How To Use Magnet AXIOM In Mac USB Investigations

Hey everyone, Trey Amick from Magnet Forensics here. Today we’re talking about Mac USB investigations, and what happens when we’ve been alerted that a USB has been inserted into an end point.

Different organisations handle USB policies differently. Some have alerting mechanisms in place for when USBs are detected, while others may encrypt the drive when it’s inserted into the end point. Other organisations may block the external drive from being mounted altogether, or may only allow specific external drives to be used by employees. Lastly, we have some organisations that tell staff it’s against policy to use USBs, but don’t take any additional steps to further protect the end point.

The different evidence [inaudible], but depending on the organisation you may be faced with identifying a USB that’s been inserted into a Mac in question for a possible data exfil. This investigation hinges on possible insider threats, where the associate may have attempted to copy files to a USB.

Here we have a MacBook Air image already processed in AXIOM. We’re going to go ahead and check the OS information. We can identify that for our report by going to the Artifacts view; we’ll navigate on down to Operating System, and we will look for ‘Operating System Information.’


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

We can confirm that it’s 10.14.4 – I’m going to go ahead and add this as a tag. And since this case hinges on USB information, I’m actually going to keep scrolling down, and we’re going to start with the USB connection history, with 235 hits.

Now we can see all the different USB connections, and with there being 235 hits – which seems rather high – we’re going to actually try and identify some of this information.

And right off the bat, I’m seeing a lot of the same vendor ID codes here, with 0x5ac. So I want to be able to identify that.

There’s nobody saying that we can’t use open-source intelligence gathering methods for our investigations, so I’m actually going to use a website to detect what that information is for that vendor information. And as we can see here, that is actually coming back to Apple, with a lot of their different product information pieces. So now we’ve confirmed that, we know that a lot of these hits are actually coming from Apple.

Let’s go ahead and we’re going to sort now on the serial number. We’re going to go ahead and get all of them grouped together. And now that we do that, we can start identifying what’s going on here.

So these first three: we’re getting the exact same serial number, vendor ID, product information. And this organisation in particular allows their employees to use one specific drive; and I’d be willing to bet that’s going to be this drive.

But just like we did before, we can check on that by using the same database and loading it in. And sure enough, we can see that it is a G-Tech Western Digital hard drive. So we can validate that they are using this drive on this machine, and that’s been approved by their organisation.

Next, though, as we look through the list here we see a couple of additional pieces to this USB history, and we can see that we’ve got a couple of identifiers here that… we need to identify what’s going on.

So the next one we’re going to take a look at is the 984 that’s on the list, 4/15. And when we go back to the same database, we can actually look and see that this is coming back to an Apricorn SATA wire, 2.5″. Now this tells me that this validates what was found in the IT system: that this machine was used and dropped off, and IT did support this machine on 4/15. And also we can identify this information using the same ID database. And then I further looked at it, and sure enough, there is the cable that the IT personnel use.

Lastly, on this list we can see that there’s one additional hit, and I want to go ahead and confirm that. And when I do, I can see that this is a Seagate drive, which is typically used for IT for this particular organisation.

So those I’m good with, and I understand what’s going on. But as we keep looking down now, we see we have this 0x90c, with a product ID of x1000. So one last time we’re going to actually look at this database, and when we do that we can see that this is coming back to a Silicon Motion, formerly of a different company, and that these are a USB disk and flash drives, looking at the same vendor information and product ID. So over here, let’s go ahead and dig a little bit further into what’s going on here.

This has happened on 4/26, approximately around the time when we got that alert. We do have a serial number, so that’s good. But let’s actually go over to the right-hand side of AXIOM now and build a quick relative time filter off this information.

So let’s go ahead and change this from two minutes, let’s actually say three minutes, and let’s keep our view in the current explorer, and let’s see everything that happened on this machine within three minutes before or after this USB being connected.

From here, we’ve got some more information we can look at. So let’s go ahead and hop over to file system events, or FS events.

From here there’s a couple of different options we can do. I’m actually going to build a quick filter off of flags, and I’m going to go ahead and say ‘Mount.’ So now we’re looking for mount points that are within three minutes before or after that original USB being connected.

And as I can see here, we’ve got several pieces here. Now typically, these are probably going to be coming from dmgs that are being mounted on the machine. Now we’ve identified an additional volume called ‘untitled,’ so let’s see if we can take that a little bit further and figure out what’s going on there.

So I’m actually going to go ahead and kill this first filter on the mount point; and next I’m actually going to go ahead and reset my relative time filter. We’re going to scroll right back down, though, and look under ‘Operating System’; and let’s look in one last place.

Let’s actually go on down, and we’ve already looked at USB connection information; we’ve already looked now at the file system events; let’s look at the volume information.

And from the volume information page, we can see that we’ve got a bunch of different volumes listed here, including the G-Drive that we’ve already identified as what they use, and are allowed to use, in this organisation. But sure enough, we do see this ‘Untitled’ volume one more time.

Now, one thing I love about AXIOM is that you really can dig in deep, and what I mean by that is we can actually go to the evidence information and click on the source link, which is going to take us to the Apple finder plist.

We’re going to let AXIOM load this in very quickly. We have that plist selected, so I’m going to let AXIOM expand that information out. And sure enough, right off the bat we can see recent move and copy destinations: we have a file, volumes, and titles. So this is telling me something was connected, we have the evidence to back that up; we are good to go that we have identified, more likely than not, what set off that original alert.

From here, we finish our report on this investigation, and then decide with investigation if we need to interview the associate and possibly locate that USB, to identify what was potentially placed on that.

Thanks for joining today, and as always if you have questions or would like to see additional features added on to AXIOM, please don’t hesitate to reach out. Thanks, have a great day.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 12:44 pm

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 12:00 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...