Magnet AXIOM Examinations
What You’ll Learn
This course is ideal for those who require intermediate-level training with a digital investigation platform that covers cases involving smartphones, tablets, computers, and cloud data in a single collaborative interface. This course is the perfect entry point for examiners who are new to AXIOM.
AX200 follows a methodology of how to conduct a computer forensic examination taking an artifact-first approach. Students will learn how to conduct a computer forensic examination of the suspected media, including a computer, USB drive, iOS and Android device. The artifacts recovered will lead the examiner/student to solve the case determining who, what , when, where, why, and how the suspects committed the crime and in the process learn the functionality of each of the six explorers (Case Dashboard, Artifacts, Connections, File System, Registry and Timeline) and how to maximize the use of each explorer to bring about a factual conclusion to the investigation.
Introduction and Installation of Magnet AXIOM
- Learning objectives will be presented along with expected outcomes over the course’s four days.
- Hands-on exercises will allow you to install Magnet AXIOM and learn about its associated programmatic components: AXIOM Process and AXIOM Examine.
Evidence Processing and Case Creation
- All settings in AXIOM Process will be discussed to ensure the use and effectiveness of Magnet AXIOM are maximized during processing — all while decreasing processing time and increasing effectiveness.
- Collection from different evidence sources such as computer-based media (hard disks, memory cards, USB devices), cloud data, and mobile devices will be discussed and demonstrated.
- Hands-on exercises will focus around processing details such as adding keywords to search and the importance of selecting the different encoding available for “All Content” searches (ASCII, Unicode…), hashing functionality and the varying types of hash sets such as NSRL, Project VIC, and gold-build image hashes. During this exercise, students will also be shown the capabilities of setting options for each supported artifact, and how to turn off specific artifacts to speed the processing of evidence files.
- At the conclusion of this module, students will be able to successfully acquire forensic images from various evidence sources; configure case-specific and global settings in AXIOM Process for the recovery of key artifacts; and, create a case for analysis in AXIOM Examine.
Part 1: Computer Artifact Analysis – Refined Results
- The Refined Results Artifact Category of AXIOM Examine is defined to combine and refine artifacts recovered into specific subcategories of artifacts for most commonly sought-after items of evidence.
- Learning Magnet AXIOM’s artifact-first forensics approach is a major part of this lesson and refined results plays a huge part of that. For example, most examiners at some point during a computer forensics examination will want to know what the subject searched for using Google, as Google is the most commonly used search engine. Refined Results contains an Artifact category aptly named Google Searches where all Google Searches, independent of the browser used, are categorized in one place for ease of use.
- Creating Profiles of the suspect and victim on the individual items of evidence from the information recovered in the Refined Results “Identifiers Artifact” category will allow the examiner to search across multiple devices cross platform to retrieve data related from one piece of evidence to another.
- Utilize the Artifact Reference to continue to keep updated on the new artifacts supported within new releases of AXIOM.
Part 2: Computer Artifact Analysis – Chat Artifacts
- Magnet AXIOM employs several different explorers that can be used in Magnet AXIOM Examine to view Artifacts and information within the casefile in a much more efficient and expedient workflow. The Dashboard, Artifact, File System, Registry, and Connections explorers are utilized to look at evidence associated with user and Skype-generated activities.
- Configure search, as well as how to use the many AXIOM Examine filtering options and functionality to identify key artifacts from Chat file, folder, and database structures. Utilizing the built-in SQL viewer within AXIOM Examine, students will validate what artifacts are recovered from the Skype SQL database.
- AXIOM Examine will be used to rebuild chats into a conversation bubble view commonly used on mobile devices which examiners and users are accustomed to.
- Also learn how to tag and comment on key artifacts in preparation for case reporting and how to enable Magnet.AI to assist them in their investigations dealing with Chat classification.
Part 3: Computer Artifact Analysis – Documents
- Gain an understanding of the differing views of documents, the metadata of files, and how to access AXIOM’s built-in capabilities as well as the Artifact reference. Utilize Magnet AXIOM to save artifacts externally from AXIOM and the formats used during the export functionality.
