0% found this document useful (0 votes)

1K views441 pages

AX200 v1908 - Compressed

Uploaded by

Fgdz Esthie

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

1K views441 pages

AX200 v1908 - Compressed

Uploaded by

Fgdz Esthie

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

ja

vi
er
@
dg
for
en
si
ks
.m
x9
/2
8/
20
20
Copyright © 2019 Magnet Forensics
Magnet AXIOM AXIOM Examinations (AX200) Training
1908

No part of this document may be copied or reproduced

without the written permission of Magnet Forensics

Magnet Forensics
156 Columbia St W., Unit 2
Waterloo, ON, Canada
519-342-0195

magnetforensics.com
20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

© 2019
Magnet AXIOM®, and related trademarks, names and logos are the property of Magnet Forensics and are registered and/or used in the U.S.
and countries around the world. All other marks and brands may be claimed as the property of their respective owners.

ii MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
TABLE OF CONTENTS
PREFACE ..................................................................................................................................................... XIII

Module 1 Course Introduction and Magnet AXIOM Installation ......................................... 1

AX200 COURSE INTRODUCTION ................................................................................................................... 4
WELCOME AND PERSONAL INTRODUCTIONS ............................................................................................ 4
COURSE OUTLINE .......................................................................................................................................... 4
SYSTEM REQUIREMENTS ............................................................................................................................ 6
ABOUT MAGNET AXIOM ................................................................................................................................. 7
MAGNET AXIOM PROCESS ............................................................................................................................ 9
MAGNET AXIOM EXAMINE .......................................................................................................................... 10
................................................................................................................................................ 10
PRODUCT INSTALLATION AND CLASSROOM COMPUTER SETUP .......................................................... 12
RUNNING EXERCISES ................................................................................................................................. 12
INSTALLATION OF MAGNET AXIOM ........................................................................................................ 12
ACTIVATION OF THE SOFTWARE LICENSE KEY ..................................................................................... 13
REVIEW OF THE INSTALLATION FILES AND FOLDERS ......................................................................... 13
CLASSROOM COMPUTER SETUP ............................................................................................................. 13

Module 2 Evidence Processing and Case Creation ........................................................... 17

AXIOM OVERVIEW ........................................................................................................................................ 20
PROCESSING OVERVIEW ............................................................................................................................. 21
CASE DETAILS .............................................................................................................................................. 22
EVIDENCE SOURCES.................................................................................................................................... 23
PROCESSING DETAILS ................................................................................................................................ 30
ARTIFACT DETAILS ...................................................................................................................................... 35
ANALYZE EVIDENCE .................................................................................................................................... 37
20

DASHNER CASE SCENARIO ........................................................................................................................ 38

RUNNING EXERCISES .................................................................................................................................. 39

CREATING A NEW CASE ........................................................................................................................... 39

/2
x9

ADDING EVIDENCE TO THE CASE ............................................................................................................ 39

SETTING THE PROCESS OPTIONS ........................................................................................................... 40

SELECTING ARTIFACTS TO PROCESS AND SETTING ARTIFACT OPTIONS .......................................... 42

si
en

POST-PROCESSING ..................................................................................................................................... 44
or

ENCRYPTED DRIVES .................................................................................................................................... 47

f
dg

RUNNING EXERCISE ................................................................................................................................... 49

@
er

POST-PROCESSING AND ENCRYPTED DRIVES ...................................................................................... 49

AXIOM EXAMINE SETTINGS ........................................................................................................................ 51

CASE DASHBOARD ...................................................................................................................................... 54

RUNNING EXERCISE ................................................................................................................................... 60
CASE DASHBOARD ................................................................................................................................... 60
ARTIFACT EXPLORER .................................................................................................................................. 61

MAGNET AXIOM EXAMINATIONS (AX200) iii

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 3 Computer Artifact Analysis Part 1 Refined Results ...................................... 69
REFINED RESULTS ................................................................................................................................... 72
HELP/DOCUMENTATION ............................................................................................................................. 73
GOOGLE SEARCHES .................................................................................................................................... 74
SOURCE LINKING ......................................................................................................................................... 75
RUNNING EXERCISE ................................................................................................................................... 78
GOOGLE SEARCHES ................................................................................................................................. 78
PARSED SEARCH QUERIES ......................................................................................................................... 79
RUNNING EXERCISE ................................................................................................................................... 80
PARSED SEARCH QUERIES ...................................................................................................................... 80
CLASSIFIEDS URLS ..................................................................................................................................... 81
RUNNING EXERCISE ................................................................................................................................... 83
CLASSIFIEDS URLS .................................................................................................................................. 83
CLOUD SERVICES URLS .............................................................................................................................. 83
RUNNING EXERCISE ................................................................................................................................... 84
CLOUD SERVICES URLS ........................................................................................................................... 84
FACEBOOK URLS ......................................................................................................................................... 85
RUNNING EXERCISE ................................................................................................................................... 86
FACEBOOK URLS ...................................................................................................................................... 86
SOCIAL MEDIA URLS ................................................................................................................................... 87
RUNNING EXERCISE ................................................................................................................................... 88
SOCIAL MEDIA URLS ................................................................................................................................ 88
GOOGLE MAP QUERIES ............................................................................................................................... 89
IDENTIFIERS ................................................................................................................................................. 90
PROFILES ..................................................................................................................................................... 91
RUNNING EXERCISE ................................................................................................................................. 93
CREATING A PROFILE ............................................................................................................................. 93
EDITING A PROFILE ................................................................................................................................. 93
MANAGING PROFILES .............................................................................................................................. 93
MODULE REVIEW ......................................................................................................................................... 95
REVIEW QUESTIONS .................................................................................................................................... 96
20

