This course is ideal for those who require intermediate-level training with a digital investigation platform that covers cases involving smartphones, tablets, computers, and cloud data in a single collaborative interface. Students will gain a deep understanding of the benefits of Magnet AXIOM’s “artifact first” approach in optimizing investigative efficiency. This course is the perfect entry point for examiners who are new to AXIOM.
Magnet AXIOM Examinations (AX200) is an intermediate-level course designed for participants who are familiar with the principles of digital forensics and are seeking to use Magnet AXIOM for their investigations. At the conclusion of the four-day training course, participants will have the knowledge and skills they need to acquire forensic images from computers, tablets, smartphones, and cloud evidence; configure Magnet AXIOM Process to recover the most relevant artifacts; use Magnet AXIOM Examine to explore the evidence in greater depth, simplifying analysis activities by intuitively linking facts and data; and prepare key artifacts for collaboration with other stakeholders. Each module of instruction employs extensive scenario-based exercises to reinforce the learning objectives and further enhance the participant’s understanding of AXIOM’s functionality and its application within the forensic workflow.
Objectives of Magnet AXIOM Examinations
- Installation of AXIOM and its core components, AXIOM Process and AXIOM Examine
- Configuration of AXIOM Process for the optimal acquisition and processing of digital evidence, including the Single Stage Evidence Processing capabilities of AXIOM
- Identification and decryption of encrypted evidence images such as BitLocker-encrypted drives
- Analyzing case data in AXIOM Examine to focus on Artifact identification, extraction, further investigation, and validation
- Use of Magnet.AI to automatically categorize images into known categories to reduce the examiner’s time spent manually categorizing them
- Use of AXIOM Process to demonstrate basic iOS and Android imaging capabilities including the ingestion and examination of iOS and Android backups
- Utilization of hash sets, keywords, regular expressions, and filters to identify key artifacts
- Using Connections Explorer to automatically link artifacts to each other to better tell the story of the artifact and its existence on the suspect’s devices
- Utilize the functionality of AXIOM Process to leverage Project VIC and CAID files as well as PhotoDNA to categorize images automatically
- Navigation within the evidence set utilizing multiple Explorers within AXIOM including Case Dashboard, Artifact, File System, Registry, and Connections
- Using the Dynamic App Finder to discover SQLite databases and extract data from within and keep templates of those databases for use in future examinations
- Application of tags and comments to prepare case evidence for exporting and reporting
- Using AXIOM Examine’s visualization tools such as the timeline and world map views to emphasize the user’s behavior patterns
- Enhance participant understanding of key artifacts; their locations and formats; the user and system behaviors which created them; and the manner in which AXIOM recovers them
- Building intuitive reports and sharing and managing portable cases with stakeholders
Training Class Schedule
| Format | Location | Dates |
|---|---|---|
| Self-Paced Online (Spanish) | Online | Ongoing |
| Self-Paced Online (German) | Online | Ongoing |
| Classroom Instructor-Led | Cary, NC | November 27-30 |
| Classroom Instructor-Led | New York, NY (Law Enforcement Only) | December 18-21 |
| Virtual Instructor-Led | Online | Jan 15-18 |
| Classroom Instructor-Led | Wyboston, UK | Jan 15-18 |
| Classroom Instructor-Led | Herndon, VA | Jan 15-18 |
| Classroom Instructor-Led | Singapore | Jan 29-Feb 1 |
| Classroom Instructor-Led | Anaheim, CA | Feb 5-8 |
| Virtual Instructor-Led | Online (GMT) | Feb 12-15 |
| Classroom Instructor-Led | Las Vegas, NV | Feb 12-15 |
| Virtual Instructor-Led | Online | Feb 26-Mar 1 |
| Classroom Instructor-Led | Herndon, VA | March 5-8 |
| Classroom Instructor-Led | San Diego, CA | March 7-10 |
| Classroom Instructor-Led | Princes Risborough, UK | Mar 12-15 |
| Classroom Instructor-Led | Mexico City, MX | March 26-29 |
| Classroom Instructor-Led | Nashville, TN (Part of Magnet User Summit) | Mar 29-Apr 1 |
| Classroom Instructor-Led | Herndon, VA | Apr 9-12 |
| Virtual Instructor-Led | Online | Apr 9-12 |
| Classroom Instructor-Led | Anaheim, CA | April 23-26 |
| Classroom Instructor-Led | Princes Risborough, UK | April 23-26 |
| Classroom Instructor-Led | Herndon, VA | May 7-10 |
| Virtual Instructor-Led | Online | May 7-10 |
| Classroom Instructor-Led | Wyboston, UK | May 14-17 |
| Virtual Instructor-Led | Online (GMT) | May 21-24 |
| Classroom Instructor-Led | Oklahoma City, OK | May 21-24 |
| Classroom Instructor-Led | Myrtle Beach, SC | May 29-June 1 |
| Classroom Instructor-Led | Wyboston, UK | June 4-7 |
| Classroom Instructor-Led | Herndon, VA | June 11-14 |
| Virtual Instructor-Led | Online | June 18-21 |
AUTHORIZED TRAINING PARTNER SCHEDULE
Classroom Instructor-Led Training
| Location | Dates |
|---|---|
| Kandel, Germany | April 8-11 |
AXIOM Examinations Module Descriptions
Module 1: Introduction and Installation of Magnet AXIOM
In this introductory module, participants will be presented with the learning objectives and expected outcomes for the four-day training event, and all related course materials. The module will conclude with hands-on exercises during which participants will install Magnet AXIOM, and learn about its associated programmatic components, AXIOM Process and AXIOM Examine.
