This is the first part in a two-part series. You can read Part 2 here.
In our previous blog post, “Telling the Story of Digital Evidence,” we outlined how the Connections feature in Magnet AXIOM automatically shows where key digital evidence came from, where it is currently located, who it was shared with and when (or if) it was opened.
We also showed how this helps you to visualize relationships between artifacts and trace files’ movement between systems and devices so that you can save time and effort demonstrating attribution and proving intent.
We’ve continued to improve on Connections’ speed and performance since we first introduced it last year. While you can still access our recorded webinar to get a feel for Connections and what it’s all about, we thought we’d take some time to answer the most popular questions about Connections.
In this blog, we cover the basics: how connections are determined, when to run the feature, how to add new evidence, and how to report on connections.
How and Where Connections Are Established
Does Connections require an internet connection to run?
No. It relies solely on the case file that was processed with AXIOM.
Can I use Connections to correlate data between two devices if I have an image of each device, for instance, a phone and a computer?
Yes, you can use Connections to correlate data across devices, including computers, mobile phones, cloud devices, and external media (SD cards, flash drives). If you have images of these devices loaded into one case, you can correlate the artifacts.
For example, if you have a picture that was downloaded from Dropbox and saved to a USB drive with a new name and then accessed, the picture will have a connection based on the hash value to the USB drive, the Dropbox cloud account, and the local synced instance of Dropbox on the PC. Additionally, there may be a LNK file to the file instance on the USB drive.
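The scenario above can be sketched as attribute matching across evidence sources. This is an added conceptual example, not AXIOM's implementation: the artifact records, file names, paths, and the `build_connections` and `connected_to` helpers are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample data: contents, names and paths are illustrative only.
PHOTO = b"\xff\xd8\xff\xe0 constructed JPEG bytes"
OTHER = b"unrelated document"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

ARTIFACTS = [
    {"id": "cloud-file", "source": "Dropbox cloud account", "hash": sha256(PHOTO)},
    {"id": "pc-sync", "source": "PC",
     "path": r"C:\Users\user\Dropbox\IMG_0042.jpg", "hash": sha256(PHOTO)},
    # Same content saved to the USB drive under a new name.
    {"id": "usb-file", "source": "USB drive",
     "path": r"E:\holiday.jpg", "hash": sha256(PHOTO)},
    # LNK artifact: no content hash, only the path it points to.
    {"id": "lnk", "source": "PC", "target_path": r"E:\holiday.jpg"},
    {"id": "pc-doc", "source": "PC",
     "path": r"C:\Users\user\notes.txt", "hash": sha256(OTHER)},
]

# A LNK target and a file path are compared as the same kind of value.
LINK_KEYS = {"hash": "hash", "path": "path", "target_path": "path"}

def build_connections(artifacts):
    """Return {artifact id: {(other id, shared attribute kind), ...}}."""
    index = defaultdict(set)
    for art in artifacts:
        for key, kind in LINK_KEYS.items():
            if key in art:
                index[(kind, art[key].lower())].add(art["id"])
    connections = defaultdict(set)
    for (kind, _), ids in index.items():
        for a in ids:
            for b in ids - {a}:
                connections[a].add((b, kind))
    return connections

def connected_to(artifacts, start):
    """Follow connections transitively from one artifact."""
    conns = build_connections(artifacts)
    seen, todo = {start}, [start]
    while todo:
        for other, _ in conns[todo.pop()]:
            if other not in seen:
                seen.add(other)
                todo.append(other)
    return seen

if __name__ == "__main__":
    for other, kind in sorted(build_connections(ARTIFACTS)["usb-file"]):
        print(f"usb-file <-> {other} via {kind}")
```

The renamed USB copy links to the cloud and synced copies by hash alone, while the LNK record, which has no hash, joins the same cluster through the path it targets.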
How are the connections established or determined? Are they created automatically when you open an image (that was already previously processed)?
Artifact fragments, their common properties, and defined relationships between them are what determine connections. Connections within a specific artifact are written uniquely for each fragment based on rules to show how the fragments relate.
Connections can be created in two different ways. After processing is complete, Connections can be run automatically in AXIOM Examine. By going to the Settings menu in Examine under the Tools heading, as seen in Figure 1, you can select your preference to “Automatically build connections”. This is not checked by default.
If the box is unchecked, you may build connections at any time by going to Tools and then selecting “Build Connections”, as shown in Figure 2:
Does Connections work on both logical and physical images?
Yes. Connections will build from beginning to end of both full binary (physical) acquisitions and the files and folders from a logical acquisition.
If there’s data in unallocated space, such as carved deleted pics or attribution links to files, will Connections pick up on it?
Yes. Any artifact, regardless of whether it was carved or parsed (including URLs), can be correlated, then indexed and connected based on its attributes.
When to Run Connections
Does Connections run automatically when you process the evidence, or do you have to select certain types of processing?
Connections are built post-processing, not as a part of evidence processing. In AXIOM Examine, you can choose to set Connections to build automatically when processing is completed, or to build connections manually by selecting “Build connections” from the Tools menu whenever you’re ready.
By default, the setting to “Automatically build connections” is unchecked. This is helpful because it allows you to determine when you want to build connections. For example:
- If you plan to run it overnight, simply select “Build connections” from the Tools menu at the end of the day.
- If you instead want Connections to run automatically when processing is completed, check the “Automatically build connections” box in the Settings menu under Tools.
Can connection creation be triggered manually if the process of creating them fails?
Yes. Connections can be manually selected at any time in Examine by clicking on “Build connections” under Tools.
Adding New Evidence to Make New Connections
Can you add evidence after the initial processing, reprocess and then see connections with the new evidence?
Yes. To add new evidence to a case, select “Add new evidence to case” under the Process menu in AXIOM Examine, as shown in Figure 3. AXIOM Process will re-open and you can add the evidence under Scan 2. Adding additional pieces of evidence to a case where connections once existed will remove the existing connections.
Once the additional evidence is added, you can manually build connections by selecting “Build Connections” under the Tools menu.
Do I have to re-process the hard drive images from old cases to derive new connection data?
No. As long as the case was processed with AXIOM and not IEF, when you open your previously processed image in AXIOM Examine (version 1.2 or later) you can build connections manually.
Does Connections de-duplicate files or show the number of times the same file appears?
On the right-hand side of the screen, the Details card shows every instance of the file that was found—unless you clicked the “remove duplicates” option in AXIOM Process. If this option is highlighted, file replications not found in AXIOM’s database won’t show up in Connections.
However, keep in mind that this only applies to files that are duplicated in every way. If for some reason a “duplicate” file is different—some piece of metadata available from one image but not from another—the instance will still show up in the Details card.
Connections does not provide a “count” per se.
What are the reporting options for Connections?
To create a quick report, tag only those items you want to report on. Then, right-click to create an HTML report based on those tagged items.
How do you export the graph showing the connections? What format can you export it in?
Right-click to “Print” and then save in PDF format as shown in Figure 4:
Is this functionality available to investigators in a Portable Case?
No, the Connections feature is only available with an AXIOM license.
In the next part of our Connections series, we’ll cover the feature’s processing time and storage, as well as more detailed questions about working with artifacts within Connections.