Using Magnet AXIOM for Your Forensic Analysis
With the exponential growth of digital data in forensic examinations, it is vital for examiners to leverage advanced analysis techniques to minimize the time it takes to sift through the vast amounts of evidence. Having Magnet AXIOM in your toolkit can help streamline that analysis across all your casework!
We integrated a variety of features into AXIOM to help you efficiently surface the data relevant to your case, making the most of your time and allowing for more thorough end-of-case reporting. Best of all, these features work across all evidence sources, be it computer, mobile, cloud or memory. Whether you are in law enforcement or in a corporate environment, here are some ways you can fully utilize AXIOM’s analysis capabilities.
Connections
If you haven’t tried out Connections, you might be missing out on an incredibly streamlined way to analyze your evidence. The Connections feature in AXIOM gives you a visual representation of how your artifacts are related in your case. Using the properties of each artifact, called artifact attributes, you can show relationships between an attribute of your choosing, such as a filename or hash value, to other related artifacts in your case.
Very quickly, you can connect the dots between mobile devices, cloud sources, external storage devices, and both Mac and Windows operating systems that you might be reviewing in your case. Connections makes it very easy to identify how important files moved between evidence sources, who has accessed them, how individuals communicated, and with what applications. Utilizing Connections is a fast and efficient way to find the relevant entries in heavily populated artifacts such as the UsnJrnl, $Logfile, Windows Event Logs, SRUM data, Office 365 Audit Logs, or FSEvents. See Connections in action here:
Enhanced Timeline
Magnet AXIOM’s Enhanced Timeline view provides an incredibly comprehensive compilation of all of the dates and timestamps parsed out in your case. This includes timestamps reported by the file system, but because AXIOM takes an artifact-first approach to processing data, any timestamps parsed from the artifacts in your case are included as well. This is incredibly important for really understanding the activity that occurred on your evidence, especially considering artifacts that have numerous timestamps parsed from them, such as LNK or prefetch files, chat records, or logs.
Examiners can take advantage of our different time filters as well, to help narrow down to the most relevant data in their case. Using the relative time filter, examiners can set a timestamp of interest as the anchor and view a specific period of time both before and after that timestamp. While reviewing the output of your processed case in the Artifacts explorer, the relative time filter can be set and, if you choose, will take you directly to the Timeline view.
Additionally, AXIOM has an absolute time filter, in which we separate the ability to filter on dates and times. This allows for granular date/time filtering to ensure you only see the times needed for your case.
Read more about our Timeline Explorer here and then check it out for yourself!
Advanced Filtering
Within AXIOM Examine, we’ve added the ability to perform advanced filtering of your data, including allowing for multiple search terms, proximity searches, and an include/exclude function. This will help you surface the data you need in your investigation that much quicker. As shown below, examiners can perform string searches or utilize regular expressions. Additionally, they can add more granular filter features, such as specifying whole words only or case sensitivity. These advanced filtering options can be run globally against your case, or only against a specific column that you’re interested in. See it in action here!
Magnet.AI
Magnet.AI helps you quickly identify chats and pictures of interest in your case by using machine learning models that have been trained with real data sets. Content of interest discovered by Magnet.AI will be tagged, such as vehicles, weapons, documents, sex-related content, and more, giving examiners a convenient starting point in an investigation. Examiners have the option to choose which AI models they wish to run on their case, making sure the time spent processing is relevant to the type of case being worked. With that in mind, whether you are in a Law Enforcement or Corporate environment, there is likely to be a useful Magnet.AI module for you! Check out an example here!
Media Categorization and Officer Wellness
Although specific to our Law Enforcement customers, this feature of Magnet AXIOM is definitely worth noting. Our media categorization capability comes with increased compatibility with Project VIC/CAID hash sets. We’ve incorporated more metadata from these hash sets, such as known offender or victim, or whether the file was validated by Project VIC, and they can easily be imported from either JSON or text format in AXIOM Process.
In AXIOM Examine, examiners can quickly filter and view items of interest based on the additional metadata tags from the Project VIC and CAID hash sets. Manual analysis of files is also now easier than ever. AXIOM allows for the categorization of newly identified files of interest either one at a time or in bulk. In addition, our Officer Wellness features allow for blurring illegal media thumbnails, automatically muting audio on videos, setting reminders to take breaks during analysis, and keeping track of grading progress, which aims to help reduce overexposure to the difficult content that investigators have to endure.
Dynamic App Finder and Custom Artifacts
Analyzing mobile device applications on both iOS and Android platforms can prove challenging, as it is impossible for commercial tools to support them all. In AXIOM, we try to alleviate some of this pain by including the Dynamic App Finder in AXIOM Process. If you choose, AXIOM will search for SQLite databases from applications that are not currently supported as a normal artifact. The Dynamic App Finder will look for databases that contain certain types of data, such as geolocational data, URLs, email addresses, etc., and allows the examiner to review this data when processing is complete. When you review the output, any recovered data that might be relevant to your case can then be added as an artifact, and can also be processed in future cases as well!
The data added to your case from the Dynamic App Finder can be configured as a Custom Artifact to run on future cases, but that isn’t the only way to add Custom Artifacts to AXIOM. Within AXIOM Process, you can easily add custom file types for AXIOM to parse as an artifact. This is a great way to ensure file types that you might see time and again in your investigations are being readily recovered for easy review, even if AXIOM does not currently support them as an artifact type.
Additionally, AXIOM allows for the import of specialized custom artifacts that can either be written by you, or downloaded for free from our customer portal! Our Artifact Exchange contains a collection of custom artifacts written by the DFIR community, for the DFIR community, in either Python or XML format, written for recovery of evidence that AXIOM does not currently support. If you come across evidence that you want to create your own custom artifact for, there are guides to walk you through the process. We encourage you to submit any of your newly written artifacts to the Artifact Exchange to share with the rest of the DFIR community!
SQLite Viewer
Whether to validate findings from a forensic tool, or to examine artifacts from an application that may not yet be supported, examiners are often forced to dig into SQLite databases regardless of the type of investigation they are working on. In AXIOM Examine, we have implemented an enhanced SQLite Viewer, with features that can make that analysis easier, including the ability to hide and filter on columns, search tables, and perform custom SQL queries. You can convert and decode data stored within the database to multiple different formats, such as ASCII, hex, Unicode, Boolean values, and various date/time formats. Finally, examiners can view or save cells that contain BLOB data, such as pictures, music, or video files, and can even view cells that contain binary plists internally in AXIOM’s built-in plist viewer. Read more about our SQLite Viewer here!
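As an added illustration of the two ideas behind the Dynamic App Finder and SQLite Viewer sections above (this is example code, not AXIOM’s code and not how Magnet implements either feature), the following Python script samples every column of an unknown SQLite database to flag columns that hold e-mail addresses, URLs, timestamps or coordinates, and decodes integer timestamps into readable UTC by guessing their encoding from magnitude. The in-memory database, the regexes and the magnitude thresholds are constructed assumptions for the demo.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample database standing in for an unsupported app's SQLite store (not real app data).
SAMPLE_SQL = """
CREATE TABLE msgs (id INTEGER, sender TEXT, body TEXT, ts INTEGER, lat REAL, lon REAL);
INSERT INTO msgs VALUES (1, 'alice@example.com', 'see https://example.org/doc', 1700000000, 51.5074, -0.1278);
INSERT INTO msgs VALUES (2, 'bob@example.com', 'ok', 1700000060, 40.7128, -74.0060);
"""
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")
URL_RE = re.compile(r"https?://\S+")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # WebKit/Chrome epoch

def open_sample():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_SQL)
    return conn

def decode_timestamp(value):
    """Heuristically pick a timestamp encoding by magnitude; return (format, ISO-8601 UTC string)."""
    v = int(value)
    if 10**9 <= v < 10**11:   # Unix seconds
        return "unix_s", datetime.fromtimestamp(v, tz=timezone.utc).isoformat()
    if 10**12 <= v < 10**14:  # Unix milliseconds (common in Android app databases)
        return "unix_ms", datetime.fromtimestamp(v / 1000, tz=timezone.utc).isoformat()
    if 10**16 <= v < 10**18:  # WebKit/Chrome microseconds since 1601-01-01
        return "webkit", (EPOCH_1601 + timedelta(microseconds=v)).isoformat()
    return "unknown", None

def classify_columns(conn, sample=50):
    """Return {(table, column): kind} for columns whose sampled values look like e-mail, URL, timestamp or coordinate."""
    found = {}
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA arguments and identifiers cannot be bound as parameters, so names are quoted into the SQL text.
        for col in [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]:
            vals = [r[0] for r in conn.execute(f'SELECT "{col}" FROM "{table}" WHERE "{col}" IS NOT NULL LIMIT ?', (sample,))]
            if not vals:
                continue  # all-NULL column: all([]) would be True, so skip it explicitly
            if all(isinstance(v, str) and EMAIL_RE.match(v) for v in vals):
                found[(table, col)] = "email"
            elif any(isinstance(v, str) and URL_RE.search(v) for v in vals):
                found[(table, col)] = "url"
            elif all(isinstance(v, int) and decode_timestamp(v)[0] != "unknown" for v in vals):
                found[(table, col)] = "timestamp"
            elif all(isinstance(v, float) and -180.0 <= v <= 180.0 and v != int(v) for v in vals):
                found[(table, col)] = "coordinate"
    return found
```

Calling `classify_columns(open_sample())` flags `sender`, `body`, `ts`, `lat` and `lon` while leaving the plain `id` counter alone; `decode_timestamp(13350000000000000)` resolves the WebKit value to 2024-01-17T21:20:00 UTC.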
Source Linking Artifacts to File System and Registry
Magnet AXIOM takes the artifact-first approach, but it is often useful to view files and parsed data in their native format. With source linking found in AXIOM Examine, you can easily click the source link from Artifact view, which will take you to the exact location that artifact was parsed from in the File System or Registry Explorer. This allows the examiner to perform further analysis of that location, to determine if any additional files or registry keys might be of interest to the case. In File System view, you even have the option to view the data in hex or text format, and highlight data that AXIOM will then decode for you as seen in the screenshot below, further verifying your results.
Conversation View and Chat Bubbles
There are multiple great ways to review chat messages that AXIOM recovers in your case. In the Artifacts explorer, you can switch to conversation view, which will thread together messages parsed from the same conversation for easier review.
The chat preview in AXIOM Examine will also show the selected chat messages in chat bubbles. This is a great way to illustrate chat data to nontechnical stakeholders, as it is a very familiar way of viewing this type of data and can therefore allow for further understanding of your reporting.
World Map View
The Artifacts explorer lets you switch to World Map View to visualize where your digital evidence has been. Any artifacts that contain geolocational data will be plotted on the map, so you can see exactly where in the world the artifacts are reporting from and can track details of the movements of your digital evidence. This can be vital to your examination and increase the impact of reporting that you do on this data.
Conclusion
As you can see, Magnet AXIOM comes jam-packed with tons of analysis features to let you dig deeper in all of your examinations. Try it out for yourself! If you’re not already using AXIOM, you can request a free 30-day trial today.