In part one of our Portable Case series, we looked at the features and benefits of Portable Case. We highlighted the power of real-time collaboration with multiple stakeholders and having all the feedback collected in one place.
How to: Magnet AXIOM Portable Case for Non-Technical Stakeholders
Portable Case is a feature available in Magnet AXIOM that allows users to share their findings from an investigation with stakeholders who might not be forensic examiners or have access to a full version of AXIOM.
Examiners can export a subset of their AXIOM case to be shared and reviewed by others and then merge any tags or comments into the original case so all interested parties can share and review the data.
The purpose of this feature is to allow others who might have additional details about an investigation that the examiner does not know (such as names, phone numbers, persons of interest, or other context surrounding the case) the ability to review important details without getting entrenched in the technical details of a forensic examination.
The following information should help examiners get their stakeholders up and running with Portable Case in AXIOM.
Portable Case can run on a system that does not have AXIOM installed. However, it does require a few dependencies and minimum system requirements to function correctly:
- Windows 64-bit machine
- .NET version 4.8 or later installed
- C++ Redistributable 2008, 2012, 2013, and 2015 installed
Like AXIOM, Portable Case requires a Windows machine and everything on the list above to run properly. AXIOM also has a minimum system specification to help ensure stakeholders can open the case on the system. Because your stakeholders won’t be processing any evidence, the processor specifications don’t matter as much, but for the stakeholders to have a decent viewing experience, the memory and disk values should at least match or exceed the following:
With anything less than the above specs, the stakeholder will experience slow searching and filtering and may run out of memory when trying to accomplish specific tasks.
Opening a Case
The next step is to ensure your stakeholders are opening the case correctly. Creating a Portable Case export in AXIOM will include a folder with quite a few files and folders inside. Portable Case is standalone, meaning that it includes the AXIOM Examine executable and most other dependencies in the Portable Case folder (along with the actual case data) and does not require AXIOM to be installed on the system beforehand.
When sharing a Portable Case with stakeholders or other users, ensure that you give them the entire Export folder, or they may have trouble opening the case. This folder must also be readable and writable for the case to open. Many examiners share a Portable Case burned to a CD or marked as read-only; this prevents the case database from opening. If you receive the Portable Case on a CD, copy the folder to the local computer before opening it.
The Portable Case folder will include the following files and folders:
- OpenCase.exe – Double-click this file to open the case. It will check for any dependencies before opening the case and ensure you have the correct system requirements listed above.
- Case Files – This folder contains the AXIOM Examine executables and files needed to run the program. Stakeholders shouldn’t need to go into this folder.
- Dependencies – All the documentation that ships with AXIOM is included in this folder if you wish to learn how a feature works or need help while in the application.
- Portable Case Quick Start Guide – This file is a guide that runs through the basic operations available within a Portable Case. It also has hyperlinks to various training videos created to walk users through using a Portable Case.
- ExportSummary.json – This is a .json file containing details regarding the Portable Case export from AXIOM. Stakeholders shouldn’t have to open this file.
As mentioned above, all the stakeholders need to do is double-click the OpenCase.exe file and let it check for dependencies; the case will then open. The most common errors that prevent the case from opening are that the dependencies still need to be installed or included in the Portable Case folder, or that the Portable Case folder is read-only.
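A preflight check an examiner can hand to stakeholders alongside the Export folder, covering the system requirements listed above and the read-only folder problem. This is an added PowerShell example, not part of AXIOM or the original article; it assumes the .NET Framework 4.8 registry Release value of 528040 and detects the C++ Redistributables heuristically by their Uninstall display names.

```powershell
# Added preflight check (not part of Magnet AXIOM or the original article).
# Verifies the Portable Case requirements before a stakeholder double-clicks
# OpenCase.exe: 64-bit Windows, .NET 4.8+, the VC++ runtimes, and a case
# folder that is complete and writable.
param(
    [Parameter(Mandatory = $true)][string]$CaseFolder   # path to the copied Export folder
)
$problems = @()

# 1. 64-bit Windows
if (-not [Environment]::Is64BitOperatingSystem) { $problems += 'Not a 64-bit Windows system' }

# 2. .NET Framework 4.8 or later: the Release DWORD is 528040 or higher for 4.8
$ndp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue
if (-not $ndp -or $ndp.Release -lt 528040) { $problems += '.NET Framework 4.8 or later not installed' }

# 3. Visual C++ Redistributables 2008/2012/2013/2015 (heuristic, assumption: the
#    Uninstall DisplayName contains "Visual C++" and the release year)
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$installed = Get-ItemProperty $uninstall -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Visual C++*' } | Select-Object -ExpandProperty DisplayName
foreach ($year in '2008', '2012', '2013', '2015') {
    # 2015 and later share one runtime, so a "2015-2019"/"2015-2022" entry also satisfies 2015
    if (-not ($installed | Where-Object { $_ -like "*$year*" })) {
        $problems += "Visual C++ $year Redistributable not found"
    }
}

# 4. Case folder: complete (OpenCase.exe present) and writable (not a read-only CD copy)
if (-not (Test-Path (Join-Path $CaseFolder 'OpenCase.exe'))) {
    $problems += 'OpenCase.exe missing: the whole Export folder must be shared'
} else {
    try {
        $probe = Join-Path $CaseFolder ('.writetest_' + [guid]::NewGuid())
        [IO.File]::WriteAllText($probe, 'x'); Remove-Item $probe
    } catch {
        $problems += 'Case folder is read-only: copy it to local disk and clear the read-only flag'
    }
}

if ($problems.Count -eq 0) { 'Ready: run OpenCase.exe' } else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it as `.\Check-PortableCase.ps1 -CaseFolder C:\Cases\Export` (file name assumed) before opening the case; each reported problem maps to one of the fixes described above.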
Reviewing the Evidence
Once the case is open, the stakeholders can begin reviewing the data that is shared with them. We suggest not sharing the entire case with stakeholders, as there will be a lot of artifacts that aren’t relevant to the investigation or may be too technical for the intended audience. For example, sharing Shellbags or Jumplists with non-technical stakeholders will tend to confuse them and lead to many questions. These artifacts can be of great interest to a trained examiner but should be left out of a Portable Case. Most stakeholders are interested in chats, pictures, videos, documents, etc., that they can quickly review to determine whether they’re relevant to the investigation.
The Portable Case should look and feel similar to the full version of AXIOM. You can run keyword searches in the top right of the screen, apply filters, use the various views, or browse the artifacts along the left side. More advanced features such as the file system, registry, or hex/text views are disabled for Portable Case as these views aren’t needed for a non-technical stakeholder and could cause challenges and questions during the review.
A User Guide is automatically installed inside the Portable Case when opened. You can access the guide by hitting the F1 key or navigating the drop-down menu by selecting Help > Documentation > User Guide.
Reporting/Returning to Main Case
Once the stakeholder has added any tags or comments, you may want to include that information in the master case to include it in the final report. AXIOM includes an option to merge the Portable Case back into the master case.
NOTE: You cannot merge two Portable Cases together. The Portable Case must be merged with the master case it was created from.
When merging cases, you will follow a short merge wizard that helps ensure there are no conflicts and that your stakeholder’s information does not overwrite any previous work done by the examiner. If any conflicts arise during this process, the examiner decides how to proceed (for example, if you tag a picture as “Category 1” but the stakeholder tags it as “Category 2”, you will have the option to choose one or the other or to allow both tags to apply to the given artifact).
Once the merging is complete, you can finish your examination or create a report with data from the master case and any additional Portable Cases you merge into the master.
As mentioned above, there are a few limitations to Portable Case, both in how it can be used and in which features of the full version of AXIOM are excluded. Still, I wanted to summarize them here for a more straightforward review.
When reviewing a case using an unlicensed version of AXIOM Examine, several features will appear greyed out or inaccessible, including:
- Using the File System or Registry explorers
- Viewing the raw hex or text of a file
- Hex decoder
- Creating or merging another portable case
Otherwise, most features in AXIOM Examine will be available in the Portable Case without a license. For more information about using a Portable Case, see the documentation installed with AXIOM or included with the Portable Case.