One of the new features in Magnet AXIOM that we are most excited about is Source Linking. This key feature should really help forensic examiners dive deeper into their data and analyze evidence quickly and efficiently. In a nutshell, Source Linking allows an examiner to quickly navigate between the artifacts, file system, and Windows Registry using clickable active links.
Historically, in Magnet IEF, we would list the source of every artifact that was found in the “Source” and “Located At” columns. These are probably my favourite fields and, consistently, the most valuable to my investigations. IEF would tell me exactly where it found the data, and I could quickly determine if it was relevant to my case; it would also allow me to verify and validate my findings.
With AXIOM, we’ve taken this a step further and found a way to make the verification of location (which can be really tedious) extremely simple. The Source and Location columns are now hyperlinks, allowing the examiner to click on them and be immediately transported to that exact location in either the file system or Windows Registry.
Source Linking to the File System
Now that we’ve added a File System Explorer to AXIOM, examiners can browse the file structures of a given image or evidence item. Paired with Source Linking, this lets users jump directly to where the relevant evidence is stored on the disk, saving a lot of time searching for a particular file or folder.
Quickly takes you to the database in the file system.
Magnet IEF has always done a great job of finding key evidence on a system, but if you wanted to validate those findings, you had to open the data in another tool, browse to the given source location, and ensure the data was reported as it was in the artifact. Now you can jump to that data with one click, allowing you to verify the artifact data in the file system.
Source Linking to the Registry
The Windows Registry contains a vast amount of valuable information. AXIOM works to pull a lot of artifacts from the Registry, but sometimes you need to manually dig in and find some additional information or validate what was previously found. The hardest part about traversing the registry is remembering where something is stored and navigating through the hierarchy to get to the data you need.
By Source Linking directly to your desired location, you can save a lot of time in your examinations.
Finding Related Artifacts
As valuable as Source Linking is, my favourite part about it is that you can also Source Link in reverse. From the file system, you can right-click on any file or folder, select “View Related Artifacts”, and immediately switch over to the Artifacts Explorer, which then shows only the artifacts that are related to the given file or folder.
This is a really powerful feature that will help examiners quickly identify artifacts of value. For example, if you are examining a computer that has multiple users, select the user’s profile, view related artifacts, and see only the artifacts related to that user. You may also find a file that is important to your investigation; if you wish to find any other related files located in the same folder, “View Related Artifacts” will do so with one click.