How To Use AXIOM In Malware Investigations: Part II

Hey everyone, Tara Nelson here with Magnet Forensics. Today I’m going to give a little insight into how AXIOM can help with some of your day-to-day investigations. In this video we’re going to talk a little bit about malware investigations.

There is a Part I to this segment, in which I focus on reviewing memory as part of a malware investigation in AXIOM, so if you haven’t seen that yet, I encourage you to go check it out. This video will focus on additional key features that AXIOM has to offer that could also be useful in a malware examination.

To start off, I’ve identified this process of interest, named ‘Fake Intel’, through our Volatility output from memory, which I believe could be malicious.

Because we also have the endpoint loaded into our case, we can quickly see whether there are any correlating artifacts on the operating system that might be useful to our examination.


So I’m going to go ahead and search for that name up here, and hit Enter. And then I can switch to our operating system artifacts. And you can see that there are a few places where this process appears on the endpoint: there are prefetch files; there are references in Windows event logs – you can see that highlighted when I scroll down here – and here we can also see this Fake Intel executable in the AutoRun Items.

So it’s always pretty key to try to determine how malware maintains persistence on the infected workstation, and one of the common locations that is used is the Run key in the user’s registry hive.

So we can see here pretty easily that this potentially malicious executable file, which is referenced in the Run key of this user’s NT registry hive, will be launched each time the user logs in, from the location in the user’s Temp folder.

Doing analysis within AXIOM allows us to use some additional features within the tool, such as building a timeline of activity to see the different types of events that happen when this incident occurred.

The timeline in AXIOM includes file system dates and times, as well as the timestamps associated with the artifacts that are parsed out. So I’m going to go ahead and build a timeline out of this modified registry key date and time. I’m going to see what happens one minute before and after, and it’s going to open in the Timeline explorer.

When I click ‘OK’, as you can see as I’m scrolling through, there are artifacts here, as part of this timeline, from both the infected operating system and the memory image.

So you can really see the advantage of having all your evidence sources in one interface, to be able to correlate all of this data and really get an idea of the events that occurred in your evidence during a malware incident.

AXIOM also allows you to build connections, to give you an idea of how artifact attributes in your case are related across all of your evidence items.

So you can see I’m able to build connections off of anything you see this little icon next to. So I click that, and I build it off of that file name of interest. And now you can see it gives a representation of related artifacts: some are from the memory, and some are also from the operating system as well.

So those are just a couple of tips of how AXIOM can help in a malware examination. We hope you try it out. Thanks for watching, everyone.
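The two checks the video walks through by hand, flagging a Run-key entry that launches from the user's Temp folder and pivoting a cross-source timeline one minute either side of the registry key's last-write time, can be scripted once the artifacts have been parsed out of the hive and the memory image. The following is an added example written for this page, not code from the video or from Magnet Forensics, and it does not read AXIOM output: the Run-key values and the timeline events are constructed sample data, the user name `tara` and every timestamp are made up, and the set of "suspicious" launch directories is an assumption you would tune to your environment.

```python
"""Added example: triage Run-key persistence entries and pivot a timeline
around a registry key's last-write time.  All input data below is constructed."""
from datetime import datetime, timedelta
import re

# HKCU\Software\Microsoft\Windows\CurrentVersion\Run, as it lives in NTUSER.DAT.
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed Run-key values as a hive parser would hand them over:
# (value name, value data).  The "Fake Intel" entry mirrors the video's case.
RUN_VALUES = [
    ("OneDrive", r'"C:\Users\tara\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Fake Intel", r"C:\Users\tara\AppData\Local\Temp\fakeintel.exe"),
    ("Updater", r"C:\Windows\Temp\upd.exe -s"),
]

# Assumed list of user-writable directories that legitimate autoruns rarely
# launch from; extend it for your own environment.
SUSPICIOUS_DIRS = (
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\Windows\\Temp\\", re.I),
    re.compile(r"\\Users\\Public\\", re.I),
)


def executable_path(command):
    """Return the executable path from a Run value's command line.

    Handles both quoted paths with arguments and bare paths with arguments.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def flag_run_entries(values):
    """Return (name, path) for Run entries launching from a suspicious directory."""
    flagged = []
    for name, data in values:
        path = executable_path(data)
        if any(pattern.search(path) for pattern in SUSPICIOUS_DIRS):
            flagged.append((name, path))
    return flagged


# Constructed timeline events from two evidence sources, all UTC:
# (timestamp, source, description).
EVENTS = [
    ("2024-05-02T13:59:00", "memory", "network connection from fakeintel.exe"),
    ("2024-05-02T14:03:10", "memory", "process created: fakeintel.exe"),
    ("2024-05-02T14:03:12", "endpoint", "prefetch file written for FAKEINTEL.EXE"),
    ("2024-05-02T14:03:15", "endpoint", "NTUSER.DAT Run key last write"),
    ("2024-05-02T14:03:40", "endpoint", "Windows event log: process creation"),
    ("2024-05-02T14:10:00", "endpoint", "file system: browser cache written"),
]


def pivot_timeline(events, pivot, window=timedelta(minutes=1)):
    """Return events within +/- window of the pivot time, sorted chronologically.

    `pivot` is a datetime (e.g. the Run key's last-write time); events are
    (ISO-8601 string, source, description) tuples.
    """
    start, end = pivot - window, pivot + window
    hits = [
        (datetime.fromisoformat(ts), source, desc)
        for ts, source, desc in events
        if start <= datetime.fromisoformat(ts) <= end
    ]
    return sorted(hits, key=lambda event: event[0])


if __name__ == "__main__":
    for name, path in flag_run_entries(RUN_VALUES):
        print(f"[persistence] {RUN_KEY}\\{name} -> {path}")
    run_key_written = datetime.fromisoformat("2024-05-02T14:03:15")
    for when, source, desc in pivot_timeline(EVENTS, run_key_written):
        print(f"[timeline] {when.isoformat()} {source:8} {desc}")
```

Running the script flags the `Fake Intel` and `Updater` entries and lists the four events that fall within a minute of the Run key's last write, with the earlier memory event and the later cache write excluded; the point is that the window and the suspicious-directory list are the two knobs you would adjust when repeating the video's pivot against real parsed data.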
