User Guide Contents

USER GUIDE CONTENTS

What's new 4 About Magnet OUTRIDER 5 Getting started with Magnet OUTRIDER 6 System requirements 6 Use Magnet OUTRIDER on a dongle 6 Use a trial license of Magnet OUTRIDER 6 Understanding changes made to the system 7 Detecting Bitlocker encrypted drives 8 Scanning a target 9 Scan a computer 9 Encryption screening 9 Scan an external drive 10 Scan a folder 10 Configuring scan options 11 Locate files and apps settings 11 Collect artifacts and scan browser history settings 13 CSAM Detection Technology settings 14 Scan options 15 Reporting options 16 Miscellaneous options 16 Adding keywords and NCMEC report data to a search 17 Import a keyword list or NCMEC report data 17 View a keyword list or NCMEC report data 17 Export a keyword list or NCMEC report data 18 Reviewing scan results 19 Mark a CRC CSAM hit as a false positive 19 Starting a new scan 20 Supported application categories 20 Viewing and exporting scan reports 22 View scan reports 22 Navigating your scan report folder 22 Contents of scan reports 23 View and export an error list 23 Exporting filename keyword hits and CRC CSAM hits 25 Export filename keyword hits or CRC CSAM hits 25 Export a list of saved hits 25 Updating Magnet OUTRIDER 27 Update Magnet OUTRIDER manually 27 Automatically check for updates 27 User Guide

WHAT'S NEW

VERSION DESCRIPTION

2.1.0 l Updated Configuring scan options with information about scanning connected networks, new supported operating system artifacts, and customizing case and report locations.

2.0.0 l Updated Reviewing scan results with information about new supported apps.

l Updated Scanning a target with information about scanning specific folders.

l Updated Adding keywords and NCMEC report data to a search with information about regex keywords and NCMEC report data.

l Updated Reviewing scan results with information about reporting false positive hits using CRC CSAM detection technology.

l Updated Viewing and exporting scan reports with information about new features in scan reports.

l Updated and reorganized Configuring scan optionswith information about new con- figuration options.

l Updated Getting started with Magnet OUTRIDER with current system requirements.

1.5.0 l Initial version

4 User Guide

ABOUT MAGNET OUTRIDER

Use Magnet OUTRIDER at the beginning of your investigation to quickly assess your potential evidence sources, including computers, drives, and specific folders, and determine which computers to prioritize in your investigation. Rather than performing an in-depth search of a drive, which can be time-consuming, Magnet OUTRIDER helps triage and preview content by quickly scanning target devices for contraband content and applications.

Magnet OUTRIDER scans the file names on a target for potential dark web, P2P, cloud storage, encryption, anti-forensics, gaming, messaging, virtual machine, VPN, and cryptocurrency apps and files. You can view the list of supported apps and files in Magnet OUTRIDER.

Magnet OUTRIDER also scans file names for keyword matches using keyword and regex keyword lists. Depending on the keyword list you use, Magnet OUTRIDER can help identify files that contain CSAM or other flagged content. A keyword list with CSAM-related keywords is included in Magnet OUTRIDER for law enforcement agencies. You can also import NCMEC CyberTip reports to use URLs, file names, and IP addresses from the reports as keywords for locating files or matching on browser history.

For scans of live systems, Magnet OUTRIDER can collect operating system artifacts, capture RAM, take a screenshot of the desktop, and obtain the external IP address for the system.

Law enforcement customers can also use technology from the Child Rescue Coalition (CRC) in Magnet OUTRIDERto quickly identify known CSAM content even if no keyword hits were found in file names. This technology analyzes all of the files scanned by Magnet OUTRIDER (not including files found in ZIP files) using hashes from law enforcement CSAM databases in the United States and Canada.

After a scan completes, you can review the items of interest in the app, export evidence, and view a sum- mary report generated by the app.

