Hey everyone, Tarah Melton here, and today we’re going to walk through a workflow that you can use alongside a new artifact in AXIOM 4.4 that will help you present data output from Magnet’s free too, the Magnet Web Page Saver.
The Magnet Web Page Saver, or WPS, will capture how web pages look at a specific point in time, with tons of features including the ability to save LinkedIn embedded images and videos from those captured web pages that you can then process and hash within Magnet AXIOM afterwards.
So let’s walk through this workflow really quick.
First, I’m here in AXIOM Examine, and suppose you’re analysing your internet-related artifacts in your case, and you want to further analyse the data hosted on those artifacts that you’re seeing. With this workflow, I’m going to show you how you can easily export those URLs from AXIOM, import them into WPS, and then import the output from WPS back into AXIOM to add to your examination.
From AXIOM you can export the internet activity of interest; in this case I’m going to use a template I have created. I can either right click and choose ‘Create export / report’ from the artifacts list, or I can go up to the top file menu and choose that there as well.
Going through the report building steps for a CSV export, I will click ‘Next’, and then in the items to include I am going to go ahead and use this template that I have created for WPS.
If you click ‘Manage templates’ in the top right, you will have the ability to create and edit and import some specific templates for artifacts that you can manage and share within your own lab. And same with the templates for specific columns that you want to include.
I’ll click ‘Edit’ here just to show you what I have selected for this specific template. You can see I have selected only specific artifacts related to web activity for use in WPS. But you can create specific templates for whatever you need to use in your lab, whatever fits your specific use cases.
I’ll close out of these windows, and you can see I’ve selected this template for WPS. And when I click ‘Next,’ only those artifacts that I have selected from that template are going to be included.
Next I’m going to choose a column template as well. This is only going to include the pre-selected columns for each of these artifacts that you want to export in your report.
I’m going to go ahead and finalise this export. And you can see that it is exporting to CSV now. And I have that exported CSV open over here, and as I scroll through, you can see there’s URLs from all of those specified artifacts, along with the additional columns that I had specified in my templates.
Now open the Magnet Web Page Saver. Again, this is a free tool that you can download from Magnet’s resource center. I have the ability to import URLs from either a text or CSV file. And just to note, in CSV files it doesn’t matter if there is additional data in that spreadsheet like we have in our export. It’s only going to pull in those listed URLs.
So I’m going to navigate to the exported CSV that we exported from AXIOM, and now those URLs are listed here to be captured with WPS. I’m going to go ahead and save that. And then I’ll click on the options here. And what I want to point out is, if you’re going through this workflow, to make sure to check this box next to the SQLite output. This will output the data pulled by WPS into a SQLite database file, including the images pulled from those web pages, for easy import into AXIOM.
Now I’ll save that. And when I click ‘Start,’ I just have to give it an output path, and once I do you’ll see that it’ll start iterating through that imported URL list and start capturing those web pages.
So I already have some output from a previous pull of WPS, as you can see here, and I’m going to transition back to AXIOM and I want to add a new evidence to the case that I’ve been working. So I’m going to navigate to the Process menu, and I’m going to say ‘Add new evidence to case.’ And then within AXIOM Process, I’m going to go ahead and add that SQLite database from WPS as an evidence item. So I’m going to go to ‘Windows,’ ‘Load evidence,’ ‘Files and folders,’ and then browse to that db. And then I’m going to go ahead and name that ‘WPS Output.’
And then down in the list of artifacts, we now have under the web-related category this Magnet Web Saver artifact to select. Previously you could select it as a custom artifact to bring this data into your case, but this integrated artifact adds even more capability.
So I’ve already processed this database, so back in Examine I’ll just filter for that processed evidence from WPS. And here’s the output. You will see that there is three separate artifacts: we have captured HTML, captured media, and then also captured web pages, which will display the captured web page in the Preview pane.
And for many of these artifacts, you are able to use additional features in AXIOM, like building connections from this output.
This workflow with this new artifact in version 4.4 in AXIOM is super helpful when you want to deepen your analysis of internet-related activity in your examination. Also, don’t hesitate to check out the resource center on the Magnet Forensics website for more blogs, how-to videos and webinars for even more specifics of creating and utilizing reporting templates; using the Magnet Web Page Saver and other free tools; and more. And please let us know if you have any comments or questions.
Thanks for watching.
