Magnet AXIOM: User Guide To Acquiring Computer Evidence

by Sunny Hoi

What is Magnet AXIOM Forensic Software?

Magnet AXIOM is a digital forensics suite that lets investigators acquire and analyze evidence from several device types (computers, mobile devices, and cloud accounts) within a single case.

Downloading Magnet Axiom Forensic Software

Magnet Forensics is offering a free 30-day trial to test the AXIOM software’s powerful capabilities.

The forensic software can be downloaded from Magnet Forensics’ official site, but a trial license key must be requested from the company before its features can be used.

During the trial, the user is granted access to acquisition types such as computer, mobile, and cloud.

Guide To Acquiring Computer Evidence Using Magnet AXIOM Process

Our Magnet AXIOM software guide will show the user how to acquire computer forensic evidence and image drives using AXIOM Process. Various acquisition options exist.

Acquiring Computer Images Using Magnet Forensics AXIOM

When we start AXIOM Process, we are presented with several options. We can create a new case, open a recent case, or add evidence to an existing case by opening an existing AXIOM case folder.

1. Create A New Case

For this Magnet AXIOM tutorial, we will create a brand-new case.

2. Enter Case Details: CASE INFORMATION

Click on “CASE DETAILS” on the left side of the user interface to see the various options available.

Under “CASE DETAILS” > “CASE INFORMATION”, enter the details of your case, such as the case number and case type.

Case Type

For Case type, ensure that you select the proper topic relating to your investigative case.

If there are no relevant case types, feel free to choose “Other” as the case type.

Location For Case Files

Folder name – Set your folder name accordingly, and you may wish to retain the date and timestamp.

By default, AXIOM Process includes the date and time in the folder name, which is useful for telling scans of the same case apart. It is up to you whether to keep or change that default.

Our folder name is “Magnet AXIOM – Computer”.

File path – Set the file path to the location where you keep your Magnet AXIOM cases. Every case folder will be created under this path, so choose a location that suits how you organize your casework.

Our file path is “C:\Users\SunnyHoi\Desktop\Magnet AXIOM Cases”.

Location For Acquired Evidence

Folder name – For the Acquired Evidence folder name, you may set it to the identical folder name for the case files or choose a different folder name. The choice is yours.

File path – The file path for your acquired evidence images may differ from the file path for your AXIOM case files.

In our setup the acquired evidence is written to “D:\” and the case files to “C:\”. Writing images to a separate drive keeps the large evidence files away from the case database and avoids filling the system drive, but the layout may differ for you. Choose what works best for your environment.

Our file path is “D:\Acquired Evidence Images”.

3. Enter Case Details: SCAN INFORMATION & REPORT OPTIONS

SCAN 1

For the scan information of our scan, fill out the applicable information.

Scanned by – We fill in the digital forensic professional’s name.

Description – We can fill in the description related to the scan/case investigation. What is typed in the description may assist us in our digital forensic investigation in the future.

REPORT OPTIONS

Cover logo – To choose an image for your cover logo, click on “BROWSE”, locate the image, and click “Open”.

4. Choose Evidence Source: COMPUTER

Proceed by clicking on “EVIDENCE SOURCES” on the left side of the user interface.

We have the option of choosing either computer, mobile, or cloud data as the evidence source.

In this tutorial, we’ll go ahead and select “COMPUTER” data as our evidence source.

Keep in mind that we also have the ability to select other data such as mobile and cloud together.

5. Choose Evidence Source: ACQUIRE EVIDENCE

We can choose whether to load evidence or acquire evidence in Magnet AXIOM Process.

We’ll select “ACQUIRE EVIDENCE” since we want to create an image of a computer hard drive and already have a hard drive connected to our desktop PC.

AXIOM Process lists a “PhysicalDrive0” 1 TB Samsung fixed hard drive together with its serial number, which is useful for documenting the evidence in a forensic investigation.

We select “DRIVE”, i.e. “PhysicalDrive0”, which is the internal hard drive of this machine. A suspect drive attached through a hardware write blocker would appear in the same list. Imaging the examination machine’s own internal drive is done here purely for demonstration: a drive that is actually evidence should always be connected through a write blocker so that the acquisition cannot alter it.

Continue by clicking “NEXT”.

6. Choose Evidence Source: COMPUTER – SELECT IMAGE TYPE

We are presented with various imaging options for imaging drives.

Remember that what you choose depends on the kind of data you are seeking for and any time limits that may be present.

Entire contents of the drive in E01 format – The default option has AXIOM Process copy every sector of the drive into an “.E01” (Expert Witness Format) image, which stores the data in compressed chunks together with integrity checksums and case metadata. Because every sector is read, this option takes the longest. It is the format most digital forensic tools accept, which is why many practitioners prefer it.

Entire contents of the drive in raw format – This option copies every sector of the drive into a “.raw” file with no compression or embedded metadata, so the image is the same size as the drive. Like the E01 option, it is a physical acquisition and generally takes a long time.

All files and folders – This is a logical acquisition: AXIOM Process copies every file and folder it can see through the file system into a compressed container. Unallocated space and deleted data are not included.

Quick – Targeted acquisition – This is also a logical acquisition, but it focuses on particular items such as registry hives and log files. Investigators may choose a targeted acquisition to quickly obtain a logical image containing the files most relevant to analysis. This option is a good choice when disk space or time is limited.

We will stick with the default option “Entire contents of the drive in E01 format”.

Proceed by clicking “NEXT”.

7. Choose Evidence Source: COMPUTER – Search Type

We are presented with a window to choose our search type.

We see that there are three search types available.

Full – Looks for artifacts by searching every area of the drive or image. This search type does more work on fragmented files than the other types.

Quick – Searches the most common locations where evidence is found, such as user profiles, the Windows registry, and application data directories.

Sector level – Searches for artifacts that can be carved and reassembled from the drive’s raw data. This search type makes AXIOM examine the evidence source byte by byte, so the file system structure is largely irrelevant.

In our tutorial, we will select the “Full” search type since we prefer a more detailed search.

Proceed by clicking “OKAY”.

Note that the “Sector level” search type is the one to choose if you do not have the password to decrypt the drive, if the full or quick search does not support the file system, or if you do not recognize the file system type.
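To make the difference between the file-system-aware search types and the “Sector level” search concrete, here is an added example of header/footer carving over raw image bytes. It is written for this guide and is not AXIOM’s carving engine; the 32-sector “disk” it scans is constructed in memory, and the file types and sizes are chosen only for illustration.

```python
"""Header/footer carving over raw image bytes, ignoring the file system.
Added example to illustrate the 'Sector level' search type; it is not
AXIOM's carving engine. The input 'disk' is constructed, not real evidence."""
import hashlib
import struct
import zlib

SECTOR = 512
MAX_CARVE = 16 * 1024 * 1024  # abandon a candidate whose end is not found within this many bytes

JPEG_SOI = b"\xff\xd8\xff"          # start-of-image marker prefix
JPEG_EOI = b"\xff\xd9"              # end-of-image marker
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # 8-byte PNG signature

def carve_jpeg(data: bytes, start: int):
    """JPEG has no length field: take bytes up to the first EOI after the
    header. Fragmented or truncated files come back as None or as a partial
    object, which is why carved results always need manual validation."""
    end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + MAX_CARVE)
    return None if end < 0 else data[start:end + len(JPEG_EOI)]

def carve_png(data: bytes, start: int):
    """PNG is chunked (length, type, payload, CRC-32), so the carve can be
    bounded by structure: walk chunks, verify each CRC, stop at IEND."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(data) and pos - start < MAX_CARVE:
        length, = struct.unpack_from(">I", data, pos)
        ctype = data[pos + 4:pos + 8]
        if pos + 12 + length > len(data):
            return None
        stored_crc, = struct.unpack_from(">I", data, pos + 8 + length)
        if zlib.crc32(data[pos + 4:pos + 8 + length]) & 0xFFFFFFFF != stored_crc:
            return None  # chunk overwritten or garbage: not a recoverable PNG
        pos += 12 + length
        if ctype == b"IEND":
            return data[start:pos]
    return None

CARVERS = [(JPEG_SOI, "jpg", carve_jpeg), (PNG_SIG, "png", carve_png)]

def carve(data: bytes, sector_aligned: bool = True) -> list:
    """Scan candidate offsets for known headers. Files on most file systems
    start on a sector boundary, so sector stepping is fast; byte stepping
    (sector_aligned=False) also finds objects embedded inside other files."""
    step = SECTOR if sector_aligned else 1
    found = []
    for offset in range(0, len(data), step):
        for magic, ext, carver in CARVERS:
            if data.startswith(magic, offset):
                blob = carver(data, offset)
                if blob is not None:
                    found.append({"offset": offset, "ext": ext, "size": len(blob),
                                  "sha256": hashlib.sha256(blob).hexdigest()})
    return found

def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))

def build_sample_disk() -> bytes:
    """Constructed 32-sector 'disk': a 1x1 PNG at sector 3, a small JPEG at
    sector 10, and a JPEG header whose data has been lost at sector 20."""
    disk = bytearray(SECTOR * 32)
    png = (PNG_SIG + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
           + _png_chunk(b"IEND", b""))
    disk[3 * SECTOR:3 * SECTOR + len(png)] = png
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 100 + JPEG_EOI
    disk[10 * SECTOR:10 * SECTOR + len(jpeg)] = jpeg
    disk[20 * SECTOR:20 * SECTOR + len(JPEG_SOI)] = JPEG_SOI
    return bytes(disk)

if __name__ == "__main__":
    for hit in carve(build_sample_disk()):
        print(hit)
```

The carver never consults a partition table or directory, which is exactly why it still works on an unrecognized or damaged file system; the price is that the truncated JPEG at sector 20 is silently dropped and a fragmented file would come back incomplete, so carved hits are leads to verify, not conclusions.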

8. Computer Image Loaded – EVIDENCE SOURCES

We can see that we have our computer image loaded in the evidence sources section.

We can also add additional evidence sources such as other computer drives, mobile devices, or cloud.

9. Add Another Computer Image – EVIDENCE SOURCES

For demonstration purposes, we’ll show how to add another computer image to the forensic program.

This image is one we’ve already acquired with another tool such as Magnet ACQUIRE.

Click on “COMPUTER” in the “SELECT EVIDENCE SOURCE” section.

10. Add Another Computer Image – LOAD EVIDENCE – EVIDENCE SOURCES

We have many options such as choosing a local drive, an image, files & folders, volume shadow copies, or memory.

To add another computer image, continue by clicking on “LOAD EVIDENCE” under the “EVIDENCE SOURCES” section.

Let’s select “IMAGE”.

Select the image you want to add by browsing to the appropriate folder/file.

AXIOM accepts a range of image formats, so an image created with another forensic tool can normally be loaded without conversion.

For our example, we’ve got a “.E01” image. After finding your image, click “Open”.

11. Add Another Computer Image – ADD FILES AND FOLDERS – EVIDENCE SOURCES

We see the image and that it recognizes NTFS in the “ADD FILES AND FOLDERS” section of “EVIDENCE SOURCES”.

The boxes should already be automatically ticked. If not, ensure that you tick them before proceeding.

Click on “NEXT” to continue.
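The E01/raw choice in step 6 and the “recognizes NTFS” message above both come down to reading a few well-defined bytes. The following added example (written for this guide, not Magnet AXIOM’s own loader) shows that check: it identifies an E01 segment by its magic, and for a raw image parses the MBR partition table and the volume boot record to name the file system. The sample images are constructed in memory and are not real evidence; the partition geometry is made up.

```python
"""Identify a disk image's container (E01 vs raw) and, for a raw image, the
file system of each MBR partition. Added example for this guide, not Magnet
AXIOM's own loader; the sample images below are constructed in memory and
are not real evidence."""
import struct

EWF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"  # magic at byte 0 of every E01 segment file
MBR_SIGNATURE = b"\x55\xaa"                  # boot signature at bytes 510-511 of the MBR
SECTOR = 512

def container_format(data: bytes) -> str:
    """E01 segments carry a fixed magic; raw images have none, so a missing
    magic means 'treat as raw', not 'proven raw'."""
    return "E01" if data[:8] == EWF_SIGNATURE else "raw"

def mbr_partitions(data: bytes) -> list:
    """Parse the four 16-byte primary partition entries at MBR offset 446."""
    if data[510:512] != MBR_SIGNATURE:
        return []
    parts = []
    for i in range(4):
        entry = data[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, lba_count = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or lba_count == 0:
            continue  # empty slot
        parts.append({"index": i, "type": ptype, "bootable": status == 0x80,
                      "lba_start": lba_start, "lba_count": lba_count})
    return parts

def file_system_of(data: bytes, lba_start: int) -> str:
    """Inspect the volume boot record: NTFS writes 'NTFS    ' at offset 3,
    FAT32 writes 'FAT32   ' at offset 82. The partition type byte alone is
    only a hint (0x07 is shared by NTFS and exFAT)."""
    vbr = data[lba_start * SECTOR:(lba_start + 1) * SECTOR]
    if len(vbr) < SECTOR:
        return "unknown (partition start lies beyond the image)"
    if vbr[3:11] == b"NTFS    ":
        bytes_per_sector, = struct.unpack_from("<H", vbr, 11)
        sectors_per_cluster = vbr[13]
        total_sectors, = struct.unpack_from("<Q", vbr, 40)
        mft_cluster, = struct.unpack_from("<Q", vbr, 48)
        return (f"NTFS (cluster {bytes_per_sector * sectors_per_cluster} B, "
                f"{total_sectors} sectors, $MFT at cluster {mft_cluster})")
    if vbr[82:90] == b"FAT32   ":
        return "FAT32"
    return "unknown"

def identify(data: bytes) -> dict:
    """Top-level check mirroring what a loader must do before it can say
    'this image contains an NTFS volume'."""
    fmt = container_format(data)
    result = {"container": fmt, "partitions": []}
    if fmt == "E01":
        # E01 stores the drive as compressed chunks behind section headers, so
        # byte 0 is not the MBR; the container has to be unwrapped first.
        return result
    for part in mbr_partitions(data):
        part["filesystem"] = file_system_of(data, part["lba_start"])
        result["partitions"].append(part)
    return result

def build_sample_raw_image() -> bytes:
    """Constructed 80-sector raw image: one bootable NTFS partition at LBA 8."""
    img = bytearray(SECTOR * 80)
    img[446:462] = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 8, 64)
    img[510:512] = MBR_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x52\x90"              # jump instruction
    vbr[3:11] = b"NTFS    "                 # OEM ID
    struct.pack_into("<H", vbr, 11, 512)    # bytes per sector
    vbr[13] = 8                             # sectors per cluster
    struct.pack_into("<Q", vbr, 40, 63)     # total sectors in the volume
    struct.pack_into("<Q", vbr, 48, 4)      # $MFT start cluster
    vbr[510:512] = MBR_SIGNATURE
    img[8 * SECTOR:9 * SECTOR] = vbr
    return bytes(img)

# Constructed E01 prefix: magic, fields-start byte, segment number 1, two zero bytes.
SAMPLE_E01_PREFIX = EWF_SIGNATURE + b"\x01" + struct.pack("<H", 1) + b"\x00\x00"

if __name__ == "__main__":
    print(identify(build_sample_raw_image()))
    print(identify(SAMPLE_E01_PREFIX))
```

Two practical points fall out of this: a raw image can be inspected with nothing more than a hex viewer, while an E01 must be unwrapped (which is what AXIOM and the other tools that accept it do for you); and the file-system name a tool reports comes from the volume boot record, so a partition whose VBR is wiped or encrypted will show up with a type byte but no recognized file system, which is one of the cases where the “Sector level” search is the fallback.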

12. Add Another Computer Image – SELECT SEARCH TYPE – EVIDENCE SOURCES

We are prompted to select the search type for our image.

Our image defaults to a full search type which is what we’ll stick to.

A full search covers everything in the NTFS volume.

We also see that another search type called “Custom” exists along with the other three that we’ve discussed earlier.

Custom – Permits us to specify particular areas for the NTFS volume.

To continue, click “NEXT”.

13. In Queue – EVIDENCE SOURCES

As we can see, the image is now in the queue, ready for analysis.

We can also add more images.

14. Add A Memory Image – EVIDENCE SOURCES

Since we have a memory image for the computer, let’s add it.

Go back and click “COMPUTER” under the “EVIDENCE SOURCES” section.

Click “MEMORY” under “SELECT EVIDENCE SOURCE” of the “EVIDENCE SOURCES” section.

Click “LOAD MEMORY DUMP” and browse to your memory image.

When you have found your image, click “Open”.

Keep in mind that we can load memory images in their native file format so we can scan them for artifacts.

If you are unsure what a memory dump is, it is a copy of the system’s RAM. It captures user and system activity that would otherwise be lost when the machine crashed or was shut down.

Loading a memory dump is particularly useful in incident response investigations, because it records which processes were running, which files were open, and which network connections existed at the time of capture.

A memory dump of a running system can be taken with a dedicated capture tool such as Magnet RAM Capture.

15. Computer – Memory Image – SELECT PROFILE – EVIDENCE SOURCES

AXIOM Process asks whether we want it to provide a list of recommended image profiles or whether we want to choose the profile ourselves.

Profile detection uses AXIOM’s own memory analysis capabilities together with the integrated Volatility framework.

AXIOM Process runs a KDBG scan to identify the profile. The scan results are recorded in the case summary text file inside the case folder.

We choose the default option, “I want AXIOM Process to provide a list of recommended image profiles.”, and click “NEXT”.

16. Computer – Memory Image – Wait Until AXIOM Process Is Done With KDBG Scan – SELECT PROFILE – EVIDENCE SOURCES

It will take a few minutes for AXIOM Process to figure it all out.

17. Computer – Memory Image – Choose Suitable Profile For Image – SELECT PROFILE – EVIDENCE SOURCES

Once AXIOM Process is done with identifying image profiles, the program will provide a recommended image type.

The software recommends the Windows 7 32-bit profile, which is correct for the system this dump was captured from.

There may be other recommendations when we click the dropdown list.

But we will use the first recommendation.

Click “NEXT”.

We will see the memory image added as an evidence source. Clearly, we can add more evidence sources, but it will take longer to process.
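The “KDBG scan” in steps 15 to 17 is a signature search for the kernel debugger data block (_KDDEBUGGER_DATA64), whose header carries the owner tag “KDBG” and a size field that varies by Windows release. The following added example, written for this guide and not taken from Magnet’s or Volatility’s code, locates that block in a dump, guesses the architecture from the pointer width stored in the block, and reads the KernBase and PsActiveProcessHead fields that a process listing starts from. The dump it scans is constructed; the pointer values are made up, and the size-to-release table is recalled from Volatility 2’s signatures and should be treated as an assumption to verify. One caveat the page does not cover: Windows 8 and later may store this block encoded, in which case a plain signature scan finds nothing and tools fall back to other methods.

```python
"""Scan a memory dump for the KDBG block (_KDDEBUGGER_DATA64) that profile
identification keys on. Added example written for this guide; it is not
Magnet's or Volatility's code. The dump below is constructed, not a capture."""
import struct

OWNER_TAG = b"KDBG"
# _DBGKD_DEBUG_DATA_HEADER64 = LIST_ENTRY64 List (16 bytes) + ULONG OwnerTag + ULONG Size,
# so the tag sits at +0x10 and Size at +0x14 of the block. Field offsets inside
# _KDDEBUGGER_DATA64 that follow the header:
OFF_KERNBASE = 0x18
OFF_PSLOADEDMODULELIST = 0x48
OFF_PSACTIVEPROCESSHEAD = 0x50

# Size-to-OS hints. 0x340 is the value Volatility 2's Windows 7 / 2008 R2
# signatures use; the other two are recalled from its XP and Vista signatures
# and are assumptions to verify against a current tool.
SIZE_HINTS = {0x290: "Windows XP / 2003", 0x328: "Windows Vista / 2008", 0x340: "Windows 7 / 2008 R2"}

def scan_kdbg(dump: bytes) -> list:
    """Return every plausible KDBG: owner tag present, Size in a sane range,
    and an architecture guess from the high dword of List.Blink (zero when
    the kernel stores 32-bit pointers, 0xFFFFxxxx for a 64-bit kernel)."""
    hits = []
    tag_at = dump.find(OWNER_TAG)
    while tag_at != -1:
        block = tag_at - 0x10
        if block >= 0 and block + OFF_PSACTIVEPROCESSHEAD + 8 <= len(dump):
            size, = struct.unpack_from("<I", dump, tag_at + 4)
            if 0x200 <= size <= 0x1000:  # a random 'KDBG' string in user data fails this
                blink_hi, = struct.unpack_from("<I", dump, block + 0x0C)
                arch = "x86" if blink_hi == 0 else "x64" if blink_hi >= 0xFFFF0000 else "unknown"
                kernbase, = struct.unpack_from("<Q", dump, block + OFF_KERNBASE)
                modules, = struct.unpack_from("<Q", dump, block + OFF_PSLOADEDMODULELIST)
                procs, = struct.unpack_from("<Q", dump, block + OFF_PSACTIVEPROCESSHEAD)
                hits.append({"offset": block, "size": size, "arch": arch,
                             "kernbase": kernbase, "ps_loaded_module_list": modules,
                             "ps_active_process_head": procs,
                             "profile_hint": f"{SIZE_HINTS.get(size, 'unknown')} {arch}"})
        tag_at = dump.find(OWNER_TAG, tag_at + 1)
    return hits

def build_sample_dump() -> bytes:
    """Constructed 64 KiB 'dump': a decoy 'KDBG' inside ordinary text at 0x100
    and a Windows 7 x86-style block at 0x4000 (pointer values are made up)."""
    dump = bytearray(0x10000)
    dump[0x100:0x120] = b"search string KDBG in user text "
    base = 0x4000
    struct.pack_into("<QQ", dump, base, 0, 0)                    # List.Flink / Blink
    dump[base + 0x10:base + 0x14] = OWNER_TAG
    struct.pack_into("<I", dump, base + 0x14, 0x340)             # Size
    struct.pack_into("<Q", dump, base + OFF_KERNBASE, 0x82800000)
    struct.pack_into("<Q", dump, base + OFF_PSLOADEDMODULELIST, 0x82950850)
    struct.pack_into("<Q", dump, base + OFF_PSACTIVEPROCESSHEAD, 0x82966B58)
    return bytes(dump)

if __name__ == "__main__":
    for hit in scan_kdbg(build_sample_dump()):
        print({k: hex(v) if isinstance(v, int) else v for k, v in hit.items()})
```

The size check is what turns a string search into a profile hint: the decoy “KDBG” in user text is rejected because the four bytes after it do not decode to a plausible structure size, while the real block yields the size and pointer width that map to “Windows 7 32-bit”, the same recommendation AXIOM Process produced above. When more than one hit survives (for example stale copies of the block from an earlier boot), a tool has to validate each by following PsActiveProcessHead and checking that it reaches a sane process list, which is why AXIOM offers a dropdown of candidates rather than a single answer.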

Having all our evidence sources in one location is convenient.

Conclusion

This guide has walked through acquiring computer evidence with Magnet AXIOM Process, from creating a case and imaging a drive to adding existing disk images and a memory dump as evidence sources, and has explained the acquisition and search types along the way.

We can see that AXIOM builds on the strengths of Magnet Forensics’ Internet Evidence Finder (IEF).

If you are satisfied with the AXIOM trial and want Magnet AXIOM pricing, contact Magnet Forensics to request a quote.

We hope that you enjoyed reading our guide.
