MAGNET ACQUIRE

USER GUIDE
2.0.3
CONTENTS
Magnet ACQUIRE 4
System requirements 4
Acquiring drives 5
Supported drives 5
Acquire an image of a drive 5

Acquiring an Android device 6

Access to data on Android devices 6
Supported acquisition methods for Android devices 6
Preparing an Android device for image acquisition 7
Turn on USB debugging for Android devices 8
Downgrading apps 9
Bypassing passwords to obtain full images of locked devices 9
Device drivers for popular Android device manufacturers 9

Acquire an image of a mobile device 10

Recover evidence using TWRP 10

Acquiring an iOS device 11

Access to data on iOS devices 11
Supported acquisition methods for iOS devices 11
Prepare an iOS device for image acquisition 12
Connecting to a device using SSH 13

Acquire an image of a mobile device 13

Acquiring media and files through MTP 14
Open an image in Magnet IEF 15
Configure your output destination 15
More Help 15
 User Guide

MAGNET ACQUIRE
As the use of mobile devices continues to increase, it's important to efficiently acquire as much inform-
ation as possible from those devices. Magnet ACQUIRE offers a new approach to the acquisition of mobile
device images. By using several different methods of extraction, Magnet ACQUIRE can retrieve as much
data as possible, given the enhanced security on iOS and Android. Magnet ACQUIRE can also capture
images from common storage drives, including HDD, SSD, SD and USB flash, and other external devices.

SYSTEM REQUIREMENTS
To get the best performance from Magnet ACQUIRE, make sure your computer meets the following min-
imum system requirements:

ITEM REQUIREMENT

Operating system Windows 7 or later

Software framework Microsoft .NET 4.8.0 or later

Memory 8 GB RAM

Storage The storage device requires enough space for storing images and cases from devices
with large amounts of data (in some cases, these might be TBs in size)

Mobile devices* iOS devices: Latest version of iTunes

Android devices: Mobile device drivers from each manufacturer (available through Win-
dows Update or from the device manufacturers' websites)

*If you're using Magnet ACQUIRE to create forensic images of mobile devices, you'll need to install this soft-
ware.

Using Magnet ACQUIRE on a virtual machine is not currently supported.

4
 User Guide

ACQUIRING DRIVES
Depending on your time constraints and the type of data you are acquiring, there are four types of images
that you can acquire.

IMAGE TYPE DESCRIPTION

Full A logical image that searches all areas of a drive or image for arti-
facts and copies all files and folders into a single, compressed file.
This method does not include deleted files and/or content.

Full E01 A physical image of the drive. This method copies the entire con-
tents of the drive into a single .E01 file. This option typically takes
longer.

Full Raw A physical image of the drive. This method copies the entire con-
tents of the drive into a single .raw file. This option typically takes
longer.

Quick A logical image that contains important files for forensic analysis.
This method copies files into a single, compressed file. This method
searches the most common areas of your computer where evid-
ence can be found. This option is typically the fastest.

SU PPORTED D RI V ES
Note: Magnet ACQUIRE cannot detect and image network-attached storage (NAS) devices over the
network. If the computer running Magnet ACQUIRE is connected directly to the NAS through a
USB cable, detection of the device and imaging will work as expected.

ACQ U I RE AN I M AG E OF A D RI V E
1. Connect the drive to your computer.
2. Select the drive that you want to acquire an image of and click Next.
3. Select the type of image that you want to acquire and click Next.
4. Make any necessary changes to how the evidence folder will be created and click Acquire.

5
 User Guide

ACQUIRING AN ANDROID DEVICE

For Android devices running version 2.1 and later, there are two types of images that you can acquire.

IMAGE TYPE DESCRIPTION

Full A physical or file-system logical image that copies the entire contents of a device into
a single file (either a .raw file or a .zip file, depending on the device). With a full image,
you have a higher chance of recovering data from unallocated space (deleted files).

Quick A comprehensive logical image that contains both user data and some native applic-
ation data. This method copies files into a single, compressed file. A quick image
attempts multiple acquisition methods to acquire as much information as possible
from the device, as quickly as possible, so that you can start examining the evidence
right away.

If you are unable to acquire a quick or full image, you can acquire media for some devices.

ACCESS TO D ATA ON AND ROI D D EV I CES

The type of image that you can acquire from a device depends on the level of access that you have. Acquir-
ing a full image requires that you have privileged access to the device. Privileged access indicates that you
have an enhanced level of permissions which allow you to interact with the device in ways that a regular
user can't.

