Magnet User Summit 2023 Recap

As another amazing trip to Nashville comes to a close it’s time to reflect on the past few days of what went down at the Magnet User Summit (excluding daily tacos and hot chicken πŸ™‚). This was my seventh MUS (yes I’ve been to them all!) and third in Music City USA, although this year’s conference was in a new location downtown. The Magnet User Summit isn’t just about showcasing the latest and greatest software from the company but also a networking  and reunion for me. Being surrounded by like-minded practitioners and examiners makes for great conversations. Here are just a few of my thoughts from the week.

Pre-Conference PAC

I was able to take part in a pre-conference workshop as part of the AXIOM Cyber Product Advisory Council. Alongside about 20+ other customers from various companies large and small, I got to take in how others are using the products as well as give some feedback back to the product teams. They also previewed a roadmap for AXIOM Cyber for things to come in the next year (some of the features were introduced in v7.0).


This year’s conference featured two keynotes. The first was presented by Magnet’s own Jad Saliba and Geoff Macgillivray talking product updates a plenty (the whole gamut of products got the yearly version bump from AXIOM, AXIOM Cyber, REVIEW and OUTRIDER). They also brought out Grayshift’s David Miles to talk about their new product VeraKey geared towards consent based mobile collections. DME’s Jimmy Schroering also came out to talk about a new product called WITNESS which appeared to be a reworking of their DVR Examiner product.

The second keynote was from DFIR journeyman Brett Shavers discussing his trials and tribulations through the course of his career. One thing I learned is that mistakes will inevitably happen but it’s how you learn from those mistakes and improve yourself will only lead to greater success.


There were so many great talks that I was able to attend this year. I’m a big fan of the more technical presentations so naturally I gravitated towards the following:

Brandon Epstein showed off research on Apple Airdrop and correlated a share back to a phone number of the sender. The hilarious part was his live demo of calling someone he was able to get a number from the previous day while collecting some sysdiagnose logs.

Jessica Hyde dove into tools that can be used to analyze LevelDB, which is such an untapped artifact for evidence. I can’t wait to dive into these further to see what other items can be pulled from them.

Aaron Sparling walked through steps to collect from and analyze data from Tails. I’m an amateur in Linux forensics so getting a baseline of how to work on something of this nature is very beneficial.

Patrick Beaver took us down an adventure of VR analysis collections from an Oculus headset. I am now picturing someone having to wear the device while trying to fumble through menus to get an acquisition from it. At the end of the day it’s running Android so at least I’m pretty familiar with the general basics of collecting from it.

Chris Vance did his talk on Biomes, the latest and greatest incarnation of Apple’s artifact storage and somewhat replacement of KnowledgeC. I’m curious to see how Apple continues to migrate to these formats and how tools will further support parsing them. You can follow Chris and his latest installments in the Mobile Unpacked webinar series.

Capture The Flag

You should know by now that I’m a CTF junkie so naturally I had to compete again this year. 2.5 hours of grinding through ciphers and an Android dump and I was able to win 3rd place! It was nice to just hangout, drink some beers and have a blast with the other competitors.

I’m looking forward to going through the questions again and hopefully writing some blogs for solutions in the near future, stay tuned!


I was able to partake in two different lab exercises while attending.  The first lab involved using the new free tool Magnet RESPONSE. I was able to beta test it a bit a few months back but I never realized it was updated since then. Getting to utilize a free tool for quick triage can be vital to investigations so I’m curious to see how well it fares against other tools in the field. The room had plenty of feedback which will be very beneficial for future update considerations and additions.

The second one involved fileless threats and using DumpIt to pull down RAM and then ingested the dumps into AXIOM for parsing. The integration of Comae will be a great addition to pulling out artifacts from memory so I’m planning on playing with AXIOM Cyber v7 and these features soon.

The third lab was actually one that Jessica Hyde and myself put on about tips and tricks for competing in the capture the flag event. We had a fun interactive session and even got some great feedback on how our workshop benefitted some competitors after they played this week which is awesome to see people succeeding after attending our session.


One of my favorite parts of going to an in-person conference event is being able to interact with the attendees and staff. It’s always nice to meet new people, reconnect with old friends, and even meet people face to face that I’ve talked with virtually for years. I met a few people that said they used some of my scripts and have benefitted from them for casework which makes me giddy to keep contributing back to the community.

I can’t say enough about the whole Magnet team and how much respect I have for the organization as a whole. I’m really thankful that they understand their customers and take feedback seriously to improve the tools and services they provide to help better support the critical investigations we all perform. I’m looking forward to seeing what else they have in store in the years to come especially with the merging of Grayshift into the fold. Here’s to hoping to make it back for MUS 2024!