- Explore the ability to maximize the filtering, sorting and search potential of documents via the filters bar and metadata searches using AXIOM. Utilizing a stacked filter approach will allow the separation of a huge amount of data found within evidence files from the actual data being sought after.
- Learn about the Connections explorer and how the utilization of Connections will help visualize how artifacts are connected to one another. Connections will also help examiners connect key pieces of evidence together to tell the entire story of who, what, when, where, and how the suspect artifacts came to be on the system and if the artifacts were distributed through cloud storage, email, or chat.
Part 4: Computer Artifact Analysis – Email
- Learn how to recover emails and email attachments from mail clients.
- Review, sort, filter and tag emails, as well as search through their transport message headers and their attachments to retrieve valuable information pertaining to the investigation.
- Gain an understanding of source linking as it relates to emails and understand the results found in the Details and Content cards of AXIOM.
- Finally, students will discover the ease of the export functionality to export email artifacts and their attachments into numerous formats supported by AXIOM Examine.
Part 5: Computer Artifact Analysis – Media
- Learn about image and video artifacts and how the differing views of Magnet AXIOM make it easy to review them.
- AXIOM’s filmstrip view concerning videos and thumbnail view for images will be introduced.
- EXIF data and how the sorting and filtering of the EXIF data including geolocation information, camera make, model, and serial number will be explained to allow for the categorization of images in an expedient and efficient manner in preparation for writing a final report.
- Maximize the use of Magent.AI to automatically categorize images using the power of the CPU and GPU into multiple categories including: possible nudity, weapons-related content, drugs-related content, and child abuse content.
Part 6: Computer Artifact Analysis – Encryption/Anti-Forensics
- Understand the importance of looking for encryption and anti-forensics tools and how AXIOM categorizes those artifacts into a specific artifact category, enabling a quick identification if either category of software is being employed on the suspect media.
- Track an encryption program from installation and activation, to use on the suspect system and the timeline associated with each.
Part 7: Computer Artifact Analysis – Web Related
- Learn how the most popular browsers store items like internet history, favorites and bookmarks, and how each one stores information in their respective databases. Chrome, Firefox, Internet Explorer, Edge, Opera and Apple Safari store artifacts differently and being able to track and recover artifacts from the web browsers to correlate the information discussed in previous lessons is paramount to solving cases.
- Google Analytics First Visit, Referral and Session Cookies will also be explored since they track the user’s activity of how they arrived at a website, when they first visited that website, and what they did while they were there.
- Webcache will be used in this lesson to rebuild webpages of interest to the student. Autofill information will also be examined in this lesson to glean information that was typed in and saved by the user.
Part 8: Computer Artifact Analysis – Operating System Artifacts
- Consisting of several modules, each of which will focus on a specific set of key artifacts most commonly encountered during the analysis of computer evidence recovered from the Windows Registry.
- The Registry Explorer will be utilized to validate artifacts recovered from the registry and populated in the Operating System Artifact Category.
- Investigation and tracking of USB devices, Jump Lists, Prefetch files, LNK Files, Windows Notification Center, Operating System Information, Shellbags, Timezone Information, User Accounts, User Assist, Virtual Machines, and Windows Event Logs are all a part of this lesson and how the data correlates with each other to tell a story of computer usage and put a person behind the computer while the nefarious acts took place.
Mobile Artifact Analysis
- This module is comprised of two parts: iPhone artifacts and Android artifacts.
- Explore smartphone evidence, parsed by Magnet AXIOM, from each operating system.
- Learn about device file systems and structures to recover additional information, including device owner information; third party application data; core operating system data; internet browser data; and more.
- The hands-on exercise will also work through AXIOM’s Dynamic App Finder so that examiners who are conducting mobile device examinations can look for SQL databases belonging to apps currently unsupported by AXIOM in the core product, to produce them as an artifact within AXIOM Examine, thereby supporting mobile apps which are new.
- Scenario-based instructor-led, and student practical exercises will be used to demonstrate the navigation, searching, filtering, and tagging features in AXIOM, and reinforce the learning objectives.
