How To Parse AirDrop Artifacts In Magnet AXIOM

Hey everyone, Trey Amick from Magnet Forensics here. Today we’re going to be looking at a new set of artifacts specific to Mac investigations, which will be released as part of the AXIOM 3.8 release.

Today we’re going to be looking at dedicated AirDrop artifacts that AXIOM can now parse out. AirDrop is a service for Apple’s iOS and MacOS operating systems, introduced back in MacOS 10 Lion and iOS 7. So it’s been around for a little bit.

As we know, AirDrop allows for the transfer of files between Mac computers and iOS devices over wifi and Bluetooth connections.

I’m going to start first in AXIOM and we’re going to look at how we’ve been handling AirDrop investigations and some of the artifacts that we’ve used to work through those investigations.

Right now I’m looking at the Quarantined Files artifacts that we have, and I’m looking here and you can see that we have a sharingd event that’s listed as part of the application. And when we look, we can see that we have a quarantine file identifier. And as we scroll over, we get a little bit of information, such as the sender’s name.

So it gives us a little bit of information, knowing that there’s been some AirDrop activity on this system.

Then I’m going to jump from Artifact view on over to File System view. And in File System view I’ve selected just a random jpg, and when I look down the right-hand side on the details panel, we get a lot of good information just from the spotlight attributes. And as we keep scrolling down, way down here, you can see we have some information such as the kMDItemUserSharedReceivedTransport, and you can see we have the com.apple.AirDrop.

So that’s telling us that this file was moved to this computer via AirDrop. So good information, and this is how we’ve typically been working AirDrop investigations for the past several years.

Now we’re going to be taking it a step further, just from… instead of looking at the extended attributes and spotlight metadata in the Quarantined Events database, or looking at the specific log, we’re now actually going to go ahead and dive straight into the new artifacts that we have inside of AXIOM.

So I’ve got a separate case open, and as you can see on the left-hand side we have several different new AirDrop artifacts. And we’re going to start with Discoverability.

And here you can see we have it set, whether it’s been for everyone, whether it’s been turned off, whether AirDrop has been turned on for contacts only. So now you can see when people are switching their AirDrop discoverability based on how they’re manipulating their system.

It’s important to note that AirDrop will actually toggle the status without any sort of activity from the user. So keep that in mind, so when you’re looking through here, if you’re seeing pieces in here that are going from ‘Everyone’ to ‘Off’ with about a one-second delay, as you can see right here, that’s probably going to be indicative of the system doing that, not the actual suspect or the individual that you’re investigating. So you’re going to need to pay attention to these timestamps to see what’s going on here. But we want to make sure that we provide all of that data. So just keep that in mind when you’re looking at the Discoverability artifact that we now have.

Moving on down, we have AirDrop incoming transfers. What’s great about this is, you can see we have item types here; we have the number of items being sent via AirDrop, because obviously someone can select more than one file to send in AirDrop at a time. You can see whether it’s a file or not; you get the sender information, the sender device; and the destination, whether it’s going to Photos or to their Downloads folder. So you get a lot of information here. So let’s take a look at some of this.

Also, one other area I want to point out is, you can see the status here. What’s important about this is, as you can see, we have incomplete; we have accepted; we have declined. So good information to know what’s going on there when you’re trying to determine how those files are being moved.

We’ve selected one of those files; let’s look on the right-hand side here, you can see the destination folder of where that would be. As a part of this, you can actually see obviously the user that was associated with that AirDrop and where it was going to be saved to, and as you can see here this was shown as incomplete.

You can also see the transfer start and finish times, along with the sender ID that we have, and obviously you can build connections off this. You can also build relative time filters off this as well, which is great.

As a part of our AirDrop artifacts we are actually just pulling out bits and pieces of the log that are important to this particular account. So as you can see, for this one we do have the information for you to validate.

So as you can see, as part of the transaction log we have the information that we’re pulling the transfer start information from, and the sender ID log as well, so good information to have for your investigations.