On Android devices, having root access gives you enhanced permissions so that you can run apps that
need access to certain system settings, flash custom images to the device, and more.

For full images, if an Android device is not rooted, Magnet ACQUIRE attempts to gain privileged access to
the device using tested rooting methods. Magnet ACQUIRE creates a log file documenting the process, and
indicates which roots are tried and whether any are successful.

SU PPORTED ACQ U I SI T I ON M ETHOD S FOR AND ROI D D EV I CES

Full images are formatted as .raw files and quick images are formatted as .zip files.

OS METHOD EVIDENCE

FULL Android 2.1 and Linux Recover a full physical image of the device’s flash
later** DD command memory. Evidence collected includes all files,
folders, user data, native data, and unallocated
space.

6
 User Guide

OS METHOD EVIDENCE

QUICK Android 2.1 to 8+ Android Debug Contents of any external storage (for example, an
Bridge (ADB) SD card).
mode

Android 2.1 to 8+ Agent application Call logs, SMS/MMS, browser history, and user dic-
tionary.

Android 4.0 and ADB backup / Third-party application user data. Some native
later agent application device data including SMS/MMS, browser history,
calendar, call logs, BT devices, WiFi hot spots, user
accounts, and user dictionary. Contents of any
external storage (for example, an SD card).

Android (Samsung MTP bypass Pictures, videos, and any other files discoverable
models only) via MTP.

** Requires a rooted device. In some cases, Magnet ACQUIRE can root the device for you.

PREPARI NG AN AND ROI D D EV I CE FOR I M AG E ACQ U I SI TI ON

Before you acquire an image from an Android device, verify that your computer and device are set up cor-
rectly.

To make sure Magnet ACQUIRE can connect to the Android device and acquire the most complete forensic
image possible, there are several options that you need to set.

Tip: If you don't want your search criteria to be saved in the recent search history on the device, don't
use the magnifying glass on the mobile device to search for settings or other information.
l Turn on the device.
l Connect the device to the computer using a sync cable (not a charging cable).
l Charge the device to at least 50%.
l Unlock the device.
l Turn on airplane mode.
l Verify the device is running Android 2.1 or later.
l Set the USB option to charging. On some devices, you must set this option each time the USB cable
is reconnected or the device is restarted.
l Turn off USB mass storage (on devices with micro SD capabilities). If this option is turned on, the
device might unmount the SD card, resulting in less data being acquired during a quick image.

7
 User Guide

l Turn on USB debugging/developer mode. On most devices, you turn on developer mode by tapping
on the build number until the "You are now a developer" message appears on the screen.
l Verify that USB debugging/develper mode is in turned on. On some devices, you must turn this set-
ting on after you turn on USB debugging/developer mode. In Settings > Developer options, turn on
USB debugging.
l Set the screen to stay awake. In Settings > Developer options, turn on Stay awake.
l Trust the computer that the device is connected to. When you connect the device to the computer,
follow the device's on-screen instructions.
l Turn off the Verify apps via USB or Verify apps: Block or warn setting. In Settings > Developer
options, turn off Verify apps via USB. The wording of the setting might vary depending on the device
manufacturer.
l Allow the installation of applications from unknown sources. In Settings > Security, turn on
Unknown Sources. The wording of the setting might vary depending on the device manufacturer.

Tip: You must turn on USB debugging mode before you receive a prompt to trust the computer. To
revoke the trust setting, in Settings > Developer options tap Revoke USB debugging authorizations.

Turn on USB debugging for Android devices

Depending on the type of Android device, there are different ways to turn on USB debugging or developer
mode. Here's how you can turn on USB debugging for a few popular devices:

TYPE OF DEVICE TURN ON USB DEBUGGING

Android 2.x+ In Settings > Applications > Development, tap the Enable USB Debugging option.

Android 4.2+ In Settings > About phone, tap the Build Number field approximately 7 times until
"You are now a Developer" displays on the screen.

HTC One (M7/M8/M9) In Settings > About > Software information > More > Build number, tap the Build
Number field approximately 7 times until "You are now a Developer" displays on
the screen.

LG G2/G3 In Settings > About phone > Software information > Build number, tap the Build
Number field approximately 7 times until "You are now a Developer" displays on
Samsung Galaxy
the screen.

Stock Android In Settings > About phone, tap the Build Number field approximately 7 times until
"You are now a Developer" displays on the screen.

8
 User Guide

Downgrading apps
Some newer mobile device apps block access to their data. You can choose to temporarily install a pre-
vious version of the app that provided access to the data, acquire the evidence, and then install the original
app back on the device again.