RUNNING EXERCISE .................................................................................................................................... 97

20
8/

RESEARCH OF A CONTROLLED SUBSTANCE ..................................................................................... 97

ADVANCED SEARCHING AND FILTERING .............................................................................................. 98

x9
.m

CREATING AND USING PROFILES ........................................................................................................... 99

ks
si
en

Module 3 Computer Artifact Analysis Part 2 Chat ....................................................... 103

f or
dg

MAGNETAXIOMPROCESSCHATARTIFACTS ............................................................................................. 106

CUSTOM ARTIFACTS .................................................................................................................................. 108

YAHOO MESSENGER ................................................................................................................................. 109

vi
ja

RUNNING EXERCISE ................................................................................................................................. 110

AXIOM PROCESS CHAT SETTINGS ......................................................................................................... 110
CHAT ARTIFACTS ....................................................................................................................................... 110
ARTIFACTS ROW VIEW ........................................................................................................................... 112
ARTIFACTS CONVERSATION VIEW ........................................................................................................ 113
ARTIFACTS MAGNET ARTIFICIAL INTELLEGENCE CATEGORIZE CHATS ........................................ 114

iv MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
RUNNING EXERCISE ................................................................................................................................. 115
ENABLING MAGNET.AI ........................................................................................................................... 115
ARTIFACTS SOURCE LINKING ............................................................................................................... 115
SKYPE ........................................................................................................................................................ 117
RUNNING EXERCISE ................................................................................................................................. 119
SKYPE ACCOUNTS .................................................................................................................................. 119
SKYPE AVATAR ................................................................................................................................... 120
SKYPE CHAT MESSAGES .......................................................................................................................... 120
RUNNING EXERCISE ............................................................................................................................... 121
SKYPE CHAT MESSAGES........................................................................................................................ 121
SKYPE CONTACTS ...................................................................................................................................... 123
RUNNING EXERCISE ................................................................................................................................. 124
SKYPE CONTACTS ................................................................................................................................... 124
SKYPE IP ADDRESSES ........................................................................................................................... 124
RUNNING EXERCISE ................................................................................................................................. 126
SKYPE IP ADDRESSES............................................................................................................................ 126
APPLICATION OPTIONS FOR MOBILE CHAT ARTIFACTS .............................................................. 127
REVIEW QUESTIONS .................................................................................................................................. 129
STUDENT EXERCISE .................................................................................................................................. 130

Module 3 Computer Artifact Analysis Part 3 Documents ........................................... 133

DOCUMENTS ARTIFACTS .......................................................................................................................... 136
DOCUMENT CONTENT ............................................................................................................................... 137
EXPORTING DOCUMENTS TO A LOCAL DRIVE ........................................................................................ 139
RUNNING EXERCISE ................................................................................................................................. 140
VIEWING AND SEARCHING DOCUMENT CONTENT ............................................................................. 140
EXPORTING DOCUMENT ARTIFACTS..................................................................................................... 141
DOCUMENT METADATA ............................................................................................................................ 141
CREATING AN ARTIFACT REPORT ............................................................................................................ 142
RUNNING EXERCISE ................................................................................................................................. 145
VIEWING AND SEARCHING DOCUMENT METADATA ........................................................................... 145
20
20

CONNECTIONS ........................................................................................................................................... 146

RUNNING EXERCISE ................................................................................................................................. 150

/2
x9

CONNECTIONS ........................................................................................................................................ 150

TIMELINE ................................................................................................................................................... 151

RUNNING EXERCISE................................................................................................................................ 152

si
en

CONNECTIONS ....................................................................................................................................... 152

MODULE REVIEW ....................................................................................................................................... 153

f
dg

REVIEW QUESTIONS .................................................................................................................................. 154

@
er

STUDENT EXERCISE .................................................................................................................................. 155

vi
ja

Module 3 Computer Artifact Analysis Part 4 Email ..................................................... 159

EMAIL ARTIFACTS ..................................................................................................................................... 162
EMAIL CONTENT ....................................................................................................................................... 163
EMAIL SOURCE LINKING........................................................................................................................... 164
RUNNING EXERCISE ................................................................................................................................. 165

