AXIOM Cyber  

BytesDigger
(@bytesdigger)
New Member

Any of you guys played with AXIOM Cyber? I tried an early version of the beta… it was neat to get RAM remotely but it did not provide much more than that. The account rep at the time mentioned that they were looking at adding more features. Seeing that they released the product, I'm wondering if the feature-set is more complete now.

Anyone here tried it? What does it give other than the live memory?

Posted : 01/02/2020 9:50 pm
dandaman_24
(@dandaman_24)
Active Member

Anyone here tried it? What does it give other than the live memory?

Try reading Magnet's page on the product
https://www.magnetforensics.com/products/magnet-axiom-cyber/

Posted : 02/02/2020 9:33 am
BytesDigger
(@bytesdigger)
New Member

I've read it, mostly marketing BS with lots of buzzwords. It doesn't say much about the product features and capabilities. I was hoping to hear a little more without having to talk to a rep… I get enough junk in my mailbox as it is!

Anyone here tried it? What does it give other than the live memory?

Try reading Magnet's page on the product
https://www.magnetforensics.com/products/magnet-axiom-cyber/

Posted : 02/02/2020 9:54 pm
jpickens
(@jpickens)
Active Member

Wonder if they'll begin supporting dongle-less licenses with this new version. Product brief doesn't say much.

Posted : 03/02/2020 2:19 pm
MagnetForensics
(@magnetforensics)
Junior Member

Anyone here tried it? What does it give other than the live memory?

Morning,

Happy to answer any questions the community has around AXIOM Cyber. In terms of what can be collected, as you mentioned we can grab live memory, both full RAM captures as well as specific processes, logical and physical file collection over a network connection. We also have targeted locations preset for quick selection and acquisitions from the endpoint under investigation (i.e. browser history, desktop collection, documents collection, MFT, and the PageFile to name a few).
Here’s a quick YouTube video on the network acquisition capabilities with AXIOM Cyber.

Network Acquisition with AXIOM Cyber

Posted : 04/02/2020 2:28 pm
jaclaz
(@jaclaz)
Community Legend

Seen from the outside, it seems to me like there is a new product and prospective buyers for it are perplexed by the lack of documentation about its features, and the replies to these (IMHO legitimate) doubts are provided by means of
1) an AMA 😯
2) some generic "to name a few" meaningless list
3) a "quick" youtube video

Maybe, just maybe, producing a proper document about the features and licensing of this new tool might be more suitable, and would be a solution that would extend to other people (besides the forum members) that may have the same doubts.

Since the intended audience is made of professional investigators, already familiar with the concepts, I believe that the document could even be in the "quick" form of a "cheat-sheet" or "check-list".

jaclaz

Posted : 04/02/2020 2:52 pm
mcman
(@mcman)
Active Member

Wonder if they'll begin supporting dongle-less licenses with this new version. Product brief doesn't say much.

Yep, there's a dongle-less option for Cyber. There are machine licenses and I believe they're building out some other license server options as well.

Along with the remote agent capabilities already mentioned there's some additional cloud functionality as well. Admin access to services (O365/Gsuite/Box/Slack/etc…)

Maybe, just maybe, producing a proper document about the features and licensing of this new tool might be more suitable, and would be a solution that would extend to other people (besides the forum members) that may have the same doubts.

Fair feedback but it just launched and I'm sure they're still writing some of the documentation and marketing material for it. If you reached out to your rep, they might actually already have it available but not posted to the website.

In the meantime, here's a bunch of other videos that show it being used in different circumstances
Incident Response - https://www.youtube.com/watch?v=sDw18h03xI8
Remote Acquisition - https://www.youtube.com/watch?v=kLlHorQcmdI (previously linked)
Harassment Investigation - https://www.youtube.com/watch?v=8hoLpT5pMjM
IP Theft Investigation - https://www.youtube.com/watch?v=exPJRcvKItE
Fraud Investigation - https://www.youtube.com/watch?v=gurHvkKi2Xw
Employee Misconduct - https://www.youtube.com/watch?v=SAfnFDQqzGE

Hope that helps, feel free to reach out if you have any questions. I don't work on the sales side so you'll have to reach out to your rep for anything sales related but I can definitely help out on anything on the technical side.

Jamie McQuaid
Magnet Forensics

Posted : 04/02/2020 5:30 pm
MagnetForensics
(@magnetforensics)
Junior Member

Wonder if they'll begin supporting dongle-less licenses with this new version. Product brief doesn't say much.

Afternoon,
Please feel free to reach out to our team at sales@magnetforensics.com to learn more about our different licensing options!

Posted : 04/02/2020 6:10 pm
BytesDigger
(@bytesdigger)
New Member

A couple of questions about the file system collection component

1) Is the file collection more targeted to grab a few specific files, or can we grab a large amount of data by doing a pull over the network? More specifically, is it a viable option to create a "triage image"? If so, how specific/granular can this get? Can I create my own definition of the files that need to be pulled? Would timestamps of the evidence collected still be reliable?

2) Can I do a full file system acquisition (with slack space and unallocated space)? I'm guessing not, since that would likely require some driver wizardry. If no, is it on the roadmap?

3) Is it possible to pull files that are being used on the target system? For example, would I be able to pull the .OST file of a user while they have Outlook open? If so, is it transparent to the user?

4) Can it pull a protected system file? (e.g. the SAM file)

Anyone here tried it? What does it give other than the live memory?

Morning,

Happy to answer any questions the community has around AXIOM Cyber. In terms of what can be collected, as you mentioned we can grab live memory, both full RAM captures as well as specific processes, logical and physical file collection over a network connection. We also have targeted locations preset for quick selection and acquisitions from the endpoint under investigation (i.e. browser history, desktop collection, documents collection, MFT, and the PageFile to name a few).
Here’s a quick YouTube video on the network acquisition capabilities with AXIOM Cyber.

Network Acquisition with AXIOM Cyber

Posted : 05/02/2020 12:38 am
mcman
(@mcman)
Active Member

A couple of questions about the file system collection component

1) Is the file collection more targeted to grab a few specific files, or can we grab a large amount of data by doing a pull over the network? More specifically, is it a viable option to create a "triage image"? If so, how specific/granular can this get? Can I create my own definition of the files that need to be pulled? Would timestamps of the evidence collected still be reliable?

2) Can I do a full file system acquisition (with slack space and unallocated space)? I'm guessing not, since that would likely require some driver wizardry. If no, is it on the roadmap?

3) Is it possible to pull files that are being used on the target system? For example, would I be able to pull the .OST file of a user while they have Outlook open? If so, is it transparent to the user?

4) Can it pull a protected system file? (e.g. the SAM file)

1) For the collection you have a few options: you could grab full disks or volumes (not ideal over the network), single files or folders that you specify, or we have defined sets of targeted collections (such as all user profiles, $MFT, registry hives, etc… most common stuff you might need for investigations), so it's pretty flexible. We don't allow for custom lists quite yet but it's on the list to allow users to customize and save those customizations. The timestamps would be maintained in most situations, artifact times and metadata timestamps always, and file system/MAC times get preserved as long as it stays within a container. If you just save individual files to your desktop or anything like that, normal MAC time changes would occur as you're transferring across volumes. Ideally you'd keep it in a container most times anyway.

2) Yep, we'll do a full file system at the disk or volume level which would include slack and unallocated. It's basically a stream of the data so it will grab everything. Downside like most things over the network is that it's slow but otherwise works if that's what is needed. You can't grab unallocated as a single item logically but grabbing the volume will include it.

3) We can grab live files (actually we can even grab live processes from memory, which are always in use). Obviously if the file completely disappears in mid download because the user deletes it or something, it will fail or only get partial files but we'll do checks when we grab files so that it will allow you to retry if something fails or disappears. This shouldn't be noticed by the user at all.

4) We do get protected files on unencrypted drives right now but not quite yet on encrypted drives but that's being worked on as we speak so I would expect to see it added soon, just didn't make it in time for release but was definitely asked for as part of the beta so stay tuned for that one.

Hope that answers everything you asked, still a lot of things we want to add to it but works quite well with some unique ways to collect data from remote systems which should solve some pain points that you might have previously encountered when doing remote collections. Request a trial, give it a go and let me or someone else know what you think, we're always big on getting feedback from users and that typically dictates how we prioritize features and improvements.

Jamie McQuaid
Magnet Forensics

Posted : 05/02/2020 3:47 pm
pbobby
(@pbobby)
Active Member

I beta tested Axiom Cyber - some datapoints for you.

1. Endpoint is Windows only.

2. No parsing of NTFS data structures (so no filtering of content based on permissions), no signature analysis. Everything based on just name. So perhaps good for triage gathering.

3. Can collect files by 'type', but these categories are not editable. And since data structures aren't parsed, I can't constrain the collection by an NTID. For example, I want all PSTs and .docx for a particular Owner SID, no go.

4. What does the acquisition data look like when you collect it? Okay, this is where it gets silly.

The product creates one folder on my local system per target file! Yes, collecting 5000 files? Axiom Cyber creates 5000 local folders.

When the collection is finally complete, you have a ZIP of the target contents! Yes a ZIP, not a forensic container, a ZIP of the collected files.

To be honest, if that's all that is happening, you might as well get permissions on the target device and just mount C$.

Axiom Cyber has a ways to go.

Posted : 06/02/2020 1:36 pm
MagnetForensics
(@magnetforensics)
Junior Member

Hi pbobby,

Thanks for sharing your experience and feedback - always helpful for us to know where we're doing well and where we need to do some work.

Just a few comments on your points below

1. Yes, just Windows right now but Mac is coming soon.

2. This is helpful - I'll chat with the team to see if the NTFS permissions/data structure items are on the roadmap. I can totally see the value of using those attributes as criteria for collecting files.

3. The 'collect by type' categories will be customizable in an upcoming release, that's definitely already on the roadmap.

4. Also appreciate your candid feedback here - we do have plans to add support for the AFF4-L (logical) image format for those who want a forensic container. We used ZIP initially to keep things simple and use a standard format that many other tools would support, and selected AFF4-L as the next format option since it's an open format. I do believe we're also taking steps today to preserve the MAC times of the files and we store all the files' metadata in a log file that includes hashes of all the collected files so that can always be re-verified if ever questioned.

I'll reach out to you offline as I'm sure our team would love to get on a call with you to go into all of your feedback in more detail, if you'd be open to that.

Thanks!
Jad

Posted : 06/02/2020 1:48 pm
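Jamie's answer to question 1 above (file-system/MAC times survive inside a container but change when loose files are copied across volumes) and Jad's point 4 (a log of every collected file's metadata and hash so the collection can be re-verified if questioned) describe the same defensive check: a collection manifest that is hashed itself, then used to confirm that what sits on the examiner's disk is still what was collected. The following is an added example in Python and is not Magnet's code or the AXIOM Cyber log format; the manifest layout, the directory names, the sample files and their pinned timestamps are all constructed for illustration, and the three copies show the cases the thread discusses (preserved, loose copy with lost timestamps, file altered after collection).

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Hypothetical manifest file name, not the AXIOM Cyber log format.
MANIFEST_NAME = "collection_log.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large collections need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime for every file under root.
    ctime is not recorded: no copy can preserve it, so it cannot confirm a match."""
    entries = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            entries[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,
            }
    return {"entries": entries}


def write_manifest(manifest: dict, dest: Path) -> str:
    """Write the manifest as JSON; return its own hash, to be kept apart from the files."""
    dest.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return sha256_file(dest)


def read_manifest(src: Path, expected_sha256: str) -> dict:
    """Reload the manifest, refusing it if the log itself has been altered."""
    if sha256_file(src) != expected_sha256:
        raise ValueError("manifest hash mismatch: log may have been altered")
    return json.loads(src.read_text())


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the files under root with the manifest and classify each one."""
    report = {"ok": [], "hash_mismatch": [], "mtime_changed": [], "missing": [], "unexpected": []}
    expected = manifest["entries"]
    for rel, rec in expected.items():
        path = root / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != rec["sha256"]:
            report["hash_mismatch"].append(rel)
        elif path.stat().st_mtime_ns != rec["mtime_ns"]:
            # Content intact but file-system time lost: what a plain copy of loose files does.
            report["mtime_changed"].append(rel)
        else:
            report["ok"].append(rel)
    for path in root.rglob("*"):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel not in expected:
            report["unexpected"].append(rel)
    return report


def demo() -> dict:
    """Constructed end-to-end run: stage a small collection, copy it three ways, verify each."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        staged = tmp / "collected"
        files = {  # constructed sample content, not real user data or a real hive
            "Users/alice/notes.txt": b"constructed sample document\n",
            "Windows/System32/config/SAM.sample": b"\x00" * 64,
        }
        for rel, data in files.items():
            target = staged / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
            os.utime(target, ns=(1_580_000_000_000_000_000, 1_580_000_000_000_000_000))  # pin mtime
        log_hash = write_manifest(build_manifest(staged), tmp / MANIFEST_NAME)
        manifest = read_manifest(tmp / MANIFEST_NAME, log_hash)

        # 1) metadata-preserving copy, as when the files stay inside a container
        shutil.copytree(staged, tmp / "preserved", copy_function=shutil.copy2)
        # 2) plain copy, as when loose files are saved to a desktop: mtimes are lost
        shutil.copytree(staged, tmp / "loose", copy_function=shutil.copy)
        # 3) preserving copy with one file edited after collection
        shutil.copytree(staged, tmp / "tampered", copy_function=shutil.copy2)
        (tmp / "tampered" / "Users" / "alice" / "notes.txt").write_bytes(b"edited later\n")

        return {name: verify_manifest(tmp / name, manifest) for name in ("preserved", "loose", "tampered")}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, {k: v for k, v in report.items() if v})
```

The report distinguishes a file whose bytes changed from one whose content is intact but whose modification time no longer matches, which is exactly the difference between a container and a folder of loose files that the thread is arguing about. The hash returned by write_manifest belongs in the case notes rather than beside the collected files; without it, the log proves nothing about itself.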
jpickens
(@jpickens)
Active Member

Afternoon,
Please feel free to reach out to our team at sales@magnetforensics.com to learn more about our different licensing options!

Are there any product documents or briefs on the new licencing models available and for which products? If so, can you link it here?

Posted : 06/02/2020 1:56 pm