Note: If Magnet OUTRIDER returns a result of No hits found, the drive isn't necessarily clear of relevant apps, keyword matches, or CSAM content. Some users are capable of hiding files from the application. However, using Magnet OUTRIDER's quick scanning capabilities can help to prioritize between multiple target devices.

5 User Guide

GETTING STARTED WITH MAGNET OUTRIDER

If your organziation has purchased Magnet OUTRIDER, you'll receive a USB dongle that you can take with you on your investigations to use Magnet OUTRIDER on a computer. If you're using a trial license of Magnet OUTRIDER, you'll receive a an installation file and license key in an email from Magnet Forensics.

System requirements

You can run Magnet OUTRIDER on a computer as long as it meets the following requirements.

ITEM MINIMUM REQUIREMENT

Operating system Windows 7 or later

Software framework Microsoft .NET Framework 3.5 or later

Memory 2 GB RAM

Use Magnet OUTRIDER on a dongle

Take the USB dongle that you received from Magnet Forensics on your investigations so that you can use Magnet OUTRIDER on a computer. The first time you use Magnet OUTRIDER, you'll be asked if you agree to send diagnostic data to Magnet Forensics and to confirm your agreement with the End User License Agree- ment.

1. Connect the Magnet OUTRIDER dongle to a computer. 2. In the File Explorer, browse to the USB drive and double-click Start Magnet Outrider.bat. 3. If a dialog appears asking if Magnet OUTRIDER can make changes to the device, click Yes.

Use a trial license of Magnet OUTRIDER

If you've signed up for a trial license of Magnet OUTRIDER, you'll need to install the application on a USB drive that you provide or on a computer. Once you've installed Magnet OUTRIDER, activate the trial license that you received from Magnet Forensics.

6 User Guide

Install a trial version of Magnet OUTRIDER

1. Open the email that you received from Magnet Forensics and save the MagnetOUTRIDER_Setup_ vXXX.exe installation file to your computer or to your USB drive. 2. In your File Explorer, browse to the installation file and double-click it. 3. In the Setup window, accept the End User License Agreement and click Next. 4. On the Destination Location screen, click Browse... and select the USB drive as the installation location. 5. Click Next, and then click Install.

1. After the installation completes, select the option to Launch Magnet OUTRIDER, and then click Finish. 2. If a dialog appears asking if Magnet OUTRIDER can make changes to your device, click Yes. 3. In the Register Magnet OUTRIDER dialog, paste the license key from the email. 4. If you want to send diagnostic data for Magnet Forensics to use to improve the application, select Help improve Magnet Outrider by opting in to send diagnostic data. 5. Select the option to agree to the End User License Agreement (EULA). 6. Click Register.

Take the USB dongle that you installed Magnet OUTRIDER on to your investigations so that you can use Mag- net OUTRIDER on a computer.

Understanding changes made to the system

To maintain the integrity of forensic evidence, Magnet OUTRIDER does not modify or create any files on the system where it is run. However, a few files will be created automatically by the Windows system. If you run Magnet OUTRIDER on a system and then examine evidence from the system more closely using a forensic tool such as Magnet AXIOM, you'll find registry keys and prefetch files in the evidence that were created when you connected the USB drive and ran Magnet OUTRIDER.

7 User Guide

ITEM DESCRIPTION

Registry keys When you connect your Magnet OUTRIDER USB dongle to a target's computer, some registry keys will be created. These registry keys will match the hardware ID of the USB drive that you connected.

Prefetch files When you run Magnet OUTRIDER on a computer, Prefetch files are created by Windows. The following Prefetch files can be found at C:\Local Disk\Win- dows\Prefetch.

l Each time you open the program, a file will be created whose file name begins with "MAGNETOUTRIDER.VXXX.EXE".

l If encryption is detected on the computer, a file will be created whose file name begins with "EDD.EXE".