Module 2: Evidence Processing and Case Creation
This module of instruction will focus on the many features available in AXIOM Process. All settings in AXIOM Process will be discussed to ensure examiners are able to maximize the use and effectiveness of Magnet AXIOM during processing to decrease the processing time and increase effectiveness. Instructors will discuss and demonstrate the collection from different evidence sources such as computer-based media (hard disks, memory cards, USB devices), cloud data, and mobile devices. Students will take part in hands-on exercises focused on processing details such as adding keywords to search; the importance of selecting among the different encodings available for “All Content” searches (ASCII, Unicode…); hashing functionality; and the varying types of hash sets such as NSRL, Project VIC, and gold-build image hashes. During this exercise, students will also be shown the capabilities of setting options for each supported artifact, and how to turn off specific artifacts to speed the processing of evidence files. At the conclusion of this module, participants will have the knowledge and skills necessary to successfully acquire forensic images from various evidence sources; configure case-specific and global settings in AXIOM Process for the recovery of key artifacts; and create a case for analysis in AXIOM Examine. After the creation of the case, participants will be introduced to the AXIOM Examine interface.
Module 3, Part 1: Computer Artifact Analysis – Refined Results
The Refined Results Artifact Category of AXIOM Examine is designed to combine and refine recovered artifacts into specific subcategories for the most commonly sought-after items of evidence. Learning Magnet AXIOM’s artifact-first forensics approach is a major part of this lesson, and Refined Results plays a huge part in that. For example, most examiners at some point during a computer forensics examination will want to know what the subject searched for using Google, as Google is the most commonly used search engine. Refined Results contains an Artifact category aptly named Google Searches where all Google Searches, independent of the browser used, are categorized in one place for ease of use. This is one of the many uses of Refined Results. Creating Profiles of the suspect and victim on the individual items of evidence from the information recovered in the Refined Results Identifiers Artifact category will allow the examiner to search across multiple devices, cross-platform, to relate data from one piece of evidence to another. Students will also learn how to utilize the Artifact Reference to stay up to date on the new artifacts supported in new releases of AXIOM.
Module 3, Part 2: Computer Artifact Analysis – Chat Artifacts
Magnet AXIOM employs several different explorers that can be used in Magnet AXIOM Examine to view Artifacts and information within the case file in a much more efficient and expedient workflow. The five explorers (Dashboard, Artifact, File System, Registry, and Connections) are used to look at evidence associated with user and Skype-generated activities. Students will learn to configure search, as well as how to use the many AXIOM Examine filtering options and functionality to identify key artifacts from Chat file, folder, and database structures. Utilizing the built-in SQL viewer within AXIOM Examine, students will validate what artifacts are recovered from the Skype SQL database. Students will also use AXIOM Examine to rebuild chats into the conversation bubble view commonly used on mobile devices, which examiners and users are accustomed to. Students will also tag and comment on key artifacts in preparation for case reporting. Students will learn how to enable Magnet.AI to assist them in their investigations dealing with Chat classification.
Module 3, Part 3: Computer Artifact Analysis – Documents
In this module, students will gain an understanding of the differing views of documents, the metadata of files, and how to access AXIOM’s built-in capabilities as well as the Artifact Reference. Students will utilize Magnet AXIOM to save artifacts externally from AXIOM and learn the formats used by the export functionality. Students will explore the ability to maximize the filtering, sorting and search potential of documents via the filters bar and metadata searches using AXIOM. Utilizing a stacked filter approach will allow students to separate the huge amount of data found within evidence files from the actual data being sought. Also in this module, students will be exposed to and learn about the Connections explorer and how the utilization of Connections will help them visualize how artifacts are connected to one another. Connections will also help examiners connect key pieces of evidence together to tell the entire story of who, what, when, where, and how the suspect artifacts came to be on the system and whether the artifacts were distributed through cloud storage, email, or chat.
Module 3, Part 4: Computer Artifact Analysis – Email
In this lesson students will learn how to recover emails and email attachments from mail clients. This lesson focuses on how to review, sort, filter and tag emails, as well as search through their transport message headers and their attachments to retrieve valuable information pertaining to the investigation. At the conclusion of this lesson, students will gain an understanding of source linking as it relates to emails and understand the results found in the Details and Content cards of AXIOM. Finally, students will discover the ease of the export functionality to export email artifacts and their attachments into numerous formats supported by AXIOM Examine.