Let’s click on another one: let’s go ahead and click on ‘Accepted’. And you can see we have a little bit more information. You can see we have the sender’s name; we have the sender’s device; where it was downloaded to; obviously we have the transfer start time and end time as well, which once again, those timestamps are going to be based off the UTC of the first entry of the log for this AirDrop artifact, and the last entry of the log for this particular piece of evidence.

We can see whether or not it was… if I was the sender, or if we had it set to auto-accept from those senders. And as you look through here you get all the raw data that we’ve pulled out of this piece of evidence.

Moving along, let’s look at the AirDrop outgoing transfers. So really good information in this artifact as well; let’s put this as to why this might be important here for your investigation. So perhaps you’re looking to see if maybe, in a corporate scenario, your individual exfilled data from your company that might be privileged information. For law enforcement, once again, how are files being used? Whether they be contraband or something that’s illegal, or [indecipherable] activity. This can be a really easy way to find this out.

So here we’ve got, as you can see, the item names – we actually get the file names associated with that – and if we click on here, you can see we’ve got a jpeg, we can see that this is, we’ve desgnated this as a jpeg. Whether or not this is a file, we can sometimes get some of the recipient information, along with the device and the status.

Now what’s important about the status here: you have accepted, and you also have declined/incomplete. Unfortunately, we cannot differentiate between cancelled, declined and timed-out transfers, so we go ahead and label all those as a declined/incomplete. So we don’t know whether that transfer just timed out, or if the user specifically declined that. But we went ahead, and you can see when it is accepted versus not being transferred, so we do have that information there.

But for this jpeg, let’s go ahead and look on the right-hand side here, and see some of the information we have. As you can see, just like with the incoming transfers, we have the transfer start and end times; once again, that’s going to be based off the UTC time of the first log entry and the last log entry.

And as we scroll down here we get the transaction ID, and we can also see the log information for the files that were being transferred for this. So here you can see this was a jpeg; we also can see that as a part of this we do have a video that was transferred as well: this BAD_VIDeo.MP4, which once again if we’re looking inside this artifact we can see here is that same MP4.

So we went ahead, even though this AirDrop piece of evidence for this transaction log actually had multiple pieces of evidence in it, we went ahead and separated out those pieces of artifacts for you.

So some really good information here. It’s also important to note, when we’re looking at the details panel here, we see this verifiable identity. This is going to be important, because this is – for outgoing transfers – this is going to be a flag that’s set by the system, whether or not the recipient is a contact or not. So if they’re not a contact, the system will show as a no, and if the recipient is a contact, you will actually see this as a verified contact. So keep that in mind as well, when you’re looking at these AirDrop transfers.

As we’re looking at these outgoing transfers, you can also see here we have a folder with pictures. And as this is classified, this is not a file, this is a folder, and when we look at this in the details panel you can see we do show you the file name, which is obviously the folder name of another folder with pictures. So keep that in mind.

And looking down here as well, we can also see here we do have a zip archive that is classified as a file. And when looking at this, we do show you the raw data once again of what that file name is. So it’s great that you can see this information broken out in column view, but that we also give you the ability to actually look inside the transaction log to get all that raw data that you might want to look through manually.

Lastly, let’s go ahead and look at the AirDrop background activity. And this is going to be basically a running list of everything that’s been going on from the unified log, as you can see here where we’re pulling that from, the trace v3 log.

And looking through here you can see, when we’re looking for the scanning mode, which obviously we have a separate artifact for, but this is basically just going to be a separate log of everything that was going on, that was AirDrop activity in the back end.

So keep in mind that this is good activity to kind of scroll through to see what’s going on as far as the scanning mode’s been changed. Let’s keep looking here, where you can see the AirDrop server has been enabled, and what port it was enabled on as well for your system.

And you can also see, as we’re looking through here, the AirDrop connections and when those have been closed.

So once again, this is a great set of artifacts for your Mac investigations. And this will be for Mac-to-Mac AirDrop, or for iOS-to-Mac AirDrop activity right now. We will be looking at adding iPhone-to-iPhone AirDrop activity, we will be doing some further research on that, but for right now this will be Mac-to-Mac or iPhone-to-Mac for AirDrop activity. So keep that in mind.

Hope you enjoyed, and we’ll see you next time. Thanks.

Leave a Comment