MAGNET AXIOM EXAMINATIONS (AX200) v

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
VIEWING EMAIL CONTENT ..................................................................................................................... 165
EMAIL SOURCE LINKING........................................................................................................................ 165
EMAIL MESSAGE HEADERS...................................................................................................................... 165
EMAIL ATTACHMENTS ............................................................................................................................. 166
CREATING AN EMAIL REPORT.................................................................................................................. 167
RUNNING EXERCISE ................................................................................................................................. 167
CREATING AN EMAIL REPORT............................................................................................................... 167
VIEWING EMAIL ATTACHMENTS ........................................................................................................... 168
EXPORTING EMAILS TO A PST FILE ...................................................................................................... 168
SEARCHING EMAIL .................................................................................................................................... 169
RUNNING EXERCISE ................................................................................................................................. 169
SEARCHING EMAILS ............................................................................................................................... 169
MODULE REVIEW ....................................................................................................................................... 170
REVIEW QUESTIONS .................................................................................................................................. 171
STUDENT EXERCISE .................................................................................................................................. 172

Module 3 Computer Artifact Analysis Part 5 Media .................................................... 175

MEDIA ARTIFACTS .................................................................................................................................... 178
PICTURES.................................................................................................................................................... 178
VIDEOS ........................................................................................................................................................ 181
CATEGORIZING PICTURES USING MAGNET.AI ........................................................................................ 183
MODULE REVIEW ....................................................................................................................................... 186
REVIEW QUESTIONS................................................................................................................................. 187
STUDENT EXERCISE .................................................................................................................................. 188

Module 3 Computer Artifact Analysis Part 6 Encryption & Anti-forensics Tools ...... 193
ENCRYPTION & ANTI-FORENSICS TOOLS ............................................................................................... 196
MODULE REVIEW ....................................................................................................................................... 200
REVIEW QUESTIONS................................................................................................................................. 201
STUDENT EXERCISE .................................................................................................................................. 202
20
20
8/
/2

Module 3 Computer Artifact Analysis Part 7 Web Related ......................................... 205

x9
.m

WEB RELATED ARTIFACTS ....................................................................................................................... 208

BROWSER ARTIFACTS AND REFINED RESULTS .................................................................................... 209

si
en

HISTORY GOOGLE CHROME ................................................................................................................... 210

RUNNING EXERCISE ................................................................................................................................. 213

f
dg

CHROME HISTORY................................................................................................................................... 213

HISTORY MOZILLA FIREFOX .................................................................................................................. 214

er
vi

RUNNING EXERCISE ................................................................................................................................. 216

FIREFOX HISTORY ................................................................................................................................... 216

HISTORY MICROSOFT INTERNET EXPLORER & EDGE ......................................................................... 217
RUNNING EXERCISE ................................................................................................................................. 220
INTERNET EXPLORER AND EDGE HISTORY .................................................................................. 220
SESSION RECOVERY .................................................................................................................................. 223
CHROME................................................................................................................................................... 223

vi MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
FIREFOX ................................................................................................................................................... 224
INTERNET EXPLORER AND EDGE ......................................................................................................... 225
RUNNING EXERCISES ............................................................................................................................... 226
CHROME SESSION RECOVERY ............................................................................................................... 226
FIREFOX SESSION RECOVERY ............................................................................................................... 226
EDGE SESSION RECOVERY .................................................................................................................. 226
DOWNLOADS ............................................................................................................................................. 227
CHROME................................................................................................................................................... 227
FIREFOX ................................................................................................................................................... 228
INTERNET EXPLORER AND EDGE ......................................................................................................... 228
RUNNING EXERCISES ............................................................................................................................... 229
CHROME DOWNLOADS .......................................................................................................................... 229
FIREFOX DOWNLOADS ........................................................................................................................... 230
EDGE DOWNLOADS ................................................................................................................................ 230
BOOKMARKS .............................................................................................................................................. 231
CHROME................................................................................................................................................... 232
FIREFOX ................................................................................................................................................... 232
INTERNET EXPLORER AND EDGE ......................................................................................................... 233
RUNNING EXERCISE ................................................................................................................................. 234
CHROME BOOKMARKS ....................................................................................................................... 234
FIREFOX BOOKMARKS ........................................................................................................................... 235
COOKIES ..................................................................................................................................................... 236
CHROME................................................................................................................................................... 236
FIREFOX ................................................................................................................................................... 237
INTERNET EXPLORER ............................................................................................................................ 238
EDGE ........................................................................................................................................................ 239
GOOGLE ANALYTICS ................................................................................................................................ 240
FIRST VISIT COOKIES .............................................................................................................................. 241
SESSION COOKIES .................................................................................................................................. 241
REFERRAL COOKIES ........................................................................................................................... 242
RUNNING EXERCISE ................................................................................................................................. 243
20

CHROME COOKIES .................................................................................................................................. 243

FIREFOX COOKIES ................................................................................................................................... 243

INTERNET EXPLORER COOKIES ............................................................................................................ 243

/2
x9

INTERNET BROWSER CACHE ................................................................................................................... 244

CACHE CHROME ...................................................................................................................................... 244

RUNNING EXERCISE ................................................................................................................................. 247

si
en

CHROME CACHE ...................................................................................................................................... 247

CACHE FIREFOX ...................................................................................................................................... 248

f
dg

RUNNING EXERCISE ................................................................................................................................. 250

