New Features

New Performance Enhancements in Magnet AXIOM Mean Faster Results

Processing Times Reduced Dramatically in AXIOM 1.0.6

By Jad Saliba, Founder and CTO of Magnet Forensics

Last week, we released Magnet AXIOM version 1.0.6. This update included a number of features and fixes, but one of the main goals was to address issues we, and our customers, had seen in processing times. And we did it! AXIOM Process times are now testing as being equal to, or slightly faster than, IEF.

Here’s how we did it…

Customers told us that AXIOM Process (AXIOM’s application for acquisition and processing of images) was slower at processing data than IEF. Absolutely it was. We expected processing to take about 10-15% longer because AXIOM simply does more. (The 10-15% increase assumes an “apples-to-apples” scenario. Comparing AXIOM to the full implementation of IEF – with both the Business and Mobile modules included.)

However, we were being told about cases where AXIOM Process was four to 10 times slower than IEF, which was not acceptable. The team went to work trying to recreate those scenarios and find root causes for the deltas in performance.

We already had performance testing in place, but had to research different image types and identify new images that had poor performance. Our performance systems track the performance of both IEF and AXIOM on an hourly basis. This allows us to quickly spot any issues and to log them for correction as we build fixes and enhancements.

Some of the Culprits

It was months of work, but our team found a number of places for improvement.

Processing of artifacts has been enhanced in AXIOM in order to provide near-instant search results and filtering when examiners move on to the analysis stage. Basically, artifact data is indexed in the AXIOM case database, a feature that is only available in AXIOM. In AXIOM 1.0.6, we applied the indexes at a more efficient time and it made a noticeable difference.

Sometimes search duration goes up when more artifacts are recovered and this is the delicate balance between adding features and maintaining performant searches. With the latest AXIOM release, we have optimized the search algorithm to reduce the overhead of the new AXIOM features, and to reduce the overhead of finding new artifacts and applications going forward.

The team understands that time is of the essence in forensic examinations and they are continuing to find new ways to improve processing time for our customers.

The Proof – Where AXIOM even beats IEF in some cases

When we focused on performance enhancements and solving these issues, we understood that AXIOM Process might be eight to 10 percent slower than IEF – again this was reasonable to us because of the extra processing features that AXIOM provides. However, in our most recent tests, AXIOM is not only well within that range, it’s even faster than IEF in some cases.

Here’s are a few examples from our automated performance system:

process-blog-3-new
Click to enlarge
process-blog-2-new
Click to enlarge
process-blog-1-new
Click to enlarge

In our performance testing: every code change made to AXIOM or IEF is run against a slew of mobile and computer images; the search duration and artifact results are collected and stored; and this data is compared to previous code change tests, as well as previously released software updates.

How is AXIOM Process more powerful?

AXIOM still parses and carves for hundreds of artifact types – leveraging the engine that is used in IEF, but we built AXIOM to do more. Beyond the built-in artifact indexing that we do, here are some key AXIOM-specific features:

  1. File System Explorer Access – AXIOM produces a fully functional file system explorer. It does this by enumerating the entire file tree and storing information about every file and folder, including meta-data. By processing the filesystem, AXIOM enables you to quickly browse through the filesystem in Examine, even without the source image present.
  2. Automated File Hashing – All files in the filesystem of every evidence item is hashed to generate an MD5 and SHA1 hash. This option, popular among examiners, requires time to generate the hashes. AXIOM does allow you to disable this processing option if you do not need it.
  3. Integrated Mobile and PC Acquisition – We have integrated our Magnet ACQUIRE technology into the main workflow of the product. This allows you to acquire a mobile device or hard drive and have it processed all in one single stage – no longer will you need to monitor the acquisition process just to have to manually start processing. AXIOM Process also allows you to queue up multiple devices (mobile devices or hard drives) to be acquired and processed as part of the same case.
  4. Operating System Artifacts – AXIOM users get more artifacts than IEF as part of the AXIOM PC version. With AXIOM PC, you automatically get artifacts such a Windows event logs, USB devices, recycle bin, user accounts, LNK files etc. These artifacts can be critical in an investigation in order to show intent and potentially identify the main user of the computer.
  5. File System Parsing – AXIOM parses the file system of all evidence items. This allows you to browse the entire file system in AXIOM Examine in order to tag, save and review files. Parsing of the filesystem provides all critical meta-data in order to do a more in-depth analysis. Details such as the file creation, modified and accessed timestamps as well as file hashes are provided. AXIOM generates MD5 and SHA1 hashes for all files in the filesystem in order to allow users to search for specific file hashes.

What if I find a case with a noticeable difference in processing time?

One of the things that we pride ourselves on is our commitment to listening to our customers’ feedback and using their experiences and suggestions to shape our products as they mature.

If you are still seeing cases where AXIOM Process is more than 10-15% slower than the full implementation of IEF, we want to know about it. Please reach out to us at: support@magnetforensics.com.

The team has worked incredibly hard to identify and correct these performance issues and getting AXIOM to match or better IEF speeds is a great achievement.

AXIOM continues to grow

Since the launch of Magnet AXIOM five months ago, the product team has been busy making changes and adding new features, such as support for Uber, Fitbit, Amazon Echo, LINE, Nest and new versions of a multitude of existing artifacts. We have worked on fixing disk space errors, logging, licensing, exports, and enhancing filters – just to name a few updates in the last six releases.  And I know for a fact that we have some big features coming soon.

We appreciate your continued support, especially those who have been on this journey with us since the early days. We invite you to walk with us as we take things to the next level with AXIOM! As always, feel free to reach out if you have any comments or questions.

All the best,

Jad and the Magnet Forensics Team

Related Resources

Blog

Blog

Share digital evidence faster and easier than ever with Magnet Review 

Magnet Review empowers your investigative team members – both inside and outside your organization – to securely collaborate and review digital evidence from any of your data sources, and from

April 16, 2024 • About a 5 minute view
Blog

Blog

Magnet Axiom Cyber 8.0: RSMF exports, MFT parsing, new AI tools, and more

We’re thrilled to announce the latest major release of Magnet Axiom Cyber!

April 9, 2024 • About a 6 minute view
Blog

Blog

Magnet Axiom 8.0: new Mobile View, AI tools, memory analysis, and more

The latest major release of Magnet Axiom, version 8.0, is now available. 

April 9, 2024 • About a 5 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top