New Features

Making a case (Portable Case)

Magnet Axiom’s Portable Case is a lightweight version of the full capabilities found in Axiom—designed for easy access and analysis of forensic findings. It shares the ability to investigate the case data from digital devices and produce reports with non-technical stakeholders, such as investigators and attorneys.

A fellow investigator says, “What got us here isn’t going to get us there.”

He is right.

One of the major challenges we face in digital forensics is the sheer volume of cases, devices, and storage sizes, requiring a variety of tools, time, and techniques. Magnet Axiom’s Portable Case is an effective tool for engaging stakeholders, all while increasing efficiency. Let’s take a look at a few of Portable Case’s many uses as well as this solution’s functionality, features, and ease of use.

Case examples where Portable Case can be useful

Scenario 1

A digital forensic examiner has extracted numerous image files from a digital device in relation to the abuse of a child but does not know what the child looks like. The examiner can build a Portable Case containing those images and provide it to the detective.

The detective, without an Axiom license, can then use the intuitive interface of the Portable Case to filter, sort, and search through the data for images involving their victim. The detective can then build a report of those results to provide to the court. This is a more efficient way to work the case as the detective would have more specific case knowledge. This also allows the examiner to focus on other cases.

Scenario 2

Consider the case of a corporate examiner who is assigned the task of investigating whether an employee may have taken proprietary data. That examiner can build a Portable Case containing artifacts such as documents, emails, and chat applications extracted from an employee’s computer. The Portable Case can be provided to other stakeholders, i.e., Legal, HR, etc., who can use the functionality of a Portable Case to find proprietary documents that the employee should not have in their possession.

Scenario 3

The examiner has extracted multiple mobile devices and preserved the SMS/MMS contained on them. The examiner then creates a Portable Case, which is provided to the investigator or investigative team to review for the potential clues and/or evidence.

All of these scenarios allow us to overcome the challenge of sharing the results of forensic investigations with stakeholders who lack specialized forensic software and possess limited technological knowledge. Digital forensics examinations can be highly technical in nature. Presenting data to non-technical stakeholders in a manner that is understandable and accessible can be a complex task, however using Portable Case is intuitive and easy. The intricate nature of digital forensic data, coupled with the varying levels of technical literacy among stakeholders, creates obstacles to effectively communicating the significance and implications of forensic results.

Interface

Upon opening, the Portable Case displays the Case Dashboard. The Case Dashboard contains a Case Overview and a summary of the evidence and artifacts parsed for review.

A screenshot of the Case Overview, Evidence Overview and Places to Start menus in Magnet AXIOM.

The end user can switch to the Artifact Explorer, where Portable Case displays each category of data parsed for review. The display format used by the Portable Case consists of a Navigation Pane (left pane), an Evidence Pane (middle), and a Details Pane (right). Clicking on a category in the Navigation Pane displays the results in the Evidence Pane. Clicking on an item in the Evidence Pane displays the results for that item in the Details Pane.

A screenshot of the Evidence overview in Magnet AXIOM.

In the Evidence Pane of the Portable Case, the user can also filter and sort on column headings.

this is done by clicking on the options for the column headings.

A screenshot showing the column options in the Evidence view, highlighting the "Filter on column" option.

In addition to the ease of navigation, the Portable Case artifact interface offers a distinct advantage with its Refined Results category. This category parses information globally

from the entire case and organizes artifacts of higher interest, such as Google Searches, Passwords and Tokens, and Facebook URLs.  Portable Case conveniently presents the information within the Refined Results category. These Refined Results, like any of the categories of artifacts presented to the recipient of the Portable Case, are dependent on what the Case Creator presented. The end user can switch seamlessly between the Navigation, Evidence, and Details Panes to review the artifacts as they are presented.

A screenshot of the refined results in Magnet AXIOM.

