Investigations don’t follow straight or narrow lines, so neither should the workflow of your tools.
We’ve taken the next step to improve the keyword search experience in Magnet AXIOM and Magnet AXIOM Cyber. We’re now supporting the ability to search for additional keywords in “all content” after evidence sources have been processed and added to a case, recouping significant time that would have been spent duplicating investigative efforts and reprocessing cases to apply newly discovered keywords to the examination.
Flexibility is Key
Even though searching artifacts by keyword in a processed image was quick and easy in previous versions of AXIOM, fragments of valuable data containing keywords are hidden beyond the reach of artifacts, so we’ve introduced keyword post-processing to mirror the investigative process.
Searching Byte for Byte
When performing an “all content” keyword search in AXIOM, a byte for byte search of data in the specified encoding type is performed. Prior to the release of AXIOM 5.0, this had to be accomplished at the outset of a case in AXIOM Process due to the intensive nature of the search itself. As a result, performing an “all content” keyword search after a case had been processed effectively took the form of reprocessing any evidence sources that you wanted to perform the keyword search on (see the note below for more detail).
The challenge when having to reprocess images with new keywords was that the now reprocessed image would be added into the case as a net-new evidence source, effectively erasing the investigatory work, such as tags or comments that were added to the case by the examiner, that had already been completed. In this workflow, case reprocessing was at odds with the investigatory process.
With AXIOM 5.0, we’ve updated the workflow to support “all content” byte for byte searches after cases have already been processed.
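To show what a byte for byte search in a specified encoding involves, here is an added Python sketch; it is not AXIOM's implementation or code from Magnet Forensics. The function names, the keyword and the sample bytes are constructed for illustration. It streams the data in chunks, keeps an overlap so a keyword split across a chunk boundary is still found, and reports which encoding matched.

```python
import io

def encode_keywords(keywords, encodings):
    """Map each (keyword, encoding) pair to the raw byte pattern to look for."""
    return {(kw, enc): kw.encode(enc)
            for kw in keywords if kw
            for enc in encodings}

def search_all_content(stream, keywords, encodings=("utf-8", "utf-16-le"),
                       chunk_size=1 << 20):
    """Return sorted (absolute_offset, keyword, encoding) hits in a byte stream."""
    patterns = encode_keywords(keywords, encodings)
    if not patterns:
        return []
    # Carry over enough bytes that a pattern straddling two chunks stays whole.
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()   # a set, because a hit inside the overlap is seen twice
    tail = b""
    base = 0       # absolute offset of the first byte of `buf`
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for (kw, enc), pat in patterns.items():
            pos = buf.find(pat)
            while pos != -1:
                hits.add((base + pos, kw, enc))
                pos = buf.find(pat, pos + 1)
        tail = buf[-overlap:] if overlap else b""
        base += len(buf) - len(tail)
    return sorted(hits)

# Constructed sample: the same keyword stored once as UTF-8 and once as
# UTF-16LE, surrounded by filler bytes (stands in for raw evidence data).
KEYWORD = "acct 4471"
SAMPLE = (b"\xff" * 5 + KEYWORD.encode("utf-8") + b"\x00" * 7
          + KEYWORD.encode("utf-16-le") + b"\xff" * 3)

def demo(encodings, chunk_size=8):
    """Search the sample with a tiny chunk size to force boundary splits."""
    return search_all_content(io.BytesIO(SAMPLE), [KEYWORD], encodings,
                              chunk_size)

if __name__ == "__main__":
    for offset, kw, enc in demo(("utf-8", "utf-16-le")):
        print(f"offset {offset}: {kw!r} as {enc}")
```

Searching the same sample with only `utf-8` selected misses the UTF-16LE copy, which is why the encoding choice matters for this kind of search.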
Adding Keywords is Simple
Now adding keywords to a case is simple: select the “Process” menu in AXIOM Examine, then “Add keywords to case”, select the search type you would like to perform, the specific evidence sources to search, and then update the .txt or .kws file, or manually type in the new keywords.
The major benefit is that you are no longer limited to keyword searches up front. You can now uncover evidence, and then use the new information to do a deeper, more targeted dive into the case, while narrowing the scope of the investigation.
Perform “all content” searches at any time during an investigation with updated keywords, while preserving the work that has already been completed on the case. The updated workflow enables a more targeted approach to be taken, without sacrificing time that would be lost to reprocessing and duplicating efforts. An “all content” keyword search, however, is still a byte by byte search, so it does still take time to carve through a source’s data.
Search with Keywords at Any Time with AXIOM 5.0
When we set out to improve the workflow to mirror the investigative process, we meant to deliver on that, to save examiners time and effort while uncovering critical evidence.
You can upgrade to AXIOM & AXIOM Cyber 5.0 within AXIOM & AXIOM Cyber or over at the Customer Portal.
If you haven’t tried AXIOM or AXIOM Cyber yet, request a free trial here.