Add cloud evidence using recovered passwords and tokens

During a search, if AXIOM Process encounters tokens or passwords for a cloud account, it creates an artifact for them. From the Artifacts explorer in AXIOM Examine, you can use these passwords and tokens to open AXIOM Process and add a cloud evidence source. IMAP/POP email and Apple accounts can't be accessed using this method.

1. In AXIOM Examine, in the Artifacts explorer, browse to Cloud > Cloud passwords and tokens.
2. Right-click the password or token that you want to use and click Add new cloud evidence using passwords/tokens.
3. In AXIOM Process, confirm that you proper search authorization, as described in Sign in to a cloud account. A spinner appears while AXIOM Process attempts to access the account using the token or password you chose.
4. If the login is successful, select the services and sub-services that you want to acquire.
5. After the search starts, click Load new results in AXIOM Examine to view the results.

If the login attempts are unsuccessful, AXIOM Process notifies you that you've entered an incorrect password and does not proceed past the sign-in screen. An unsuccessful attempt can be due to one of the following reasons:

• The target changed their password
• The token expired