@
er

FIREFOX CACHE ...................................................................................................................................... 250

CACHE EDGE ........................................................................................................................................... 251

RUNNING EXERCISE ................................................................................................................................. 253

EDGE CACHE ......................................................................................................................................... 253
TYPED URLS ............................................................................................................................................. 253
CHROME AND FIREFOX .......................................................................................................................... 253
INTERNET EXPLORER AND EDGE ......................................................................................................... 255
RUNNING EXERCISE ................................................................................................................................. 256

MAGNET AXIOM EXAMINATIONS (AX200) vii

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
CHROME TYPED URLS ............................................................................................................................ 256
FIREFOX TYPED URLS ............................................................................................................................ 256
INTERNET EXPLORER TYPED URLS...................................................................................................... 257
EDGE TYPED URLS ................................................................................................................................. 257
FORM FILL INFORMATION AND SEARCH DATA ..................................................................................... 258
CHROME................................................................................................................................................... 258
FIREFOX ................................................................................................................................................... 260
INTERNET EXPLORER AND EDGE ......................................................................................................... 261
RUNNING EXERCISE ................................................................................................................................. 261
CHROME AUTOFILL ................................................................................................................................ 261
FIREFOX FORMHISTORY ......................................................................................................................... 261
MODULE REVIEW ....................................................................................................................................... 262
REVIEW QUESTIONS................................................................................................................................. 263
STUDENT EXERCISE .................................................................................................................................. 264

Module 3 Computer Artifact Analysis Part 8 Operating System ................................ 269

OS ARTIFACTS PERSONAL COMPUTERS (PCS) ................................................................................... 272
WINDOWS REGISTRY ................................................................................................................................. 274
FILE SYSTEM INFORMATION .................................................................................................................... 276
DRIVE IDS AND MOUNTED DEVICES ........................................................................................................ 276
PARTITIONING SCHEME ............................................................................................................................ 278
RUNNING EXERCISE ................................................................................................................................. 279
FILE SYSTEM INFORMATION ................................................................................................................. 279
OPERATING SYSTEM INFORMATION........................................................................................................ 280
TIMEZONE INFORMATION ......................................................................................................................... 283
USER ACCOUNTS ....................................................................................................................................... 284
SAM FILE - F KEY ....................................................................................................................................... 287
SAM FILE V KEY ...................................................................................................................................... 288
SOFTWARE HIVE ........................................................................................................................................ 289
RUNNING EXERCISE ................................................................................................................................. 289
OPERATING SYSTEM INFORMATION..................................................................................................... 289
20
20

TIMEZONE INFORMATION ...................................................................................................................... 290

USER ACCOUNTS .................................................................................................................................... 291

/2
x9

USB DEVICES .............................................................................................................................................. 292

MOUNTED DEVICES ................................................................................................................................... 293

MOUNTPOINTS2 ......................................................................................................................................... 296

si
en

USERASSIST ............................................................................................................................................... 296

LNK FILES .................................................................................................................................................. 299

f
dg

RECENT DOCS ............................................................................................................................................ 300

@
er

JUMP LISTS ................................................................................................................................................ 301

SHELLBAGS ............................................................................................................................................... 304

RUNNING EXERCISE ................................................................................................................................. 305

LNK FILES ............................................................................................................................................... 305
USB DEVICES ........................................................................................................................................... 306
JUMP LISTS ............................................................................................................................................. 307
SHELLBAGS ............................................................................................................................................ 308
PREFETCH .................................................................................................................................................. 309

viii MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
PREFETCH SETTING IN THE REGISTRY .................................................................................................... 311
WINDOWS EVENT LOGS ............................................................................................................................ 312
WINDOWS EVENT LOG FILTERING ........................................................................................................... 314
RUNNING EXERCISE ................................................................................................................................. 315
WINDOWS PREFETCH FILES ................................................................................................................. 315
WINDOWS EVENT LOGS ......................................................................................................................... 317
MODULE REVIEW ....................................................................................................................................... 317
REVIEW QUESTIONS .................................................................................................................................. 318

Module 4 Mobile Artifact Analysis ................................................................................... 323

SMARTPHONE OPERATING SYSTEMS .................................................................................................... 326
IOS ............................................................................................................................................................... 326
INSTRUCTOR DEMONSTRATION............................................................................................................... 328
UDID IDENTIFICATION ............................................................................................................................ 328
REGISTRY ENTRIES.................................................................................................................................... 329
ITUNES BACKUP ........................................................................................................................................ 330
LOADING FORENSIC IMAGES/DATA INTO AXIOM ................................................................................... 334
RUNNING EXERCISE ................................................................................................................................. 335
ADDING IMAGES TO AXIOM USING AN EXISTING CASE ...................................................................... 335
IMAGING IN AXIOM ...................................................................................................................................... 336
MOBILE IMAGE TYPES ............................................................................................................................... 340
IOS FULL IMAGES AND JAILBREAKING .................................................................................................. 341
IMAGE FILES............................................................................................................................................... 343
INSTRUCTOR DEMONSTRATION............................................................................................................... 344
ACQUIRING AN IOS DEVICE .................................................................................................................... 344
ACQUIRING AN ANDROID DEVICE ......................................................................................................... 344
MOBILE ARTIFACTS ................................................................................................................................... 345
SQLITE AND PLIST FILES .......................................................................................................................... 346
VIEWING ARTIFACTS ................................................................................................................................. 347
CONVERSATION VIEW ............................................................................................................................... 348
CUSTOM ARTIFACTS .................................................................................................................................. 350
20
20

