By Chris Cone, Forensic Consultant
How large was the last case you worked and how much data were you dealing with? I get a bit sentimental thinking back to some of the earlier days of my digital forensics casework. The good old days when a normal case consisted of a single desktop computer with maybe a few gigabytes of storage capacity—on the high end.
One thing we have all likely noticed is that the volume of data on any given case just keeps getting larger. The average capacity of a mobile device, internal storage on a computer, and USB flash drives? They all just keep expanding. Not only are we seeing rapid expansion concerning the storage capacity of individual devices, but users these days often have access to several devices. Going into an investigation, we may not know which of the (many) devices a user has at their disposal is going to be the one we are most interested in. Sometimes the variety of devices a user has access to means that we need data from more than one device to piece everything back together and find the truth. It may even turn out that the device we are most interested in is not a device in the traditional sense, but cloud-stored data that we need to obtain access to. There are just so many options…and so much data.
Using a digital forensics platform like Magnet AXIOM or Magnet AXIOM Cyber, where all of the data from the variety of devices that are of potential interest in an investigation can be reviewed alongside each other, makes the review of massive volumes of data easier for examiners.
With Greater Capacity Comes Greater Processing Responsibility
As our case data sizes continue to grow, the time it takes to process that data, the number of artifacts we are left to review from that data, and the overall amount of time we spend working with that data all tend to increase.
If we look at a hypothetical case, imagine we have a Windows computer and an Apple iPhone that the target of our investigation is using. In our imaginary case, both the Windows computer and the iPhone belong to the organization that our target of investigation is employed by.
That same user may also have an Android device which is their personal phone. In this hypothetical scenario, assuming we have access to the devices and the data they contain, the total volume of data starts to add up quickly. These days, we cannot just consider the device storage, but the connected cloud accounts are likely of interest. In this hypothetical scenario iCloud, Google, and Microsoft accounts are almost certainly a consideration—potentially another 25 gigabytes of data, just considering the free tiers of storage offered by those platforms.
If you are a regular AXIOM or AXIOM Cyber user, you may have noticed that along with your evidence sizes increasing on cases, AXIOM has also gotten larger along the way. AXIOM currently sits at just over 9.2 gigabytes with AXIOM 6.8. No question about it, that is a large program! By comparison, AXIOM 3.2 only consumed a touch over 4.7 gigabytes of disk space. But how does that size impact Magnet AXIOM performance? Looking back at earlier versions of AXIOM, they were certainly smaller in size, but they also did fewer “things”. Some of those things make our lives easier as digital forensic examiners, such as automatically loading iOS keychains, finding similar pictures, or YARA rule matching for detected threats, along with many other features that have been introduced along the way.
Like most examiners, I may not be the best about remembering everything in the release notes, but I do remember seeing mentions of Magnet AXIOM performance improvements along the way. I can also be a bit of a gearhead and the opportunity to do some comparison testing between different versions of Magnet AXIOM performance was a bit like digital drag racing for me. So, if you are interested in the numbers I came up with, read on!
For this test, I was interested to see how AXIOM 6.8 performed when compared to earlier releases. Did the increased program size negatively affect Magnet AXIOM performance? Were the additional automated features that are available in newer versions of AXIOM adding significant case processing time before examiners could review important artifacts of interest to their investigations? I also wanted to use a data set that was comparable to something examiners might encounter during a real-world investigation. Like our hypothetical case discussed above, in this test, an image of a Windows computer, a full file system acquisition of an iOS device, and an Android logical acquisition were used.
For this testing, I used the following items from the 2022 Magnet User Summit CTF events. Links are included for download for anyone that would like to perform similar testing on their machine.
HP Image in E01 format https://storage.googleapis.com/mvs-2022/HP-Final.zip
iPhone 8 Full file system https://storage.googleapis.com/mvs-2022/2022CTFiPhone8.zip
Google Pixel 3 Logical Image https://storage.googleapis.com/mvs-2022/Pixel.tar
For this test, I used the same computer, drive configuration, and processing options for each version of AXIOM. This is not a typical forensic computer but started life as a Dell Precision 3630 mid-tower desktop with some additional hardware added. Hardware configuration is listed below.
| Component | Test System Configuration |
|---|---|
| CPU | Intel i9-9900K CPU 8 Core / 16 Thread 3.60GHz base clock speed |
| RAM | 40GB DDR4 RAM |
| GPU | NVIDIA Quadro P1000 GPU |
| OS | Windows 11 Pro 22H2 |
| Primary Storage | Samsung EVO 860 500GB SATA interface SSD – operating system and AXIOM installation |
| Secondary Storage | Samsung EVO 860 500GB SATA interface SSD – case file storage |
| Evidence Storage | HP SSD EX950 1TB PCIe interface NVMe drive – evidence file storage |
Versions of AXIOM and Processing Settings
I utilized four different versions of Magnet AXIOM for this test. The table below lists some of the features each version includes that were not part of earlier releases, along with a link to the release notes page at the Magnet Forensics website.
| Version | Feature added |
|---|---|
| AXIOM 3.2.0 | Processing of DAR images from CAS and UFED 4PC |
| AXIOM 4.0.1 | Lucene.NET integration for indexing all evidence in a case |
| AXIOM 5.0 | Parsing and carving of both Android and iOS application permissions / Media explorer |
| AXIOM 6.8 | Automatic loading of iOS keychain-protected data in GrayKey images |
If you are interested in comparing the artifacts, new features, and expanded application support that have been added with the different releases of Magnet AXIOM or AXIOM Cyber, along with other features that have been developed, the release notes for current and prior versions can be found here.
For each test, the Windows operating system, the specific version of AXIOM that was being tested, and temporary files created during processing were stored on the same SATA interface solid-state drive. A second SATA interface SSD was used for storage of the case files created during processing, and the evidence files were stored on a PCIe interface NVMe drive.
Default settings for computer and mobile artifacts were selected. The option to verify the hash of E01 format evidence files (the HP image in this data set) after processing was completed was enabled, along with calculating the MD5 and SHA1 hash of all files, regardless of size. These settings were intended to emulate what many examiners might select in their investigations.
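As an added illustration of the hashing and verification settings described above (example code, not code from Magnet AXIOM or from this post), the following Python computes MD5 and SHA1 for every file in a tree in a single read pass, times the run, and later re-verifies the stored digests the way a post-processing hash check does; the directory tree, file name and contents are constructed for the example.

```python
import hashlib
import tempfile
import time
from pathlib import Path

CHUNK = 1024 * 1024  # 1 MiB reads keep memory flat even on multi-GB evidence files

def hash_file(path):
    """Return (md5_hex, sha1_hex) for one file, reading it exactly once.
    Feeding both digests from the same buffer avoids a second pass over the disk,
    the cost that grows with 'hash all files regardless of size' on a large image."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest(), sha1.hexdigest()

def hash_tree(root):
    """Hash every regular file under root -> {relative_path: (md5, sha1)}."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_tree(root, manifest):
    """Re-hash root; return paths whose digest changed or that are now missing."""
    current = hash_tree(root)
    return sorted(k for k, v in manifest.items() if current.get(k) != v)

def timed(fn, *args):
    """Run fn and return (result, wall-clock seconds), the metric the tests compare."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start

def make_sample_tree(content=b"abc"):
    """Constructed stand-in for an exported file set: one file 'abc.txt' holding content."""
    root = tempfile.mkdtemp(prefix="evidence_")
    (Path(root) / "abc.txt").write_bytes(content)
    return root

if __name__ == "__main__":
    root = make_sample_tree()
    manifest, secs = timed(hash_tree, root)
    print(f"hashed {len(manifest)} file(s) in {secs:.4f}s")
    (Path(root) / "abc.txt").write_bytes(b"abd")  # simulate a post-acquisition change
    print("changed or missing:", verify_tree(root, manifest))
```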
Before revealing the results, I want to mention some of the features that have been introduced with the versions of AXIOM that have been released over the years. Hopefully, I can manage expectations, because frankly, AXIOM does a whole lot more now than when I started using it after switching from Internet Evidence Finder.
Magnet AXIOM 3.0
Magnet AXIOM 3.0 added support for macOS images, including the decryption of FileVault2 and support for APFS containers. We also saw enhanced timeline capabilities with the introduction of a dedicated Timeline explorer in AXIOM Examine.
Magnet AXIOM 4.0
With the number of images examiners are tasked with reviewing continuing to soar, even after using hash sets and features like Magnet.AI categorization, the ability to build a picture comparison database and locate visually similar images is an effective way to locate actionable results that may have previously taken much longer to perform manually. The option to provide a reference image from outside the data set for comparison with the pictures in the data set is a huge benefit. Magnet AXIOM 4.0 introduced the capability to find similar pictures using Magnet.AI.
Magnet AXIOM 5.0
Magnet AXIOM 5.0 provided the ability to add keyword lists to a case after processing—a great feature! Like a lot of examiners, I have generic keyword lists I use for certain case types. After initial processing, I can develop a keyword list that is specific to that case and then re-process using that newly developed keyword list that has been tailored to a specific investigation.
The Media Explorer was another welcome addition to AXIOM 5.0, adding a variety of features designed to make the categorization of picture and video artifacts easier and faster for examiners.
AXIOM 5.0 also introduced support for processing many popular distributions of Linux, with initial artifacts introduced for things like Bash history, network interfaces, recent files, scheduled tasks, SSH activity, and user accounts to name a few.
Magnet AXIOM 6.0
Magnet AXIOM 6.0 introduced the Cloud Insights Dashboard, which is a great resource for learning about connected cloud accounts from the evidence items you are processing in your cases. For me, this is like performing on-scene triage at a search warrant and finding artifacts for connected USB devices on a Windows computer, and then tracking down those physical devices for collection and review. If I was unaware those USB devices had been connected to the computer, I may not know to look for them and this could mean missing out on crucial evidence. In some ways, the cloud has replaced removable storage devices for some users. We have all encountered a user that leverages the integration of Microsoft OneDrive on Windows, Apple iCloud on macOS, and without question—Google Drive on Chromebook. In cases such as these, the data we are interested in may not just be saved locally, but in that connected cloud account, or ONLY in that connected cloud account. The Cloud Insights Dashboard surfaces information that examiners previously were required to locate manually, provides a reference for artifacts that are available from the connected cloud platform, and details the access methods available using AXIOM Process.
AXIOM 6.3 introduced the ability to make a selection of the artifact recovery methods used during case processing. Instead of the traditional parsing and carving functions, examiners could now choose to only parse evidence sources for artifacts. Most examiners recognize that parsing active data is generally faster than carving data. When examiners need access to actionable data quickly, parsing-only may be a viable alternative to traditional processing methods. When choosing this processing method, examiners can perform carving of individual evidence sources at a later time, if desired. As a point of reference, performing case processing on this same data set and only parsing for artifacts completed in 53.6% of the time it took to both parse and carve—a great option when time to evidence is critical.
Now for the reveal! As you might expect, newer versions of AXIOM are indeed faster than prior versions when processing the same data set using the same hardware. At the time of this test, AXIOM 6.8 was the latest release. Using the same settings and processing options, AXIOM 6.8 processed the same data set on the same computer in 46.95% of the time it took AXIOM 3.2.0 to process. That is a significant improvement in Magnet AXIOM performance and speed! This improvement in processing speed was not unique to a comparison between the latest version of AXIOM and one from a few years ago: each successive version of AXIOM showed speed gains over the earlier version it replaced.
Not only were the newer versions of AXIOM faster at processing the same data set, but they also found more artifacts. I mentioned release notes earlier in the article and I will just reference them again here—each release of AXIOM includes artifact updates that are detailed in its corresponding release notes. The releases often include additional support for existing native and third-party applications on computer and smartphone platforms, or new applications entirely, along with additional features based on new research around various artifacts or platforms that are supported by AXIOM.
Additional Tests Conducted on AXIOM 6.8
Two additional Magnet AXIOM performance tests were conducted with AXIOM 6.8 that I want to mention. The first was copying the image files to a network share and processing the evidence files stored and accessed via a 1GbE connection. In this configuration, processing times increased by approximately 16.5%. I get it, some data sets are just too large to store locally, and some digital forensic labs are configured to process evidence stored on a network share. I worked in one that operated that way. Can you imagine the performance hit examiners experience when that same network segment experiences other traffic at the same time their installation of AXIOM is trying to read those evidence files? What about a lab with multiple examiners processing data simultaneously using evidence files stored on the same network share? Even with 10GbE network connections, things get congested quickly.
The second was replacing the E01 format HP image with a DD image. In typical fashion, the E01 was created, and a level of compression was applied to reduce the container footprint of the 256GB source drive to something easier to move around on disk and work with. While there are advantages, one drawback to using compressed images is having to decompress the data they contain during case processing. This processing overhead increased overall times by 12.5% during initial testing.
It does appear that Magnet AXIOM performance has improved over the years: newer versions of AXIOM are not only doing more work for us and finding more artifacts, but these newer versions are also doing that work more quickly. Knowing how to leverage the many options available during case processing within Magnet AXIOM and appropriate configuration choices given your specific hardware will contribute to your success. Magnet Forensics training courses, blog posts, video tutorials, and white papers all serve to improve your understanding of the configuration and use of Magnet AXIOM and AXIOM Cyber. There are features designed to perform deep-dive forensic analysis and options aimed at reducing time to evidence—the choice is yours to make depending on your investigative goals and demands of the case at hand. You may find performing an initial pass designed to surface selected artifacts from targeted locations in a triage-style approach is beneficial when combined with a more thorough scan to be performed after you have an opportunity to review actionable data and make informed decisions about the artifacts you are most interested in for a specific investigation.
At the 2023 Magnet User Summit in Nashville, attendees will have an opportunity to hear from Manny Kressel with BitMindz. We will be co-presenting some of our Magnet AXIOM performance testing data using not only different versions of AXIOM but different hardware configurations for examiners to consider when shopping for digital forensic hardware.
In the meantime, if you haven’t updated to the latest version of Magnet AXIOM or Magnet AXIOM Cyber, be sure to head over to the Customer Portal to get the latest version or update in-product.