
USER GUIDE

CONTENTS

What's new
Magnet AXIOM
System requirements
Administrator permissions
Clock speed and cores
Memory
Storage devices
Virtualization
Installing Magnet AXIOM
Set up Magnet AXIOM for the first time
Set up Magnet AXIOM using a trial license
Set up Magnet AXIOM using a read-only USB dongle
Install the read-only USB dongle driver
License Magnet AXIOM
Remove Magnet AXIOM
Remove the Passware plugin
Magnet AXIOM Process
Starting a case
Case details
Evidence sources
Acquiring evidence
Loading evidence
Show mapped drives
Supported evidence sources and file types
Decrypting drives
Decrypt a drive with a known password
Choosing a search type
Processing details
Refining search results using keywords and regular expressions
Add keywords to search
Keyword search types
Calculate hash values
Calculate hash values for all files
Tag files with matching hash values
Ignore non-relevant files
Categorize pictures
Load Project VIC or CAID files
Load hash sets
Find more artifacts
Artifact details
Options for artifacts that have video attachments
Custom artifacts
Analyze evidence
Customizing AXIOM Process
Create segments for Android and drive images
Create a hash value for evidence sources
Verify hash values for acquired images
Compress images
Restore device state for Android devices
Save temporary files to a custom location
Verify hash values for images
Handling duplicate artifact results
Remove duplicate artifact results
Collect log information
Optimize scan times
Prevent hashing of large files
Set the format for hash values
Identify pictures that have been modified
Send diagnostic information
Turn off software updates
Prevent your computer from going into sleep mode
Turn on Passware encryption features
Change the display language
Preparing mobile devices for image acquisition
Prepare the mobile device
Android devices
iOS devices
Turn on USB debugging for Android devices
Device drivers for popular Android device manufacturers
Imaging mobile devices
Access to devices
Supported Android devices
Android full images
Android quick images
Downgrading apps
Bypassing passwords to obtain full images of locked devices
Flash a recovery image to the device
Troubleshooting: The Android device isn't showing up
Verify that the device driver is installed
Download Samsung Kies
Supported iOS devices
iOS full images
iOS quick images
Acquiring encrypted iTunes backups
Set an encryption password for iTunes backups
Acquire and scan an encrypted iOS backup
Process an encrypted iOS backup
Imaging drives
Supported drives
Imaging cloud sources
Acquire evidence from the cloud
Confirm authorization for a cloud acquisition
Sign in to an account
Select a date range
Select services and sub-services
Authentication tokens
Add cloud evidence using passwords and tokens in AXIOM Examine
Platforms and services
Apple
Box.com
Dropbox
IMAP/POP
Accessing Gmail using IMAP/POP
Accessing Yahoo using IMAP/POP
Facebook
Google
Instagram
Microsoft
Selecting Microsoft SharePoint content
Twitter
Custom artifacts
What is a custom artifact?
Load custom artifacts
Search for custom artifacts
Customizing artifacts in AXIOM Process
Select relevant data types and databases
Map columns
Preview your custom artifacts
Save selected artifacts
Viewing custom artifacts in AXIOM Examine
AXIOM Process known issues
Issue: AXIOM Process crashes while scanning a hard drive
Issue: AXIOM Process performs slowly after a crash
Magnet AXIOM Examine
Refined results
Recategorize media files
Add new evidence to case
Change the display language
Searching for evidence
Change the default explorer
Browsing the artifacts
Learning about the artifacts
Discovering connections
Source linking
View the source of an artifact result
View registry entries for an artifact result
Filtering artifact results
Types of filters
Filter by accessible and inaccessible files
Filter by date and time
Search by keyword
Search by regular expression
Import a keyword list
Keyword snippets
Search by keyword snippet
Skin tone percentage
Filter on columns
View artifact results on a timeline
View artifact details in the Timeline view
View timelines for individual profiles
View timelines for individual date/time columns
View artifact results on a map
View artifact details in the World map view
View chat threads
Export a chat thread
View artifacts on a histogram
Save a histogram baseline
Load a histogram baseline
Viewing evidence
Preview
Details
Text and hex
Decode hex values
Copy or save text or hex data
Database tables
Organizing evidence
Tagging evidence
Create a custom tag
Tag evidence
System tags
Add comments to an artifact
Creating Profiles
Create a profile
Apply a profile
Sharing and saving evidence
Export evidence
Export evidence that is in a different language
Export types
Export metadata
Review a portable case
Merge a portable case
Sample XML output
Category types
Saving media and documents
Save an attachment
Discovering connections
Navigating maps
Print a map
Tips for navigating complex maps
Sample case walk through
Create the map of connections using Superbad.jpg as the primary node
Discover where the picture originated from
Discover what happened to the picture
Validate the picture in the source locations is the same file
Demonstrate attribution
Exploring the file system
Filtering files and folders
Filter by date
Filter by file attributes
Filter by file size
Filter by tags and comments
Filter using keywords
View artifacts associated with a file
Add files from the file system explorer to the artifacts explorer
Display files and folders recursively
Save files and folders
Saving databases
Create artifacts using file snippets
Viewing the registry
Create artifacts using registry data
Keyboard shortcuts in AXIOM Examine
AXIOM Examine known issues
Issue: AXIOM Examine crashes while a scan is running in AXIOM Process

WHAT'S NEW

VERSION  DESCRIPTION

Added Imaging cloud sources.
Added Keyboard shortcuts for Magnet AXIOM Examine.
Added Show mapped drives.
Added Refined results.
Added Change the default explorer
Added Add files from the File system explorer to the Artifacts explorer.
Added AXIOM Process known issues.
Added AXIOM Examine known issues.
Updated Custom artifacts page.
Updated Browsing artifacts with information about the Date and time filter
Added Filter by accessible and inaccessible files
No major updates
No major updates.
Added Discovering connections.
Updated Browsing artifacts with information about viewing connections between evidence sources.
1.2
Updated Exploring the file system with information about viewing connections between evidence sources.
Updated Magnet AXIOM Process with information about cloud-based evidence sources.
Updated Magnet AXIOM Process with information about creating custom artifacts
No major updates.

VERSION  DESCRIPTION

Added Handling duplicate artifact results.
Added Acquiring encrypted iTunes backups
Updated Supported evidence sources and file types with information about archive file types, file systems, and encryption types.
Updated Keyword search types with information about artifact all content searches.
Updated Sharing and saving evidence with information about excluding potentially sensitive data from reports.
Added Imaging mobile devices.
Added Bypassing passwords to obtain full images of locked devices
Updated Evidence sources with information about media devices.
Added Recategorize media files.
Updated Decrypting drives with information about BitLocker recovery keys.
Updated Processing details with information about how to refine your search using keywords
Added Types of filters to Filtering artifact results.
Updated Custom artifacts with information about using XML files and Python scripts to create custom artifacts.
Added Starting a case.
Added Add new evidence to case.
Added Decrypting drives
Updated Setting up AXIOM with information about turning on encryption and drive decryption features using the Passware plugin.
Added Export evidence that is in a different language.
Added Filter by keyword list.
Updated Browsing the artifacts with information about the new Conversation view.
Updated Export types with information about EXCEL and PST options.
Updated Organizing evidence with more details about tags, profiles, and comments.

MAGNET AXIOM

Magnet AXIOM is a comprehensive, integrated digital forensics platform. It's the only platform that acquires and processes computer, smartphone, and cloud data in a single case file.

Magnet AXIOM helps you:

- recover data from the most sources
- drill down into artifacts, providing a better investigative starting point
- find key evidence quickly
- discover connections between artifacts
- collaborate with industry standard tools and images
- hit the ground running with an intuitive user interface, and easily collaborate with both technical and non-technical users

MAGNET AXIOM PROCESS

You can use Magnet AXIOM Process to search images, drives, files and folders, and other sources to find evidence that's relevant to your case. You can customize your search by selecting specific artifacts or groups of artifacts, and you can provide keywords or hash values to search for.

Using AXIOM Process, you can create forensic images of iOS and Android devices, cloud-based evidence sources, plus a variety of different types of drives including HDD, SSD, USB and SD flash, and more. Depending on the evidence that you're looking for and your time requirements, you can customize the type of image that you want to acquire.

MAGNET AXIOM EXAMINE

After processing is complete, Magnet AXIOM Examine presents your evidence in a consumable and user-friendly manner. You can view results by artifact, discover connections between items of interest, drill down to the source using the File system explorer, or view the registry. When you find what you're looking for, tag those items for later.

After you finish examining the evidence, you can share your findings. You can use the filters that are available to customize what gets included in your export. After you organize your evidence, you can export the case to several different formats in a few clicks.

SYSTEM REQUIREMENTS

Note: While it's possible to run Magnet AXIOM on a basic system, scan and imaging times in AXIOM Process might be poor if your system has only the minimum requirements. If your case has a large number of results, performing certain types of actions in AXIOM Examine might take a long time as well.

ITEM: REQUIREMENT

operating system: Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista 64-bit only
software framework: Microsoft .NET Framework or later
display resolution: minimum 1280x720; recommended 1080p
CPU: minimum 4 logical cores; recommended 16 logical cores
memory: minimum 8 GB RAM; recommended 32 GB RAM
storage: minimum HDD *; recommended SSD *
mobile devices**: iOS devices: latest version of iTunes. Android devices: mobile device drivers from each manufacturer (available through Windows Update or from the device manufacturers' websites)

* The storage device requires enough space for storing images and cases from devices with large amounts of data (in some cases, these might be TBs in size).

** If you're using Magnet AXIOM to create forensic images of mobile devices, you'll need to install this software.

Administrator permissions

You must have administrator permissions on your computer to install AXIOM.

Clock speed and cores

The easiest way to decrease scan times and increase performance is to add more CPU cores to your system. Magnet AXIOM is designed to create a separate thread for every core that's available on the system (currently, the upper limit is 32 cores).

Increasing the clock speed of your CPU is another way that you can improve performance. However, due to the multi-threaded architecture of AXIOM, you'll see more significant improvements by adding cores instead of increasing clock speeds.

Note: Adding additional cores does not necessarily improve performance in a linear way. The more cores that your system has, the more work it is for RAM to keep each core busy with new instructions to process.

Note: In AXIOM Process, you can manually set the number of cores that you want to use. On the Tools menu, click Settings. In the Search speed drop-down list, click the number of cores to use.

Memory

You should allocate at least 2 GB of RAM for every processing core in your system. Without enough memory to keep each core working constantly, your system might experience thread starvation. Thread starvation occurs when a processing core is sitting idle for an extended period because there isn't any RAM available to provide it with instructions.

Storage devices

You can help prevent thread starvation by storing your case data on a high-performance drive such as an SSD. SSDs have access times that are much faster than HDDs. Having faster I/O times is helpful when your system needs to read a large number of small files.

Virtualization

You cannot use the image acquisition capabilities of Magnet AXIOM through a virtual machine. The rest of Magnet AXIOM functions as normal when you use it through a virtual machine.

INSTALLING MAGNET AXIOM

The setup process varies depending on whether you're installing Magnet AXIOM for the first time, have a trial license, or are using a read-only USB dongle.

Note: For all setup processes, you can only use one version of AXIOM Process at a time.

Set up Magnet AXIOM for the first time

1. Connect the USB dongle that has your AXIOM license on it to your computer.
2. In Windows Explorer, browse to the USB drive and double-click the AXIOMvx.x.xsetup.exe file.
3. Follow the instructions in the setup wizard.
4. After AXIOM is installed, on your desktop, double-click the AXIOM Process shortcut.

AXIOM loads your license information and is now ready to use.

Set up Magnet AXIOM using a trial license

1. Open the message from Magnet Forensics and double-click the AXIOMvx.x.xsetup.exe file.
2. Follow the instructions in the setup wizard.
3. After AXIOM is installed, on your desktop, double-click the AXIOM Process shortcut.
4. In the Licensing window, in the License key field, paste the license key that Magnet Forensics provided to you.
5. Click Okay.

AXIOM loads your trial key and is now ready to use.

Set up Magnet AXIOM using a read-only USB dongle

As an alternative to standard writeable USB device licensing, you can use read-only USB dongles to license Magnet AXIOM.

Note: You must install the read-only USB dongle driver and add the license.bin file to every computer that you plan to use the read-only USB dongle on.

Install the read-only USB dongle driver

1. Download the read-only USB dongle driver .zip file from here.
2. On the computer where you'll run Magnet AXIOM, right-click the Magnet AXIOM Read-Only USB Dongle Driver-.zip folder, and then click Extract all.
3. Open the Magnet AXIOM Read-Only USB Dongle Driver folder and click Setup.exe.
4. Follow the instructions in the setup wizard.

License Magnet AXIOM

1. Open the message from Magnet Forensics and save the license.bin file to your computer.
2. Connect the read-only USB dongle to the computer.
3. Start AXIOM Process.
4. If the Licensing window does not appear, click Help > Licensing.
5. In the Licensing options section, click Load key file.
6. Browse to the location where you saved the license.bin file and click Open. The Licensing window populates with the license details.

You can now use Magnet AXIOM with your read-only USB dongle.

Remove Magnet AXIOM

When you remove Magnet AXIOM from your computer, required dependencies like Microsoft .NET Framework and Visual C++ Redistributable Packages are not removed. If you do not want these programs on your computer, you must remove them separately.

Before you begin: On the computer where you want to remove Magnet AXIOM, close any instances of AXIOM Process or AXIOM Examine that are running. If you don't close these applications, some files don't get removed.

1. Browse to the folder where Magnet AXIOM is installed (the default is C:\Program Files\Magnet Forensics\Magnet AXIOM).
2. Double-click unins000.exe.
3. When prompted to completely remove Magnet AXIOM and all its components, click Yes.
4. When prompted, click Okay.
5. Browse to C:\Users\USERNAME\AppData\Local\Magnet Forensics.
6. Delete the Magnet Forensics folder.
7. If necessary, delete any files or components that might have been left behind.

Note: If you're using a temporary key to license Magnet AXIOM and you delete the temporary keys in your C:\Users\USERNAME\AppData\Local\AXIOM folder, you'll have to obtain new temporary keys.

Remove the Passware plugin

When you turn off the recognition and full disk decryption of drives feature and restart AXIOM Process, you remove all of the Passware plugin components from your computer. Future AXIOM software updates will no longer include updates to the Passware plugin.

1. In AXIOM Process, click Tools > Settings.
2. In the AXIOM Process settings > Passware encryption features section, clear the Turn on encryption and drive decryption features using the Passware plugin checkbox.
3. Click Okay.
4. When prompted to remove the Passware plugin, click Remove.
5. When prompted, manually restart AXIOM Process.

MAGNET AXIOM PROCESS

Using Magnet AXIOM Process, you can acquire forensic images and run scans on those images all from the same interface. This integration of both processes helps save you time since you don't have to wait for the acquisition to complete before you can configure and initiate a scan. AXIOM Process can also run scans on many other types of images and devices.

All of the evidence that AXIOM Process processes gets saved to a case. You can include multiple mobile devices, drives, images, and cloud-based social media platforms in a case.

Note: The more evidence you want to process, the longer the scan will take.

You can customize how you want AXIOM Process to run scans. For more information about these settings, see Customizing AXIOM Process.

Each of the following sections describes the steps involved in setting up and running a scan. If you skip a step that's required, AXIOM Process flags it with a warning symbol and you won't be able to start processing until the step is complete.

1. Starting a case
2. Case details
3. Evidence sources
4. Processing details
5. Artifact details
6. Analyze evidence

Starting a case

When you first open AXIOM Process, you can create a new case, add evidence to an existing case, or open a recent case.

Note: If you choose to add evidence to an existing case, certain information like the case number, search type, keyword lists, and more will be locked down based on the settings from the original scan.

Case details

In this section you specify basic information about your case, such as the case number, folder name and location, and other case details.

Evidence sources

In this section, you specify your evidence sources (computer, mobile, or cloud) and whether you are acquiring or loading evidence. Choose to acquire evidence if you want AXIOM Process to create an image of a computer drive, mobile device, or cloud-based social media platform. Choose to load evidence if you are uploading existing forensic images, files, or folders. If you have multiple forensic images, you can add them all to the same case.

Acquiring evidence

AXIOM can acquire and process evidence from the following types of devices:

- Drives, including HDD, SSD, USB, and SD flash drives, and other external drives. AXIOM supports Windows, OS X, and Linux.
- Media devices that support the media transfer protocol (MTP), including digital cameras, feature phones, and smartphones like Android, iOS, BlackBerry, and Windows Phone.
- Android devices: For quick images, the device must be running Android 2.1 or later. For full images, AXIOM requires privileged root access to the device.
- iOS devices: For quick images, the device must be running iOS 5.0 or later. For full images, the device must be jailbroken.
- Cloud-based social media platforms, including Apple, Dropbox, Google, Microsoft, and Twitter.

Loading evidence

In addition to its own images, AXIOM Process can scan many other types of evidence sources.

Connected Drive: This option can be used for a number of different types of drives, such as HDD, SSD, USB, and SD flash, and more. AXIOM supports drives that are running Windows, Linux, or OS X.

Files & Folders: This option can be used with files or folders that you might have stored locally on your computer. This option supports files and folders from Windows, Linux, and OS X.

Note: If you can't see mapped drives, you can browse to the mapped file's original location using the Folder browser, or you can make them visible by adding a DWORD value to the registry. For more information about creating the DWORD value, see Show mapped drives.

For files and folders on a mobile OS, use the Mobile evidence source option instead.

Computer Image: This option can be used with many different types of computer images. For more information about the images that AXIOM supports, see the table below.

Volume Shadow Copy: This option can be used to locate Volume Shadow Copy files that are present on a connected drive or image.

Mobile Source: This option can be used to process images and files and folders from mobile devices. AXIOM supports Android, iOS, Windows Phone, and Kindle Fire.

You can also search images on network drives by providing a path to the network drive using the format \\drive\folder.

Show mapped drives

Sometimes, mapped network drives don't appear. To show mapped drives, you must add a DWORD key to your computer's registry, and then restart your computer.

Warning: This workaround could pose a minor security risk to your computer. If you add a key to the registry, there's a possibility that your computer can be more easily accessed by non-elevated malware.

1. In the search box on your computer's task bar, type "regedit". Click the search result to open the Registry Editor.
2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.
3. Right-click System and click New > DWORD Value.
4. Type EnableLinkedConnections as the value name.
5. Right-click the EnableLinkedConnections value and click Modify.
6. In the Value data field, type
7. Click OK.
8. Restart your computer.

Supported evidence sources and file types

EVIDENCE SOURCES

mobile: Android, iOS, Kindle Fire, Windows Phone
computer: Windows, OS X, Linux
cloud: Apple, Box.com, Dropbox, IMAP/POP, Facebook, Google, Instagram, Microsoft, Twitter

IMAGE AND FILE TYPES

archive files: .7z, .7z.001, .cpio, .tar, .tar.gz, .tgz, .zip, .zip.001, .z01, .rar
Mac OS X disk images: .dmg
EnCase images: .e01, Ex01, .L01, .Lx01
FTK images: AD1
RAW images: .bif, .bin, .dd, .dmg, .flp, .ima, .img, .vfd, .raw
split RAW images: .001, .0001
virtual machine images: .vdi, .vhd, .vhdx, VMDK, XVG

FILE SYSTEMS

Windows: NTFS, FAT32, exFAT
Mac OS: HFS+, HFSX
Linux: ext2, ext3, ext4, F2FS
NAND: YAFFS2

ENCRYPTION TYPES

BitLocker: all versions up to and including Windows 10, including BitLocker To Go
TrueCrypt: TrueCrypt 5.0 and later (hidden and system partitions are not supported)
PGP Whole Disk Encryption (PGP WDE): PGP Desktop 9.x - 10.x (encrypted drives cannot currently be decrypted using administrator credentials)
McAfee Drive Encryption: McAfee 7.x and later (non-system partitions are not supported)

Decrypting drives

If you installed the Passware plugin, AXIOM Process detects whether a drive is encrypted and, where possible, the type of encryption method that was used. You can provide known decryption credentials, such as passwords and recovery keys, to decrypt the drive before AXIOM Process searches it. Otherwise, AXIOM Process attempts a sector level search of the drive.

You can easily view the encryption status of each partition on a drive: a locked icon appears beside encrypted partitions and an unlocked icon appears beside partitions that have been successfully decrypted. If you decide that you don't want to process an encrypted drive, deselect it on the Decryption options screen.

In addition to the encrypted image, decrypted images get added to the case folder. Before you attempt to decrypt a drive, make sure you have enough space for both the encrypted and decrypted images.

Decrypt a drive with a known password

If you know the password or recovery key for a drive, you can attempt to decrypt it.

1. In Evidence sources, select your drive.
2. On the Decryption options screen, type the known password or recovery key.
3. Click Next.

If the password or recovery key is correct, AXIOM Process will take you to Processing details.

Note: When preparing to decrypt a McAfee encrypted drive, only the largest partition is available. The rest appear grey and can't be selected. This is because McAfee encrypts the entire drive rather than individual partitions, so only the largest partition contains relevant information.

Choosing a search type

After you specify your evidence type, select the type of search that you want AXIOM Process to run. Depending on the evidence type, you can perform the following searches:

Full: Searches all areas of a drive or image for artifacts. This method processes fragmented files more effectively than other methods.

Quick: Searches the most common areas of your computer where evidence can be found. Common areas include default application data directories, the Windows registry, user profiles, and My Documents.

Sector level: This option reads raw data from the hard drive and searches for artifacts that can be carved out and pieced together from that data, with no understanding of the underlying files and folders.

Custom: A combination of any of the above options that you tailor to your specific needs.

Tip: If you don't know the type of file system that you're running a search on, the file system is not supported using a full or quick search, or you don't have a password to decrypt the drive, use the Sector level option. Selecting the Sector level option forces Magnet AXIOM to search an evidence source bit by bit, so it doesn't matter how the file system is structured.

Processing details

This section contains advanced processing features that you can use to get more out of your search.

- Add keywords to search
- Calculate hash values
- Categorize pictures
- Find more artifacts

Refining search results using keywords and regular expressions

To help refine the results of your search, you can use keywords and regular expressions in AXIOM Process before you start a scan or in AXIOM Examine when you load a case.

A regular expression is a pattern that you define using a sequence of letters, numbers, and special characters. Using regular expressions, you can quickly and precisely search large amounts of text. Magnet AXIOM supports the .NET Framework syntax for creating regular expressions. For more information about creating regular expressions, visit:

Add keywords to search

If you have a lot of search terms to filter on or want to search more than just artifacts, add keywords and regular expressions in AXIOM Process before you start a scan.

You can add individual search terms or keyword lists that contain multiple items. Keyword lists must be .txt files and each search term must appear on a new line. A single file can contain both keywords and regular expressions.

1. In AXIOM Process, in the Processing details section, click Add keywords to search.
2. In the Keyword search types drop-down list, click the type of keyword search you want to perform.
3. Add keyword lists or individual keywords.
4. In the Encoding drop-down list, click the encoding type of your keyword or keyword list.
5. For each keyword that is a regular expression, select the Regex / GREP check box beside the term.
6. If you want to perform a case-sensitive search, select the check box beside each term or keyword list.

Tip: If you're not sure which encoding type to use, select them all.

Keyword search types

In AXIOM Process, you can specify whether you want to find keywords in artifacts only or all content.

TYPE OF SEARCH: DESCRIPTION

artifacts:
Artifact keyword searching looks for keywords in only the artifacts that AXIOM Process can recover. As part of the process, encrypted or encoded artifacts are decrypted into plain text that can be searched using keywords.
Search results are limited to the artifacts that AXIOM Process supports, but hits are found quickly.
In AXIOM Examine, each of the keywords and regular expressions that you get a result on are added to a Keywords filter. You can turn on or turn off an entire list of items by clicking on the file name.

all content:
Searching for keywords in all content is a byte for byte search of data in the encoding type that you specify. AXIOM Process looks for keywords across the entire evidence source, not just the artifacts that it recovers.
Searching all content for keywords can increase processing time significantly, but AXIOM Process can find hits in data (including deleted content) without a corresponding artifact type.
In AXIOM Examine, in the Artifact explorer, each of the keywords and regular expressions that you get a result on are added as new keyword snippets.
If a keyword result is found on an item that is both an artifact and resides in the file system (for example a result on a document discovered in unallocated space) the keyword is counted twice. It appears as a result on the artifact itself and as a new Keyword Snippet.
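The encoding choice matters for an all content search because the same keyword is a different byte sequence in each encoding. The following Python sketch is an added example, not Magnet AXIOM code: it runs a byte for byte search for literal keywords (no regular expressions) over a constructed buffer, and the function names, the encoding list and the sample bytes are assumptions made for the illustration.

```python
import re

# Encodings tried by default. A constructed selection for this example;
# the encodings AXIOM Process offers are not listed on this page.
DEFAULT_ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be")


def load_keyword_list(text):
    """Parse keyword-list text: one search term per line, blank lines skipped."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def find_keyword(data, term, encodings=DEFAULT_ENCODINGS, case_sensitive=False):
    """Return sorted (byte_offset, encoding) hits for a literal term in raw bytes."""
    # On bytes patterns IGNORECASE folds ASCII letters only.
    flags = 0 if case_sensitive else re.IGNORECASE
    hits = set()
    for enc in encodings:
        needle = term.encode(enc)  # the bytes this term has in that encoding
        for match in re.finditer(re.escape(needle), data, flags):
            hits.add((match.start(), enc))
    return sorted(hits)


def search_all_content(data, terms, **options):
    """Map each term to its hits; terms without hits map to an empty list."""
    return {term: find_keyword(data, term, **options) for term in terms}


def build_sample():
    """Constructed stand-in for raw evidence bytes (not real case data)."""
    return (
        b"\x00" * 16
        + "Wire Transfer".encode("utf-8")       # starts at offset 16
        + b"\xff" * 8
        + "wire transfer".encode("utf-16-le")   # starts at offset 37
        + b"\x00" * 4
    )


if __name__ == "__main__":
    keywords = load_keyword_list("wire transfer\n\noffshore\n")
    sample = build_sample()
    for term, hits in search_all_content(sample, keywords).items():
        print(term, hits)
    # Searching with a single encoding misses the UTF-16 copy of the text.
    print(find_keyword(sample, "wire transfer", encodings=("utf-8",)))
```

Restricting the search to one encoding returns only the UTF-8 hit, which is the situation the tip about selecting every encoding type guards against.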

Calculate hash values

Evidence sources can contain thousands of files, including known files that are critical to an investigation and common files that are not relevant. Searching through each file and categorizing them can be a very time-consuming task. By calculating hash values for all files and importing hash sets of known files, AXIOM Process automatically searches and categorizes for you.

Calculate hash values for all files

During a scan, AXIOM Process can calculate unique hash values for each file. In AXIOM Examine, you can then quickly search for, compare, or filter those files based on known hash sets (for example, NSRL hash sets). Hash sets can include both MD5 and SHA-1 formats. Calculating hash values slows down processing times. By default, files larger than 500 MB will not be hashed.

Tag files with matching hash values

If you want to quickly see whether known files exist in your evidence, you can import a list of hash values for files that might be of interest to your case. Hash sets must be .txt files containing MD5 or SHA1 hashes (such as NSRL files), with each hash on a separate line. After you add a hash set, you can provide a tag that gets applied to the files. You can view the matching files in the File system explorer.

Ignore non-relevant files

If you don't want common operating system files like icons, wallpapers, system files, and so on to clutter up your evidence, you can exclude them by providing their hash values in a hash set. Hash sets must be .txt files containing MD5 hashes (such as NSRL files), with each hash declared on its own line. After you add a hash set, you can provide a tag that gets applied to the files. Even though the files are excluded from the Artifact explorer, you can still view the files and the tag that is applied to them in the File system explorer.

Categorize pictures

In some cases, it's common to have evidence sources that contain thousands of pictures. Looking at every picture and categorizing them one by one can be a very time-consuming task. However, by importing hash sets of known pictures, AXIOM Process automatically searches and categorizes for you.
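The hash-set workflow described above (a .txt file with one MD5 or SHA-1 value per line, a tag applied to matching files, and a 500 MB default cap on hashing) can be reproduced outside the tool to cross-check results. This is an added example, not Magnet AXIOM code; the function names and the returned structure are assumptions made for illustration.

```python
import hashlib
import os
import re
import tempfile

# Default from the guide: files larger than 500 MB are not hashed.
DEFAULT_MAX_BYTES = 500 * 1024 * 1024
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def load_hash_set(path):
    """Read a .txt hash set with one MD5 (32 hex) or SHA-1 (40 hex) per line.

    Returns (md5_set, sha1_set, rejected); rejected holds (line_no, text)
    for lines that are neither, so a malformed set is noticed, not ignored.
    """
    md5s, sha1s, rejected = set(), set(), []
    # utf-8-sig drops a byte-order mark that would corrupt the first hash.
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            value = raw.strip()
            if not value:
                continue
            if HEX_RE.fullmatch(value) and len(value) == 32:
                md5s.add(value.lower())
            elif HEX_RE.fullmatch(value) and len(value) == 40:
                sha1s.add(value.lower())
            else:
                rejected.append((lineno, value))
    return md5s, sha1s, rejected


def hash_file(path, chunk_size=1024 * 1024):
    """Compute MD5 and SHA-1 in one pass without loading the file in memory."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()


def triage(root, md5s, sha1s, tag, max_bytes=DEFAULT_MAX_BYTES):
    """Walk root and return (matches, skipped_too_large).

    A file above max_bytes is never hashed, so it can never match a hash
    set. The skipped list makes that blind spot visible to the examiner.
    """
    matches, skipped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            if os.path.getsize(full) > max_bytes:
                skipped.append(full)
                continue
            md5_hex, sha1_hex = hash_file(full)
            if md5_hex in md5s or sha1_hex in sha1s:
                matches.append(
                    {"path": full, "md5": md5_hex, "sha1": sha1_hex, "tag": tag}
                )
    return matches, skipped


if __name__ == "__main__":
    # Constructed sample data: two small files and a hash set naming one.
    base = tempfile.mkdtemp()
    evidence = os.path.join(base, "evidence")
    os.mkdir(evidence)
    with open(os.path.join(evidence, "known.bin"), "wb") as fh:
        fh.write(b"constructed known file")
    with open(os.path.join(evidence, "other.bin"), "wb") as fh:
        fh.write(b"constructed unrelated file")
    hash_set = os.path.join(base, "hashset.txt")
    with open(hash_set, "w", encoding="utf-8") as fh:
        fh.write(hashlib.md5(b"constructed known file").hexdigest() + "\n")
    md5_set, sha1_set, bad = load_hash_set(hash_set)
    found, too_large = triage(evidence, md5_set, sha1_set, tag="Known file")
    for item in found:
        print(item["tag"], item["path"], item["md5"])
    print("skipped (over size cap):", too_large)
    print("rejected hash-set lines:", bad)
```

Reviewing the skipped list matters when the size cap is left at its default: a known file larger than the cap will not be tagged or ignored, whatever the hash set contains.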

Load Project VIC or CAID files

AXIOM Process supports importing .json files from Project VIC and CAID. Project VIC and CAID are organizations that allow for the sharing of hash sets between law enforcement organizations for the purpose of identifying media related to child exploitation. You can import these hash sets into AXIOM Process to automatically identify and categorize pictures during a scan.

Project VIC files are .json files that follow a standard protocol and categorize images with a number from For more information about Project VIC, see After a scan completes, AXIOM Examine adds each category number it gets hits for to the Media categories filter.

You can also enable PhotoDNA to use "fuzzy matching" to help identify more pictures. With PhotoDNA enabled, AXIOM can identify pictures that are similar in appearance to existing Project VIC pictures and categorize them in the same way. For information about exporting Project VIC data, see Sharing and saving evidence.

Load hash sets

Hash sets must be .txt files containing MD5 and SHA-1 hashes, with each hash declared on its own line. After you add a hash set, you can provide a category name that gets applied to each picture AXIOM Process finds from the file. After a scan completes, AXIOM Examine adds each category it gets hits for to the Media categories filter.

Find more artifacts

During a search, AXIOM Process might discover SQLite databases for applications that aren't currently supported by AXIOM. You can configure AXIOM to extract data from these databases.

Warning: Turning this feature on can increase scan times significantly.

1. Under Processing details, click Find more artifacts.
2. Select the Allow AXIOM to search for more artifacts option.

With the option turned on, AXIOM Process looks for databases that contain certain types of data (conversations, geolocation data, website URLs, and person identifiers). After the scan completes, you can view and configure the recovered artifacts on the Customize artifacts screen.

Artifact details

In this section, you select the artifacts that you want to include or exclude from your scan. Depending on the type of AXIOM license that you have, you might have computer artifacts, mobile artifacts, or both.

Options for artifacts that have video attachments

By default, AXIOM Process saves only a thumbnail picture for the videos it recovers, not the full content. If you have access to the source image, you can always export the full content of the video even if you set AXIOM Process to save only thumbnail pictures. If you want AXIOM Process to include the full content of the videos it discovers, you can configure this option on the Artifact details screen.

1. On the Artifact details screen, click Customize computer artifacts or Customize mobile artifacts, depending on the evidence source that you're searching.
2. In the list of artifacts, click Media.
3. Under the Videos artifact, click Options.
4. Select the Save videos up to check box and specify the maximum size for the videos that you want AXIOM Process to save. The default maximum size is 500 MB.
5. Click Okay.

Custom artifacts

You can create your own custom artifacts for proprietary applications or applications that AXIOM might not have support for yet. One way to create custom artifacts is to allow AXIOM Process to search for artifacts automatically. For more information, see Find more artifacts.

You can also create a custom artifact by defining its properties in an artifact definition .xml template or Python script. For more information about the artifact definition .xml templates and Python scripts, and how to add them to AXIOM, see Custom artifacts.

Analyze evidence

After you finish configuring each section in AXIOM Process, click Analyze evidence to start scanning the evidence. AXIOM Examine opens automatically to display any evidence that is recovered. The Analyze evidence screen indicates what percentage of the scan is complete along with information about search definitions and thread details.

After the scan completes, there might be additional steps to complete. If you configured AXIOM Process to find more artifacts, you might have to configure the artifacts that it discovers.
For more information about turning this recovered data into custom artifacts, see Custom artifacts.

Customizing AXIOM Process

Before you start using AXIOM Process, you can customize general settings like whether you want to provide diagnostic information to Magnet Forensics, receive software updates automatically, prevent your computer from entering sleep mode during a scan, and more. You can also set up how you want to run your scans, including whether to compress images, create hash values, and more.

Create segments for Android and drive images

You can specify the size of the image segments that you want AXIOM Process to create when it acquires evidence from Android and drive images. Each option represents a different size that reflects its storage capabilities. By default, image segmentation is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the Imaging > Image segmentation section, select a format from the drop-down list.
3. Click Okay.

Create a hash value for evidence sources

AXIOM Process can create hash values for each evidence source that it acquires. By default, image hashing is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the Imaging > Image hashing section, select the Calculate a hash value for each evidence source that's being acquired check box.
3. Click Okay.

Verify hash values for acquired images

AXIOM Process can create a hash value for E01 images and compare it to the hash value of the source E01 image. This process verifies that the image has not been altered. Hash verification information gets written to the Case Information.txt and .xml files. By default, image hash verification is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the Imaging > Image hashing section, select the Enable image hash verification check box.

Compress images

You can compress the E01 images that AXIOM Process acquires. The Fast option provides some compression in a reasonable amount of time. The Best option provides the best possible compression, but can take much longer than the Fast option. By default, image compression is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the Imaging > Compression section, select a compression method from the drop-down list.
3. Click Okay.

Restore device state for Android devices

While AXIOM Process acquires evidence from Android devices, it installs an agent application onto the device to assist with recovering data. When the scan completes, AXIOM Process can remove the agent application from the device. By default, the agent application is left on the device.

1. In AXIOM Process, click Tools > Settings.
2. In the Imaging > Restore device state section, select the Remove agent application check box.
3. Click Okay.

Save temporary files to a custom location

By default, Magnet AXIOM stores all temporary files associated with a case to the Cases folder.

1. In AXIOM Process, click Tools > Settings.
2. In the Processing > Temporary file location section, in the drop-down list, click Custom location.
3. Click Browse and browse to the folder where you want to save all temporary files associated with a case.
4. Click Okay.

Verify hash values for images

AXIOM Process can create a hash value for each image that it processes. This hash value acts like a digital fingerprint for the image, and you can use it to verify that the file has not been tampered with. By default, creating hash values for images is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the Processing > Image hash verification section, select the Verify the hash value of each image file check box.
3. Click Okay.

Handling duplicate artifact results

Cases often contain duplicate artifact results that can clutter up your evidence and make your investigation less efficient. You can set AXIOM Process to remove or deduplicate artifact results from your case.

As part of the deduplication process, AXIOM Process looks at the essential information fragments for each artifact and assigns a unique value to those fragments. Only the first artifact with a unique value is kept; any others with the identical value are discarded as duplicates. Parsed hits are always kept, as they contain the most complete information, and any duplicate carved hits are discarded.

Even if you choose to remove duplicate artifact results from your case, there are scenarios where AXIOM Process might still create duplicates. For example, if an identical picture is discovered in two different places (a downloads folder and a temp folder), the artifact won't be removed from one location. AXIOM Process treats each path as a unique source, and so the artifacts will appear in both locations. The only exception is if one of the artifacts is parsed and the other is carved. AXIOM Process will keep the parsed picture and discard the carved one.

In the case of deleted artifacts, if they are recovered from unallocated space, the same rules apply: Only the first artifact with a unique value is kept. But if the same artifacts are found in unallocated space on different drives, then both artifacts are kept because the sources are different.

Remove duplicate artifact results

By default, AXIOM Examine keeps duplicate artifact results.

1. In AXIOM Process, click Tools > Settings.
2. In the Processing > Duplicates section, select the Remove duplicates check box.
3. Click Okay.

Collect log information

While it's running, AXIOM Process can collect log information that you can use to help track progress and troubleshoot potential issues. Turning on logging can slow down performance, so you should only turn it on when necessary. You can find the log file for AXIOM Process at: C:\AXIOM\Cases\<case name>.

1. In AXIOM Process, click Tools > Settings.
2. In the Processing > Logging section, select the Turn on logging check box.
3. Click Okay.
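The deduplication rules under Handling duplicate artifact results can be modeled in a few lines to see which duplicates remain after the Remove duplicates option is on. This is an added example and a simplified reading of the rules as this guide words them, not AXIOM's implementation; the Artifact fields, the SHA-256 fragment value, and the source strings are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    kind: str         # artifact type, for example "picture" (assumed field)
    source: str       # path or drive region the hit came from (assumed field)
    recovery: str     # "parsed" or "carved"
    fragments: tuple  # the essential information fragments (assumed field)


def fragment_value(artifact):
    """Derive one value from the essential fragments.

    Each fragment is length-prefixed so ("ab", "c") and ("a", "bc") differ.
    SHA-256 is an assumption; the guide does not name the function used.
    """
    digest = hashlib.sha256()
    for part in (artifact.kind,) + tuple(artifact.fragments):
        data = part if isinstance(part, bytes) else str(part).encode("utf-8")
        digest.update(len(data).to_bytes(8, "big"))
        digest.update(data)
    return digest.hexdigest()


def deduplicate(artifacts):
    """Apply the guide's rules in order and return (kept, discarded).

    1. Parsed hits are always kept.
    2. A carved hit whose value matches any parsed hit is discarded,
       whatever its source.
    3. Among the remaining carved hits, only the first per (source, value)
       is kept, so the same hit from a different source survives.
    """
    values = [fragment_value(a) for a in artifacts]
    parsed_values = {v for a, v in zip(artifacts, values) if a.recovery == "parsed"}
    kept, discarded, seen = [], [], set()
    for artifact, value in zip(artifacts, values):
        if artifact.recovery == "parsed":
            kept.append(artifact)
            continue
        if value in parsed_values:
            discarded.append((artifact, "carved duplicate of a parsed hit"))
            continue
        key = (artifact.source, value)
        if key in seen:
            discarded.append((artifact, "duplicate within the same source"))
            continue
        seen.add(key)
        kept.append(artifact)
    return kept, discarded


# Constructed sample hits covering each scenario the guide describes.
SAMPLE = [
    Artifact("picture", "Users/a/Downloads/cat.jpg", "parsed", (b"IMG-1",)),
    Artifact("picture", "Users/a/Temp/cat.jpg", "parsed", (b"IMG-1",)),
    Artifact("picture", "Disk0/unallocated", "carved", (b"IMG-1",)),
    Artifact("chat", "Disk0/unallocated", "carved", ("alice", "hi")),
    Artifact("chat", "Disk0/unallocated", "carved", ("alice", "hi")),
    Artifact("chat", "Disk1/unallocated", "carved", ("alice", "hi")),
]

if __name__ == "__main__":
    kept_hits, dropped = deduplicate(SAMPLE)
    for hit in kept_hits:
        print("kept     ", hit.recovery, hit.kind, hit.source)
    for hit, reason in dropped:
        print("discarded", hit.recovery, hit.kind, hit.source, "-", reason)
```

In the sample, the picture still appears twice (two parsed paths) and the chat message twice (two drives), which is the residual duplication the guide says to expect.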
Optimize scan times

For the fastest scan time, AXIOM Process uses all logical cores on your computer (to a maximum of 32 cores). If you want to use your computer for other tasks during a scan, reduce the number of cores.

1. In AXIOM Process, click Tools > Settings.
2. In the Processing > Search speed section, in the drop-down list, click the number of cores that you want AXIOM Process to use.
3. Click Okay.

Prevent hashing of large files

When you set up a scan, you can add files that contain hash values. AXIOM Process then uses these values to ignore non-relevant files or automatically categorize pictures. In either case, AXIOM Process must hash every file it encounters during a scan to compare to the hash lists. Hashing very large files can take a long time, so you can set the maximum size for files to hash to help improve scan times. The default value is 500 MB.

1. In AXIOM Process, click Tools > Settings.
2. In the Hashing > File size limit for hashing section, select the To optimize processing time, don't calculate hashes for files larger than check box.
3. Type the maximum file size, in MB, that you want to create hash values for.
4. Click Okay.

Set the format for hash values

AXIOM Process can create hash values in MD5 and SHA1 formats.

1. In AXIOM Process, click Tools > Settings.
2. In the Hashing > Hash formats section, in the drop-down list, click the hashing format that you want to use.

Identify pictures that have been modified

If you provide hash files to AXIOM Process for the purpose of picture categorization, you can use PhotoDNA and fuzzy matching to help identify pictures that have had modifications to change their hash values. PhotoDNA is only available to law enforcement. To request a password, visit

1. In AXIOM Process, click Tools > Settings.
2. In the Hashing > Enable photo DNA section, type the password that you received from Magnet Forensics.
3. Click Okay.

Send diagnostic information

You can choose to share information about how you use Magnet AXIOM with Magnet Forensics. This information can help us improve our products. The type of information that gets sent can include data about how long it took to perform a search and the processing options you used in the search. The information that gets sent never includes actual data from the evidence sources that you search. By default, the collection of diagnostic information is turned off.

1. In AXIOM Process, click Tools > Settings.
2. In the AXIOM Process settings > Diagnostic information section, select the Automatically gather and send diagnostic information check box.
3. Click Okay.

Turn off software updates

Each time AXIOM Process starts, it automatically checks for software updates. If you turn this option off, you must manually check the Customer Portal for updates.

1. In AXIOM Process, click Tools > Settings.
2. In the AXIOM Process settings > Software updates section, clear the Check for updates automatically check box.
3. Click Okay.

Prevent your computer from going into sleep mode

To make sure that processes continue to run at a normal speed during a scan, you can prevent your computer from going into sleep mode when AXIOM Process is running.

1. In AXIOM Process, click Tools > Settings.
2. In the AXIOM Process settings > Sleep mode section, select the Prevent computer from entering sleep mode check box.
3. Click Okay.

Turn on Passware encryption features

Using a third-party plugin available from Passware, Inc., Magnet AXIOM supports the recognition and full disk decryption of drives with a known password or recovery key. When you turn this feature on, future AXIOM software updates will also include updates to the Passware plugin.

1. Install the latest version of Magnet AXIOM.
2. In AXIOM Process, click Tools > Settings.
3. In the AXIOM Process settings > Passware encryption features section, select the Turn on encryption and drive decryption features using the Passware plugin check box.
4. Click Okay.

Change the display language

Changing the display language for AXIOM Process also changes the display language for AXIOM Examine. (You can still change the language in AXIOM Examine.) When you change languages, you must restart AXIOM Process.

1. In AXIOM Process, on the Tools menu, click Settings.
2. In the AXIOM Process settings > Language section, in the drop-down list, click the language that you want to use.
3. Click Okay.
4. To restart AXIOM Process and apply the change, click Now.

Preparing mobile devices for image acquisition

Before you acquire an image from an iOS or Android device, verify that your computer and devices are set up correctly. For more information about setting up your computer, see System requirements.

Prepare the mobile device

To enable Magnet AXIOM to connect to the mobile device and acquire the most complete forensic image possible, there are several options that you need to set.

Tip: If you don't want your search criteria to be saved in the recent search history on the device, don't use the magnifying glass on the mobile device to search for settings or other information.

Android devices

- Turn on the device.
- Connect the device to the computer using a sync cable (not a charging cable).
- Charge the device to at least 50%.
- Unlock the device.
- Turn on airplane mode.

- Verify the device is running Android 2.1 or later.
- Set the USB option to charging. On some devices, you must set this option each time the USB cable is reconnected or the device is restarted.
- Turn off USB mass storage (on devices with micro SD capabilities). If this option is turned on, the device might unmount the SD card, resulting in less data being acquired during a quick image.
- Turn on USB debugging/developer mode. On most devices, you turn on developer mode by tapping on the build number until the "You are now a developer" message appears on the screen.
- Verify that USB debugging/developer mode is turned on. On some devices, you must turn this setting on after you turn on USB debugging/developer mode. In Settings > Developer options, turn on USB debugging.
- Set the screen to stay awake. In Settings > Developer options, turn on Stay awake.
- Trust the computer that the device is connected to. When you connect the device to the computer, follow the device's on-screen instructions.
- Turn off the Verify apps via USB or Verify apps: Block or warn setting. In Settings > Developer options, turn off Verify apps via USB. The wording of the setting might vary depending on the device manufacturer.
- Allow the installation of applications from unknown sources. In Settings > Security, turn on Unknown Sources. The wording of the setting might vary depending on the device manufacturer.

Tip: You must enable USB debugging mode before you receive a prompt to trust the computer. To revoke the trust setting, in Settings > Developer options tap Revoke USB debugging authorizations.

iOS devices

- Verify your computer is running the latest version of iTunes.
- Turn on the device.
- Connect the device to the computer using a sync cable (not a charging cable).
- Charge the device to at least 30%.
- Unlock the device.
- Turn on airplane mode.
- Verify that the device is running iOS 5 or later.
- Turn off screen lock or set it to the maximum amount of time.
- Set the screen timeout or sleep mode to stay awake or the maximum amount of time.
- Trust the computer that the device is connected to. When you connect the device to the computer, follow the device's on-screen instructions.

Tip: On iOS 8 and later, to revoke trust, tap Settings > General > Reset > Reset Location & Privacy.

Turn on USB debugging for Android devices

Depending on the type of Android device, there are different ways to turn on USB debugging or developer mode. Here's how you can turn on USB debugging for a few popular devices:

TYPE OF DEVICE | TURN ON USB DEBUGGING
Android 2.x+ | In Settings > Applications > Development, tap the Enable USB Debugging option.
Android 4.2+ | In Settings > About phone, tap the Build Number field approximately 7 times until "You are now a Developer" displays on the screen.
HTC One (M7/M8/M9) | In Settings > About > Software information > More > Build number, tap the Build Number field approximately 7 times until "You are now a Developer" displays on the screen.
LG G2/G3 Samsung Galaxy | In Settings > About phone > Software information > Build number, tap the Build Number field approximately 7 times until "You are now a Developer" displays on the screen.
stock Android | In Settings > About phone, tap the Build Number field approximately 7 times until "You are now a Developer" displays on the screen.

Device drivers for popular Android device manufacturers

If you're connected to the Internet while using Magnet AXIOM, AXIOM attempts to download the appropriate drivers for the mobile device that you're imaging. If the correct driver can't be found, you might have to visit the device manufacturer's website to download the driver. Here are the links to download drivers for a few popular devices:

HTC - LG - Motorola - Nexus - Samsung - Sony

Imaging mobile devices

Before you attempt to image a mobile device, make sure that you have properly prepared the device. For more information, see Preparing mobile devices for image acquisition.

There are two types of images that you can acquire:

- A quick image is a comprehensive logical image that contains both user data and some native application data. Magnet AXIOM uses multiple acquisition methods to get you as much information as possible from the device, as quickly as possible, so that you can start examining the evidence right away.
- A full image is a physical or file-system logical image. During this type of acquisition, AXIOM copies the entire contents of a device into a single file (either a .raw file or a .zip file, depending on the device). With a full image, you have a higher potential of recovering deleted files.

Access to devices

The type of image you can acquire depends on the level of access you have to the device. To acquire a full image, you need the device to be rooted or jailbroken.

On Android devices, root access gives you enhanced permissions so that you can run apps that need access to certain system settings, flash custom images to the device, and more.

On iOS devices, a jailbreak uses an exploit or security vulnerability in the software to give you enhanced permissions to the operating system. For early iOS versions, these permissions enabled you to get a full image of the device, but for iOS 5.0 and later, the encryption allows only a logical image to be obtained.

Jailbreaks are discovered after an iOS release. The timing of their availability depends on how difficult it is to find the vulnerability in the software. For many modern iOS devices, there are no public jailbreaks available. You should monitor public jailbreaks to stay current.

Supported Android devices

AXIOM can obtain a quick image from devices running Android version 2.1 and later and a full image from rooted Android devices. You can also obtain a full image from Samsung devices by flashing a recovery image to the device.

Android full images

For full images, if an Android device is not rooted, AXIOM attempts to gain privileged access to the device using tested rooting methods. AXIOM creates a log file documenting the process, and indicates which roots are tried and whether any are successful. Full images are formatted as .raw files.

OS | METHODS | EVIDENCE
Android 2.1 and later** | Linux DD command | Recover a full physical image of the device's flash memory. Evidence collected includes all files, folders, user data, native data, and unallocated space.

** Requires a rooted device. In some cases, Magnet AXIOM can root the device for you.

Android quick images

Quick images are formatted as .zip files.

OS | METHODS | EVIDENCE
Android 2.1 to | Android Debug Bridge (ADB) pull command | Contents of any external storage (for example, an SD card).
Android 2.1 to | agent application | Call logs, SMS/MMS, browser history, and user dictionary. Third-party application user data.
Android 4.0 and later | ADB Backup / Agent application | Some native device data including SMS/MMS, browser history, calendar, call logs, BT devices, WiFi hot spots, user accounts, and user dictionary. Contents of any external storage (for example, an SD card).
Android Samsung models only | MTP bypass | Pictures, videos, and any other files discoverable via MTP.

Downgrading apps

Some newer mobile device apps block access to their data. You can choose to temporarily install a previous version of the app that provided access to the data, acquire the evidence, and then install the original app back on the device again.

Warning: There are risks associated with app downgrading. You might change data on the device when you use this feature.

Bypassing passwords to obtain full images of locked devices

If a Samsung mobile device is locked or you cannot gain privileged access to it, you can flash a recovery image to the device so you can acquire evidence from it.

There are risks associated with using third-party recovery packages. You might:

- void the device warranty
- turn off the Knox security platform on Samsung devices
- render the device completely or partially inoperable ("brick" the device)

Flash a recovery image to the device

Before you attempt to flash a device, make sure it does not have a locked bootloader and that the Factory Reset Protection (FRP) feature is not activated. Failing to do so might wipe the device or render it inoperable.

AT&T and Verizon devices often have locked bootloaders. To determine if the device has a locked bootloader, in an Internet browser, search for "check if bootloader is locked" for the device model.

FRP is a security feature on Android devices running Lollipop 5.1 and later. It is automatically activated when a user sets up a Google Account on the device. When activated, after a factory reset, FRP prevents use of the device until you log in to the Google Account that was previously set up. For more information about FRP, visit

1. Make sure there are no devices in download mode connected to the computer.
2. Put the device into download mode.
   - Turn off the device.
   - Press and hold the Volume Down + Home + Power buttons at the same time.
   - When the "Warning!!" message appears, release the buttons.
   - Press the Volume Up button to confirm that you want to enter download mode.
3. Connect the device to the computer.
4. When prompted, put the device into recovery mode.
   - Turn off the device.
   - Press and hold the Volume Up + Home + Power buttons at the same time until you enter recovery mode.

Troubleshooting: The Android device isn't showing up

After you prepare your computer and the device, if AXIOM Process still can't detect the device, perform the following tasks.

Verify that the device driver is installed

1. Browse to the folder where Magnet AXIOM is installed. The default location is C:\Program Files\Magnet Forensics\Magnet AXIOM\AXIOM Process.
2. In the ADB folder, press CTRL + SHIFT and right click. Click Open command window here.
3. Verify that the device is connected to the computer.
4. At the command prompt, type adb devices.

If a device appears in the list, the driver is installed. If a device does not appear in the list, you must install the appropriate driver. For more information about downloading device drivers, see Preparing mobile devices for image acquisition.

Download Samsung Kies

After verifying that the correct driver is installed, if your device still does not appear in the list, download Samsung Kies or Samsung Kies 3.

Supported iOS devices

AXIOM can obtain a quick image from iOS devices (version 5.0 and later) and full images from jailbroken iOS devices.

iOS full images

Full images from iOS are formatted as .zip files.

OS | METHODS | EVIDENCE
iOS 5 to 9.x ** | Apple File Conduit 2 | For jailbroken iOS devices, AXIOM recovers a full logical file system dump that includes all of the files, folders, user data, and native data.

** Requires a jailbroken device.

iOS quick images

Like full images, quick images of iOS are formatted as .zip files.

OS | METHODS | EVIDENCE
iOS 5 to 10.x | iTunes backup process | third-party application user data; some native device data, including: SMS/MMS and iMessage, calendar, and call logs
iOS 5 to 10.x | Apple File Conduit | camera pictures, ringtones, and iTunes books
iOS 8 and earlier | file relay | some native device data, including: complete photo album, SMS/MMS and iMessage, address book, typing cache, geolocation cache, application screen shots, WiFi hot spots, voicemail, and native metadata

Acquiring encrypted iTunes backups

Magnet AXIOM can acquire more evidence from an iOS device if it acquires an encrypted backup. For example, an encrypted backup might include information like saved passwords (iOS keychain), health data (HealthKit), smart home data (HomeKit), and more. You set the encryption password in iTunes and then specify that password in AXIOM Process when the program prompts you to do so.

Set an encryption password for iTunes backups

1. Connect the device to the computer.
2. In iTunes, click the device icon.
3. In the Backups section, select the Encrypt iPhone backup check box.
4. Type a password for the encrypted backup.

Acquire and scan an encrypted iOS backup

1. In AXIOM Process, in the Evidence sources section, click Mobile.
2. Click iOS > Acquire evidence.
3. Click the device, and then click Next.
4. Select the type of image you want to acquire, and then click Add to case.
5. In the Encrypted iTunes backup message box, type the password that you just set.
6. Specify any additional processing and artifact details.
7. Click Analyze evidence.

Process an encrypted iOS backup

If you already have an encrypted iOS backup that you want to process, you can add the backup to AXIOM Process and provide the encryption password.

1. In AXIOM Process, in the Evidence sources section, click Mobile.
2. Click iOS > Load evidence.
3. Click Files & folders.
4. Browse to the encrypted iTunes backup.
5. When prompted, type the password.
6. Specify any additional processing and artifact details.
7. Click Analyze evidence.

Imaging drives

For imaging drives, there are four distinct imaging options that you can choose from. The option that you choose should reflect your time constraints and the type of data that you're looking for.

- The Full raw - Entire contents of the drive option represents a physical image of the drive. During this type of acquisition, AXIOM copies the entire contents of the drive into a single .raw file. This option typically takes the longest.
- The Full E01 - Entire contents of the drive option also represents a physical image of the drive. During this type of acquisition, AXIOM copies the entire contents of the drive into a single .e01 file. This option typically takes the longest.
- The Full - All files and folders option represents a logical image that contains all files and folders. During this type of acquisition, AXIOM copies all files and folders into a single, compressed file. This does not include deleted files and/or content.
- The Quick - Targeted acquisition option represents a logical image that contains important files for forensic analysis. During this type of acquisition, AXIOM copies files such as system files, user profiles, and more into a single, compressed file. The locations that AXIOM targets are typically the ones that are most likely to contain evidence. This option is typically the fastest.

Supported drives

AXIOM can obtain images from many types of external drives that are physically connected to your computer (HDDs, SSDs, USB and SD flash drives, and more). Windows, OS X, and Linux are all supported.

Note: AXIOM Process cannot detect and image network-attached storage (NAS) devices over the network. If the computer that's running Magnet AXIOM is connected directly to the NAS with a USB cable, detection of the device and imaging works as expected.

IMAGE TYPE | OS | EVIDENCE
entire contents of the drive | Windows, Linux, OS X | A physical image of the entire drive.
all files and folders | Windows, Linux, OS X | A full, logical file system image that includes all files and folders. This does not include deleted files and/or content.
targeted acquisition | Windows | Pagefile, Hibernation File, Master File Table, USN Journal, Event Logs, Setup API Logs, Windows Registry Hives, LNK Files, User Profiles, Prefetch Files
targeted acquisition | Linux | System logs, home, sleep images, tmp, etc, and usr.
targeted acquisition | OS X | System logs, home, sleep images, tmp, etc, and usr.

Imaging cloud sources

When you choose the Cloud evidence source in AXIOM Process, you can use a target's login information to acquire evidence from various cloud-based platforms. Some platforms also allow you to sign in to a target's account using authentication tokens that Magnet AXIOM discovers during a scan or creates itself. For more information about tokens, see Authentication tokens.

The services that Magnet AXIOM Cloud supports are as follows:

- Apple
- Box.com
- Dropbox
- IMAP/POP
- Facebook
- Google
- Instagram
- Microsoft
- Twitter

The Cloud evidence source is greyed out unless you have a valid cloud license. To find out how to purchase a cloud license, contact sales@magnetforensics.com.

Acquire evidence from the cloud

When you create a new case in AXIOM Process, you can acquire a single account for each platform. If you want to add additional accounts, you can add them as a new evidence source after the original scan completes.

Acquired cloud data is saved as a .zip file. Each service and platform is saved in a separate folder, each containing an attachments folder. The files are saved in the same structure that appears in the account online and in the File system view in AXIOM Examine.

Confirm authorization for a cloud acquisition

Before you can acquire cloud data from a user's account, you must confirm that you have the proper search authorization to access the target's account.

1. In AXIOM Process, in the Evidence sources section, click Cloud.
2. Click Acquire evidence.
3. Select the check box beside I have proper search authorization to access the target's information stored in the cloud.
4. In the text field that appears, type the Warrant number.

Note: The warrant number that you provide is saved to the Case Information.txt file, but is not verified to be a valid warrant number by AXIOM.

After you verify that you have the authorization to proceed, the list of available platforms appears.

Sign in to an account

1. Click the icon of the platform you want to sign in to.
2. In the Sign-in with the following credentials drop-down list, select your preferred sign-in method.
   - User name and password
   - Token (only appears if it's supported by the selected platform)
3. Click Sign in.

When AXIOM Process gains access to an account, the owner of the account may receive an email notifying them that someone has signed in to their account.

Select a date range

After you gain access to a cloud account, you can specify a date range to acquire data from. By default, AXIOM Process acquires as far back in time as possible for the account. Acquiring some accounts can take a long time depending on the amount of data they contain, so you might want to narrow the date range to decrease the amount of time the acquisition takes.

To change the date range:

1. In the Date range drop-down menu, do one of the following:
   - Select After if you want to acquire data after a specified date.
   - Select Before if you want to acquire data before a specified date.
   - Select Custom date range if you want to acquire data between two specified dates.
2. Click the calendar icon and choose a date.

Note: Some services don't use the date range for acquisition even if you specify one. In these cases, AXIOM Process allows you to specify a date range, but acquires and displays data for all available dates. This behavior applies to the following sources:

- Google connected apps
- Google recent devices
- Google passwords
- Apple iCloud backups

Select services and sub-services

After you gain access to a cloud account, you can specify which services and content to acquire. Some services indicate the amount of data they contain in the Account size column. By default, AXIOM Process selects all available services and content. To remove a service, deselect the check box for that service.

Some services contain sub-services that you can also choose to acquire content from. To choose the sub-services and content for a service:

1. Hover the cursor over the service's row in the table.
2. In the Content column, click Edit.
3. Deselect the check box for each sub-service you don't want to include.
4. Click Next.
5. Complete each additional screen to set up the case, then start the scan.

After the scan starts, AXIOM Process displays updates about the scan on the Analyze evidence screen. To see the results of the scan, open AXIOM Examine and browse recovered artifacts using the Artifact explorer.

Authentication tokens

There are two types of tokens: refresh tokens and authentication tokens. Refresh tokens are typically stored by mobile applications and used to retrieve authentication tokens, which can then be used to access user content.

Authentication tokens tend to have short life spans of a few hours or less, and may no longer be valid if you've obtained them from other forensic tools. Refresh tokens often have longer life spans.

IMAP/POP, Instagram, and Twitter don't support tokens. Additionally, some cloud platforms have services and content that can't be acquired when you use a token to authenticate.

| TYPE | EXAMPLE | NOTES |
| --- | --- | --- |
| Apple BasicAuthToken | Basic bmlic2jhz2dpbnnaawnsb3vklmnvbtpdbg91zfrlc3rlcie3 | All Apple content is acquired (this token type is recommended for iCloud accounts) |
| Apple sldauthtoken | MTE2NzY1MDExMDc6QVFBQUFBQmFaNTdFclpSQittcFAxSFZFck- JTWnlVQ2NXQUEvcmNJPQ== | Some Apple content may not be acquired |
| Box.com refresh token | X0FiI1zbgNjNCBta8GogHlwzHwKCq2G0C8uH5sLF51wVx6Yaoi7Ut4FwShRIeHRd | All files in online storage are acquired |
| Dropbox authentication token | SblvXJ_rVbAAAAAAAAAEiEYvS4KuZaPGxWAgsnGwH6IeAmXo8uvHz2qX0HUoBVNj | All files in online storage are acquired |
| Facebook token | APA91bH8btiQ-VAzE_Q1lPev9XdNYHK1oiFMMdGfGf4ymUOaecqLu0h-Ci7z0xZ6YHrGrJRAB3MDx- c2vpkzak0q21at- | Only Timeline is acquired |
| Google refresh token | 1/LF7JXcQQn2o2bFGAs2js7iPFayU91WghqYGkzeX3E94 | Passwords, Recent devices, Google activity, Connected apps, and Timeline are not acquired |
| Google authentication token | ya29.gltlbclov-7qmpt427mxrah5quqb6txqxuoyxi2ye_3skd9ildjowrai_acljepfyrlpp_ ksnvrhx- 4Jfko8Eqk5N0g6VT33OJ2lp-jNdjmeGGf5A9UgT7vY4gwT" | Passwords, Recent devices, Google activity, Connected apps, and Timeline are not acquired |
| Microsoft token | MCTBal7ifOs*ZrHrHc*GZz5e4X*Vazp3uEAUiIn1pXMGwta5zaCTY1utvdQL7QVdMfepLQvLl8yZ8zbOk07i4IAZD9l5UdHf!AAD | Office 365 Audit logs and SharePoint are not acquired |

Add cloud evidence using passwords and tokens in AXIOM Examine

During a scan, if Magnet AXIOM encounters tokens or passwords for a cloud account, it creates an artifact for them. From the Artifacts explorer in AXIOM Examine, you can use these passwords and tokens to open AXIOM Process and add a cloud evidence source. IMAP/POP and Apple accounts can't be accessed using this method.

Tip: When you add new evidence to a case, make sure to provide Scan information in the Case details section of AXIOM Process. This allows you to keep track of the separate acquisition instances in a case.

1. In Artifacts explorer in AXIOM Examine, expand the Cloud category and click Cloud passwords and tokens.
2. Right-click on the password or token that you want to use and click Add new cloud evidence using passwords/tokens.
3. In AXIOM Process, confirm that you have authorization for a cloud acquisition, as described in Acquire evidence from the cloud. AXIOM Process attempts to gain access to the account using the token or password.
4. If the login is successful, select or deselect the services you want to acquire, as described in Select services and sub-services.
5. After the scan starts, click Load new results in AXIOM Examine to view the results.

If login attempts are unsuccessful, AXIOM Process notifies you that you've entered an incorrect password and does not proceed past the sign-in screen. An unsuccessful attempt can be due to one of the following reasons:

- The target changed their password
- The token expired

Platforms and services

Apple

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| iCloud backups; iCloud Drive files; iCloud photos | Last activity for photos only | Includes all photos | Files modified, created, or accessed within the chosen date range |

The error "Apple ID or password is incorrect" could mean that the credentials are not correct, or that the account is locked out. To confirm that the user name and password are valid, try logging in on

AXIOM Process displays the three most recent backups for each device associated with the iCloud account, as well as the size of each backup. To select the backups that you want to acquire, hover your mouse over iCloud Backup and click Edit.

Box.com

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Files and folders | Last modified of any files or folders | Includes all files and folders | Files modified, created, or accessed within the chosen date range |

The following columns in AXIOM Examine allow you to see the number of times a Box.com file has been shared, previewed, or downloaded:

- Download count
- Preview count (number of times viewed through the share link)
- Download permissions
- Preview permissions
- Access
  - Null: the file hasn't been shared
  - Open: anyone with link can see the file
  - Collaborators: only collaborators can see the file

Dropbox

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Files and folders | Last modified of any files or folders | Includes all files and folders | Files with server last accessed, client accessed, or time taken within the chosen date range, including files that match the "from" date and "to" date |

IMAP/POP

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Emails and attachments | Not acquired | Not acquired | Emails modified, created, or accessed within the chosen date range |

When signing in to IMAP/POP with a user name and password, you must also select either IMAP or POP, and provide the Server port and Host name. Typically, you can find this information on the server's host site.

Accessing Gmail using IMAP/POP

When acquiring a Gmail account using the IMAP/POP platform, you may not be able to access the account if the target, who the account belongs to, has disabled the "less secure apps" setting. You can still access the account using the Google platform.

Accessing Yahoo using IMAP/POP

You can access Yahoo accounts using the IMAP/POP platform in AXIOM Process. In order for you to successfully acquire a target's Yahoo account, it must have the "Less secure apps" setting enabled. If you receive an error from AXIOM Process indicating that you've entered an incorrect user name or password, but all entered credentials are correct, access the user's account to enable this setting:

1. Open a web browser and browse to yahoo.com. Click Sign in and enter the target's email address and password.
2. Click the target's name and icon, located near the top right of the screen.
3. Click Account info > Account security.
4. Click the grey icon beside Allow apps that use less secure sign in. If the icon is blue, it means that the setting is enabled.
5. Return to AXIOM Process and click Sign in.

Facebook

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Facebook timeline; Facebook Messenger; Facebook profile; Facebook Friends | Not acquired | Not acquired | Posts and messages posted or sent within the chosen date range |

There may be a discrepancy between the number of Friends acquired and the Friends list count on Facebook. This occurs when accounts are deleted by Facebook due to a violation of terms of services. These accounts are still included in the Facebook Friend count, but they are not displayed on the site or acquired by AXIOM Process.

Google

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Google Accounts (including passwords, connected devices, connected apps, and activity); Google Drive (files and folders); Google Photos; Gmail messages | Not acquired | Includes Messages, Drive, and Photos | Files modified, created, or accessed within the chosen date range |

Instagram

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Instagram posts; Instagram Direct Messages | Date of most recent post | Includes total amount of posts | Posts uploaded or messages sent within the chosen date range |

Microsoft

| SERVICES AND CONTENT | AVAILABLE CONTENT FROM OTHER ACCOUNTS | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- | --- |
| Office 365/Microsoft Mail (including hosted services: Hotmail, Outlook, MSN, and Live); OneDrive files and folders; SharePoint files and folders; Audit logs | Emails (if target has access/administrative privileges); OneDrive (if target has access privileges); Audit logs (if enabled by user and target has administrative privileges) | Newest of last modified, last accessed, and last created files (OneDrive only) | Includes all files and folders (OneDrive only) | Files modified, created, or accessed within the chosen date range |

Selecting Microsoft SharePoint content

When modifying your selected content for SharePoint, you can also use the search bar to filter for keywords. Additionally, if you know the URL of the SharePoint page, you can type or paste it into the search bar to find the page.

Twitter

| SERVICES AND CONTENT | LAST ACTIVITY | ACCOUNT SIZE | DATE RANGE LOGIC |
| --- | --- | --- | --- |
| Twitter Direct Messages; Twitter posts; Twitter users (followers and following) | Based on latest tweets | Includes total amount of tweets | Tweets posted within the chosen date range |

There may be a discrepancy between the number of tweets acquired and the number of tweets on the account. This is due to a Twitter API limitation that only allows the acquirement of the most recent 3200 tweets.

Custom artifacts

With the frequency that new applications and services are released to the market, custom artifacts can help you keep up to date with artifacts that might not be supported by Magnet AXIOM. In a corporate environment, you can use custom artifacts to recover data from proprietary applications. In addition to creating your own, you can use the artifact exchange to download and install custom artifacts that other organizations have created and uploaded.

What is a custom artifact?

A custom artifact is an XML file or a Python script that contains instructions for recovering a particular type of evidence. Typically, custom artifacts are targeted towards new applications or features that Magnet AXIOM does not yet support. Because custom artifacts aren't developed and maintained by Magnet Forensics, they're not required to go through the same level of testing as fully supported Magnet AXIOM artifacts, so they can often be developed and released faster.

Custom artifacts can contain executable code and are run in an unsandboxed Python environment with administrator privileges. Running in an environment without restrictions gives custom artifacts a lot of power and flexibility, but you must ensure that the source from where you obtain a custom artifact is trusted.

For information about downloading, contributing, and creating your own custom artifacts, visit

Load custom artifacts

1. Create a custom artifact.
2. In AXIOM Process, click Tools > Manage custom artifacts.
3. Click Add new custom artifact and browse to where you saved the artifact.
4. Click the artifact and then click Okay.

AXIOM saves artifact definition templates to the AXIOM Process/plugins folder.

Search for custom artifacts

1. Start AXIOM Process.
2. On the Artifact details tab, click either Customize mobile artifacts or Customize computer artifacts depending on what platform you specified for your custom artifact. If you didn't specify a platform, the artifact is available under both.
3. Select the Custom artifacts option, which will only appear if you've already loaded custom artifacts to the plugins folder.
4. Confirm that the custom artifacts you loaded to the plugins folder are visible. If an artifact is not available, there might be a problem with the artifact schema. Check the log.txt file in the plugins folder for details.
5. After you finish setting up the case, click Analyze evidence.

Customizing artifacts in AXIOM Process

If you have the Allow AXIOM to search for more artifacts option turned on, after completing a search, AXIOM Process displays all the databases that it suspects of containing useful data on the Customize artifacts screen. The data that AXIOM displays is raw, and in many cases, the app name and columns it extracts might not be descriptive or user friendly. You can customize the data so that when results show up in AXIOM Examine, they make sense to the examiner who's viewing them.

You can change the name of the artifact (by default, AXIOM uses the name of the database, which usually isn't the most user friendly). You can also map each fragment in the artifact to a category that reflects the type of data. By mapping each fragment, you're providing AXIOM with instructions on how to handle and present the data. For example, fragments that you categorize as a Latitude or Longitude can be plotted on the World map view, while fragments that use Date/time can appear on the Timeline view.

Select relevant data types and databases

First, Select relevant data types by selecting and deselecting the check boxes in the drop-down menu. Only the databases that include the types of data you select will appear in AXIOM Process, allowing you to filter the data that is relevant or irrelevant to your case. All data types are selected by default.

In the table under Select relevant data types (shown below), you can choose which databases to create custom artifacts from. By default, no databases are selected. Use the Enable all and Clear all buttons, as well as the check boxes in each row, to modify your selection. You will not be able to move on in AXIOM Process until you've selected artifacts in this table.

In this table, you're also able to rename the artifact. AXIOM gathers a name from the database table and displays it in the Custom artifact name column, but you can change this by clicking the artifact's name and typing something more user-friendly.

Map columns

The next step is to remap the column names to names that are easier for the examiner to understand. AXIOM attempts to name the column to reflect the data type and content.

In this example, AXIOM can recover data from many different columns, four of which are visible in the screen shot above. The grayed out columns (in this case, ID and environment) are ones that AXIOM can't identify and provide an accurate category for. By default, these columns are excluded from the custom artifact until you provide a name. To do this, open the drop-down menu under the column heading. You can click Custom and type your own category name, or you can choose from the following categories:

- City
- Coordinates
- Country
- Date/Time
- Geolocation
- Latitude
- Longitude
- Message
- Phone
- Postal code/zip
- Recipient
- Sender
- State/Province
- Street
- URL/URI

When AXIOM does recognize a category, its column isn't grayed out. In the above example, these categories include a Date/time column that contains the date and time, and a Message column that contains the body text for a message. You can change any of these names to a different value, or you can click None in the drop-down menu if you don't want the column to be mapped.

For Date/Time fragments, AXIOM attempts to determine the format that the fragment is stored as and uses that value as the default. You can change the date format for the entire table by choosing an option from the Date format dropdown menu. The specified date format appears in the Preview table as well.

Preview your custom artifacts

The final step is to review the Preview. This table lists all the columns that AXIOM will include in the final version of the custom artifact, along with the actual data that's recovered. In this example, the user has chosen not to map either of the grayed out columns in the Map columns table, so only the Date/Time and Message fragments will appear with the custom artifact.

Save selected artifacts

When you're satisfied with the content for the artifact, click Save selected artifacts. AXIOM Process saves only the custom artifacts that have their Enabled options selected in the first table. AXIOM Process saves the artifact definitions to the AXIOM Process\plugins directory. The next time you run a scan, the new artifact is available for selection by default.

Viewing custom artifacts in AXIOM Examine

AXIOM Examine displays custom artifacts in the Navigation pane under the Custom heading. When you add a custom artifact to a case for the first time, it doesn't appear in the Evidence pane if AXIOM Examine is already open. To view your custom artifacts, you must close AXIOM Examine and reopen the case.

AXIOM Process known issues

Issue: AXIOM Process crashes while scanning a hard drive

Occasionally, AXIOM Process experiences crashes while attempting to read or write protected memory from a hard drive. AXIOM Process might also crash after you click Analyze evidence to start a scan. This occurs on computers with the Dell Backup and Recovery program installed.

Possible solution: If your agency allows it, remove Dell Backup and Recovery from your computer.

Warning: If you remove the Dell Backup and Recovery program from your computer, make sure you have another method for backing up your digital content.

1. Browse to Control panel > Programs > Uninstall a program.
2. Click Dell backup and recovery.
3. Click Uninstall.
4. Follow the on-screen instructions to remove the program.

Issue: AXIOM Process performs slowly after a crash

Occasionally, when you restart AXIOM Process after a crash, you might notice performance issues.

Possible solution: Stop the adb.exe program

1. Open Task manager.
2. Right-click adb.exe and click End task.
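The Custom artifacts section above states that custom artifacts run unsandboxed with administrator privileges and must come from a trusted source. The following added example (not part of this guide and not Magnet Forensics code) shows one pre-load review step: hash each artifact file, compare it with hashes your team has already reviewed, and statically flag Python imports and calls that deserve a human read. The module lists, verdict names, approved-hash set and sample files are assumptions constructed for illustration.

```python
"""Pre-load review of custom artifact files (added example, not vendor code)."""
import ast
import hashlib
import re
from pathlib import Path

# Assumption: a local review policy, not a list published by Magnet Forensics.
RISKY_MODULES = {"subprocess", "socket", "ctypes", "urllib", "http",
                 "ftplib", "smtplib", "requests", "winreg"}
RISKY_BUILTINS = {"eval", "exec", "compile", "__import__"}
RISKY_ATTR_CALLS = {("os", "system"), ("os", "popen"), ("os", "startfile")}
XML_DTD = re.compile(r"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

# Constructed sample inputs (not real artifacts, not the AXIOM XML schema).
SAMPLE_SCRIPT = b'''\
import os
import sqlite3
import subprocess

def parse(db_path):
    os.system("echo constructed-sample")
    rows = sqlite3.connect(db_path).execute("SELECT body FROM msgs")
    return [eval(r[0]) for r in rows]
'''
SAMPLE_BENIGN = b"import sqlite3\n\ndef parse(db):\n    return sqlite3.connect(db).execute('SELECT 1').fetchall()\n"
SAMPLE_XML = b'<?xml version="1.0"?>\n<!DOCTYPE a [<!ENTITY x "constructed">]>\n<a/>\n'


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def review_python(source):
    """Return sorted (line, message) findings for a Python artifact."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError) as exc:
        # Cannot be parsed by this interpreter: a person has to read it.
        return [(getattr(exc, "lineno", None) or 0, "does not parse; read manually")]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            names = []
        for name in names:
            if name.split(".")[0] in RISKY_MODULES:
                found.append((node.lineno, "import " + name))
        if isinstance(node, ast.Call):
            func = node.func
            if isinstance(func, ast.Name) and func.id in RISKY_BUILTINS:
                found.append((node.lineno, "call %s()" % func.id))
            elif (isinstance(func, ast.Attribute)
                  and isinstance(func.value, ast.Name)
                  and (func.value.id, func.attr) in RISKY_ATTR_CALLS):
                found.append((node.lineno, "call %s.%s()" % (func.value.id, func.attr)))
    return sorted(found)


def review_xml(text):
    """Flag DTD/entity declarations without handing the file to an XML parser."""
    found = []
    for match in XML_DTD.finditer(text):
        line = text.count("\n", 0, match.start()) + 1
        found.append((line, "<!%s declaration" % match.group(1).upper()))
    return found


def review_artifact(name, data, approved_hashes):
    """Classify one file: approved (known hash), hold (findings), manual-review."""
    digest = sha256_hex(data)
    text = data.decode("utf-8", errors="replace")
    suffix = Path(name).suffix.lower()
    if suffix == ".py":
        findings = review_python(text)
    elif suffix == ".xml":
        findings = review_xml(text)
    else:
        findings = [(0, "unexpected file type " + (suffix or "(none)"))]
    if digest in approved_hashes:
        verdict = "approved"       # byte-identical to a file already reviewed
    elif findings:
        verdict = "hold"           # do not load until someone has read it
    else:
        verdict = "manual-review"  # a clean static pass is not proof of safety
    return {"name": name, "sha256": digest, "verdict": verdict,
            "findings": ["line %d: %s" % f for f in findings]}


def review_folder(folder, approved_hashes):
    """Review every .py/.xml file in a folder such as a copy of the plugins folder."""
    results = []
    for path in sorted(Path(folder).iterdir()):
        if path.is_file() and path.suffix.lower() in (".py", ".xml"):
            results.append(review_artifact(path.name, path.read_bytes(), approved_hashes))
    return results


if __name__ == "__main__":
    for label, blob in (("sample.py", SAMPLE_SCRIPT), ("benign.py", SAMPLE_BENIGN),
                        ("sample.xml", SAMPLE_XML)):
        print(review_artifact(label, blob, approved_hashes=set()))
```

Run it against a staging copy of downloaded artifacts before adding them through Manage custom artifacts, and record the SHA-256 of each file you approve so a later change to the file is detected.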

MAGNET AXIOM EXAMINE

Magnet AXIOM Examine has powerful features that help you make sense out of your evidence. You can search, filter, and tag important evidence, and you can view many types of files in their original format, such as documents, images, and web pages. After you've finished examining and tagging your evidence, you can share the results in a number of different formats.

Here's a quick overview of Examine and its various components:

1. Explorer drop-down: Select which explorer you want to use to view evidence. The default is the Artifacts explorer.
2. Home button: Switch back to the Artifacts explorer and reset all filters and selections.
3. Navigation pane: Browse through the evidence in your case using this pane. Its contents depend on the type of explorer you use. In the Artifacts explorer, you'll see all the artifact results in your case, organized by category. When you select a category, the Evidence pane refreshes to show all the results in that category. In the File system explorer, you'll see the folder hierarchy of the evidence source. In the Registry explorer, you'll see all the registry hives on the system.


AccessData Forensic Toolkit 5.5 Release Notes AccessData Forensic Toolkit 5.5 Release Notes Document Date: 8/20/2014 2014 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

AccessData Forensic Toolkit 5.0 Release Notes

AccessData Forensic Toolkit 5.0 Release Notes AccessData Forensic Toolkit 5.0 Release Notes Document Date: 05/31/2013 2013 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Online Backup Client User Manual

Online Backup Client User Manual Software version 3.21 For Mac OS X September 2010 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have been introduced caused by human mistakes or

More information

AccessData Enterprise Release Notes

AccessData Enterprise Release Notes AccessData Enterprise 6.0.2 Release Notes Document Date: 3/09/2016 2016 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues for

More information

Acronis True Image 2019

Acronis True Image 2019 Acronis True Image 2019 USER GUIDE Table of contents 1 Introduction...4 1.1 What is Acronis True Image?... 4 1.2 New in this version... 4 1.3 System requirements... 5 1.4 Install, update, or remove Acronis

More information

GNOSYS PRO 0.7. user guide

GNOSYS PRO 0.7. user guide GNOSYS PRO 0.7 user guide Author Guido M. Re Date September 2016 Reviewer Chad Barksdale Date September 2016 3 Contents 1 Get Started 7 1.1 System Requirements...................................................

More information

Cox Business Online Backup Administrator Guide. Version 2.0

Cox Business Online Backup Administrator Guide. Version 2.0 Cox Business Online Backup Administrator Guide Version 2.0 2012 by Cox Communications. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic,

More information

Parallels Toolbox for Windows User's Guide

Parallels Toolbox for Windows User's Guide Parallels Toolbox for Windows User's Guide Parallels International GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 672 20 30 www.parallels.com Copyright 1999-2018 Parallels International

More information

AccessData Forensic Toolkit 5.6 Release Notes

AccessData Forensic Toolkit 5.6 Release Notes AccessData Forensic Toolkit 5.6 Release Notes Document Date: 12/08/2014 2014 AccessData Group, Inc. All rights reserved Introduction This document lists the new features, fixed issues, and known issues

More information

Battery Charging The tablet has a built-in rechargeable Li-polymer battery.

Battery Charging The tablet has a built-in rechargeable Li-polymer battery. Attention: This handbook contains important security measures and the correct use of the product information, in order to avoid accidents. Pls make sure to reading the manual carefully before use the device.

More information

ETVR360CAMW-User Guide

ETVR360CAMW-User Guide ETVR360CAMW-User Guide TABLE OF CONTENTS 1. PARTS... 3 GETTING STARTED... 6 Charging the Battery... 6 Power On & Power Off... 6 Use Mode... 6 Independent Operation... 6 APP... 6 CONNECTING THROUGH WIFI...

More information

Intella Release Notes

Intella Release Notes Intella 1.9.1 Release Notes Highlights Added an Insight view, giving an extensive yet concise overview of suspect behavior gathered from browser histories, Windows registries and other sources. Examples

More information

SecuriSync Get Started Guide for Windows

SecuriSync Get Started Guide for Windows SecuriSync Get Started Guide for Windows Intermedia Backup and File Sharing - SecuriSync SecuriSync is a file backup and sharing service. It allows you to: Back up your files in real-time to protect against

More information

Veeam Endpoint Backup

Veeam Endpoint Backup Veeam Endpoint Backup Version 1.5 User Guide March, 2016 2016 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be reproduced,

More information

Ed Ferrara, MSIA, CISSP

Ed Ferrara, MSIA, CISSP MIS 5208 - Lecture 12 Investigation Methods Data Acquisition Ed Ferrara, MSIA, CISSP eferrara@temple.edu Objectives List digital evidence storage formats Explain ways to determine the best acquisition

More information

Retrospect 8 for Windows Reviewer s Guide

Retrospect 8 for Windows Reviewer s Guide Retrospect 8 for Windows Reviewer s Guide 2012 Retrospect, Inc. About this Reviewer s Guide This document provides a concise guide to understanding Retrospect 8 for Windows. While it is not designed to

More information

Colligo Engage Outlook App 7.1. Connected Mode - User Guide

Colligo Engage Outlook App 7.1. Connected Mode - User Guide 7.1 Connected Mode - User Guide Contents Colligo Engage Outlook App 1 Benefits 1 Key Features 1 Platforms Supported 1 Installing and Activating Colligo Engage Outlook App 2 Checking for Updates 3 Updating

More information

Contents Release Notes System Requirements Using Jive for Office

Contents Release Notes System Requirements Using Jive for Office Jive for Office TOC 2 Contents Release Notes...3 System Requirements... 4 Using Jive for Office... 5 What is Jive for Office?...5 Working with Shared Office Documents... 5 Get set up...6 Get connected

More information

Online Backup Client User Manual

Online Backup Client User Manual Online Backup Client User Manual Software version 3.21 For Linux distributions October 2010 Version 2.0 Disclaimer This document is compiled with the greatest possible care. However, errors might have

More information

Samsung Galaxy S3 Repair Video Formats Support File

Samsung Galaxy S3 Repair Video Formats Support File Samsung Galaxy S3 Repair Video Formats Support File How to Convert Video to Samsung Galaxy Format H.264 video and MP3, Here we list the supported file formats for Samsung Galaxy S5, S4, S3, S2 and S:.

More information

Workstation Configuration Guide

Workstation Configuration Guide Workstation Configuration Guide August 13, 2018 Version 9.6.134.78 For the most recent version of this document, visit our documentation website. Table of Contents 1 Workstation configuration 4 1.1 Considerations

More information

ShareSync Get Started Guide for Mac

ShareSync Get Started Guide for Mac ShareSync Get Started Guide for Mac ShareSync Overview ShareSync is a file backup and sharing service. It allows you to: Back up your files in real-time to protect against data loss from ransomware, accidental

More information

Salesforce Classic Guide for iphone

Salesforce Classic Guide for iphone Salesforce Classic Guide for iphone Version 35.0, Winter 16 @salesforcedocs Last updated: October 27, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark

More information

Belkasoft Evidence Center 2018 ESSENTIALS TRAINING PROGRAM

Belkasoft Evidence Center 2018 ESSENTIALS TRAINING PROGRAM Belkasoft Evidence Center 2018 ESSENTIALS TRAINING PROGRAM INTRODUCTION Belkasoft Essentials is intended for investigators of any level of expertise who want to acquire hands-on skills in computer, mobile

More information

AccessData Advanced Forensics

AccessData Advanced Forensics This advanced five-day course provides the knowledge and skills necessary to install, configure and effectively use Forensic Toolkit (FTK ), FTK Imager Password Recovery Toolkit (PRTK ) and Registry Viewer.

More information

CIS Project 1 February 13, 2017 Jerad Godsave

CIS Project 1 February 13, 2017 Jerad Godsave CIS 484-75-4172 Project 1 February 13, 2017 Jerad Godsave Part 1) a) Below are a few screenshots indicating verification that the original evidence and the newly created.e01 forensic image match: Part

More information

CleanMyPC User Guide

CleanMyPC User Guide CleanMyPC User Guide Copyright 2017 MacPaw Inc. All rights reserved. macpaw.com CONTENTS Overview 3 About CleanMyPC... 3 System requirements... 3 Download and installation 4 Activation and license reset

More information

Backup App V7. Quick Start Guide for Windows

Backup App V7. Quick Start Guide for Windows Backup App V7 Quick Start Guide for Windows Revision History Date Descriptions Type of modification 30 Jun 2016 First Draft New 25 Nov 2016 Added Restore Options to Ch 8 Restoring Data; Combined Technical

More information

SIGNATUS USER MANUAL VERSION 3.7

SIGNATUS USER MANUAL VERSION 3.7 SIGNATUS USER MANUAL VERSION 3.7 CONTENTS 1 INTRODUCTION... 3 1.1 Launching SIGNATUS... 4 1.1.1 Update your SIGNATUS License... 4 1.2 Main Menu... 6 2 SETTINGS OVERVIEW... 7 3 OPEN DOCUMENT... 8 3.1 Form

More information

Contact Information. Contact Center Operating Hours. Other Contact Information. Contact Monday through Thursday Friday

Contact Information. Contact Center Operating Hours. Other Contact Information. Contact Monday through Thursday Friday Contact Information Contact Center Operating Hours Contact Monday through Thursday Friday Phone: 1.801.796.0944 8 AM 5 PM Eastern Time 8 AM 3 PM Eastern Time Online chat: http://support.paraben.com 10

More information

Browser Configuration Reference

Browser Configuration Reference Sitecore CMS 7.0 or later Browser Configuration Reference Rev: 2013-09-30 Sitecore CMS 7.0 or later Browser Configuration Reference Optimizing Internet Explorer and other web browsers to work with Sitecore

More information

Oracle Cloud. Content and Experience Cloud Android Mobile Help E

Oracle Cloud. Content and Experience Cloud Android Mobile Help E Oracle Cloud Content and Experience Cloud Android Mobile Help E82091-01 Februrary 2017 Oracle Cloud Content and Experience Cloud Android Mobile Help, E82091-01 Copyright 2017, Oracle and/or its affiliates.

More information

Colligo Engage Outlook App 7.1. Offline Mode - User Guide

Colligo Engage Outlook App 7.1. Offline Mode - User Guide Colligo Engage Outlook App 7.1 Offline Mode - User Guide Contents Colligo Engage Outlook App 1 Benefits 1 Key Features 1 Platforms Supported 1 Installing and Activating Colligo Engage Outlook App 3 Checking

More information

Nextiva Drive The Setup Process Mobility & Storage Option

Nextiva Drive The Setup Process Mobility & Storage Option Nextiva Drive The Setup Process The Setup Process Adding Users 1. Login to your account and click on the Account icon at the top of the page (this is only visible to the administrator). 2. Click Create

More information

Seagate Manager. User Guide. For Use With Your FreeAgent TM Drive. Seagate Manager User Guide 1

Seagate Manager. User Guide. For Use With Your FreeAgent TM Drive. Seagate Manager User Guide 1 Seagate Manager User Guide For Use With Your FreeAgent TM Drive Seagate Manager User Guide 1 Seagate Manager User Guide Revision 2 2009 Seagate Technology LLC. All rights reserved. Seagate, Seagate Technology,

More information

Introduction Secure Message Center (Webmail, Mobile & Visually Impaired) Webmail... 2 Mobile & Tablet... 4 Visually Impaired...

Introduction Secure Message Center (Webmail, Mobile & Visually Impaired) Webmail... 2 Mobile & Tablet... 4 Visually Impaired... WEB MESSAGE CENTER END USER GUIDE The Secure Web Message Center allows users to access and send and receive secure messages via any browser on a computer, tablet or other mobile devices. Introduction...

More information

IT Essentials v6.0 Windows 10 Software Labs

IT Essentials v6.0 Windows 10 Software Labs IT Essentials v6.0 Windows 10 Software Labs 5.2.1.7 Install Windows 10... 1 5.2.1.10 Check for Updates in Windows 10... 10 5.2.4.7 Create a Partition in Windows 10... 16 6.1.1.5 Task Manager in Windows

More information

Parallels Remote Application Server

Parallels Remote Application Server Parallels Remote Application Server Parallels Client for ios User's Guide v16 Parallels International GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 672 20 30 www.parallels.com Copyright

More information

Droid Transfer - User Guide

Droid Transfer - User Guide Droid Transfer - User Guide Contents Title Introduction 2 Wi-fi Connect 3 USB Connect 5 Backup Texts 8 Recover Texts 10 Print SMS 13 Transfer Contacts 15 Android Music to PC 17 PC Music to Android 19 itunes

More information

How To Changing Album Name On Macbook Pro Home Folder

How To Changing Album Name On Macbook Pro Home Folder How To Changing Album Name On Macbook Pro Home Folder One or more iphoto album names are not listed in the Photos tab in itunes. Check to see if you've accidentally moved your iphoto Library file to another

More information

ANALYSIS AND VALIDATION

ANALYSIS AND VALIDATION UNIT V ANALYSIS AND VALIDATION Validating Forensics Objectives Determine what data to analyze in a computer forensics investigation Explain tools used to validate data Explain common data-hiding techniques

More information

Paraben s Photo Backup Stick V2.1. User Manual

Paraben s Photo Backup Stick V2.1. User Manual Paraben s Photo Backup Stick V2.1 User Manual About Paraben s Photo Backup Stick The Photo Backup Stick is an easy-to-use picture and video backup tool for Windows computers, Apple iphones and ipads, and

More information

2.5.1 Using Blockchain technology Verifying file authenticity Manual verification of a file's authenticity...

2.5.1 Using Blockchain technology Verifying file authenticity Manual verification of a file's authenticity... USER'S GUIDE Table of contents 1 Introduction...4 1.1 What is Acronis True Image?... 4 1.2 System requirements... 4 1.3 Install, update, or remove Acronis True Image 2018... 5 1.4 Activating Acronis True

More information

Cloud Compute. Backup Portal User Guide

Cloud Compute. Backup Portal User Guide Cloud Compute Backup Portal User Guide Contents Service Overview... 4 Gaining Access... 5 Operational Guide... 6 Landing Page... 6 Profile View... 6 Detailed View... 8 Overview... 8 Cloud Backup... 8

More information

Workstation Configuration

Workstation Configuration Workstation Configuration December 12, 2017 - Version 9.4 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Installing and Configuring hopto Work. System Requirements Be sure you have these system requirements to install and use hopto Work.

Installing and Configuring hopto Work. System Requirements Be sure you have these system requirements to install and use hopto Work. Installing and Configuring hopto Work To configure and install hopto Work on your Microsoft Windows server, you ll need to have Administrator status. Note: The recommended setup is that Active Directory

More information

Syncios Data Recovery User Guide

Syncios Data Recovery User Guide Syncios Data Recovery User Guide Overview Tutorials Introduction Recover from ios device Key Features Recover from itunes backup System Requirements Recover from icloud backup Purchase & Registration FAQ

More information

Server Edition USER MANUAL. For Microsoft Windows

Server Edition USER MANUAL. For Microsoft Windows Server Edition USER MANUAL For Microsoft Windows Copyright Notice & Proprietary Information Redstor Limited, 2016. All rights reserved. Trademarks - Microsoft, Windows, Microsoft Windows, Microsoft Windows

More information

MOBILedit Forensic Express

MOBILedit Forensic Express MOBILedit Forensic Express All-in-one phone forensic tool from pioneers in the field MOBILedit Forensic Express is a phone and cloud extractor, data analyzer and report generator all in one solution. A

More information

Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,

More information

Syncios Data Recovery User Guide

Syncios Data Recovery User Guide Syncios Data Recovery User Guide Overview Tutorials Introduction Key Features System Requirements Recover from ios device Recover from itunes backup Recover from icloud backup Purchase & Registration FAQ

More information

Macrorit Partition Expert 4.3.5

Macrorit Partition Expert 4.3.5 Content Macrorit Partition Expert 4.3.5... 1 User Manual... 1 Welcome... 1 About Macrorit Partition Expert... 1 Main Features... 1 Advanced Features... 1 Tools... 2 Unique Technology... 2 System Requirements:...

More information

VIEVU Solution User Guide

VIEVU Solution User Guide VIEVU Solution User Guide VIEVU Solution is the next generation, fully-hosted, cloud evidence management system. This guide describes how to operate the VIEVU Solution. Additional support material is available

More information

Introducing. Introducing...

Introducing. Introducing... Introducing Introducing How PhotoFast EVO Plus is different It s the only flash drive that is cross platform The USB 3.0 is compatible with all USB based computers, and at the other end it works with ipod

More information

DISK DEFRAG Professional

DISK DEFRAG Professional auslogics DISK DEFRAG Professional Help Manual www.auslogics.com / Contents Introduction... 5 Installing the Program... 7 System Requirements... 7 Installation... 7 Registering the Program... 9 Uninstalling

More information

Parallels Toolbox User's Guide

Parallels Toolbox User's Guide Parallels Toolbox User's Guide Parallels International GmbH Vordergasse 59 8200 Schaffhausen Switzerland Tel: + 41 52 672 20 30 www.parallels.com Copyright 1999-2018 Parallels International GmbH. All rights

More information

NETWORK THE HOME 10 FOLDERS APPS

NETWORK THE HOME 10 FOLDERS APPS NID-7006 NAXA NID Tablet User s Guide Table of Contents GETTING STARTED 4 CONNECTING TO A WIRELESS NETWORK 4 USING THE TOUCHSCREEN 4 USING THE HOME SCREENS 5 USING THE NAVIGATION ICONS 6 USING THE ALL

More information

Veeam Endpoint Backup

Veeam Endpoint Backup Veeam Endpoint Backup Version 1.1 User Guide December, 2015 2015 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be reproduced,

More information