Sorting, filtering, and searching

Efficient sorting, filtering, and searching through the substantial volume of data in forensic cases is of paramount importance, particularly when stakeholders with limited technical knowledge are involved.

Portable Case gives users the ability to sort data by clicking on the column headings and choosing to sort either in an ascending or descending order. Users can also filter column headings individually or by applying a global filter from the filters bar interface. This allows users to apply multiple filters as well as an advanced searching functionality. The advanced searching functionality allows users to search for keywords or use them as an advanced filter. All these features allow users to swiftly narrow down and identify relevant data, which makes for more efficient collaboration between stakeholders.

A screenshot of the Advanced search dialogue box in Magnet AXIOM.

In addition to having the ability to sort, filter, and search within the Artifact Explorer, users also have the availability to do so within the Timeline Explorer. This robust explorer gives the user even more capabilities to search for evidence based on a specific time or a timeframe surrounding a specific incident.

In testing, users who have no experience with Portable Case were given five minutes to familiarize themselves with the tools interface and then a series of tasks, with artifacts to find. They were able to complete these tasks within seconds—not minutes—demonstrating that they could use the Portable Case functionality to quickly find the evidence needed to drive their investigations.

The Portable Case comes with a quick start guide. While users find it to be an intuitive tool with a friendly user interface, a broader guide is also provided on how to review evidence and even create an export or a report from the Portable Case.

Collaboration

As an investigative team, whether public or private sector, we must use our tools, time, and techniques more efficiently to reduce that time to first fact.

Portable Case helps us do just that.

By providing needed artifacts to stakeholders such as investigators, attorneys, or human resources, just to name a few, we can move that investigation more efficiently by having the right stakeholder with full knowledge of the case review those provided artifacts. The reviewer can then quickly and efficiently tag and comment on the relevant artifacts and even create a report from it.

The Portable Case can also be ingested back into the main Axiom case. This can be useful when large cases require artifacts to be sent out to various members of the team, who can review then tag and comment on them via Portable Case, before bringing these various Portable Cases back into the main case and then producing a final report. This allows for the best possible collaboration to drive the investigation. There are limitless scenarios, such as malware investigations or violent crimes that involve numerous mobile devices, in which stakeholders and investigators would benefit from utilizing Portable Case.

Getting the data to the right people in an easy and efficient tool like Portable Case allows them to get to the heart of the matter and make timely decisions regarding their investigation.

Learn more in our Making the Case (Portal Case) training course

Want to dive deeper into Portable Case? Our training course, Making the Case (Portal Case) is an introductory course designed for the aforementioned stakeholders (like investigators, attorneys, and subject matter experts) who are responsible for reviewing digital forensics case data that has been provided by a digital forensics examiner in the form of a Portable Case.   

Attendees will learn and develop skills related to a Portable Case, including investigating a subset of data, Portable Case navigation, searching and filtering data, analyzing and understanding artifacts, and distributing findings in the form of a report. 

Learn more here and sign up today.

Additional Resources:

The Value Portable Cases Bring to Customers (Video)

Magnet Axiom Exports, Tags & Comments – True View Exports and Portable Case (Video)

Deep Dive on Portable Case Part One (Blog)

Deep Dive on Portable Case Part Two (Blog)

Related Resources

Blog

Blog

Share digital evidence faster and easier than ever with Magnet Review 

Magnet Review empowers your investigative team members – both inside and outside your organization – to securely collaborate and review digital evidence from any of your data sources, and from

April 16, 2024 • About a 5 minute view
Blog

Blog

Magnet Axiom Cyber 8.0: RSMF exports, MFT parsing, new AI tools, and more

We’re thrilled to announce the latest major release of Magnet Axiom Cyber!

April 9, 2024 • About a 6 minute view
Blog

Blog

Magnet Axiom 8.0: new Mobile View, AI tools, memory analysis, and more

The latest major release of Magnet Axiom, version 8.0, is now available. 

April 9, 2024 • About a 5 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top