Getting Started with Magnet AXIOM Examine - Search and Filters
Summary
TLDR: In this Magnet Forensics tutorial, Jimmy McQuaid introduces viewers to the powerful search and filtering capabilities of Magnet Axiom. He demonstrates how to apply global and column filters to streamline case analysis, highlighting the tool's unique ability to separate and filter date and time stamps. The video also covers keyword searches across various data types, showcasing the speed and efficiency of Axiom's indexed search feature. McQuaid concludes with a quick guide on setting up keyword lists for both pre- and post-processing stages.
Takeaways
- 🔍 The video is a tutorial on using Magnet Axiom, focusing on searching and filtering evidence within a case.
- 📊 Filters in Axiom are categorized into global filters and column filters, each serving different scopes within the case.
- 🔎 Column filters are applied within specific artifacts and columns, allowing for targeted searches based on column content.
- 🗂️ Global filters apply across the entire case, not limited to a single artifact or column, and include evidence sources, artifacts, and content types.
- ⏰ A unique feature of Axiom is the separation of date and time in filters, enabling more precise searches based on these parameters.
- 📅 The video demonstrates how to filter evidence based on business hours, such as Monday to Friday, 9:00 AM to 5:00 PM.
- 🔑 Keyword searches can be performed quickly due to indexing during the processing of artifacts, which speeds up the search without a full disk index.
- 📚 The tutorial shows how to apply multiple filters and keyword searches simultaneously, narrowing down the evidence efficiently.
- 🖥️ Axiom allows for keyword searches and filtering on the file system and registry, with options for recursive searches in folders.
- 🔑 The video explains how to use keyword lists for advanced searching, including the ability to combine multiple lists for 'OR' searches.
- 🛠️ The tutorial concludes with a reminder that keyword lists can be set up during or after processing, enhancing the search capabilities in Axiom.
Q & A
What is the main focus of the video by Jimmy McQuaid from Magnet Forensics?
-The main focus of the video is to help users get started with Magnet Axiom, specifically discussing searching and filtering in AXIOM Examine.
What are the two main categories of filters mentioned in the video?
-The two main categories of filters mentioned are global filters and column filters.
How does the column filter work in AXIOM Examine?
-The column filter allows users to filter data within a specific artifact and column by right-clicking and applying a search term to that column.
What is a global filter in the context of Magnet Axiom?
-A global filter in Magnet Axiom applies to the entire case, not just a specific artifact or column, and can filter based on evidence, artifacts, content types, and other case-wide criteria.
How does Magnet Axiom handle date and time filtering?
-Magnet Axiom splits up the date and time and stores them separately, allowing users to filter with the date or time independently, which is unique compared to most tools.
What is the benefit of filtering by 'business hours' in a case?
-Filtering by 'business hours' allows users to focus on data relevant to specific time periods, such as weekdays from 9:00 to 5:00, which can be particularly useful in corporate cases or understanding user activity during typical working hours.
How can users apply multiple filters in Magnet Axiom?
-Users can stack filters by applying them one after another, with each additional filter narrowing down the results based on the previous filters, effectively applying an 'and' operation between them.
What is the significance of indexing during the processing in Magnet Axiom?
-Indexing during the processing in Magnet Axiom allows for quick keyword searches by indexing all artifacts, which adds minimal overhead but significantly speeds up the search process compared to a full disk index.
How can users perform keyword searches on the file system and registry in AXIOM Examine?
-Users can perform keyword searches on the file system and registry by navigating to those sections and using the search term feature, with the option to conduct a recursive search across all subfolders for a more comprehensive result.
What is the purpose of using keyword lists in Magnet Axiom?
-Keyword lists in Magnet Axiom allow users to import and search for multiple keywords simultaneously, which can be particularly useful for targeted investigations or when specific terms need to be flagged or analyzed.
How does the quick search feature differ from a keyword list search in Magnet Axiom?
-The quick search feature in Magnet Axiom adds an 'and' operator between keywords, while keyword list searches treat each keyword as an 'or' search, allowing for broader or more specific searches depending on the user's needs.
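To make the filter semantics described in the Q&A concrete, here is an added Python example (not Magnet's code and not from the video) that models the behaviour on a constructed set of artifact records: each timestamp is split into a date and a time so a weekday/business-hours filter can be applied, stacked filters are combined with AND, quick-search terms are ANDed, and keyword-list terms are ORed. The artifact names, texts and timestamps are constructed sample data.

```python
from datetime import datetime, time

# Constructed sample artifacts (not the video's case): one record per parsed artifact.
ARTIFACTS = [
    {"artifact": "Google Searches", "text": "how to export contacts", "ts": "2023-05-08T10:15:00"},  # Mon 10:15
    {"artifact": "Google Searches", "text": "weather tomorrow",       "ts": "2023-05-08T22:30:00"},  # Mon 22:30
    {"artifact": "Email",           "text": "how to break it",        "ts": "2023-05-10T16:59:00"},  # Wed 16:59
    {"artifact": "Safari",          "text": "How To Reset Password",  "ts": "2023-05-13T11:00:00"},  # Sat 11:00
    {"artifact": "Chats",           "text": "lunch at noon?",         "ts": "2023-05-12T09:00:00"},  # Fri 09:00
]

WEEKDAYS = {0, 1, 2, 3, 4}  # datetime.weekday(): 0 = Monday ... 4 = Friday


def split_timestamp(ts):
    """Keep the date and the time as separate fields (the behaviour the video
    attributes to AXIOM) so each can be filtered independently."""
    dt = datetime.fromisoformat(ts)
    return dt.date(), dt.time()


def business_hours(days=WEEKDAYS, start=time(9, 0), end=time(17, 0)):
    """Date/time filter: weekday must be in `days` AND time of day within [start, end]."""
    def pred(record):
        d, t = split_timestamp(record["ts"])
        return d.weekday() in days and start <= t <= end
    return pred


def quick_search(*terms):
    """Quick search: every term must appear in the record (AND), case-insensitive."""
    def pred(record):
        text = record["text"].lower()
        return all(term.lower() in text for term in terms)
    return pred


def keyword_list(*terms):
    """Keyword list: any term may appear in the record (OR), case-insensitive."""
    def pred(record):
        text = record["text"].lower()
        return any(term.lower() in text for term in terms)
    return pred


def apply_filters(records, *predicates):
    """Stacked filters are ANDed: a record survives only if every predicate passes."""
    return [r for r in records if all(p(r) for p in predicates)]


if __name__ == "__main__":
    # Business hours stacked with a quick search for "how to", as in the video
    for r in apply_filters(ARTIFACTS, business_hours(), quick_search("how to")):
        print(f'{r["artifact"]:16} {r["ts"]}  {r["text"]}')
```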
Outlines
🔍 Introduction to Searching and Filtering in Magnet Axiom
Jimmy McQuaid from Magnet Forensics introduces a tutorial video on using Magnet Axiom, focusing on searching and filtering functionalities. The video demonstrates how to apply filters to evidence items within a case. Filters are categorized into global filters, which apply to the entire case, and column filters, which are specific to individual artifacts and columns. The tutorial shows how to use column filters to search for specific terms like 'how to' within Google searches and how to apply date/time filters to narrow down evidence based on timestamps. The video also explains how global filters can be used to filter evidence by source, artifacts, content types, and other criteria. A unique feature of Magnet Axiom is its ability to separate date and time in filters, allowing for more precise queries, such as filtering for business hours on weekdays.
🚀 Advanced Filtering and Keyword Searches in Magnet Axiom
This section of the video script delves into advanced filtering techniques and keyword searches within Magnet Axiom. It highlights the speed of keyword searches due to the indexing of artifacts during the processing stage, which is efficient and quicker than a full disk index. The video shows how to apply filters and keyword searches to various data types, including documents, emails, and chats. It also discusses the use of keyword lists for complex searches and the ability to stack filters for more refined results. Additionally, the script covers how to conduct keyword searches on the file system and registry, with options for recursive searches and the use of the F3 key to navigate between keyword hits. The video concludes with a brief mention of setting up keyword lists during processing and a thank you note to viewers.
Keywords
💡Magnet Axiom
💡Global Filters
💡Column Filters
💡Artifacts
💡Date/Time Filtering
💡Keyword Searches
💡Indexing
💡File System
💡Registry
💡Keyword Lists
💡Evidence
Highlights
Introduction to Magnet Axiom and its capabilities for searching and filtering in digital forensics.
Explanation of global filters and their application across the entire case.
Demonstration of column filters within individual artifacts.
Tutorial on applying filters to specific columns such as search terms and date/time.
Example of filtering Google searches for the term 'how to'.
Discussion on the flexibility of column filters to accommodate different data types.
Overview of global filters including evidence, artifacts, and content types.
Unique feature of Axiom's date and time filtering, allowing separate date and time ranges.
Practical example of filtering for business hours to narrow down case evidence.
Capability to stack filters for more precise searching within a case.
Quick keyword search demonstration across various types of evidence.
Highlighting of search results within documents and emails for the keyword 'how to'.
Efficiency of Axiom's indexing during processing for fast keyword searching.
Introduction to keyword lists and their use in advanced searches.
Guide on conducting keyword searches in the file system and registry.
Use of the F3 key to navigate between multiple keyword hits in a search.
Setting up keyword lists during or after processing for enhanced searching.
Conclusion and thanks for watching the tutorial on Magnet Axiom.
Transcripts
Hello everyone, my name is Jimmy McQuaid from Magnet Forensics, and today we've got another video to help you get started with Magnet AXIOM. In this video we're gonna talk about searching and filtering in AXIOM Examine. So I've got a case already up here ready to go: AXIOM Examine is open with a case, a bunch of evidence items, and we're gonna talk about searching and filtering. Now you can break down our filters into two main categories: global filters, which are up here across the top, and column filters, which are inside each artifact and apply to each column.

So column filters are pretty straightforward. We're in the Google Searches artifact here; you could filter on any of these columns by right-clicking. This is for the search term: I can say filter on column and I can apply that search term. So I'm gonna use maybe the words "how to", because I think there's a bunch of searches for "how to", and we can see it applies a filter on just the "how to", so you get hits for "how to" in all the Google searches. Now these are specific to the single artifact, for that single column, and you can continue to add other filters, and those filters are specific to the content in each column. So the search term obviously is a string; the date/time is a timestamp, so if I filter on that it'll allow you to set a date and time range. So depending on what type of data is in each column or each field, you can filter independent of that. So that's how the column filters work, and if I remove that you can see it goes back to the full set and we're back to square one again.

Now the global filters are similar, but they apply to the entire case: not just Google searches, not just the specific column, it applies to everything. So the first one, evidence, this is pretty obvious: it'll filter on the source evidence, and as you can see in this case I have a whole bunch of evidence sources loaded into this one: a Windows 10 computer, a Samsung J7 phone, a RAM capture for the computer, a USB device and an iPhone. So I could filter on any one of these very easily. You could also filter on the artifacts, either by category or individual artifacts, or you could do it by content types. These are common things like URLs, anything that has a user ID, name, picture, video or anything like that, even items that are accessible or inaccessible by the users. That's dictated based on the source: so if the user can access it natively through Windows, it's accessible; if they can't access it, if it's deleted or we had to do something special forensically to get to it, it's inaccessible, still on the computer but inaccessible to the native viewer. They might have deleted it and it's in unallocated space or something like that.

My favorite: date and time. So you can filter on the date and time, and AXIOM's really nice and unique in the way that, with most tools, when you parse out timestamps the date and time is stored together. AXIOM, when it processes it, splits up the date and time and stores them separately, so you can actually do filters with the date or time independent of each other. So where with most tools you can sit there and say show me everything 7:00 to 10:00 p.m. last night, great, you can do that with AXIOM, but with this you can actually filter out and say show me based on a schedule. Maybe it's a corporate case and you want to say, OK, I only care what he was doing at work, or if you know your user's schedule or anything like that. So I can create a filter like this one and say go to weekdays only, Monday to Friday, and if I go down I can choose, you can customize the time range, but you can say business hours 9:00 to 5:00, and you can specify anything you want, but we'll just use the default one there and hit go. And now this will actually filter out everything in the case, and now we're down to, if I look at everything, 31,000 artifacts or so. That's 31,000 out of 416,000, so there's only 31,000 that have timestamps Monday to Friday 9:00 to 5:00, and you can see the filters applied across the top there, which is great.

And you can continue to add other filters: you can filter based on tags you might have applied before, any profiles you built out, results, keywords (if you added a keyword list you can filter on the keyword lists), skin tone filter for pictures, or media categorization, so if you're doing child exploitation cases that have media categorizations already applied you can filter on those as well. But you can stack these filters as well, and it basically applies an AND to any of these. So we've got Monday to Friday 9:00 to 5:00, and if I want to do the same keyword search for "how to", I can just do "how to" and hit go and it'll apply a keyword search to that as well. So now we've got the quick keyword search as well as the other filter, and that gets stacked up there, and now we're down to 51 hits. You've got some Google searches, we've got some Safari hits here, so you can see the Safari ones, you can see it's highlighted the words "how to" in the title. We've got some emails here, so there's some Android Gmails with this user, and if I take a look it should have it highlighted in the actual email. Let me just see, if I go... there it is, just about missed it, there it is right there: "how to break it", I don't know, for whatever, but basically there it is highlighted in the email. Same thing goes if it's a document: we've got just an Intel document here, nothing super special, you can preview the document here, or we can go down and we can start looking through and seeing if we can find that keyword. Oh, there it is, so there's the highlighted keyword in that document, and you can see that that was a very quick keyword search. You go through it, it found everything within documents, emails, Google searches, chats, whatever it searches through, it'll find that keyword in there.

And you might have noticed how fast that was. The reason being is we actually index during the processing, index all of the artifacts for your case. It's better than a full index, because a full disk index will take a long time, it can take several hours, but we basically just index anything that's an artifact. It adds minimal overhead but still gets you the majority of what you need for your investigation. It's a really nice feature, and you can see how quick the keyword search applies along with the filter that we applied there. So I can clear those filters, go back to the top here, and we're back to square one on the entire case.

Now any keywords that you add here in the quick search are ANDs. So you can say "how to" and something else, it's all AND, so as you add keywords on the quick search it always adds an AND operator to it. Now if you wanted to add an OR and say, hey, I want to do this one or this one or this one, you would add it under keyword lists. You can import a keyword list there, and you can import a whole bunch of them, say this one, this one or this one, and those would actually come in as an OR keyword search.

Now you can also do keyword searches and filtering on the file system and registry side. So if I move from the artifacts and we go to file system, you can sit there and take a look at wherever you are in the file system; you can run filters based on date and time, file size, attributes, tags and comments, again very good there, or you can do a quick search as well. Now the search is relative to what's in the evidence pane. So let's say I go to this Windows 10 PC, go to partition 3 and Users, and now I've got the Administrator, I'll go into the admin profile. Now I could do a search for NTUSER.DAT and it would come up here based on the quick search on the file path. However, if I want to search every subfolder, do a recursive search across everything in here, I would want to flip over, change from selected folder only to all subfolders. This gives me a recursive view of all the subfolders under the user admin's profile here, so now I see everything, and then I can conduct that keyword search. So it's important to understand the difference between doing the recursive one or just the parent folder as it stands. In addition, if I move over to the registry, you can also do keyword searches in the registry right here: search term, you type it in and it would give you your keywords. Now for this one, if you get multiple keyword hits you can just hit the F3 button and it will move on to the next one, so you can hit F3 and it moves on to the next keyword hit each time.

So lots of ways to do keyword searches in AXIOM. If I jump back to the start, we've already mentioned that during processing you can set up keyword lists beforehand; this is how you would do it afterwards. Both work really well. That's everything I wanted to show for this video. Thanks for watching, bye bye.