AXIOM 2.7 From Magnet Forensics
Posted Friday December 14, 2018 (10:58:55)
by Jade James
Magnet Forensics started with software called Internet Evidence Finder (IEF), which predominantly helps investigators to carve internet-related artifacts from digital media, and then built on that to produce AXIOM. Magnet AXIOM 2.7 is a complete digital investigation platform which can recover most types of digital evidence from various sources including computers, smartphone devices, cloud services, IoT devices and more.
Magnet AXIOM analyses all the data within one case file, meaning you can add evidence from different sources into one case. This enables you to make connections between artifacts and have key evidence quickly available.
AXIOM is one tool but comes as two components: Process and Examine. You can use AXIOM Process to upload your pre-existing images or use it to acquire new images. AXIOM Process can also search drives, files and folders and other sources to find evidence. Using the many options given, you can really narrow down and focus your search by adding keywords, choosing whether to open and search archive files and mobile backups, calculating hashes and filtering out known hashes, categorising pictures and videos and a lot more other features.
You then use AXIOM Examine after the processing is complete to view the evidence that AXIOM has carved for you. The user friendly interface allows you to view the results by artifact and discover connections between evidence sources. Using the different views available, such as file-system or registry, you can start to really understand where the evidence was found within a system. AXIOM Examine allows you to tag items which can be looked at later and export your findings as reports.
New Features of AXIOM 2.0
AXIOM Case Dashboard
When you start up AXIOM 2.0, if you are familiar with previous versions then you will notice there is a new AXIOM Case Dashboard. This dashboard gives you the high-level details of your investigation, the evidence sources, and an overview of the digital evidence.
Magnet.AI was first introduced with AXIOM 1.1 and has been enhanced in the latest version of AXIOM. As well as searching for conversations that may contain grooming or child exploitation content, the Magnet.AI module now automatically flags potential child exploitation, pornography, weapon, drugs and nudity images. It also reviews text-based evidence to uncover potential sexual conversations. This functionality reduces the time and exposure needed by investigators to review individual photos which could be of a distressing nature.
From my understanding, Magnet.AI uses machine learning, an application of artificial intelligence (AI) that provides systems the ability to automatically learn and improve from experience without being explicitly programmed at each step.
Memory Analysis with Volatility Integration
Magnet AXIOM 2.0 now comes with Volatility fully integrated, allowing investigators to conduct memory analysis through user friendly software instead of command line prompts and to run multiple instances of Volatility concurrently.
Recovery of Data from Locked iOS & Android Devices
As there is an increase in the number of users securing data on digital devices, it is becoming more difficult to extract data from locked devices. AXIOM 2.0 can now ingest GrayKey images from Grayshift, and review evidence from locked iOS devices.
With AXIOM 2.0 you can also bypass passwords and recover full physical images on Motorola Android devices in addition to the Samsung and LG devices that were previously supported.
Viewing File System Artifacts
Once you have processed artifacts you can then view their contents using external applications such as HxD, Adobe Acrobat, Google Chrome, Microsoft Word and so on. Magnet AXIOM makes suggestions as to which application to use to view each artifact, from recently used Windows programs that are associated with each artifact type.
• Operating system: Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista (64-bit only)
• Software framework: Microsoft .NET Framework 4.5.2 or later
• Display resolution: minimum - 1280x720, recommended - 1080p
• CPU: minimum - 4 logical cores, recommended - 8-16 logical cores
• GPU: Compute capability of 3.5 or later, CUDA version 9.0
• Memory: minimum - 8 GB RAM, recommended - 32 GB RAM
• Storage: minimum – HDD, recommended - SSD
• Virtualization: You cannot use the image acquisition capabilities of Magnet AXIOM through a virtual machine. The rest of Magnet AXIOM functions as normal when you use it through a virtual machine.
Practical use of AXIOM 2.7
The installation is very simple, I was provided with the download link for the latest version of AXIOM. Once the installing of AXIOM is complete, you are presented with the AXIOM Process module in which you have to provide a valid licence key. When the key has been validated you are then able to begin your investigation.
On the Home Screen there is a tab which allows you to enter details of the case, such as the case number, type, location of case files, and location for evidence of the case to be saved and scan information. Within the case type field there is a drop down list that you can choose from (e.g. Child Exploitation, Fraud, and Counter Terrorism).
From there you can start to enter evidence from a computer, mobile or cloud source. With each option you can either choose to acquire the data or load pre-existing data.
Evidence Source – Computer allows you to either acquire data from a device that is connected to the host system or load existing data. AXIOM allows you to submit data from a drive, image, files & folders, volume shadow copy or memory (there are profiles which are set up for searching but these are currently only for Windows). AXIOM supports the following image file and archive types:
• EnCase Images (.E01, .Ex01, .L01, .Lx01)
• FTK Images (.AD1)
• Raw Images (.raw, .dd, .img, .ima, .vfd, .flp, .bif, .bin, .dmg, .dmp, .mem)
• Segmented Raw Images (.000, .001, .0000, .0001)
• Virtual Machine Images (.vdi, .vhd, .vmdk, .xva)
• DMG Images (.dmg)
• Archives (.cpio, .cpio.gz, .docx, .pptx, .rar, .tar, .tar.gz, .tgz, .xlsx, .zip, .zip.001, .7z, Zz001)
Evidence Source – Mobile allows you to either acquire data from a device that is connected to the host system or load existing data. AXIOM allows you to submit data from an Android, iOS, Windows, Kindle Fire or Media Transfer Protocol (MTP) device.