Evidence in the Cloud
- With the proliferation of cloud storage and the acceptance of it in both the corporate environment as well as the home-user environment, it is important for all examiners to understand the artifacts that remain on the cloud, which may not be stored on local media.
- Discovering cloud artifacts and putting together what the capabilities of AXIOM are in reference to cloud collection and examination will be discussed.
- Being able to combine data from computers, mobile devices, and the cloud into one case and to utilize the power of AXIOM to correlate that data in case it is in multiple places on a suspect’s many devices could prove to be the catalyst in solving an investigation.
- Explore the various exporting and reporting features available within AXIOM Examine used for the presentation of case evidence and collaboration with other investigative stakeholders.
- Through the scenario-based instructor-led, and student practical exercises, learn how to manage the exporting of artifacts; produce and merge portable cases; and create a final investigative case report which is easily interpreted by both technical and non-technical recipients.
Cumulative Review Exercises
- A final scenario-based practical exercise will be administered, which represents a cumulative review of the exercises conducted in each of the previous modules.
Try The Training Annual Pass (TAP)
TAP lets you pay once, but train continuously. For $4,995 USD (less than the cost of two courses), you can attend any class at any time throughout the following 12 months.
|Online Self-Paced (Spanish)||Online||Ongoing|
|Online Self-Paced (German)||Online||Ongoing|
|Virtual Instructor-Led||Online||May 7-10|
|Classroom Instructor-Led||Wyboston, UK||May 14-17|
|Virtual Instructor-Led||Online (GMT)||May 21-24|
|Classroom Instructor-Led||Myrtle Beach, SC||May 29-June 1|
|Classroom Instructor-Led||Wyboston, UK||June 4-7|
|Classroom Instructor-Led||Herndon, VA||June 11-14|
|Virtual Instructor-Led||Online||June 18-21|
|Virtual Instructor-Led||Online||Aug 6-9|
|Classroom Instructor-Led||San Francisco, CA||Aug 27-30|
|Classroom Instructor-Led||Herndon, VA||Sept 3-6|
|Virtual Instructor-Led||Online||Sept 17-20|
|Classroom Instructor-Led||Wyboston, UK||Sept 24-27|
|Classroom Instructor-Led||Madrid, Spain||Oct 1-4|
|Classroom Instructor-Led||Herndon, VA||Oct 8-11|
|Classroom Instructor-Led||Atlanta, GA||Oct 8-11|
|Virtual Instructor-Led||Online||Oct 29-Nov 1|
|Classroom Instructor-Led||Andover, MN||Oct 29-Nov 1|
|Classroom Instructor-Led||Kista, Sweden||Oct 29-Nov 1|
|Classroom Instructor-Led||Herndon, VA||Nov 19-22|
|Classroom Instructor-Led||Princes Risborough, UK||Dec 3-6|
Authorized Training Partner Schedule
|On-Site||Kandel, Germany||mh Service GmbH||April 8-11|
Once you have completed AX200, you are eligible to obtain Magnet Certified Forensics Examiner (MCFE) AXIOM certification. Visit the Certification page and follow the necessary steps to apply to take the free certification exam.
If you want to continue diving deeper into digital forensics, you can take more courses to learn more about Advanced Computer Forensics (AX250), Advanced Mobile Forensics (AX300), and Incident Response Examinations (AX310).
Frequently Asked Questions
What do I need to bring?
Computer needs will be determined by class, but otherwise, it’s a classroom like any other, so bring in something to take notes on, water, lunch, etc.
How many students are in a classroom?
It can vary wildly depending on location and topic. Check out our registration page to find out how many seats are available per class.
Can I get custom training for my organization?
Yes! Simply contact us and let us know the details of who would be receiving the training and what topic you would like addressed. We’ll follow up with more details.
What materials will I receive in the course?
You will receive an course manual which you can keep and refer to long after the course has been completed.
Are all courses available with TAP?
Yes. If you’ve purchased a TAP, you can take any course, any time, no matter if it’s in-person, online, or online self-paced.