Detecting Bitlocker encrypted drives

When you open Magnet OUTRIDER, the application automatically checks the computer and its attached drives for Bitlocker encryption. If Magnet OUTRIDER detects a drive that has been encrypted and password- locked using Bitlocker, you'll be notified of which drive has been detected as a Bitlocker locked drive. A drive cannot be scanned if it is encrypted using Bitlocker.

If the Bitlocker pop-up window appears before your scan, choose one of the following options.

l If you know the drive password, click Yes. In the Bitlocker window that appears, provide the password and click Unlock.

l If you don't know the drive password, click No to skip that drive in your scan.

8 User Guide

SCANNING A TARGET

Use Magnet OUTRIDER to scan computers, external drives, and specific folders. You can narrow or broaden the range of your scan by configuring scan options or adding keywords, regex keywords, or NCMEC report data to your search.

If necessary, you can stop a scan at any time. When you stop a scan, Magnet OUTRIDER generates scan reports based on the evidence that it has already scanned and saves these reports to the case folder. For more information, see Viewing and exporting scan reports.

Scan a computer

You can scan the computer and all attached drives that you've connected the Magnet OUTRIDER dongle to. When you scan a computer, Magnet OUTRIDER screens for live encryption, scans file names of running processes and all files and drives attached to the system, obtains the external IP address for the system (if one exists), and any applicable scan options that you configure.

1. In the Case number / reference field, provide a number to assign to your case, and then click Next. 2. Select I am scanning this computer (including all attached drives). 3. If you recently inserted or removed a drive from the computer that you are running Magnet OUTRIDER on, click Refresh to update the list of drives detected on the system. 4. If applicable, select the drives that you want to scan. 5. Click Next. 6. Configure scan settings applicable to your investigation. 7. Add any keywords, regex keywords, or NCMEC report data that you would like Magnet OUTRIDER to search for during the scan. 8. Click Start.

Encryption screening

In addition to checking for Bitlocker encrypted drives when you start the application, Magnet OUTRIDER screens for live encryption after you start scanning a computer. If live encryption or signs of live encryption are detected on the computer or drives, Magnet OUTRIDER will alert you. If Magnet OUTRIDER does not detect encryption, the scan will begin right away.

9 User Guide

If Magnet OUTRIDER does not detect encryption on the computer or drives, that doesn't guarantee that no encryption is present at all on the system, as Magnet OUTRIDER may not be able to detect certain types of encryption.

If decryption is detected, you can choose to continue with the scan or close Magnet OUTRIDER. To view the encryption details, click View details. This report on encryption, including available recovery keys and passwords for detected Bitlocker drives, will be automatically placed in the case folder.

Tip: If encryption is detected, do not shut your device down unless you have the password to decrypt the encrypted containers or drives. Consider saving files or creating a live forensic image of the drive while the computer is on and you have decrypted access tot he data.

Scan an external drive

You can scan external drives that do not have a USB interface or to scan USB drives that are not already connected to the target computer. Connect these drives to a forensic workstation using a forensic write- blocker that you've connected the Magnet OUTRIDER dongle to. Magnet OUTRIDER will search for the file names of all files on the selected drives in addition to any applicable scan options that you configure.

By default, the system drive is not selected.

1. In the Case number / reference field, provide a number to assign to your case, and then click Next. 2. Select I am scanning attached (external) drives only. 3. If you recently inserted or removed a drive from the computer that you are running Magnet OUTRIDER on, click Refresh to update the list of drives detected on the system. 4. If applicable, select the drives that you want to scan. 5. Click Next. 6. Configure scan settings applicable to your investigation. 7. Add any keywords, regex keywords, or NCMEC report data that you would like Magnet OUTRIDER to search for during the scan. 8. Click Start.

Scan a folder

You can scan one or more specific folders to narrow the focus of your scan, especially if Magnet OUTRIDER is scanning computers or servers with a large quantity of storage attached.