Warning: There are risks associated with app downgrading. You might change data on the device
when you use this feature.

1. On the Options menu, click Preferences.

2. In Acquire settings, select App downgrading.
3. Click Okay.

Bypassing passwords to obtain full images of locked devices

If a mobile device is locked or you cannot gain privileged access to it, you can use a third-party recovery
package like TWRP to try to obtain a full physical image of that device. Magnet ACQUIRE supports TWRP
version 2.8 and later.

Warning: There are risks associated with using third-party recovery packages. You might:
l void the device warranty
l turn off the Knox security platform on Samsung devices
l render the device completely or partially inoperable ("brick" the device)

To learn more about TWRP, visit twrp.me/about/.

To download TWRP recovery packages, visit twrp.me/devices/.

Device drivers for popular Android device manufacturers

If you're connected to the Internet while using Magnet ACQUIRE, Magnet ACQUIRE attempts to download
the appropriate drivers for the mobile device that you're imaging. If the correct driver can't be found, you
might have to visit the device manufacturer's website to download the driver. Here are the links to down-
load drivers for a few popular devices:
l HTC: www.htc.com/us/software
l LG: www.lg.com/us/support
l Motorola: support.motorola.com
l Nexus: developer.android.com

9
 User Guide

l Samsung: developer.samsung.com
l Sony: developer.sony.com/develop/drivers/

ACQ U I RE AN I M AG E OF A M OB I LE D EV I CE
1. Connect the mobile device to your computer using a sync cable.
2. Start Magnet ACQUIRE.
3. Select the device that you want to acquire an image of and click Next.
4. Select the type of image that you want to acquire and click Next.
5. Make any necessary changes to how the evidence folder will be created and click Acquire.

Tip: If the device that you want to image doesn't appear in the list, click The device that I'm looking for
is not showing up and follow the instructions in the troubleshooting wizard.

Recover evidence using TWRP

Magnet ACQUIRE supports TWRP version 2.8 and later.

Warning: If the bootloader is locked, do not use TWRP to recover data. For Samsung devices, connect
only one device at a time.

1. In Magnet ACQUIRE, in the Choose your device window, click The device I’m looking for isn’t show-
ing up.
2. Select Try advanced recovery options (TWRP).
3. Put the device into download mode. For example, on a Samsung device, turn the power off. Press
and hold the Power + Home + Volume Down keys at the same time. Release the keys when the
screen flickers and you see a warning message. Press the Volume Up key to go to the Recover
mode screen.
4. Download the appropriate TWRP recovery package from twrp.me/devices.
5. Follow the instructions for installing and using the TWRP recovery package.
6. In Magnet ACQUIRE, browse to the TWRP file.
7. Select a Full image type and complete the acquisition wizard.

10
 User Guide

ACQUIRING AN IOS DEVICE

Magnet ACQUIRE can obtain a quick image from iOS devices (version 5.0 and later) and full images from
jailbroken iOS devices.

ACCESS TO D ATA ON I OS D EV I CES

The type of image that you can acquire from a device depends on the level of access that you have. Acquir-
ing a full image requires that you have privileged access to the device. Privileged access indicates that you
have an enhanced level of permissions which allow you to interact with the device in ways that a regular
user can't. Gaining privileged access to an iOS device is often achieved by jailbreaking the device.

On iOS devices, a jailbreak uses an exploit or security vulnerability in the software to give you enhanced
permissions to the operating system. For early iOS versions, these permissions allowed you to get a full
image of the device, but for iOS 5.0 and later, the encryption allows only a logical image to be obtained.

Jailbreaks are often discovered after the release of a new iOS version. The timing of their availability
depends on how difficult it is to find the vulnerability in the software. For many modern iOS devices, there
are no public jalilbreaks available. You should monitor public jailbreaks to stay current.

SU PPORTED ACQ U I SI T I ON M ETHOD S FOR I OS D EV I CES

Both full images and quick images from an iOS device are formatted as .zip files.

OS METHOD EVIDENCE

FULL iOS 5 to 10+ ** SSH For jailbroken iOS devices, AXIOM Process Magnet
ACQUIRE recovers a full logical file system dump
that includes all of the files, folders, user data, and
native data.

11
 User Guide

OS METHOD EVIDENCE

QUICK iOS 5 to 11+ iTunes backup pro- Third-party application user data.
cess
Some native device data, including: SMS/MMS and
iMessage, calendar, and call log.

iOS 5 to 11+ Apple File Conduit Camera pictures, ringtones, and iTunes books.

iOS 8 and earlier File relay Some native device data, including: complete
photo album, SMS/MMS and iMessage, address
book, typing cache, geolocation cache, application
screen shots, WiFi hot spots, voicemail, and native
email metadata.

