentials: Passwords and other sensitive information that may be temporarily stored in plaintext in memory.

Use Cases: RAM forensics is often used in malware analysis, investigating cyberattacks, and detecting unauthorized activities on a system. For example, if a system is compromised by malware, investigators can analyze the RAM to understand how the malware operates, what processes it has launched, and which files it has accessed.


Utility of Mobile Forensics

Mobile devices have become one of the primary sources of data in criminal and cybersecurity investigations. They store a vast amount of personal and transactional data that can provide crucial insights during an investigation. Mobile forensics focuses on extracting data from smartphones and tablets and can recover:

  • Call Logs and Messages: Details of calls made and received, SMS messages, and multimedia messages.
  • App Data: Information from installed apps, including social media, email, and messaging apps, which can reveal communication patterns.
  • GPS Data: Location data that can track the movements of a user over time, often crucial in criminal investigations.
  • Deleted Data: Even data that has been deleted from a device can often be recovered, including deleted messages, files, and app data.

Use Cases: Mobile forensics is often used in law enforcement investigations, where it can help track criminal activity or prove a suspect’s location at a given time. It is also used in cybersecurity investigations, where mobile devices may have been used as part of a larger cyberattack.


Utility of Browser Forensics

Browsers are the gateway to the internet, and as such, they store a vast amount of data about a user’s online activities. Browser forensics focuses on extracting and analyzing this data to help investigators reconstruct a user’s browsing history, downloads, and online communications. The data that can be extracted includes:

  • Browsing History: The list of websites visited, which can provide a timeline of a user’s online activity.
  • Cookies: Small data files that track a user’s activity across the web, which can reveal which websites a user has interacted with.
  • Login Credentials: Saved usernames and passwords for online accounts, which can provide access to additional data sources.
  • Cached Files: Temporary files that were downloaded during web browsing, which can include images, videos, and other content.

Use Cases: Browser forensics is often used in fraud investigations, where online transactions need to be traced. It can also be used in cases involving illegal downloads, intellectual property theft, or to uncover the browsing habits of employees suspected of violating company policies.


How Magnet Tools Work

1. RAM Forensics: How It Works

  • Live Capture: When performing RAM forensics, magnet tools are used to capture a live snapshot of the data stored in the memory of a running system. This process involves the extraction of all the data that is currently in RAM. Once the snapshot is taken, the system’s power can be turned off without losing the volatile data.
  • Data Parsing: After the RAM data is captured, it is parsed to identify key artifacts such as running processes, network connections, open files, and encryption keys. Specialized analysis tools like Volatility or Rekall are often used in conjunction with magnet tools to analyze the raw memory dump.
  • Forensic Analysis: Investigators can then analyze the extracted data to look for signs of malware, running processes, or any unauthorized network connections. They can also search for decryption keys or other sensitive data stored temporarily in RAM.

Example: If a machine has been infected with malware, RAM forensics can help capture the memory of the system to reveal the malware’s active processes, giving investigators insights into how the malware operates and what data it might be accessing or transmitting.
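The data-parsing step above (pulling network artifacts out of a raw memory dump) as an added example that is not part of the original article or of Magnet’s or Volatility’s own code. The memory image is a constructed byte buffer, and the point it makes is that Windows keeps most in-memory strings as UTF-16LE, so an ASCII-only scan misses them:

```python
import re
from dataclasses import dataclass

# Constructed stand-in for a raw memory image (not a real capture): padding
# around one ASCII artifact and one UTF-16LE artifact, the encoding Windows
# uses for most in-memory strings and one a plain ASCII scan would miss.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"GET http://203.0.113.10/update.bin HTTP/1.1\r\n"
    + b"\xff" * 8
    + "192.0.2.55:4444".encode("utf-16-le")
    + b"\x00" * 16
)

URL = re.compile(r"https?://[\w.-]+(?::\d+)?(?:/[\w./?=&%-]*)?")
IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")


@dataclass(frozen=True)
class Artifact:
    offset: int    # byte offset of the match inside the image
    encoding: str  # "ascii" or "utf-16-le"
    kind: str      # "url" or "ipv4"
    value: str


def printable_runs(image: bytes, encoding: str, min_len: int = 4):
    """Yield (byte offset, text) for printable runs in the given encoding."""
    if encoding == "ascii":
        pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    else:  # UTF-16LE: each printable ASCII char is followed by a NUL byte
        pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in pat.finditer(image):
        yield m.start(), m.group().decode(encoding)


def carve_network_artifacts(image: bytes) -> list[Artifact]:
    """Locate URLs and IPv4[:port] strings in both encodings, with offsets."""
    found = []
    for encoding, width in (("ascii", 1), ("utf-16-le", 2)):
        for base, text in printable_runs(image, encoding):
            for kind, pat in (("url", URL), ("ipv4", IPV4_PORT)):
                for m in pat.finditer(text):
                    # scale the character index back to a byte offset
                    found.append(Artifact(base + m.start() * width, encoding, kind, m.group()))
    return sorted(found, key=lambda a: a.offset)


if __name__ == "__main__":
    for a in carve_network_artifacts(SAMPLE_IMAGE):
        print(f"0x{a.offset:08x} {a.encoding:9} {a.kind:4} {a.value}")
```

The offsets are what you would feed back into a memory-analysis tool to find which process or allocation owns the string.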

Let’s start the tool:

Download Magnet RAM Capture from the official Magnet AXIOM website.

After installation you will see this interface; fill in the requested details.

Read the agreement and accept it.

This is the main user interface of Magnet RAM Capture.

Next, specify the path where the RAM image will be saved.

The capture can be split into segments of one gigabyte.

With these settings in place, start the capture.

Once it completes, you have an image of the system’s RAM.

2. Mobile Forensics: How It Works

  • Data Extraction: Magnet tools connect to mobile devices via USB, Wi-Fi, or by accessing cloud backups. The tool can extract both user data (contacts, messages, call logs) and system data (app logs, GPS data, etc.). Depending on the level of access, the tool may use logical extraction (copying available data) or physical extraction (creating a bit-by-bit image of the entire storage).
  • Logical vs Physical Extraction:
    • Logical Extraction: This method extracts accessible data like photos, messages, and app data without accessing the underlying file system.
    • Physical Extraction: This involves creating an image of the device’s entire storage, allowing access to deleted files, encrypted data, and more.
  • Decryption: Magnet tools are often capable of bypassing encryption or recovering encrypted data, making them invaluable in cases where the suspect has tried to hide or protect sensitive information.

Example: In a criminal investigation, investigators might use a magnet tool to extract data from a suspect’s smartphone, recovering deleted messages or extracting GPS data to track the suspect’s movements.

Let’s start mobile forensics with the free Magnet AXIOM tool.

First, go to the official Magnet AXIOM website to install it.

Connect the device to the computer on which you are running the application, select the device you want to analyse, and press NEXT.

Then select the Full option for the image type; this will attempt to root the device and then capture a full image of the disk.

Press Next, then Acquire, and the capture will begin.

Once the capture is finished, each category will show Successful.

You can load this disk image into your analysis software of choice, such as Autopsy, and examine it there.


3. Browser Forensics: How It Works

  • Data Acquisition: Magnet tools gather browser artifacts such as browsing history, bookmarks, cookies, saved login credentials, and cached files from web browsers like Chrome, Firefox, and Safari.
  • Reconstruction: The tool then organizes the extracted data into a timeline, allowing investigators to reconstruct the user’s online activities. This includes websites visited, searches made, and files downloaded.
  • Keyword Search: Magnet tools allow investigators to search for specific keywords or filter data by date and time to focus on the most relevant information.
  • Cross-Browser Analysis: These tools support the analysis of data from multiple browsers, ensuring that no important information is missed regardless of the browser the user was using.

Example: During an insider threat investigation, investigators can use a magnet tool to analyze the suspect’s browsing history to uncover suspicious downloads, visits to unauthorized websites, or interactions with competitors.
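The reconstruction, keyword-search and date-filter steps above, as an added example that is not part of the original article or of Magnet’s own code. Chrome’s History file is SQLite, and its visit times are microseconds since 1601-01-01 (the WebKit epoch), so the timeline is wrong unless they are converted; the sample database below is constructed in memory with a subset of the real schema:

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History file is SQLite; visit times are microseconds since
# 1601-01-01 UTC (the WebKit epoch), not Unix time.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def iso_to_webkit(iso: str) -> int:
    """Integer arithmetic on purpose: the value (~1.3e16) exceeds float's exact range."""
    td = datetime.fromisoformat(iso) - WEBKIT_EPOCH
    return (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a History file (subset of the real schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    rows = [  # (url id, url, title, visit time): fabricated sample data
        (1, "https://mail.example.com/inbox", "Inbox", "2024-10-14T09:00:00+00:00"),
        (2, "https://files.example.net/dl/payroll.xlsx", "payroll.xlsx", "2024-10-14T09:05:00+00:00"),
        (3, "https://competitor.example.org/careers", "Careers", "2024-10-15T18:30:00+00:00"),
    ]
    for uid, url, title, ts in rows:
        con.execute("INSERT INTO urls VALUES (?, ?, ?)", (uid, url, title))
        con.execute("INSERT INTO visits (url, visit_time) VALUES (?, ?)", (uid, iso_to_webkit(ts)))
    return con


def timeline(con, keyword=None, start=None, end=None):
    """Visits joined to URLs in time order; keyword and ISO date-range filters are optional."""
    sql = ("SELECT v.visit_time, u.url, u.title FROM visits v "
           "JOIN urls u ON u.id = v.url WHERE 1 = 1")
    params = []
    if keyword:
        sql += " AND (u.url LIKE ? OR u.title LIKE ?)"
        params += [f"%{keyword}%", f"%{keyword}%"]
    if start:
        sql += " AND v.visit_time >= ?"
        params.append(iso_to_webkit(start))
    if end:
        sql += " AND v.visit_time < ?"
        params.append(iso_to_webkit(end))
    sql += " ORDER BY v.visit_time"
    return [(webkit_to_datetime(t).isoformat(), url, title)
            for t, url, title in con.execute(sql, params)]
```

Against a real profile, work on a copy of the History file (the running browser holds a lock on the original) and open it read-only with `sqlite3.connect("file:History?mode=ro", uri=True)` so the evidence is not modified.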

Let’s start the practical:

  • We are going to run through the setup and use of the new Google Chrome authenticator that was added in AXIOM 6.0. I’ve opened AXIOM Process, started a new case and named it “axiom google chrome authenticator”.
  • Move to Evidence Sources; because we are collecting from the Google cloud,
  • click on Cloud and then Acquire Evidence.
  • Make sure you have proper search authorization: this is a reminder that you need either consent or a warrant before collecting somebody’s cloud information.
  • Click on Google.
  • Here is the new Google Chrome authentication; click Next.
  • A new window will open.
  • This is an incognito window that we will navigate through. We need to download the new extension from Magnet Forensics, and it should only be downloaded as part of this workflow.
  • Click the three dots, then Extensions, to open the extensions page.
  • Click the three lines and, at the very bottom, open the Chrome Web Store.
  • Within the Chrome Web Store, search for Magnet Forensics.
  • Here is the Magnet Cloud Authenticator.

Click on it and add it to Chrome.

Once it has been added to Chrome, we do not want to turn on sync, so cross that out. Then click back to the extensions page.

Go to the authenticator extension.

Click Details, scroll to the bottom and click Allow in Incognito. Once you have done this,

close this set of windows, go back to the original authentication window and hit Refresh.

At this point it allows us to sign in to a Google account, so I’m going to enter the email and password for the Google account I want to collect from.

Here it shows everything this will allow you to collect from the Google account. Google asks you to confirm that you trust Magnet Forensics to collect all this information; click Allow.

The account is now authenticated; close the browser and return to AXIOM Process. As a warning, don’t open any other tabs in this window: anything you open could be written to that user account.

It will continue signing in. Once you’re in, you can select the data you would like to acquire.

We are going to collect everything from the Google account.

Select all account activity, Google Drive activity and the Google apps, which include Gmail messages, Google Photos, Hangouts and even the Calendar, then hit Next.

You can also select a specific date range if you have a limited search to conduct.

Once you hit Next, you’ll see that everything is ready to process; if you need to add any additional information to be collected, you can.

Go through the Processing, Artifact Details and Analyzing Data steps,

and begin processing.

Once processing is complete, you’ll see that the scan has finished and you can open Examine.

Hop over to the Artifacts view and begin examining the results we’ve collected.

Conclusion

Magnet tools have revolutionized digital forensics by providing a comprehensive way to capture, extract, and analyze data from various sources like RAM, mobile devices, and web browsers. These tools are invaluable in law enforcement, cybersecurity, and corporate investigations, enabling professionals to uncover crucial evidence that may have otherwise been lost or hidden. Whether it’s capturing volatile memory data during a cybersecurity breach, extracting messages and app data from a mobile device in a criminal investigation, or reconstructing a user’s web activity for a fraud case, magnet tools empower investigators with the insights they need to uncover the truth and take informed action.