10 User Guide

You can also use this option to scan mobile extractions, such as ZIP and TAR file images. Before scanning the extraction using Magnet OUTRIDER, extract the image to a folder, and then select only that folder as Magnet OUTRIDER will scan any subfolders and files.

1. In the Case number / reference field, provide a number to assign to your case, and then click Next. 2. Select I am scanning one or more specific folders. 3. Click Add folder. 4. Select the folder that you would like to scan, and then click Okay. 5. Click Next. 6. Configure scan settings applicable to your investigation. 7. Add any keywords, regex keywords, or NCMEC report data that you would like Magnet OUTRIDER to search for during the scan. 8. Click Start.

Configuring scan options

Locate files and apps settings

SETTING DESCRIPTION

Use keyword list to locate files Use the loaded keyword lists to locate file name-based keyword hits.

For information about loading keyword lists, see Adding keywords and NCMEC report data to a search.

Only match on "whole Search for whole word matches rather than partial instances of keywords. word" matches Enabling this option reduces the number of false positive hits as system or program files could be matched as partial hits on keywords. For example, the file name “msg_qwihr35yowlji90.dat” would be considered a hit for the keyword “5yo" if you did not enable this option.

Make sure that word bounding characters exist on either side of the keyword. The following file names would be matched for the keyword "5yo": “5yo.jpg”, “downloaded 5yo.mp4”, “5yo_new.png”, “first_5yo-file.avi”. However, “msg_ qwihr35yowlji90.dat” would not be matched as it does not have word bound- ary characters surrounding the keyword.

This option is enabled by default.

11 User Guide

SETTING DESCRIPTION

Use regex keyword list to loc- Use the loaded regex keyword lists to locate file name-based keyword hits ate files using regular expressions.

For information about loading keyword lists, see Adding keywords and NCMEC report data to a search.

Locate apps of interest (built-in Search for known application executable files to locate apps of interest in cat- lists) egories such as dark web apps, encrypted apps, and more.

For a complete list of supported apps, in Magnet OUTRIDER, click View supported apps.

Locate files of interest for Locate files of interest such as cryptocurrency wallet files, cloud storage optional collection purposes decryption key files, and more.

For a complete list of supported files, in Magnet OUTRIDER, click View supported apps and review the Built-in file collection list.

12 User Guide

Collect artifacts and scan browser history settings

SETTING DESCRIPTION

Collect various operating sys- Collect operating system artifacts: tem related artifacts (live sys- l USB device history tem scan only) l Recently accessed Logged-on users

l Extended drive info, routing, firewall settings, saved Wi-Fi networks

l Mapped network drives (persistent only)

l User accounts and info

l Operating system information - installed date, saved Wi-Fi passwords, registered owner, and time zone setting

l List of installed apps

l Active network connections

l List of scheduled tasks

l List of Windows services

l Prefetch files (basic info)

l Running processes

l List of Wi-Fi networks currently visible

This option will only run when you've selected the "I am scanning this computer" option, and it does not add much time to the overall scan.

Search browser history for Scan browser history from Chrome, Firefox, and Edge (Chromium based) URLs or keywords browsers for keyword hits. Magnet OUTRIDER might also find hits for other Chrome-based browsers.

URLs or page titles containing keyword or regex hits or NCMEC report URL hits will be displayed and saved to the report.

Deleted, incognito, and private browser history is not currently supported.

Collect RAM (live system scan Prior to starting the scan, capture the live system’s RAM using the Magnet only) RAM Capture tool.

The capture is saved to the report folder as a file named “RAMCapture.bin”.

This option will only run when you've selected the "I am scanning this computer" option.

13 User Guide

SETTING DESCRIPTION

Save a screenshot of the Prior to starting the scan (but after capturing RAM, if enabled), capture a desktop (live system scan screenshot of the desktop. only) The screenshot is saved to the report folder as a PNG file named "DesktopScreenshot.png”.

This option will only run when you've selected the "I am scanning this computer" option.