ANDROID OS ............................................................................................................................................... 351

ACQUIRING ANDROID DEVICES ................................................................................................................ 352

/2
x9

WHAT IS ADB.............................................................................................................................................. 353

DEVELOPER OPTIONS ............................................................................................................................... 354

USB DEBUGGING ....................................................................................................................................... 354

si
en

ANDROID IMAGE TYPES ............................................................................................................................ 355

ROOTING ..................................................................................................................................................... 357

f
dg

ARTIFACTS IN A FULL IMAGE .................................................................................................................... 358

@
er

DATA FROM OTHER SOURCES .................................................................................................................. 359

RUNNING EXERCISE ................................................................................................................................. 359

ADDING DATA FROM OTHER SOURCES .............................................................................................. 359

Module 5 Cloud ................................................................................................................. 363

WHAT IS THE CLOUD? ............................................................................................................................... 366
ACQUIRING DATA WITH AXIOM CLOUD ................................................................................................... 367

MAGNET AXIOM EXAMINATIONS (AX200) ix

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
WHAT IS A TOKEN? ................................................................................................................................... 369
APPLE ......................................................................................................................................................... 369
FACEBOOK.................................................................................................................................................. 371
DROPBOX .................................................................................................................................................... 372
GOOGLE ...................................................................................................................................................... 373
CLOUD ARTIFACTS .................................................................................................................................... 375
RUNNING EXERCISE ................................................................................................................................. 376
ADDING CLOUD DATA ............................................................................................................................ 376
REVIEWING CLOUD DATA ......................................................................................................................... 376
CLOUD ACCOUNTS INFORMATION AND CLOUD PASSWORDS AND TOKENS ..................................... 377
ICLOUD PHOTOS ........................................................................................................................................ 378
DROPBOX .................................................................................................................................................... 379
FACEBOOK.................................................................................................................................................. 381
GOOGLE ...................................................................................................................................................... 384
RUNNING EXERCISE ................................................................................................................................. 388
REVIEWING CLOUD ARTIFACTS............................................................................................................. 388
MODULE REVIEW ....................................................................................................................................... 390
REVIEW QUESTIONS................................................................................................................................. 391
STUDENT EXERCISE .................................................................................................................................. 392

Module 6 Reporting .......................................................................................................... 395

EXPORTING ARTIFACTS VIEW .............................................................................................................. 398
EXPORTING PORTABLECASE ................................................................................................................ 399
MERGING PORTABLE CASES .................................................................................................................... 401
MERGING PORTABLE CASES TAGS....................................................................................................... 401
MANAGING PORTABLE CASES COMMENTS......................................................................................... 402
RUNNING EXERCISE ................................................................................................................................. 403
EXPORTING FROM THE FILE MENU ...................................................................................................... 403
EXPORTING FROM THE EVIDENCE PANE ............................................................................................. 403
EXPORTING FROM THE FILE SYSTEM EXPLORER ............................................................................... 404
SAVING FILES FROM THE ARTIFACTS EXPLORER ............................................................................... 404
20
20

SAVING FILES FROM THE FILE SYSTEM EXPLORER ........................................................................... 404

CREATING A PORTABLE CASE............................................................................................................... 405

/2
x9

MERGING A PORTABLE CASE ................................................................................................................ 405

SPECIAL EXPORTS PROJECT VIC........................................................................................................... 406

SPECIAL EXPORTS IDENTIFIERS ........................................................................................................... 407

si
en

EXPORTING FILE SYSTEM EXPLORER .................................................................................................. 408

SAVING FILES ARTIFACT AND FILE SYSTEM EXPLORERS ................................................................. 408

f
dg

CASE REPORTING ...................................................................................................................................... 409

@
er

CASE REPORTING FINAL REPORT ........................................................................................................ 410

RUNNING EXERCISE ................................................................................................................................. 411

CREATING A CASE REPORT ARTIFACT CATEGORIES ....................................................................... 411

CREATING A CASE REPORT TAGGED ITEMS ..................................................................................... 411
REVIEW QUESTIONS .................................................................................................................................. 413
STUDENT EXERCISE .................................................................................................................................. 415

x MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 7 Cumulative Review Exercise ........................................................................... 419
JACK WATERS CASE SCENARIO .............................................................................................................. 421
CUMULATIVE EXERCISE ......................................................................................................................... 422

20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) xi

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

xii MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
PREFACE
Welcome to the Magnet Forensics® AXIOM Examinations (AX200) training course. forensic
investigators are navigating through an ever-changing technology landscape. The volume, velocity, and
variety of Internet evidence entering the marketplace all pose unique challenges. For digital forensics
professionals to meet these challenges, accomplish their mission, and uncover the truth, they must be
equipped with the right combination of analytic tools, and practical training.
Magnet AXIOM, from Magnet Forensics Inc. allows investigators to explore the evidence in great depth,
while simplifying analysis activities by intuitively linking facts and data in a way that helps investigators
draw insightful conclusions. Training from Magnet Forensics is designed and delivered by experts with
decades of real world experience in the field of digital forensics. The combination of AXIOM and AXIOM-
based training, from Magnet Forensics, provides the perfect solution for students whose working
environments demand they have the right tools and knowledge to accomplish their mission.

