Please enjoy this blog post from James (Jay) Brown, Senior Manager, Data Forensics, Digital Mountain, Inc.
Are you looking for alternative digital forensic tools for your forensic toolbox? Over the last decade, many types of forensic software have surfaced to either augment or replace traditional forensics tools such as EnCase or FTK. One worth exploring is Magnet Forensics’ product Axiom. Axiom may be a new name to many, but this program is a refined development of forensic software formerly known as Internet Evidence Finder (IEF). This article addresses Axiom’s capabilities and reporting functions and how it may bring relevant data to the attention of forensic examiners, litigation support professionals, case teams, and/or clients.
Internet Evidence Finder was introduced over a decade ago to address a gap in the market: searching for and recovering evidence from web and online usage. This program was initially incredibly useful to the law enforcement community in hunting for evidence in cases where criminals took advantage of the internet. Magnet Forensics’ official launch in 2011 paved the way for Internet Evidence Finder to evolve into Axiom, a full-featured digital forensics product competing directly with traditional computer forensics tools.
Axiom’s basic version allows the user to analyze data from most traditional electronic devices along with a selection of cloud-based applications. The Axiom Cyber add-on is well-suited for root cause analysis in Incident Response cases as well as Human Resources and Insider Threat investigations. There is a third add-on, available only to law enforcement, that facilitates the interaction of Axiom and a product called GrayKey, made by Grayshift, which extracts encrypted or inaccessible data from mobile devices.
Traditional digital forensic software suites are adept at parsing information and presenting the data in a way that lets computer forensics examiners interpret the findings. Axiom, continuing with its traditional roots, pre-classifies the data into many different categories such as Web-Related, Chat, Social Networking, Email, etc. This can be a tremendous time saver, as examiners can focus on just the artifacts that are pertinent to the case.
Connections is one of Axiom’s time-saving features. It assists examiners by visually displaying how a file is linked to other files and devices in a case. For many IP theft and data exfiltration cases, having Axiom automatically take the attributes of the file in question and show its relationships to other files and devices in the case is more efficient than having the forensic examiner piece this together themselves. This feature can potentially show where the file originated, where it may have been moved, whether it was altered, and on what devices it now resides. Where there are multiple devices in the mix and tracing the file path information is important, establishing those connections quickly and easily is a priority.
Once the data has been analyzed, Axiom provides a multitude of formats to export the relevant data. The data can be exported to spreadsheets, PDFs, HTML, and other outputs. As an alternative to these traditional exports, Axiom also offers a portable case. If there is a person on the case team who feels comfortable with data within a forensic tool, Axiom provides a method to export the relevant data in a portable version of the tool. This is ideal for cases where the case team wishes to search through the data independently.
With increased flexibility and functionality broadening the range of work that it can handle, Magnet Forensics’ Axiom has matured into a well-rounded forensic software suite. This, combined with the assistance that it provides the examiner and the multitude of ways to export the relevant findings, makes it worthy of consideration as part of a tool chest for forensic analysis.