Only minimize the OUTRIDER Only minimize the Magnet OUTRIDER application before capturing a screen- window before capturing the shot of the desktop. Otherwise, all windows are minimized to capture the screenshot entire desktop and its background photo and desktop icons.

This option will only run when you've selected the "I am scanning this computer" option.

Scan connected network (if If the live system is currently connected to a network (Wi-Fi or wired), Magnet applicable) for devices (live sys- OUTRIDER will scan the network to locate devices and try to determine their tem scan only) IP address, MAC address, hostname (if applicable), and the device man- ufacturer.

This option will only run when you've selected the "I am scanning this computer" option.

CSAM Detection Technology settings

SETTING DESCRIPTION

Run Child Rescue Coalition Complete a secondary scan using CSAM detection technology from the Child CSAM Detection after initial Rescue Coalition (CRC) that can detect known CSAM—even if no keyword hits scan were found in file names.

This technology analyzes all of the files scanned by Magnet OUTRIDER (not including files found in ZIP files) using hashes from law enforcement CSAM databases in the United States and Canada.

CRC CSAM detection technology is available to law enforcement customers only.

14 User Guide

SETTING DESCRIPTION

Scan all file types/extensions, Scan all file types using the CRC CSAM detection technology, regardless of not just media extension.

By default, only media files with the following extensions are scanned: .jpg, .mp4, .png, .bmp, .gif, .avi, .mpg, . wmv, .jpeg, .mov, .m4v, and .flv.

Depending on the number of files present on the computer or drive and the speed of the hardware, turning on this setting can significantly increase scan time. Consider turning on this option if you suspect that the user might be hiding files by changing the file extensions.

Save thumbnails of CSAM hits Include thumbnails of CSAM hits in the scan reports. Otherwise, only the file to report names/paths will be saved in the report.

Scan options

SETTING DESCRIPTION

Scan file names within ZIP files Scan files that are stored within a ZIP archive file to locate keyword or regex (one level deep) keyword hits, even if the ZIP file is password-protected.

Note: Only file names are scanned. The file content within ZIP files is not ana- lyzed (using the CRC CSAM Detection or otherwise).

Obtain external IP address of Obtain the external IP address of the computer that Magnet OUTRIDER is run- this computer (live system ning on. scan only) If you've imported NCMEC CyberTip Report data that contains IP addresses, the obtained IP address is also compared against the imported IP addresses, providing an indication if a match is found.

This option will only run when you've selected the "I am scanning this computer" option.

Use legacy method to locate For drives with NTFS file systems, locate files and folders using operating files/folders using built-in oper- system commands and APIs instead of natively parsing the Master File Table. ating system commands This option is slower than the native parsing, does not locate alternate data stream file names, and might miss certain system protected files and folders.

15 User Guide

Reporting options

SETTING DESCRIPTION

Create a PDF version of the Create a PDF report along with the default HTML report. default HTML report

Logo/agency crest for report Select a logo or agency crest to include at the top of the report.

Note: If the file you browse to is moved from its original location, you will need to re-link it.

Location for case/report files Select the location where you want to store your case and report files.

Miscellaneous options

SETTING DESCRIPTION

Keep parsed timestamps in If this option is enabled, any records that contain timestamps will keep the UTC, do not apply the local sys- timestamps in UTC time, and will not apply the local system time zone offset. tem time zone offset If it is not enabled, the timestamps will be saved with the local system’s time zone offset applied.

Automatically check for new Automatically check for updates every time you open Magnet OUTRIDER. releases of OUTRIDER on star- Magnet OUTRIDER is occasionally updated to fix bugs, add features, update tup app lists, and improve the performance of the application. For more information, see Updating Magnet OUTRIDER.

Automatically gather and send You can choose to share information about how you use Magnet OUTRIDER diagnostic information to help with Magnet Forensics. This information can help us improve our products. improve Magnet OUTRIDER The type of information that gets sent can include data about how long it took to perform a scan and the processing options you used in the scan. The information that gets sent never includes actual data from the evidence sources that you search.

