Digital Evidence Processing: Parsing-Only Processing and Post-Process Carving

Processing evidence sources that contain terabytes of data and hundreds of thousands of artifacts is now a common and sometimes time-consuming process. Magnet AXIOM and Magnet AXIOM Cyber offer you more control over evidence processing by offering the option to process evidence with parsing-only and post-process carving—allowing you to apply the appropriate collection method for the investigation at hand.

When you know that parsing an evidence source will, on its own, yield the evidence you need to push your investigation forward, parsing-only processing can save you a significant amount of time, depending on the evidence source. For example, based on our internal testing, parsing-only processing of a case that included a small computer image, an SD card, a thumb drive, an iPhone backup, and a small Google Takeout was 71% faster. When parsing-only was used to process a 450GB E01 image, it was 70% faster. In another test, parsing-only processing of a 47GB GrayKey extraction was 19% faster than parsing and carving.

Of course, with parsing-only you will recover fewer artifacts than with a full parsing and carving scan. What it allows you to do is decouple the initial artifact collection from the deep dive, giving you more flexibility to determine when and if a parsing-only scan is appropriate, with the ability to carve those evidence sources in post-processing at a later time.

A screenshot of the Parsing-Only Processing and Post-Process Carving in Magnet AXIOM and Magnet AXIOM Cyber

To select the scan type, go to the new screen in AXIOM Process under the Artifact Details heading, where you can choose your processing mode. Note, however, that the default setting will continue to be to parse and carve evidence sources, so that AXIOM and AXIOM Cyber recover the most evidence as the standard setting.

Screenshots of the Parsing Only and Preprocess Artifacts with Carving menus in Magnet AXIOM and Magnet AXIOM Cyber

So that you can log the collection method used to surface the evidence at hand, the evidence card will now display the processing method, such as parsing only or parsing and carving. If the case includes at least one evidence item that was only parsed, a menu will be available for selecting evidence sources to reprocess with carving.

Parsing Only and Post Processing in the Magnet Digital Investigation Suite

Magnet AUTOMATE and AUTOMATE Enterprise users will have even greater flexibility in customizing their workflows. Parsing-only and post-process carving will be available to AUTOMATE users, so they can use off-hours processing to carve evidence sources and ensure no evidence is left behind, even though a source may have already provided the evidence required to push an investigation ahead with parsing only.

For Magnet REVIEW users, this provides an opportunity to share parsed artifacts with downstream reviewers even faster, before carved evidence is collected in post-processing.

Effectively, this allows you to determine the appropriate processing method for your case, giving you control over your digital evidence processing with Magnet AXIOM and AXIOM Cyber. 

