Exploring Magnet AXIOM’s Examiner-Created File System and Registry Artifacts
We’re excited to introduce you to Jessica Hyde, our new Director, Forensics. Jessica will be contributing to the Magnet Forensics blog with insights on the digital forensics industry and in-depth looks at our products and product features.
Her inaugural blog explores the ability to add an artifact from the File System or Registry Explorers and provides how-tos for you to create your own.
It is often necessary in a forensic examination to delve deeper into the raw data using a Hex or Text view. With these views an examiner may find data that a commercial tool missed for any of a variety of reasons.
For example, you might be able to:
- Confirm/validate the results the tool has returned for a given artifact
- Perform manual searches, providing additional context related to an artifact
- Dig deeper for additional data that might be found in a file
- Perform manual analysis for unsupported applications, file systems, or devices
Once you have found that data, it is valuable to be able to add it to your case as parsed data. A quick way to do that in Magnet AXIOM is the new feature, released in version 1.0.4, that adds an artifact directly from the File System or Registry Explorers. Once added, the artifact can be tagged and commented on for future reference, filtered as you analyze the case, and included in reports.
Let’s look at an example where we parse some data from an unsupported device. AXIOM can ingest images with unrecognized file systems, provided the image format itself (e.g. dd, bin, E01) is supported, so the examiner can still take advantage of carving. In this instance we have an unsupported image from a Nokia 6230 (a feature phone from circa 2003). The image was a .bin file obtained via 3rd party tools. Since this phone predates AXIOM’s supported mobile platforms (Android, iOS, Kindle Fire, and Windows), only carved images were recovered from it.
A quick hex search, combined with knowledge of how this device stores its data, turns up additional artifacts. We were able to locate phone numbers stored on the device. While the examiner may not yet know where these phone numbers came from (call logs, contacts, etc.), the examiner now has the opportunity to add them as artifacts.
In order to add the artifact, simply highlight the relevant bytes in the Hex and Text view and select “Display as artifact.”
When you go back to artifact view, you can see the artifact now appears under the heading “Examiner Created”:
Now that the artifact is added, it can be tagged or filtered like any other evidence in your case:
There were multiple phone numbers stored on this phone, so I was able to add multiple examiner-created artifacts:
And now you can export that data and include it in your report:
There are multiple export formats. I selected PDF:
Another use case is finding additional data in a supported device. For example, while AXIOM parsed more than 100,000 artifacts from a Note 3, it did not parse the IMEI. However, I was able to find it in the image, and I wanted to add it as an artifact back to the case. By doing this I can tag the information, keep a link to the source data for validation, and include it in my report:
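As an added example (this is not Magnet's code or the article's own procedure), the following Python script shows the kind of manual search described above, for both the feature-phone phone numbers and the Note 3 IMEI, run over a raw image. It scans for ASCII digit runs and for the reversed-nibble BCD encoding that GSM SIM phonebooks use (a TON/NPI byte such as 0x81 or 0x91 followed by nibble-packed digits padded with 0xF), and it validates 15-digit runs with the Luhn check digit that an IMEI carries, so that a serial number of the same length is not mistaken for one. The sample bytes are constructed here for illustration; whether a given handset's internal memory uses the SIM-style BCD layout is an assumption that must be confirmed in the Hex view, which is exactly the "knowledge of this device" the article refers to. Each hit is reported with its byte offset so the examiner can go back to that location in the Hex and Text view and add it as an artifact.

```python
"""Scan a raw phone image for phone-number-like data (added example).

Assumptions, not facts from the article:
  * some numbers are stored as plain ASCII digit strings;
  * some are stored as GSM reversed-nibble BCD preceded by a TON/NPI
    byte (0x81 national/unknown, 0x91 international) and padded with
    0xF nibbles, as in a SIM ADN record.  Confirm this in the hex view
    before trusting a hit from a specific handset.
"""
import re
from typing import List, Tuple

Hit = Tuple[int, str]          # (byte offset in the image, decoded value)

# 7-15 digit runs not bordered by other digits; longer runs are skipped
# because they are unlikely to be a single phone number.
ASCII_RUN = re.compile(rb"(?<![0-9])[0-9]{7,15}(?![0-9])")


def find_ascii_numbers(image: bytes) -> List[Hit]:
    """Return every ASCII digit run of 7-15 digits with its offset."""
    return [(m.start(), m.group().decode("ascii")) for m in ASCII_RUN.finditer(image)]


def find_bcd_numbers(image: bytes, min_digits: int = 7) -> List[Hit]:
    """Return reversed-nibble BCD numbers that follow a TON/NPI byte.

    A hit requires the digit run to end in a 0xF pad nibble, which is the
    strongest signal that the bytes really are a BCD number and not just
    arbitrary bytes whose nibbles all happen to be 0-9.
    """
    hits: List[Hit] = []
    i, n = 0, len(image)
    while i < n - 1:
        ton = image[i]
        if ton in (0x81, 0x91):
            digits: List[str] = []
            padded = False
            j = i + 1
            while j < n and len(digits) < 20:
                b = image[j]
                lo, hi = b & 0x0F, b >> 4
                if lo == 0x0F:                 # pad byte (0xFF): end of number
                    padded = (b == 0xFF)
                    break
                if lo > 9:                     # not a digit: not BCD data
                    break
                digits.append(str(lo))
                if hi == 0x0F:                 # odd digit count, 0xF in high nibble
                    padded = True
                    j += 1
                    break
                if hi > 9:
                    break
                digits.append(str(hi))
                j += 1
            if padded and len(digits) >= min_digits:
                prefix = "+" if ton == 0x91 else ""
                hits.append((i, prefix + "".join(digits)))
                i = j                          # resume after the number
                continue
        i += 1
    return hits


def luhn_valid(digits: str) -> bool:
    """Luhn check used by IMEI: the 15th digit is a check digit."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = int(ch)
        if idx % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_imei_candidates(image: bytes) -> List[Hit]:
    """15-digit ASCII runs that pass the Luhn check."""
    return [(off, d) for off, d in find_ascii_numbers(image)
            if len(d) == 15 and luhn_valid(d)]


# Constructed sample image (not from a real device): two BCD numbers,
# an ASCII IMEI with a valid Luhn digit, and a 15-digit decoy that fails it.
SAMPLE_IMAGE = (
    b"\x00" * 8
    + b"Name: Alice\x00"
    + b"\x81" + bytes([0x55, 0x15, 0x32, 0xF4]) + b"\xFF" * 4            # 5551234
    + b"\x00" * 4
    + b"\x91" + bytes([0x41, 0x51, 0x55, 0x25, 0x76, 0xF1]) + b"\xFF" * 3  # +14155552671
    + b"\x00" * 4
    + b"IMEI=490154203237518\x00"     # valid Luhn check digit
    + b"SN=490154203237519\x00"       # same length, fails Luhn: not an IMEI
    + b"\x00" * 4
)

if __name__ == "__main__":
    for label, hits in (("BCD number", find_bcd_numbers(SAMPLE_IMAGE)),
                        ("ASCII digits", find_ascii_numbers(SAMPLE_IMAGE)),
                        ("IMEI candidate", find_imei_candidates(SAMPLE_IMAGE))):
        for offset, value in hits:
            print(f"{label:15s} offset 0x{offset:08X}: {value}")
```

Run it against a real image by replacing `SAMPLE_IMAGE` with the file's contents (`open(path, "rb").read()`); the printed offsets are what you highlight in the Hex and Text view before choosing "Display as artifact", and a BCD hit should be cross-checked by looking at the surrounding record (name field, record length) rather than trusted on its own.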
I think we can all agree that Examiner Created Artifacts is a powerful tool in AXIOM that allows the examiner to augment their filters and reporting with additional artifacts uncovered during the course of an examination.
Examiner Created Artifacts will help improve your analysis capabilities within AXIOM and we hope your investigations will benefit from their use.
If you have any questions or feedback, feel free to reach out: email@example.com.