By Jamie McQuaid, Forensic Consultant at Magnet Forensics
One of the most obvious benefits of Magnet AXIOM is the access to the entire file system, as well as the hundreds of artifact types that the Magnet Forensics parsing and carving engine finds. To accommodate the larger data set and expanded access, we’ve improved the hashing functionality as well.
If you are more familiar with IEF, you know it offers a few options to hash pictures or whitelist non-relevant files. However, since IEF only reports on the artifacts it finds, features such as hashing were limited to those artifacts, and any file that was not an artifact would not be included.
To get started using AXIOM’s advanced hashing functionality, the first thing you’ll want to do is load your hash lists into AXIOM and, depending on the type of hash list you’re loading, you’ll have a few options available.

Adding hash lists is easy; the examples below show how to load these lists prior to processing your evidence. Upon loading each set, AXIOM will build a database from your hash list, which can take a bit of time. AXIOM should go through your hash set at about 5000-10000 hashes per second depending on your system, which is much improved over the speeds in IEF. Once the database is built, those hash sets will be persistent across cases and will be available to include or exclude in every subsequent case thereafter.
Let’s take a look at the different hashing options in Magnet AXIOM:
Setting Up Your Hash Lists in AXIOM Process
Calculate Hash Values
In AXIOM Process, under Processing Options, you will find two pages that specifically apply to hashing: “Calculate hash values” and “Categorize pictures.” The first one starts with some basic hashing options, giving you the ability to hash every file on the system and provide either an MD5, SHA1, or both values. These hashes will be available as a column in the File System Explorer for AXIOM Examine.
The next option under “Calculate hash values” is to tag files with matching hash values. Here examiners can load a list of hashes of known files they wish to identify in the file system. This works well if you have a list of files you want to match and look for, such as known malware or intellectual property. To load the list, simply use a line-separated text file of MD5 or SHA1 hashes, select “Add File”, and then choose a tag name to label any matches. Any file in the file system whose hash matches an entry in the list will automatically be tagged with the name given to that list.
The last option under “Calculate hash values” works as a whitelist of known, non-relevant files. Windows and other applications that come pre-installed on a fresh, clean system often include files that were never touched by the user. These are usually system files, icons, DLLs, etc. that have no bearing on your investigation but add to the data that must be examined, which can be time consuming. By identifying known, non-relevant files, we can exclude them from your case so they don’t need to be reviewed by the examiner.
Examiners can build their own whitelists (this is common in enterprise settings where all employee computers run from a standard image deployed by IT) or use pre-built lists such as the NSRL list by NIST. The NSRL hash list is a massive file of known non-relevant hashes maintained by NIST and available free from their website (http://www.nsrl.nist.gov/). There are three sets available (full, reduced, and minimal).
I usually recommend AXIOM users download and use either the reduced or minimal set as the full set contains duplicates and is unnecessary when used with AXIOM.
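The three “Calculate hash values” options above (hash every file, tag files that match a list, exclude files on a known-good list) boil down to one workflow: parse a line-separated list of MD5/SHA1 digests, hash every file on the file system, and compare. The following Python is an added example written for this post; it is not AXIOM code or a Magnet Forensics tool. It assumes a list format of one hex digest per line (the `#` comment lines it tolerates are this example’s own convention, not something the post says AXIOM accepts), builds a small constructed evidence tree in a temporary directory, and classifies each file as tagged, excluded, or left for review.

```python
import hashlib
import os
import tempfile
from pathlib import Path

HEX_DIGITS = set("0123456789abcdef")


def load_hash_list(path):
    """Parse a line-separated hash list (MD5 or SHA1, one digest per line).

    Blank lines and lines starting with '#' are skipped (an assumption of this
    example, not a documented AXIOM list feature). Digests are normalised to
    lowercase so a list exported in uppercase still matches.
    """
    hashes = set()
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            value = line.strip().lower()
            if not value or value.startswith("#"):
                continue
            # MD5 is 32 hex chars, SHA1 is 40; anything else is a malformed list.
            if len(value) not in (32, 40) or not set(value) <= HEX_DIGITS:
                raise ValueError(f"not an MD5/SHA1 hex digest: {value!r}")
            hashes.add(value)
    return hashes


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha1) hex digests, streaming so large files never sit in memory."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def classify_tree(root, tag_lists, whitelist):
    """Hash every file under root and compare against the loaded lists.

    tag_lists: dict of tag name -> set of digests (the 'tag matching files' option).
    whitelist: set of digests for known, non-relevant files (the whitelist option).
    Returns {relative path: 'excluded' | [tag, ...] | ['review']}.
    A file on the whitelist is excluded even if a tag list also matches it, which
    is a design choice of this example; check the tool's own precedence in practice.
    """
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            md5, sha1 = hash_file(path)
            rel = os.path.relpath(path, root)
            if md5 in whitelist or sha1 in whitelist:
                results[rel] = "excluded"
                continue
            tags = [tag for tag, digests in tag_lists.items()
                    if md5 in digests or sha1 in digests]
            results[rel] = tags if tags else ["review"]
    return results


def run_demo():
    """Build a constructed evidence tree plus two constructed hash lists and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        evidence = root / "evidence"
        evidence.mkdir()
        (evidence / "secret.bin").write_bytes(b"abc")            # MD5 is on the tag list
        (evidence / "empty.dll").write_bytes(b"")                # SHA1 is on the whitelist
        (evidence / "notes.txt").write_bytes(b"hello world\n")   # on neither list
        # Constructed lists: MD5("abc") and SHA1 of the empty file, both well-known values.
        (root / "ip.txt").write_text("# constructed tag list\n900150983cd24fb0d6963f7d28e17f72\n")
        (root / "known_good.txt").write_text("DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\n")
        tag_lists = {"Intellectual Property": load_hash_list(root / "ip.txt")}
        whitelist = load_hash_list(root / "known_good.txt")
        return classify_tree(evidence, tag_lists, whitelist)


if __name__ == "__main__":
    for rel, outcome in sorted(run_demo().items()):
        print(f"{rel}: {outcome}")
```

Because both digests are computed in a single pass over each file, matching works whether a given list was built from MD5 or SHA1 values, which mirrors the post’s point that either digest type can be loaded. The streaming read also matters when the “hash every file” option is applied to a full disk image, where individual files may be larger than available memory.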
The rest of Jamie’s post covers Categorizing Pictures, PhotoDNA, and examples of AXIOM hashing.