Evidence Source – Cloud allows you to either acquire data from the following sources (pictured) or load existing data (AXIOM Cloud image, Google takeout or iCloud backup).
If you choose to acquire data from an Apple device, you are prompted to either enter an authentication token or an Apple User ID and Password. Apple uses dual verification so you also need to enter the verification code from the device you are trying to access.
I was able to successfully extract iCloud backup data with AXIOM using my own personal Apple ID credentials. My cloud token and Apple ID/password were viewable in AXIOM Examine.
Once the iCloud backup is fully processed, I then used AXIOM Examine to view the contents.
Processing details allows you to define what you would like to search for. With Keyword searching, you able to define keywords or regular expressions to add to a filter. These can be imported as a list or entered manually. The ‘Search archives and mobile backups’ option will open and search archive files and mobile backups if enabled. You can also enter passwords for the mobile backups. AXIOM will calculate hash values for all files so that these values will be displayed in the file system view. You can also import MD5 and SHA1 hash values into AXIOM so that files of interest will be tagged for the file system explorer. By importing known hash values you can also use this to filter out non-relevant files: these can be known system files, thumbnails and so on.
Magnet.AI can categorise chat messages, pictures and videos. The categorisation of grooming/luring and sexual content only works on chat conversations and not individual chat messages. You are also able to import Project VIC/CAID files and hash sets so that AXIOM will automatically categorise pictures and videos. Magnet Forensics and the Child Rescue Coalition have integrated and therefore you are able to download .csv files from the Child Protection System (CPS) and import the files into AXIOM, which then automatically tags the relevant files.
During a search, AXIOM may discover SQLite databases for applications that are not supported by current AXIOM artifacts; however you can configure AXIOM to extract data from these databases anyway.
Artifacts are known data and file types which will automatically be recognised by AXIOM, such as Microsoft Word documents, audio files, Cortana, .eml files and so on. Depending on the evidence source, you can choose to select from 161 computer artifacts, 147 mobile artifacts and 53 cloud artifacts.
Magnet Forensics Artifact Exchange
The Artifact Exchange allows forensics professionals to upload the artifacts they have built, and help their peers with their cases, or download artifacts others have built to help with their own cases. You will be required to register for a Magnet Customer Portal account in advance of accessing this exchange.
Once you have started processing, AXIOM Examine will automatically open and you are presented with the new Case Dashboard. From here you can view artifacts which have been found so far, add case summary notes and choose to add another evidence source.
AXIOM saves all the case files, logs and artifacts to a destination folder of your choice. It is easy to re-access a case you have previously closed, as all the information is stored and easy to find again.
Navigating through the artifacts is very simple; you can view all artifact categories or view artifacts from one particular source.
You are presented with a lot of information regarding each artifact including the location, file offset on the physical drive, the source etc. With this information it may be useful to use another tool to verify the data provided by AXIOM, as sometimes the metadata may not be accurate.
Using the different views (classic, conversation, histogram, row, thumbnail, timeline, world map), you can configure the interface to your preferred settings.
When examining an artifact it is possible to click on the location which changes the dashboard to the file system view and will show you the hex and text of a file. It will also give you information on how it was decoded.
Right clicking on a file also allows you to export it, create a report, export to Project VIC, add/remove a tag or view connections. Building connections allows you to see a visual representation of the artifacts and how they relate to one another.
Reporting is also very simple: you can create reports in different formats and decide to include just high-level information or very detailed notes depending on your case structure. You can also create a report for a single file, or for all the files of interest.
In summary, Magnet AXIOM is a very powerful tool which enables you to process computer and mobile data all in one place. It is heavily geared towards the extraction and analysis of indecent material and internet artifacts. The many processing and examination options leave you spoilt for choice, which may be overwhelming to some. Although you are able to view the hex associated with a file, this isn’t automatically shown in a format you might be used to, but it is easy to adjust the view.
Due to the way the artifacts are carved by AXIOM, I was presented with several false positives, however this may not always be the case and it is easy to filter these out.
AXIOM comes with a lot of support via the Magnet Forensics Customer Portal, online documentation, the Artifact Exchange. It was also very useful to have a demo of the tool before use.
About The Reviewer
Jade James BSc (Hons) is currently a Digital Forensic Investigator at the Serious Fraud Office. She has previous professional Digital Forensic experience from working at IntaForensics, Home Office Centre for Applied Science and Technology and the City of London Police. Jade has gained experience from conducting Computer, Mobile devices examinations, Drone Forensics and has been involved with ISO 17025 & Quality Standards both as a Digital Forensic Practitioner and Quality Manager.
About Magnet Forensics
Magnet Forensics provide forensic products which leverage the latest technological innovations to help law enforcement, consultants, military, and private enterprise address the challenges of digital forensic investigations in the modern world. They use AI, automation, advanced searching techniques, modern data visualization and more to help investigative teams find digital evidence and understand the story it is telling.
Article content received from: Forensic Focus,