COURSE OVERVIEW
This four-day instructor-led course provides students with the knowledge and skill sets necessary to
install, configure, and use Magnet Forensics, Inc. software tools, in support of their investigative efforts. The
Magnet Forensics, Inc. forensic tools covered during this course include:

• Magnet AXIOM Process

• Magnet AXIOM Examine

AUDIENCE
This course is intended for users who are responsible for collecting and analyzing digital evidence
artifacts stored on various media platforms, including PCs and mobile devices. Although designed for
20

users who are new to Magnet AXIOM, experienced practitioners who have not attended formalized AXIOM
20
8/

training will also benefit greatly from the course materials.

/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) xiii

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

xiv MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM
Installation
1

MODULE 1:
Course Introduction and Magnet AXIOM Installation
20
20
8/
/2
x9
.m
ks
si
en
or
f
dg
@
er
vi
ja
Module 1 Course Introduction and Magnet AXIOM Installation

20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

2 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

LEARNING OBJECTIVES
In this module, students will review the course outline and introduce themselves to other participants of
the course. Students will learn how to install the Magnet AXIOM platform, and its core components
AXIOM Process and AXIOM Examine.

GOALS
At the conclusion of this module, students will be able to demonstrate the proper installation of Magnet
AXIOM and will be able to identify the core files and folders that can be shared between installations of
Magnet AXIOM.

20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) 3

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

AX200 COURSE INTRODUCTION

Welcome to the Magnet AXIOM Examinations Course (AX200). This is an intermediate level course,
designed for students who are familiar with the principles of digital forensics, and seeking to use AXIOM
for their investigations. At the conclusion of the 4-day training event students will have the knowledge
and skills they need to: acquire forensic images from computer and smartphone evidence, configure
AXIOM Process to recover the most-relevant artifacts for their investigations, use AXIOM Examine to
explore the evidence in greater depth, simplify analysis activities by intuitively linking facts and data, and
prepare key artifacts for collaboration with other stakeholders. Each module of instruction employs
extensive scenario-based hands-on exercises to reinforce the learning objectives, and further enhance

WELCOME AND PERSONAL INTRODUCTIONS

• Who are you and where do you work?

• your primary role? Investigations? Forensics?

• What previous forensic training have you received?

• Which forensic software tools are you currently using?

• Look at the index in the beginning of this book and find one or two items that are most important to
you and share this with your instructor.
• What would you like to take away from this course?

COURSE OUTLINE
20
20

MODULE 1: COURSE INTRODUCTION AND MAGNET AXIOM INSTALLATION

8/
/2
x9

In this introductory module, students will be presented with the learning objectives and expected
.m

outcomes for the 4-day training event, and all related course materials. The module will conclude with a
ks
si

hands-on exercise during which students will install Magnet AXIOM and learn about its associated
en

components AXIOM Process and AXIOM Examine.

f or
dg
@
er
vi

MODULE 2: EVIDENCE PROCESSING AND CASE CREATION

This module of instruction will focus on the many features available in AXIOM Process. The students will
be shown how to: successfully acquire forensic images from various evidence sources, configure case-
specific and global settings in AXIOM Process for the recovery of key artifacts, and create a case for
analysis in AXIOM Examine. After the creation of the case, students will be introduced to the AXIOM
Examine interface. This module includes an instructor-led exercise to reinforce the learning objectives.

4 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

MODULE 3: COMPUTER ARTIFACT ANALYSIS

This module of the course is composed of several sections, each of which focuses on a specific set of key
artifacts most commonly encountered during the analysis of computer evidence. The sections within this
module cover Refined Results, Chat clients, Documents, Email, Media, Social Networking, Internet
browsers, and Operating System artifact analysis. For each of the sections, scenario-based instructor-
led and student practical exercises will be used to demonstrate the navigation, searching, filtering, and
tagging features in AXIOM; and reinforce the learning objectives.

MODULE 4: MOBILE ARTIFACT ANALYSIS

In this module students will explore smartphone evidence parsed by Magnet AXIOM from iPhone and
Android devices. Additionally, this module will explore the device file systems and file structures to
recover additional information, including: device owner information, third party application data, core
operating system data, Internet browser data, and more. Scenario-based instructor-led and student
practical exercises will be used to demonstrate the navigation, searching, filtering, and tagging features
in AXIOM, and reinforce the learning objectives.