** Requires a jail-broken device.

PREPARE AN I OS D EV I CE FOR I M AG E ACQ U I SI TI ON

Before you acquire an image from an iOS device, verify that your computer and device are set up correctly.

To allow Magnet ACQUIRE to connect to the iOS device and acquire the most complete forensic image pos-
sible, there are several options that you need to set.

Tip: If you don't want your search criteria to be saved in the recent search history on the device, don't
use the magnifying glass on the mobile device to search for settings or other information.
l Verify your computer is running the latest version of iTunes.
l Turn on the device.
l Connect the device to the computer using a sync cable (not a charging cable).
l Charge the device to at least 30%.
l Unlock the device.
l Turn on airplane mode.
l Verify that the device is running iOS 5 or later.
l Turn off screen lock or set it to the maximum amount of time.
l Set the screen timeout or sleep mode to stay awake, or to the maximum amount of time.
l Trust the computer that the device is connected to. When you connect the device to the computer,
follow the device's on-screen instructions. On iOS 8 and later, to revoke trust, tap Settings > General
> Reset > Reset Location & Privacy.

12
 User Guide

Connecting to a device using SSH

When Magnet ACQUIRE detects that SSH is present on an iOS device, it attempts to connect to the device
automatically by using the default SSH credentials (username: root, password: alpine).

If the SSH credentials are not set to the default values, you must change the credentials on the device back
to the defaults before you can acquire and scan the device.

ACQ U I RE AN I M AG E OF A M OB I LE D EV I CE
1. Connect the mobile device to your computer using a sync cable.
2. Start Magnet ACQUIRE.
3. Select the device that you want to acquire an image of and click Next.
4. Select the type of image that you want to acquire and click Next.
5. Make any necessary changes to how the evidence folder will be created and click Acquire.

Tip: If the device that you want to image doesn't appear in the list, click The device that I'm looking for
is not showing up and follow the instructions in the troubleshooting wizard.

13
 User Guide

ACQUIRING MEDIA AND FILES THROUGH MTP

Using the media transfer protocol (MTP), you can acquire media and files—including pictures, videos,
audio files, documents, downloads, application data, and user data—from a media device. If other acquis-
ition methods don't work for smartphones, MTP can sometimes bypass certain encryption methods and
passwords so you can obtain a logical acquisition of the device.

You can use the MTP option with media devices that support the media transfer protocol (MTP), including:
digital cameras, feature phones, and smartphones like Android, iOS, BlackBerry, and Windows Phone.

14
 User Guide

OPEN AN IMAGE IN MAGNET IEF

1. Start Magnet IEF.
2. Click Mobile.
3. Click the OS of the device image.
4. Click Images.
5. Browse to the location where you saved the image and click Open.
6. Select a search type from the Search Type drop-down list and click OK.
7. You can choose other types of searches, or click NEXT to proceed with your current selection.
8. On the Artifacts window, select the artifacts that you would like Magnet IEF to look for and click
NEXT.

CONFI G U RE Y OU R OU TPU T D ESTI NATI ON

Note: The folder that you select as the output destination must be on a drive that has a few GB of free
space and is accessible to Magnet IEF.

1. Enter the destination information, including the output path and case folder name.
2. Enter the case information , including the case number, examiner's name, evidence numbers, notes
and logo.
3. Optionally, select Enable Keyword Search Alerts > Configure to use keywords, including GREP, that
check recovered artifacts as they are found. You can elect to be alerted by an audible or email alert.
4. Assign an image file with your agency logo for your final report.
5. Click Find Evidence.
Magnet IEF starts the search, and opens Report Viewer and the Search Status window. The Report
Viewer displays artifacts as Magnet IEF recovers them.
6. In the Search Status dialog, click Show Summary to view the Case Information report.

More Help
l Search Using Keywords
l Hide Duplicate Data in Search Results

15
Copyright 2021 Magnet Forensics. All rights reserved.

Information in this document is subject to change without notice. The software described in
this document is furnished under a license agreement or nondisclosure agreement. The
software may be used or copied only in accordance with the terms of those agreements.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted
in any form or any means electronic or mechanical, including photocopying and recording
for any purpose other than the purchaser's personal use without the written permission of
Magnet Forensics.

Magnet Forensics

2220 University Ave. E., Suite 300

Waterloo, ON, N2K 0A8

1 (519) 342-0195

This document was published on 12/15/2021.