With AXIOM, we try to take an approach that not only gets the job done for expert forensic examiners, but also introduces skills and concepts to new or intermediate level examiners at a level that they can easily absorb. Whether this is integrating the command-line memory analysis tool Volatility into our graphical user interface, or using Connections to show examiners how artifacts relate to one another, we want to pique your interest in diving deeper.
Last week we posted about our new white paper, “10 Skills You Need Toward Mastering Mobile App Forensics.” We cover these skills in greater detail in both our webinar, “All About that Data,” and in our “Being Forensically Curious” blog series, but we wanted to take some time to describe how AXIOM’s ability to find and build custom artifacts can help you learn how to develop your skills.
Use AXIOM to Go from Uncertainty to Proficiency
When it comes to finding and parsing unsupported mobile apps, we’ve built three features that can help you move from uncertainty to proficiency at a pace you can manage. (Although, it helps if you take our AX300 training course.) Those features are:
- AXIOM’s Dynamic App Finder (DAF) enables users to discover chat, geolocation, contact information, and web data applications that aren’t yet supported by a native artifact. It helps you find more evidence from unsupported apps, giving you a stronger foundation for your manual validation, and helps you build custom artifacts for what it finds.
- AXIOM also enables you to build custom artifacts of your own. With custom artifacts, you can recover data—messaging, location, browser interactions, etc.—from across an app. You can build custom artifacts using one of two languages:
  - Extensible Markup Language (XML) artifacts use a template, which makes creating your own artifacts easy even if you don’t know how to script. XML artifacts can be created for data from SQLite databases, as well as for carving based on headers/footers.
  - Python scripting is available for those with more advanced skills.
- When your custom artifact is complete, and you’ve tested it to be sure it works, share it on the Magnet Artifact Exchange so that other AXIOM users can benefit.
Using DAF to Generate Custom Artifacts
DAF displays all the databases it finds on the Customize Artifacts screen. You can use the data that’s displayed to configure your own custom artifacts. In this video, our sales engineer Martin Barrow describes how to use DAF to:
- Identify SQLite databases that may contain useful info
- Determine relevant data types using columns such as artifact type (web address, chat, location info), database location, etc.
- Map (or name) columns according to the structure for each database DAF discovered
- Save the artifact as a custom artifact that you can use again and again in your investigations
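The four steps above (find candidate SQLite databases, decide which columns hold which data types, map the columns, and keep the result as a reusable parser) are the core of any custom artifact. The script below is an added example written for this post, not AXIOM's own Python artifact API and not code from Magnet Forensics; it uses only the standard library and a constructed in-memory SQLite database so it runs offline. Table and column names (`chat_msgs`, `sender`, `body`, `sent_at`) and the column-name hints are assumptions standing in for whatever an unsupported app actually uses, and the millisecond/second timestamp guess is a heuristic an examiner would verify against known messages before trusting it.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows standing in for an unsupported chat app's database.
SAMPLE_ROWS = [
    (1, "alice", "see you at 9", 1500000000000),   # epoch milliseconds
    (2, "bob", "ok", 1500000060000),
]

def build_sample_db():
    """Create a throwaway database with one chat table and one unrelated table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE prefs (key TEXT, value TEXT);
        CREATE TABLE chat_msgs (msg_id INTEGER PRIMARY KEY, sender TEXT,
                                body TEXT, sent_at INTEGER);
    """)
    conn.executemany("INSERT INTO chat_msgs VALUES (?,?,?,?)", SAMPLE_ROWS)
    conn.execute("INSERT INTO prefs VALUES ('theme','dark')")
    conn.commit()
    return conn

# Step 2: column-name hints used to guess each column's role (assumed, analyst-verified).
ROLE_HINTS = {
    "sender": ("sender", "from", "author"),
    "message": ("body", "text", "message", "content"),
    "timestamp": ("ts", "time", "date", "sent", "created"),
}

def guess_column_roles(conn, table):
    """Step 3: map real column names onto the roles the artifact needs."""
    cols = [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]
    mapping = {}
    for col in cols:
        low = col.lower()
        for role, hints in ROLE_HINTS.items():
            if role not in mapping and any(h in low for h in hints):
                mapping[role] = col
                break
    return mapping

def discover_chat_tables(conn):
    """Step 1: keep only tables whose columns look like a chat conversation."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    found = {}
    for t in tables:
        m = guess_column_roles(conn, t)
        if {"sender", "message", "timestamp"} <= m.keys():
            found[t] = m
    return found

def to_utc(ts):
    """Normalise a Unix timestamp to ISO-8601 UTC; values above ~1e11 are
    treated as milliseconds (heuristic, verify against known data)."""
    secs = ts / 1000 if ts > 1e11 else ts
    return datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()

def extract_messages(conn, table, mapping):
    """Step 4: the reusable parser, driven entirely by the column mapping."""
    q = (f'SELECT "{mapping["sender"]}", "{mapping["message"]}", '
         f'"{mapping["timestamp"]}" FROM "{table}" ORDER BY 3')
    return [{"sender": s, "message": m, "timestamp": to_utc(t)}
            for s, m, t in conn.execute(q)]

def run():
    """Run discovery and extraction over the constructed database."""
    conn = build_sample_db()
    return {table: extract_messages(conn, table, mapping)
            for table, mapping in discover_chat_tables(conn).items()}

if __name__ == "__main__":
    for table, rows in run().items():
        print(table)
        for r in rows:
            print(f'  {r["timestamp"]}  {r["sender"]}: {r["message"]}')
```

The point of separating `guess_column_roles` from `extract_messages` is the same one DAF makes: once the mapping is confirmed by hand, the extraction query is reusable across every case that contains that app, and the mapping itself is the part worth writing down and sharing.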
Writing Custom Artifacts of Your Own
If you want to go deeper on custom artifacts (even beyond DAF!) then you can, as discussed above, use XML or Python to write them. As we wrote in our blog last May:
Offering support for Python, as well as XML, gives examiners at every level more options when building their own Custom Artifacts. XML is a great tool for non-technical or beginner users, while Python development is suited to someone with a bit more development experience.
Both development environments allow examiners to build artifacts that will recover data from across an app – messaging, location, browser interactions, etc.
Using the Magnet Artifact Exchange to Work with Custom Artifacts
Not sure how to write your own script? No worries—the Artifact Exchange has reference guides for working with the XML and Python formats. You can find that documentation on the Artifact Exchange after you log in.
To see what XML and Python artifacts look like and how to work with them, take a look at Forensic Consultant Jamie McQuaid’s video, which describes how to:
- Access the Artifact Exchange through the Customer Portal
- Download and review scripts in an editor such as Notepad++ to see what each artifact does
- Load scripts (all of them or just some) into AXIOM, and find where your custom artifacts appear
Remember: the Artifact Exchange is free to use, and anyone can sign up without need for an AXIOM or IEF license. Be sure to read the Artifact Exchange FAQ for more information on how it all works.
Some Tips for Sharing in the Artifact Exchange
A shared artifact doesn’t have to be perfect! It just has to work. Cheeky4n6Monkey, Adrian Leong, offers this example based on his script-writing experience: “There will always be a need for parsing historical/obscure artifacts. Mobile devices can lay dormant for years until they are found/examined. It could be for a one-off job but by scripting a solution, you are achieving a few things:
- “It provides you with more experience coding and you can probably re-use some of the code in the future (saving your future self some time).
- “Documenting your methodology and sharing your work/thought process so others can benefit. (E.g. people who may not have access to test data can still learn about the artifacts involved and people that did not know about the artifact now do.)
- “It can provide you with more experience on how data is stored (e.g. timestamp formats, data types used to store location).
- “It can allow you to connect with others in the community who have similar/better skills and knowledge.”