MODULE 5: CLOUD
In this module, students will learn about the Cloud component of AXIOM Process and Examine. The Cloud
component of AXIOM allows examiners to extract valuable evidence from cloud sources such as Google,
iCloud, Dropbox, Microsoft 0365 and others. Students will use hands-on exercises to learn how the
information collected from these sources can integrate with other data recovered from live evidence
sources and how it can play into their examinations.
20
20

MODULE 6: REPORTING
8/
/2

In this final instructional module of the course, students will explore the various exporting and reporting
x9
.m

features available within AXIOM that can be used to present of case evidence, and/or collaborate with
ks

other investigative stakeholders. Through the scenario-based instructor-led and student practical
si
en

exercises, participants will learn how to manage the exporting of artifacts, produce and merge portable
or

cases, and create a final investigative case report which is easily interpreted by both technical and non-
f
dg

technical recipients.
@
er
vi
ja

MODULE 7: CUMULATIVE REVIEW EXERCISE

Throughout the 4-day training event, instructor-led and student practical exercises are used to reinforce
the learning objectives and provide the participants with the knowledge and skills necessary to
successfully use Magnet AXIOM in their investigative workflow. To further reinforce the instructional

MAGNET AXIOM EXAMINATIONS (AX200) 5

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

goals of the course, students are presented with a final scenario-based practical exercise which
represents a cumulative review of the exercises conducted in each of the individual modules.

Each module of instruction during the course will have a similar structure. At the beginning of the module,
the learning objectives will be identified and explained by the instructor. The content of the module will
be presented, through a combination of demonstrations, open discussions, and instructor-led exercises.
A series of module review questions are provided to ensure students have understood the key concepts.
At the conclusion of the module, the students will participate in a scenario-based practical exercise
designed to test their understanding and application of the learning concepts.

SYSTEM REQUIREMENTS
Table 1.1 below details the minimum and recommended hardware requirements for running AXIOM on a
Microsoft Windows-based computer:
20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

Table 1.1 Hardware system requirements

6 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

OPERATING SYSTEM: Windows Vista (64-bit), Windows 7, Windows 8, Windows 10

SOFTWARE FRAMEWORK: Microsoft .NET 4.5.2, or newer
STORAGE DEVICE: The storage device should have enough space to store images and cases from devices
with large amounts of data (in some cases, these might be TBs in size). You can also help prevent thread
starvation by storing case data on a high-performance drive such as a Solid State Drive (SSD). SSDs have
input/output operations per second (IOPs) that are much faster than HDDs. Faster IOPs are helpful when
the system needs to read many small files.
MEMORY: As a general recommendation, you should allocate at least 2GB of RAM for every processing
core in your system. Without enough memory to keep each core working constantly, your system might
experience thread starvation. Thread starvation occurs when a processing core is sitting idle for an

CLOCK SPEED AND CORES: The easiest way to decrease scan times and increase performance in is to
add more CPU cores to your system. Magnet AXIOM is designed to create a separate thread for every
t is 32 cores). Increasing the clock speed of
your CPU is another way that you can improve performance. However, due to the multi-threaded

clock speeds. I o note that adding additional cores does not necessarily improve
performance in a linear way. The more cores that your system has, the more work it is for RAM to keep
each core busy with new instructions to process.

You can manually set the number of cores that you want AXIOM Process to use via the Search Speed
option accessed from the Tools → Settings menu. Select the number of cores AXIOM Process can use
from the Search Speed drop-down list.
VIRTUALIZATION: The only part of Magnet AXIOM that cannot be used in a virtual machine is image
acquisition. All other parts of Magnet AXIOM functions as normal.
ANTI-VIRUS: Some anti-virus software can interfere with the installation and operation of Magnet AXIOM.
20

If errors are encountered, disable the anti-virus software. This is especially true when adding the Project
20
8/

VIC/CAID or similar large data sets. During the import process, changes are being made to the local
/2
x9

SQLite database files associated with Magnet AXIOM and its installation. The anti-virus software can
.m

make this process very slow, because they are monitoring the safety of the local system.
ks
si
en
or

ABOUT MAGNET AXIOM

f
dg
@
er

AXIOM allows the examiner to explore evidence in greater depth and integrate digital data from multiple
vi
ja

devices in one case. With AXIOM, you can acquire, process, analyze and report using just one tool. Intuitive
linking will help you validate location data and find related artifact data quickly.
In the past, examiners used Magnet IEF to recover artifacts, and perform initial analysis. Now, AXIOM
recovers more, displays the file system and registry hives, delves deeper with more analysis tools and
features.

MAGNET AXIOM EXAMINATIONS (AX200) 7

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

With AXIOM, your examinations will be faster and more thorough. You will uncover facts quickly, validate
your findings with ease, and share the meaning of your results clearly. With advanced integration
features, AXIOM allows you to examine data recovered through other tools as well.
The AXIOM platform is comprised of two applications - AXIOM Process and AXIOM Examine.

