Getting Started with Magnet AXIOM - File System and Registry
Summary
TL;DR: In this video, Jamie McQuaid from Magnet Forensics introduces viewers to analyzing the file system and registry views in Magnet Axiom. Key features highlighted include source linking, navigating between views, and decoding data. The video demonstrates how to access raw file details, use the built-in SQLite and plist viewers (useful for Chrome's History database and for mobile-device data), and filter artifacts down to a specific user or folder. It also showcases the registry view and the ability to export hives and other files for further analysis in dedicated tools.
Takeaways
- 😀 Jamie McQuaid from Magnet Forensics introduces a tutorial on using Magnet Axiom for file system and registry analysis.
- 🔍 The video demonstrates how to navigate from artifacts to the file system view in Magnet Axiom, highlighting the source and location of artifacts.
- 💾 It showcases the ability to view raw file system details such as MAC times and cluster sizes, as well as raw hex and text data.
- 🔎 The script explains the decoding feature in Magnet Axiom: when bytes are highlighted in the hex/text view, Axiom attempts to decode them as ASCII, Base64, Unicode or as a timestamp (for example HFS+ or Unix 32-bit). Because every interpretation is attempted, a highlighted run that is not really a timestamp still produces dates, so the analyst has to judge which decoding, if any, is valid.
- 📊 The tutorial includes a walkthrough of viewing SQLite databases natively within Axiom, including the ability to open and preview tables and data.
- 📱 The video mentions the utility of Axiom's native viewers for mobile device data, such as SQLite databases and plist files for iOS devices.
- 🗂️ It discusses the capability to perform recursive searches across all subfolders within a user's profile or other specified folders.
- 📈 The script highlights the feature to view related artifacts for a specific file or folder, which can be useful for focusing analysis on particular user activity.
- 🔗 The video explains how to use source linking to quickly navigate between the file system and registry views within Axiom.
- 🛠️ It touches on the ability to export registry hives or other data from Axiom for further analysis using dedicated registry tools outside the platform.
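The decode pane described in the takeaways (and again in the Q&A answer on analyzing raw data) is a try-everything decoder: it does not know what the highlighted bytes are, so it offers every interpretation and leaves the analyst to discard the implausible ones. The Python below is an added example written for this page, not Magnet's code. It reproduces that idea for a byte run with the same candidate families (ASCII, UTF-16, Base64, Unix 32-bit, HFS+, Windows FILETIME, WebKit/Chrome) and applies the sanity check an analyst performs by eye: any date outside a configurable year window is dropped. The sample byte strings are constructed for the example.

```python
"""Candidate decodings of a highlighted byte run (added example, not AXIOM code)."""
import base64
import binascii
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME and WebKit/Chrome
EPOCH_1904 = datetime(1904, 1, 1, tzinfo=timezone.utc)  # HFS+ (nominally local time; shown as UTC here)
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix

# Constructed samples: 2020-03-16 00:00:00 UTC as a Unix 32-bit LE value and as a FILETIME.
SAMPLE_UNIX32 = struct.pack("<I", 1584316800)
SAMPLE_FILETIME = struct.pack("<Q", (11644473600 + 1584316800) * 10_000_000)


def _shift(epoch, **delta):
    """epoch + timedelta, or None when the value is not representable as a datetime."""
    try:
        return epoch + timedelta(**delta)
    except OverflowError:
        return None


def decode_candidates(data, min_year=1995, max_year=2040):
    """Return {interpretation: value} for every decoding that yields printable text
    or a date inside [min_year, max_year]. Several keys can be present at once;
    the analyst decides which, if any, is the real one."""
    out = {}

    # String interpretations
    try:
        text = data.decode("ascii")
        if text and text.isprintable():
            out["ascii"] = text
    except UnicodeDecodeError:
        pass
    if data and len(data) % 2 == 0:
        try:
            text = data.decode("utf-16-le")
            if text.isprintable():
                out["utf16le"] = text
        except UnicodeDecodeError:
            pass
    if data and len(data) % 4 == 0:
        try:
            out["base64"] = base64.b64decode(data, validate=True)
        except binascii.Error:
            pass

    # Timestamp interpretations, tried on the leading 4 or 8 bytes
    candidates = []
    if len(data) >= 4:
        le32 = struct.unpack_from("<I", data)[0]
        be32 = struct.unpack_from(">I", data)[0]
        candidates += [
            ("unix32_le", _shift(EPOCH_1970, seconds=le32)),
            ("unix32_be", _shift(EPOCH_1970, seconds=be32)),
            ("hfs_plus_be", _shift(EPOCH_1904, seconds=be32)),
        ]
    if len(data) >= 8:
        le64 = struct.unpack_from("<Q", data)[0]
        candidates += [
            ("filetime_le", _shift(EPOCH_1601, microseconds=le64 // 10)),  # 100 ns ticks
            ("webkit_le", _shift(EPOCH_1601, microseconds=le64)),          # Chrome/WebKit
            ("unix_ms_le", _shift(EPOCH_1970, milliseconds=le64)),
        ]
    for name, when in candidates:
        if when is not None and min_year <= when.year <= max_year:
            out[name] = when.isoformat()
    return out


if __name__ == "__main__":
    for sample in (SAMPLE_UNIX32, SAMPLE_FILETIME, b"History"):
        print(sample.hex(), decode_candidates(sample))
```

Note how the Unix 32-bit sample also survives as a big-endian Unix value in 2038 while its HFS+ reading (1972) is filtered out: a year window removes the obviously wrong readings but not every wrong one, which is exactly why the tool's decode pane is a prompt for the analyst rather than an answer.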
Q & A
What is the main focus of the video presented by Jamie McQuaid?
-The main focus of the video is to provide guidance on using Magnet Axiom for analysis in the file system and registry views, including traversing between different views and utilizing the tool's features for in-depth analysis.
How does Magnet Axiom help in navigating to the file system from an artifact?
-Every artifact lists its source and location. Clicking the source link opens the file system view expanded to the exact file the artifact was parsed from (in the example, Chrome's History SQLite database under a Windows user profile), showing that file's file system details and its raw hex and text.
What additional feature does Magnet Axiom provide for analyzing raw data?
-Magnet Axiom provides a feature that attempts to decode highlighted data in the raw hex and text view, such as strings, timestamps, and various data types, to assist in the analysis process.
Can Magnet Axiom open SQLite databases natively within the tool?
-Yes. Magnet Axiom has a built-in SQLite viewer: double-clicking a file Axiom has flagged as SQLite opens its tables (for Chrome's History, the urls, visits and visit_source tables) and their rows. It is a preview, not a full SQLite analysis tool; for deeper work, right-click the file to save it out or to open the database with another viewer installed on the examination machine.
What is the purpose of the native plist viewer in Magnet Axiom?
-The native plist viewer in Magnet Axiom is used to view and analyze property list (plist) files from iOS devices, providing details such as IMEI, installed applications, phone numbers, and other relevant information.
How can users manipulate data in the file system view within Magnet Axiom?
-Users can change how the file system view lists content by switching from 'Selected folders only' to 'All subfolders', which gives a recursive view of every file under a folder, a user profile, or the whole drive. The resulting list can be sorted or filtered (for example on created time), which is useful for timelining activity beyond the contents of a single folder.
What does the 'View Related Artifacts' feature in Magnet Axiom do?
-The 'View Related Artifacts' feature in Magnet Axiom allows users to quickly filter and display artifacts related to a specific file or folder, narrowing down the analysis to a particular user or area of interest within a case.
How does Magnet Axiom handle the analysis of registry data?
-Magnet Axiom provides a dedicated registry view where users can analyze registry hives and artifacts. It also offers source linking to directly navigate to the registry view from an artifact, simplifying the process of locating and analyzing registry data.
What is the significance of the rot13 encoding mentioned in the video?
-ROT13 is a simple letter-substitution cipher (each letter is shifted 13 places, so applying it twice restores the original) that Windows uses to obfuscate UserAssist value names in the registry. Magnet Axiom decodes them on the artifact side, so the analyst sees readable program names; the registry view shows the raw, still-encoded form exactly as it is stored in the hive.
Can users export data from Magnet Axiom for further analysis using other tools?
-Yes, users can export data from Magnet Axiom by right-clicking and saving files out of the tool, allowing for additional analysis using dedicated registry or other forensic tools outside of Axiom.
What is the benefit of the source linking feature in Magnet Axiom?
-The source linking feature in Magnet Axiom allows for quick navigation between different views, such as the file system and registry views, by providing a direct link to the exact location of the data, saving time and improving efficiency in the analysis process.
Outlines
🔍 Exploring File System and Registry Views in Magnet Axiom
Jamie McQuaid from Magnet Forensics introduces viewers to the capabilities of Magnet Axiom for digital forensics. The tutorial focuses on navigating through the file system and registry views to perform analysis. Starting with artifacts, Jamie demonstrates how to reach the file system of a Windows computer by clicking an artifact's source link, which opens the file system view at the SQLite database (Chrome's History) that the artifact was parsed from. The video showcases detailed file system information, including MAC times and cluster sizes, and the ability to view and decode raw hex and text data. The built-in SQLite viewer within Axiom lets users preview database tables directly within the platform, with the option to open the database in an external viewer for deeper analysis. Additionally, the video highlights the native viewers for mobile device databases and for plist files from iOS devices, emphasizing the versatility of Axiom's file system analysis tools.
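The History database previewed in the video is plain SQLite, and the one thing the preview does not do for you is interpret the timestamps: Chrome stores urls.last_visit_time and visits.visit_time as microseconds since 1601-01-01 UTC (the WebKit epoch), not Unix time. The following Python is an added example written for this page, not Magnet's or Chrome's code. It builds a constructed in-memory stand-in with the subset of Chrome's schema needed here, then runs the join an analyst would type into a SQLite viewer, converting the timestamp inside SQL. The URLs and transition values in the sample rows are made up for the example.

```python
"""Query a Chrome History database with WebKit timestamp conversion (added example, not AXIOM code)."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WEBKIT_TO_UNIX = 11644473600  # seconds from 1601-01-01 to 1970-01-01


def webkit_to_datetime(value):
    """Chrome stores visit_time / last_visit_time as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def datetime_to_webkit(when):
    return (when - WEBKIT_EPOCH) // timedelta(microseconds=1)


def open_history(path):
    """Open an exported copy of History read-only; never point this at a live profile."""
    return sqlite3.connect("file:%s?mode=ro" % path, uri=True)


def list_visits(conn):
    """Join visits to urls and convert the timestamp inside SQL, the same expression
    you would type into a SQLite viewer. Returns (url, title, visited_utc, from_visit)."""
    sql = """
        SELECT u.url, u.title,
               datetime(v.visit_time / 1000000 - ?, 'unixepoch') AS visited_utc,
               v.from_visit
        FROM visits AS v JOIN urls AS u ON u.id = v.url
        ORDER BY v.visit_time
    """
    return [tuple(row) for row in conn.execute(sql, (WEBKIT_TO_UNIX,))]


def build_sample_history():
    """Constructed in-memory stand-in with the subset of Chrome's schema used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
    """)
    t1 = datetime_to_webkit(datetime(2020, 3, 16, 14, 5, 0, tzinfo=timezone.utc))
    t2 = datetime_to_webkit(datetime(2020, 3, 16, 14, 7, 30, tzinfo=timezone.utc))
    conn.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?)", [
        (1, "https://www.google.com/search?q=ram+capture", "ram capture - Google Search", 1, t1),
        (2, "https://example.test/ramcapture", "Download", 1, t2),
    ])
    conn.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, t1, 0, 0x30000000),  # transition values are constructed
        (2, 2, t2, 1, 0x30000000),  # from_visit=1: reached from the search result
    ])
    return conn


if __name__ == "__main__":
    for row in list_visits(build_sample_history()):
        print(row)
```

Work on the copy you saved out of Axiom (right-click, save file) rather than a profile in use, and open it read-only as open_history() does, so the tool never writes to evidence. The from_visit column is worth keeping in the output: it chains visits together, which is how you show that a download page was reached from a particular search rather than typed in directly.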
🖥️ Advanced File System and Registry Analysis Techniques
Continuing the tutorial, Jamie McQuaid delves into more advanced techniques for analyzing the file system and registry views in Magnet Axiom. The video explains how switching the file system view to 'All subfolders' recursively lists every file within a folder or drive, which is particularly useful for timeline analysis. The feature to view related artifacts for a specific file or folder is highlighted, allowing users to filter and focus on relevant data, such as browsing activity or chats associated with a particular user profile (in the example, from roughly six hundred thousand artifacts in the case down to forty-three thousand under one profile). The tutorial also covers the dedicated registry view, where users can examine registry hives and artifacts such as UserAssist data, whose value names are stored ROT13-encoded in the hive. Jamie demonstrates the source linking feature that takes the user from an artifact either to the hive file in the file system view or to the exact key in the registry view, streamlining the analysis process. The video concludes with a demonstration of how to export a hive for further analysis using external registry tools, showcasing the comprehensive capabilities of Magnet Axiom for digital forensic investigations.
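The UserAssist entry in the video (a RAM capture tool run once from a USB stick, with a last-run date) comes from a value under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count in the user's NTUSER.DAT, where the value name is the ROT13-encoded program path and the value data is a binary counter record. The Python below is an added example written for this page, not Magnet's code; it is the kind of decoding you would do yourself after exporting the hive. The record layout it parses (72 bytes, run count at offset 4, last-executed FILETIME at offset 60) is the Windows 7 and later format; the value names, the "E:\ramcapture.exe" program and all timestamps are constructed for the example and are not the tool or dates shown in the video.

```python
"""Decode UserAssist value names and counters (added example, not AXIOM code)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """UserAssist value names are stored ROT13-obfuscated; ROT13 is its own inverse."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ticks):
    """FILETIME: 100-nanosecond intervals since 1601-01-01 UTC; zero means 'never'."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_userassist_value(data):
    """Parse a Windows 7+ UserAssist record (72 bytes): run count at offset 4,
    focus count at 8, focus time in ms at 12, last-executed FILETIME at 60.
    Assumed layout; older Windows versions use a shorter record that this rejects."""
    if len(data) < 68:
        raise ValueError("UserAssist value too short: %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last_run = filetime_to_datetime(struct.unpack_from("<Q", data, 60)[0])
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": last_run.isoformat() if last_run else None,
    }


def decode_userassist(values):
    """values: {encoded_value_name: raw_bytes} as read from a ...\\UserAssist\\{GUID}\\Count key.
    Names are always decoded; records that do not fit the layout are kept with an error."""
    rows = []
    for encoded_name, raw in values.items():
        entry = {"name": rot13(encoded_name)}
        try:
            entry.update(parse_userassist_value(raw))
        except ValueError as exc:
            entry["error"] = str(exc)
        rows.append(entry)
    return rows


def _build_value(run_count, last_run):
    """Construct a 72-byte record for the sample below (test data, not from a real hive)."""
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    ticks = (last_run - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, 60, ticks)
    return bytes(buf)


# Constructed sample: a hypothetical RAM capture executable run once from a USB drive,
# plus the session-control value whose data is not a program record.
SAMPLE_VALUES = {
    "R:\\enzpncgher.rkr": _build_value(1, datetime(2020, 3, 16, 9, 30, tzinfo=timezone.utc)),
    "HRZR_PGYFRFFVBA": b"\x00" * 12,
}


if __name__ == "__main__":
    for row in decode_userassist(SAMPLE_VALUES):
        print(row)
```

The FILETIME is UTC; Axiom displays it in the case time zone, so compare like with like when you cross-check against the artifact view. Values that are not program records (the session-control entry above is one) should be reported, not silently dropped, so that a count of decoded entries matches what the hive actually holds.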
Keywords
💡Magnet Axiom
💡Artifacts
💡File System
💡Registry Views
💡Hex and Text
💡SQLite Database
💡Plist Viewer
💡Source Linking
💡User Artifacts
💡Registry Hives
Highlights
Introduction to Magnet Axiom for file system and registry views analysis.
Navigating to the file system view from artifacts.
Automatic linking to the file system view for a specific artifact.
Viewing raw file system details such as MAC time and cluster size.
Decoding raw hex and text data within a file.
Highlighting and decoding strings, timestamps, and other data types.
Viewing a SQLite database natively within Axiom.
Previewing tables and data within a SQLite database.
Opening a database with a native viewer for deeper analysis.
The utility of the native SQLite viewer for mobile device databases.
Accessing and viewing plist files for iOS devices.
Exploring the folder structure and manifest for iOS devices.
Manipulating data in the file system with recursive views.
Sorting and filtering files for timeline analysis.
Viewing related artifacts for a specific user or folder.
Switching between file system and registry views.
Using source linking to navigate to the registry view.
Analyzing user assist activity and RAM capture tool references in the registry.
Deciphering ROT13-encoded UserAssist data in the registry.
Exporting registry hives for additional analysis with dedicated tools.
Concluding remarks and thanks for watching.
Transcripts
Hello everyone, my name is Jamie McQuaid from Magnet Forensics, and today we've got a couple of quick videos to help you get started with Magnet AXIOM. In this video we're going to talk about doing some analysis in the file system and registry views using AXIOM, traversing between the different views here.

Normally people start with the artifacts, and the last video was on the artifacts. You can see I've got a Google search up here with the artifacts. As I mentioned previously, we always list the source and location for all the artifacts that we have here. So if I want to actually go to the file system for this given artifact, I could just click on this link. You see this is for a Windows 7 computer; it'll take me to the History SQLite database for that exact artifact. So we click on that, and we can see the drop-down took me automatically to the file system view and, if I scroll up here, automatically took me to the Windows 10 PC, C:, down on the partition, all the way to the Default folder, and there's that History database.

So I can look at the raw details of it. This is just the file system details: you get the MAC times, you get cluster size and all of those fine details from NTFS. But if we also look a little bit further down, you get the raw hex and text for anything. Now you can see that took us to the start of the hex and text of that file, and the nice thing with the hex and text there, if I bring this over a little bit better, is that you could go through and decode some of that data as well. Now this is a SQLite database, so there's nothing too exciting to decode in the raw hex and text, but if I start scrolling through here and start highlighting data, you can see a little bit further down it will try to decode that for us as well. So it'll try to decode strings or timestamps for us: as I highlight, it'll try to do some ASCII, Base64, Unicode or any other types of data you might have there, but it'll also do timestamps. So say you find timestamps that we don't pull as an artifact in the raw metadata of a file; you just start highlighting it and we'll try to decode what that time is. Now that's not a valid timestamp, obviously, but you can see we tried to decode it there as an HFS+ or Unix 32-bit timestamp, which obviously gave us an incorrect one, but you can see how that works quite easily. So as you highlight, it'll try to decode that data as best it can for you, which is a nice little feature.

But this is a SQLite database. If I scroll back up to the hex and text, you can see it starts with the SQLite header, so we could actually view that SQLite database natively inside AXIOM. All you need to do is, you see this little icon that indicates it's a SQLite database, I can double-click on that and it'll open up in our SQLite viewer. If I take a look, there are the tables here, there's the urls table, and if I take a look over here we can actually start seeing the URLs, the title for the database, visit time, all that. You get the visits table as well, you get the visit_source table (this one's empty), but you get the idea that we can actually take a look at that. Now this isn't meant to be a deep-dive viewer for our analysis tool for SQLite; it's just meant to preview it for you. If you wanted to actually dive a little bit deeper and wanted to use another tool to do that: if I go back outside the SQLite viewer (I very easily end up going a little too far up here, so let me go to the Default one) and if I go down to the actual History database, I could right-click on this and I can save that file out, or, because it's a database, I can "open the database with" and I can choose to open it in any native viewer, if you've got something sitting on your examination machine that you wanted to use to take a little bit closer look through that. So again, a nice SQLite viewer built right into it. This works really well for mobile devices as well as the Chrome SQLite databases; there's a lot of SQLite databases on mobile devices, so that native viewer can be really helpful.

We also have a plist viewer for iOS devices. So if I get out of the Windows computer, which will have no plists in it, we do have an iPhone in here, so if I take a look at the iPhone here I can look at any plists as well. Right off the top here we've got an Info.plist that, if I wanted to look through, I could easily get some details from. You can see this is Admin's phone, you get the IMEI there, some details on the installed applications, phone number and all of those details you would normally expect to find in a plist. So again, a nice little native viewer in the file system there too to take a look at it, and you can see we've got the whole folder structure shown through there, either the standard way or the interpreted way through the manifest for iOS devices as well. So lots of different options there.

Another way we could actually manipulate data in the file system here: if I move this back over, let's take a little bit closer look. Go back to that Windows 10 machine here and look at partition three, and I can see Users; there's the one user, Admin. Now this is just going to show me the contents of the Admin folder. If I want all the files under the Admin folder, not just in this folder but in all of these folders, instead of "selected folders only" you could easily flip over to "all subfolders". This basically gives you a recursive view of all of the files within that, so you could run a full search on everything, and you could do that for the entire drive as well. There it goes, and you can actually go through and do any sort of sorting or filtering; if you wanted to sort on the created time or anything like that, this can help if you're looking at doing some timelining activity in the file system, but on a larger scale beyond just the contents of a single file or folder.

Additionally, if I go back (and I'll go just to "selected folders only") and go back to Users here, I've got the user Admin right here. But pretend there are three or four users on this computer and I want to see all the artifacts related to just the Admin folder here; I can do this for any file or folder in the file system. I can click "view related artifacts", and it automatically flips me to the artifacts page and will run a filter to just show me Admin's artifacts. So instead of looking at six hundred thousand or so artifacts for the entire case, there are only forty-three thousand that are found under the user's profile. This is really helpful, especially if you want to look at just the browsing activity or just the chats or anything related to just that single user. Again, you could very easily do this for any file or folder; maybe you just want to see anything that came from unallocated space. The same sort of concept applies. Let me clear that filter out and let me flip over to the registry view.

So we also have a dedicated registry view. You might have seen some of the registry hives in the file system, but you can actually look at those in a dedicated registry view as well, and you can see there's the file system and there's the registry. But let's actually use that same source linking we used to get to the file system view, and we'll do that to the registry. So let's go to operating system artifacts; you can see there's a whole lot here. Let's find one that goes to the registry: there's UserAssist. I can see there's a whole lot of UserAssist activity here, and there's a reference to our RAM capture tool, so somebody used, on a USB, the RAM capture tool to acquire memory and it came up in the UserAssist here. So we can see there are the basic details: it was run once, there's the date and time (it's March 16th), and you can see this came from the user's NTUSER.DAT. Perfect. If I clicked on the source, it would take me to the file system, right to the NTUSER.DAT; the location, however, is the key within the hive, so if I click on this it will take me to the registry view and it will automatically take me right down to where all that beautiful UserAssist data is. Now Microsoft loves to store that in ROT13, so it's really ugly, but we've done the translation for you on the artifact side. But you can see very easily that's how it gets stored in there, and you can take a look at any of the details as you want to go through. Like I said, you do get to see all of the registry hives here: there's the Windows 10 PC, there are all the hives, there are the users' hives for the NTUSER.DAT and whatever else, but you can very easily follow through that. The nice thing about linking back and forth is that, in case you don't remember exactly where things are in the registry or you don't like traversing through that entire hierarchy, the one click really gets you there a lot faster. And again, you can still do that source linking from the evidence sources, so if I click here this will take me to the file system right to that user's NTUSER.DAT, and again I could easily right-click, save the file out, and then I could do some additional analysis outside of AXIOM. So if you have some dedicated registry tools you want to use, you can easily export that out and do some additional analysis there.

That's everything I wanted to show for this video. Thanks for watching.