By default, the collection of diagnostic information is turned off. When you activate Magnet OUTRIDER, you can choose to enable the collection of diagnostic information. If you do not want to select this option at this time, you can change this setting later in Magnet OUTRIDER.

16 User Guide

Adding keywords and NCMEC report data to a search

You can use keywords, regex keywords, and NCMEC report data to enhance your scan.

Import keyword lists and regex keywords lists to locate file name-based keyword hits. Magnet OUTRIDER scans for file name keyword matches using the keyword lists or regular expressions. Depending on the keyword list you use, Magnet OUTRIDER can help identify files that contain CSAM or other content. A keyword list with CSAM-related keywords is included in Magnet OUTRIDER for law enforcement agencies.

You can also import NCMEC CyberTip reports to use URLs, file names, and IP addresses from the reports as keywords for locating files or matching on browser history. When scanning a live system using the "I am scanning this computer" option, Magnet OUTRIDER matches the IP addresses in the report against the external IP address obtained from the live system.

Import a keyword list or NCMEC report data

You can load custom keywords, regular expressions, or NCMEC report data in Magnet OUTRIDER.

Keywords and regular expressions must be in .txt files and each keyword or regular expression must be on a separate line. NCMEC CyberTip reports must be .xml files.

1. On the Configure scan options screen, click Import keyword list, Import regex keyword list, or Import NCMEC report data. 2. Browse to the file you want to import. 3. Click Open. 4. Follow the on-screen-instructions.

Tip: On the USB drive where Magnet OUTRIDER is installed, you also have the option to add or remove keywords or regular expressions from the .txt file or any other .txt file in the MagnetOutrider\keywords or MagnetOutrider\keywords-regex folders. Any changes that you make to these files will be automatically loaded to Magnet OUTRIDER.

View a keyword list or NCMEC report data

To view the loaded keyword list, the regex keyword list, or imported NCMEC data, on the Configure scan options screen, click View keywords, View regex keywords, or View imported NCMEC data.

17 User Guide

The keywords that Magnet OUTRIDER uses to locate hits in file names are loaded from any .txt file in the MagnetOutrider\keywords folder.

The regular expressions that Magnet OUTRIDER uses to locate hits in file names are loaded from any .txt file in the MagnetOutrider\keywords-regex folder.

Export a keyword list or NCMEC report data

1. On Configure scan options page, click View keywords, View regex keywords, or View imported NCMEC data. 2. Click Export to. 3. Select a location to save the file to and click Save. 4. Click OK.

18 User Guide

REVIEWING SCAN RESULTS

As Magnet OUTRIDER scans a device, you can start to review hits in their corresponding application categories. Category names will be displayed in bold where there are hits that you have not viewed. You can click an application category to view new hits or to refresh a category. Within an application category, double click a hit to view it's location on the computer or drive that was scanned.

Warning: Opening files on a live system can change timestamps or modify data associated with the accessed files.

If you enabled the CRC CSAM detection feature, the CSAM detection scan will run on applicable files that were discovered during the initial scan. If there are hits in the CRC CSAM Hits category, make sure you val- idate these hits as it's possible to recover false positives. You can easily verify the hits by reviewing the displayed thumbnail and mark hits as false positives as necessary.

It's possible that Magnet OUTRIDER will be unable to recover all hits. Magnet OUTRIDER might not return hits if:

l The file names do not match any of the loaded keywords

l Support isn't available for the detection of an application

l You have not enabled or disabled certain advanced settings

Please note that if Magnet OUTRIDER does not recover any hits, this does not guarantee that the system is clean.

Mark a CRC CSAM hit as a false positive

If you enabled the CRC CSAM detection feature, you can mark false positive CRC CSAM hits locally so that they are not flagged in future scans. Additionally, you have the option of sending the false positive data to Magnet Forensics, which sends the file ID/hash so that we can filter the false positive results for other Mag- net OUTRIDERusers in future releases. Sending false positive data to Magnet Forensics requires an internet connection.

