Identifying Unique Devices and Systems in Magnet AXIOM Investigations
The Identifiers artifact has been a staple for Magnet AXIOM users for quite some time. The premise of this artifact is relatively simple, yet quite helpful in most investigations: Identifiers will search through all of the recovered artifacts for anything that might uniquely identify a person or user. This could be a real name, username, alias, email address, phone number, etc. — anything that might help an examiner further in their investigation. It can do this by tying additional digital evidence (such as matching up a computer and phone, or assisting and corroborating any open source intelligence) that may have also been gathered to part of the larger investigation.
Anything that might help uniquely identify a person of interest in an investigation can be quite helpful. Traditionally, our Identifiers artifact has been focused around people identifiers, but the same value could be stated for identifying devices as well. There are many times in past investigations where tracking devices have proved useful. Tracking IP addresses and hosts through a network intrusion is vital even on an internal network where there may be lateral movement. Or identifying a specific mobile device on a Wi-Fi access point via it’s MAC address can also be quite helpful. Tracking when a mobile device connects and disconnects from a given Wi-Fi network also helps track the person in possession of the device which has certainly helped me in many past investigations.
New in Magnet AXIOM 3.11, we’ve added a new artifact to track unique devices by their attributes such as IP address, MAC address, serial numbers, hostname, etc. This new artifact is called “Identifiers – Device” and to avoid confusion we’ve renamed the existing Identifiers artifact to “Identifiers – People”. Both can be found under the Refined Results category.
Both sets of identifiers can make use of the Profiles feature in AXIOM as well. Profiles allow you to build a profile around a particular person (or device) and assign additional identifiers to it. For example, if you identify an email address for your suspect and you also know their real name or alias, you can build a profile pairing these identifiers together allowing you to view any artifact that’s tied to either identifier. Same can be now done for device identifiers where you can tie a specific hostname, IP address, MAC, etc., to a profile and allow any related artifacts to be filtered on when any one of the identifiers are matched.
The Identifiers export also functions with the new device identifiers as well allowing you to export a list of identifiers outside of AXIOM for further analysis.
Personally, this new artifact is one I’ve wanted to do for quite some time and am glad we were finally able to add it in. I think it will be quite helpful to examiners and will speed up the process of collecting this valuable information for your investigations.
As always, if you have any questions or feedback feel free to reach out to me at jamie.mcquaid@magnetforensics.com.