Module 3, Part 5: Computer Artifact Analysis – Media
This lesson covers image and video artifacts and how the differing views of Magnet AXIOM make it easy to review these items. Students will be introduced to AXIOM’s filmstrip view for videos and thumbnail view for images. Students will also learn about EXIF data and how sorting and filtering the EXIF data, including geolocation information, camera make, model, and serial number, will allow them to categorize images together in an expedient and efficient manner in preparation for writing a final report. During this lesson, students will also learn how to maximize the use of Magnet.AI to automatically categorize images, using the power of the CPU and GPU, into multiple categories including possible nudity, possible weapons-related content, possible drugs-related content, and possible child abuse content.
Module 3, Part 6: Computer Artifact Analysis – Encryption/Anti-Forensics
Students will learn the importance of looking for encryption and anti-forensics tools and how AXIOM categorizes those artifacts into a specific artifact category, enabling the examiner to quickly identify if either category of software is being employed on the suspect media. At the conclusion of this lesson, students will be able to track an encryption program from installation and activation, to use on the suspect system and the timeline associated with each.
Module 3, Part 7: Computer Artifact Analysis – Web Related
During this lesson, students will learn how the most popular browsers store items like Internet history, favorites and bookmarks, and how each one stores information in its respective databases. Chrome, Firefox, Internet Explorer, Edge, Opera and Apple Safari store artifacts differently, and being able to track and recover artifacts from the web browsers to correlate the information discussed in previous lessons is paramount to solving cases. Students will also learn how Google Analytics First Visit, Referral and Session Cookies can be used to track how the user arrived at a website, when they first visited that website, and what they did while they were there. Webcache will be used in this lesson to rebuild webpages of interest to the student. Autofill information will also be examined in this lesson to glean information that was typed in and saved by the user.
Module 3, Part 8: Computer Artifact Analysis – Operating System Artifacts
The Computer Artifact Analysis section of the course is composed of several modules, each of which focuses on a specific set of key artifacts most commonly encountered during the analysis of computer evidence recovered from the Windows Registry. The Registry Explorer will be utilized to validate artifacts recovered from the registry and populated in the Operating System Artifact Category. Investigation and tracking of USB devices, Jump Lists, Prefetch files, LNK Files, Windows Notification Center, Operating System Information, Shellbags, Timezone Information, User Accounts, User Assist, Virtual Machines, and Windows Event Logs are all a part of this lesson, as is how the data correlate with each other to tell a story of computer usage and put a person behind the computer while the nefarious acts took place. Mobile Device Operating System artifacts will be discussed and examined as an introduction to Module 4: Mobile Artifact Analysis.
Module 4: Mobile Artifact Analysis
The Mobile Artifacts Analysis lesson is comprised of two parts, one focusing on iPhone artifacts, and the second focusing on Android artifacts. Participants will explore smartphone evidence, parsed by Magnet AXIOM, from each operating system. In addition, the modules will explore the device file systems and structures to recover additional information, including device owner information; third-party application data; core operating system data; Internet browser data; and more. The hands-on exercise will also work through AXIOM’s Dynamic App Finder so that examiners who are conducting mobile device examinations can look for SQL databases belonging to apps currently unsupported by AXIOM in the core product and produce them as an artifact within AXIOM Examine, thereby supporting mobile apps which are new. Scenario-based instructor-led and student practical exercises will be used to demonstrate the navigation, searching, filtering, and tagging features in AXIOM, and reinforce the learning objectives.
Module 5: Evidence in the Cloud
With the proliferation of cloud storage and the acceptance of it in both the corporate environment and the home-user environment, it is important for all examiners to understand the artifacts that remain on the cloud, which may not be stored on local media. This module will discuss discovering cloud artifacts and the capabilities of AXIOM with respect to cloud collection and examination. Being able to combine data from computers, mobile devices, and the cloud into one case, and to utilize the power of AXIOM to correlate that data in case it is in multiple places on a suspect’s many devices, could prove to be the catalyst in solving an investigation.
Module 6: Reporting
In this final instructional module of the course, participants will explore the various exporting and reporting features available within AXIOM Examine used for the presentation of case evidence and collaboration with other investigative stakeholders. Through the scenario-based instructor-led and student practical exercises, participants will learn how to manage the exporting of artifacts; produce and merge portable cases; and create a final investigative case report which is easily interpreted by both technical and non-technical recipients.
Module 7: Cumulative Review Exercises
Throughout the four-day training event, instructor-led and student practical exercises are used to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize Magnet AXIOM in their investigative workflow. To further reinforce the instructional goals of the course, students are presented with a final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the previous modules.