1. Select one or more records. 2. Right-click the record(s), and then select Mark as false positive or Mark as false positive and send to Magnet.

19 User Guide

Starting a new scan

Before starting a new scan, make sure that you have saved or exported any scan results that you would like to keep. For information on exporting from Magnet OUTRIDER see Viewing and exporting scan reports and Exporting filename keyword hits and CRC CSAM hits.

When you are ready to start a new scan, click Start Over.

Supported application categories

Magnet OUTRIDER can detect the presence of many applications on a target. To view a complete list of supported applications, in Magnet OUTRIDER, click View supported apps.

CATEGORY DESCRIPTION

Anti-forensics Detect Anti-Forensics applications such as CCleaner, Eraser, Folder Lock and more. apps

Cloud storage apps Detect Cloud Storage applications such as DropBox, Box Drive, Google Drive and more.

CRC CSAM hits Detect known CSAM related files. If there are hits in this category, it is important to val- idate them as there may be false positives. For easy verification, a thumbnail is displayed next to each hit.

Cryptocurrency Detect Cryptocurrency applications such as Bitcoin Core Client, Monero Client, Tron Wallet apps and more.

Dark Web apps Detect Dark Web applications such as Freenet, i2p, Tor, and more.

Encryption apps Detect Encryption applications such as AES Crypt, AxCrypt, BestCrypt and more.

Filename keyword Detect files with names that match any of the keywords in the loaded keyword list. Any hits P2P search terms that are found in the loaded keyword list will also be displayed in this category.

Gaming apps Detect gaming applications such as Roblox, Minecraft, Fortnite, and more.

Messaging apps Detect messaging applications such as Skype, WhatsApp, FB Messenger, and more.

20 User Guide

CATEGORY DESCRIPTION

P2P apps View recovered P2P GUIDs from eMule or Shareaza.

View recovered search terms that have been used to conduct searches on P2P networks through the Ares, Shareaza, and eMule P2P applications. Search terms can be recovered for all three applications when scanning a live system, while eMule search terms can also be recovered from attached drives.

Virtual Machine Detect Virtual Machine applications such as VirtualBox, Windows Virtual PC and more. apps Detect Android emulators such as Bluestacks, Nox, MEmu, and Genymotion.

Detect virtual disk files such as Microsoft Virtual Hard Disk (VHD), VirtualBox Virtual Disk Image (VDI), VMware Virtual Machine Disk (VMDK), and more.

VPN apps Detect Virtual Private Network applications such as Surfshark, NordVPN, Hotspot Shield, Private Internet Access, and more.

21 User Guide

VIEWING AND EXPORTING SCAN REPORTS

When Magnet OUTRIDER finishes scanning a computer, there are multiple reports that you can view and create to gain insight into the results of the scan.

View scan reports

When the scan completes, a dialog box appears with the location of the scan report. Browse to this location in the computer's File Explorer, then click Ok to exit the dialog box. You can find this report later in your case folder, located at the install location of Magnet OUTRIDER.

Navigating your scan report folder

Depending on the scan options that you enabled, you might not have some of the files or folders listed below.

FILE / FOLDER DESCRIPTION

Collected_OS_Artifacts Contains .txt files with collected operating system artifacts.

DesktopScreenshot.png The captured screenshot of the desktop.

keyword_list_used_for_this_scan.txt Lists all of the keywords that were used in the scan to search for files of interest.

Live System Encryption Report.txt Lists the details of encryption detected during the scan.

ramcapture.bin The live system's RAM captured using the Magnet RAM Capture tool.

Report.html Lists information about the hits that were found during the scan, in HTML format.

Report.pdf Lists information about the hits that were found during the scan, in PDF format.

