In our opinion, one of the key features of Magnet AXIOM Cyber is the way it enables investigators to capture forensically sound images over the network and to process endpoint data into system artifacts usable for both novice and expert investigators.
We expanded this functionality to off-network endpoints to meet the rising demands of remote work, and you can read more about that in our blog: Harnessing the Cloud to Collect Off-Network Endpoints using AXIOM Cyber.
AXIOM Cyber 5.2 brings the next evolution in how our products enable remote investigations by adding index searching and filtering capabilities to remote system previews.
Need for Speed
There’s no difference in how the agent is deployed or connected. We’ve added a little checkbox in your workflow that allows system metadata to be streamed and indexed on the examiner system. In our internal tests, this usually took less than 5 minutes.*
Once the index is built, all user queries run against the local index. Search for a file name. Filter on extension. Slap on a date range filter. That’s right – every search term comes back with instant results.
Targeted collection with AXIOM Cyber has never been faster.
Target, Adapt, and Overcome
The ability to perform index searches against endpoint data doesn’t just help accelerate your investigation – it provides flexibility. As updates roll in from HR, your date range could change. Or a previously ignored file extension is now the target for your investigation. And if the endpoint drops offline mid-index, the process will resume as soon as the endpoint comes back. This ensures that you get access to the right data, even when things go wrong.
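The local-index workflow described above, as an added illustration rather than AXIOM Cyber's own code: constructed file-metadata records stand in for what the agent streams, a SQLite table on the examiner side is the index, ingestion resumes by sequence number after a dropped connection, and every name, extension and date-range query runs locally without touching the endpoint.

```python
import posixpath
import sqlite3

# Constructed sample records standing in for streamed endpoint metadata:
# (path, size in bytes, modification time as ISO-8601 UTC). Not real data.
SAMPLE_RECORDS = [
    ("C:/Users/alice/AppData/Local/Microsoft/Outlook/alice.ost", 2_147_483_648, "2023-03-14T09:12:00Z"),
    ("C:/Users/alice/Documents/report.docx", 48_120, "2023-02-01T17:45:10Z"),
    ("C:/Users/bob/AppData/Local/Microsoft/Outlook/bob.ost", 734_003_200, "2022-11-30T08:00:00Z"),
    ("C:/Windows/System32/notepad.exe", 201_216, "2021-06-02T12:00:00Z"),
    ("C:/Users/alice/Pictures/IMG_0001.JPG", 3_004_112, "2023-03-15T19:30:00Z"),
]

def open_index(db_path=":memory:"):
    """Create (or reopen) the examiner-side index with lookups on ext and mtime."""
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE IF NOT EXISTS files ("
                "seq INTEGER PRIMARY KEY, path TEXT, ext TEXT, size INTEGER, mtime TEXT)")
    con.execute("CREATE INDEX IF NOT EXISTS ix_files_ext ON files(ext)")
    con.execute("CREATE INDEX IF NOT EXISTS ix_files_mtime ON files(mtime)")
    return con

def ingest(con, records, start_seq=0):
    """Append streamed records. Each carries a sequence number, so after a dropped
    connection the examiner re-requests from the last seq and replays are ignored."""
    for seq, (path, size, mtime) in enumerate(records, start=start_seq):
        ext = posixpath.splitext(path)[1].lstrip(".").lower()
        con.execute("INSERT OR IGNORE INTO files VALUES (?, ?, ?, ?, ?)",
                    (seq, path, ext, size, mtime))
    con.commit()
    return start_seq + len(records)  # next sequence number to request

def search(con, ext=None, name_contains=None, since=None, until=None):
    """Filter the local index only. Fixed-format ISO-8601 UTC strings sort
    lexicographically, so the date range is a plain comparison on an indexed column."""
    candidates = [("ext = ?", ext.lstrip(".").lower() if ext else None),
                  ("path LIKE ?", f"%{name_contains}%" if name_contains else None),
                  ("mtime >= ?", since), ("mtime <= ?", until)]
    clauses = [c for c, v in candidates if v is not None]
    args = [v for c, v in candidates if v is not None]
    where = (" WHERE " + " AND ".join(clauses)) if clauses else ""
    rows = con.execute("SELECT path FROM files" + where + " ORDER BY path", args)
    return [r[0] for r in rows]

if __name__ == "__main__":
    con = open_index()
    ingest(con, SAMPLE_RECORDS)
    print(search(con, ext="ost"), search(con, since="2023-03-01T00:00:00Z"))
```

Changing the date range or extension later is a new query against the same table, not a new collection.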
A Real-World Example
Leading up to the release of this new feature—as with all other features and releases—we did extensive internal testing. As a part of our tests, we used an instance of AXIOM Cyber running in the cloud (to get started learning about how you can virtualize your workstation or lab environment, check out our blog: Virtualizing Your Forensics Lab in the Cloud Part 1: Leveraging IaaS for Your Lab).
The VM with AXIOM Cyber was running in the East Coast region in the United States, and the target machine was running in Southern California, off-VPN. After deploying the AXIOM Cyber remote agent, we checked the box to connect to the agent and index file system metadata.
Here’s the awesome part: two minutes and forty-seven seconds later, the contents of the 500GB drive on the target machine were indexed! We ran a filter for “OST” file extensions, and the two instantly appeared. In less than three minutes, we were already hours ahead of the old paradigm. We did notice, however, significant slowdown on endpoints running network meeting software with screenshare and cameras concurrently presenting. Those tests clocked in at about 12 minutes.*
We’re extremely excited to deliver this feature to the community and look forward to hearing about the ways that it saves you time while performing investigations against remote endpoints.
*Internal testing data is provided for illustrative purposes only and should not be considered a warranty of the typical results of AXIOM Cyber.