20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

8 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

MAGNET AXIOM PROCESS

Figure 1.1 Magnet AXIOM core components AXIOM Process

With AXIOM Process, users can search images, drives, files and folders, and other sources to find
Users can customize and search for case-specific, or global
needs, by selecting specific artifacts or groups of artifacts. Keywords, regular expressions, and hash
values can also be used to further refine the scope of the evidence included in the resulting case. AXIOM
Process has the capability to create forensic images of iOS and Android devices, plus a variety of different
types of drives including HDD, SSD, USB and SD flash, and more. Users can customize the type of image
they want to acquire, depending on the evidence they are looking for, and time restraints. To streamline
the forensic workflow, AXIOM Process provides users with a single stage evidence processing capability,
in which forensic images can be automatically acquired, and processed.
20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) 9

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

MAGNET AXIOM EXAMINE

Figure 1.2 Magnet AXIOM core components AXIOM Examine

After the analysis of the evidence with AXIOM Process is complete, AXIOM Examine presents the evidence
in a consumable and user-friendly manner. In addition to the Artifact explorer, users can now drill down
to the source of an artifact using the File system, or Registry explorer. An enhanced search and filters
bar also allows users to quickly narrow their focus to relevant artifacts, which can then be tagged. After
the examination of the evidence is finished, the next step is to share the findings. Using the enhanced
export functionality of AXIOM Examine, users can create intuitive exports, portable cases, and final case
reports for collaboration with other stakeholders.
20
20

When a new version of Magnet AXIOM is installed, a User Guide accompanies the installation. The User
8/
/2

Guide includes a section explaining the newly added features and/or artifacts. The User Guide can be
x9

accessed by either selecting the F1 key on the keyboard or selecting Help → Documentation → User
.m
ks

Guide from the menu bar.

si
en
f or
dg
@
er
vi
ja

10 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

Figure 1.3 Accessing the User Guide

20
20
8/
/2
x9
.m
ks
si
en
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) 11

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

The User Guide itself contains many useful information items, however it is recommended every time
AXIOM is updated, the examiner use this file to review the newly added features.

Figure 1.4 NEW IN MAGNET AXIOM listing

PRODUCT INSTALLATION AND CLASSROOM COMPUTER SETUP

The following instructor-led exercises are designed to familiarize students with the installation of Magnet
AXIOM and its associated files, folders, and applications. The following steps will also prepare the
classroom computers for all subsequent hands-on exercises.
NOTE: Depending on the classroom environment, the following installation steps may be performed
during the introductory module using a USB device, or a software application installer (*.exe)
for Magnet AXIOM from a location specified by the instructor.

RUNNING EXERCISES
20
20

INSTALLATION OF MAGNET AXIOM

8/
/2

•
x9

Open Windows Explorer and navigate to the location of the Magnet AXIOM installer. This will
.m

either be on the on the classroom computer, or a USB device provided by your instructor.
ks
si

•
en

Double-click the Magnet AXIOM installation file.

f or
dg

• Follow the installation wizard steps, accepting the license agreement and default installation
@

settings.
er
vi
ja

• Once the installation has completed, uncheck the option to Launch AXIOM Process, and click
Finish.

• After the installation there will be two new desktop icons AXIOM Process and AXIOM Examine.

• The temporary license key is located in the same folder as the AXIOM installation file.

12 MAGNET AXIOM EXAMINATIONS (AX200)

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

ACTIVATION OF THE SOFTWARE LICENSE KEY

• After successfully installing Magnet AXIOM, launch AXIOM Process from the desktop icon.

• Select the Help menu.

• From the Help menu, select Licensing.

• Browse to the location specified by your instructor and locate the AXIOM training license key.

• The licence key is a plain text file. Open the file, copy the entire content to the clipboard and
return to the Licensing window.

• Paste the key from the clipboard into the LICENSE KEY field and click OKAY to apply the
temporary license.

• Confirmation of the license details should be listed at the top of the Licensing window under
LICENSE INFORMATION.
REVIEW OF THE INSTALLATION FILES AND FOLDERS
• Open Windows Explorer and navigate to the folder
C:\Program Files\Magnet Forensics\Magnet AXIOM\

• Note the folders for AXIOM Process and AXIOM Examine.

CLASSROOM COMPUTER SETUP
• If they have not already been copied by the instructor, copy the following classroom folders to
the desktop:

a. Cases
20

b. Evidence
20
8/
/2

• Create the following folders on the desktop:

x9
.m

•
ks

AX200 Reports
si
en

• AX200 Exports
f or
dg
@
er
vi
ja

MAGNET AXIOM EXAMINATIONS (AX200) 13

© 2019 Magnet Forensics Inc. All rights reserved. May not be copied or reproduced without the written permission of Magnet Forensics Inc.
Module 1 Course Introduction and Magnet AXIOM Installation

Notes
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
____________________________________________________________________________________
20

____________________________________________________________________________________
20

____________________________________________________________________________________
8/
/2
x9

____________________________________________________________________________________
.m
ks

____________________________________________________________________________________
si
en

____________________________________________________________________________________
f or
dg

____________________________________________________________________________________
@
er

____________________________________________________________________________________
vi
ja

____________________________________________________________________________________
____________________________________________________________________________________

14 MAGNET AXIOM EXAMINATIONS (AX200)