SavedFiles.zip Contains the files that you chose to save after the scan completed.

You can save files from the Filename Keyword Hits and CRC CSAM Hits categories.

22 User Guide

FILE / FOLDER DESCRIPTION

ScanInfo.txt Lists the status, location, and MD5 hash (for future verification) of files that you chose to save after the scan completed.

Contents of scan reports

Depending on the scan option that you selected before beginning your scan, the Report.html and Report.pdf scan reports will contain different information.

INFORMATION COMPUTER EXTERNAL DRIVE FOLDER SCAN SCAN SCAN

Live system information ●

l Encryption detection

l Desktop screenshot

l RAM captured

Drives scanned ● ●

Folders scanned ●

Located applications ● ● ●

Keyword hits ● ● ●

CSAM detection ● ● ●

Web related hits ● ● ●

Operating system related inform- ● ation

Error list ● ● ●

View and export an error list

You can view and export a list of the error messages that were encountered during the scan.

23 User Guide

1. After the scan completes, click View Errors. 2. In the Error List dialog box, click Export to. 3. Browse to a location where you want to save the error list and enter a file name. 4. Click Save.

24 User Guide

EXPORTING FILENAME KEYWORD HITS AND CRC CSAM HITS

You can save files that were found in the Filename Keyword Hits and CRC CSAM Hits categories. Consider saving files to preserve evidence in case of complications with the original drive or files. You can also scan these saved files using a forensic tool, such as Magnet AXIOM.

Export filename keyword hits or CRC CSAM hits

After you complete a scan with the applicable advanced search settings enabled, you can export files from the Filename Keyword Hits and CRC CSAM Hits categories.

1. After the scan completes, click Filename Keyword Hits or CRC CSAM Hits. 2. Select one of the options below.

l Select the files that you want to save and click Save Selected Files.

l Click Save All Files. This might take a long time. If you're sure you want to save all files, click Yes in the dialog that appears. 3. In the dialog that appears, read the number of files saved, items skipped, and errors encountered. Then, click Ok.

In the Save Files window, you can check the status of the saved files, the location where they have been saved, and MD5 hash values for each file—which can be used later for verification. To reference this log later, open the ScanInfo.txt file in your case folder.

If you want to review which files you've saved, as well as the location where they've been saved, click View List of Saved Files. If you attempt to save a file that's already been saved, Magnet OUTRIDER detects that the file is already saved and skips this file.

Export a list of saved hits

You can export a list of the files that you've saved.

1. After you've saved all the Filename Keyword or CRC CSAM hits that you want to, click View List of Saved Files. 2. In the Detail View window, click Export to.... 3. Browse to the location where you want to save the file and enter a file name.

25 User Guide

4. Click Save. 5. In the dialog that lists where the file was saved, click Ok.

26 User Guide

UPDATING MAGNET OUTRIDER

Magnet OUTRIDER is occasionally updated to fix bugs, add features, update app lists, and improve the performance of the application. Click Check for Updates at least once every three months to check if a new update has been released.

Note: Magnet OUTRIDER can only check for updates on a computer with internet access.

Update Magnet OUTRIDER manually

1. In Magnet OUTRIDER, click Check for Updates. 2. If an update is found, click Yes. 3. When the Update Downloaded window appears, click Ok to restart Magnet OUTRIDER and complete the update. 4. When Magnet OUTRIDER restarts and successfully updates, read the release notes in the window that appears, and then click Ok.

Automatically check for updates

1. In Magnet OUTRIDER, on the Configure scan option screen, scroll to Misc options. 2. Select Automatically check for new releases of Outrider on startup.

If this option is selected once, Magnet OUTRIDER will remember that you have selected this option. You do not need to select this option every time you launch a scan.

27 User Guide

Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Magnet Forensics.

Magnet Forensics

2220 University Ave. E., Suite 300

Waterloo, ON, N2K 0A8

1 (519) 342-0195

This document was published on 11/19/2020.