Getting Started with Magnet AXIOM Process - Computers
Summary
TLDRIn this video, Jamie McQuaid from Magnet Forensics guides viewers through the process of acquiring and processing computer images using Magnet Axiom. The video covers key steps such as setting up folder paths, choosing evidence sources, and selecting acquisition methods (full physical, raw, logical, or targeted). It also explains how to load existing evidence, including images and memory dumps, and configure search options to extract valuable data. The tutorial emphasizes best practices for managing evidence, ensuring data integrity, and optimizing the investigation workflow.
Takeaways
- 😀 Set up folder paths for your images and case data before starting the process.
- 😀 You can organize evidence in separate folders or keep them in the same location—it's up to you.
- 😀 Choose the evidence source based on your case; you can load computer, mobile, or cloud data.
- 😀 In this video, the focus is on acquiring computer data, though there are other videos covering mobile and cloud data.
- 😀 For computer acquisition, you can choose between acquiring a full physical image or logical images (e.g., all files, registry hives, log files).
- 😀 The most common acquisition type is a full physical image (L1), as it segments and compresses the data with error checking.
- 😀 When acquiring evidence, you can choose between acquiring new evidence or loading evidence already acquired (e.g., using another tool).
- 😀 The system supports various image formats, including segmented images like EO1, and can automatically recognize file systems like NTFS.
- 😀 When loading existing evidence, you can choose a full search, a custom search, or a sector-level search depending on the file system's compatibility.
- 😀 When loading a memory dump, the system uses its integrated volatility framework to analyze and identify the appropriate image profile for the data.
- 😀 The system can handle multiple evidence sources at once, but adding more sources may increase processing time for the case.
Q & A
What is the first step in using Magnet Axiom for processing and acquiring computer images?
-The first step is setting the folder names and paths for storing the data. This involves selecting the locations for the computer images and case data, which can be customized as needed.
What are the available types of evidence sources you can add in Magnet Axiom?
-Magnet Axiom allows you to add evidence from various sources, including computer data, mobile smartphone data, and cloud data.
How does the process differ when loading computer data versus mobile or cloud data?
-When loading computer data, you choose the option to acquire evidence from a connected hard drive. For mobile or cloud data, there are separate processes outlined in other videos, as they involve different types of evidence and acquisition methods.
What is the default acquisition option when acquiring a physical disk in Magnet Axiom?
-The default acquisition option is a full physical L1 image, which is a common format that segments the data, provides compression, and includes error checking.
What are the other acquisition options available aside from the default full physical L1 image?
-Other acquisition options include a full physical image in raw format, a logical acquisition that includes all allocated files and folders, and a targeted acquisition that focuses on specific items such as user profiles, registry hives, and log files.
What is a targeted acquisition used for?
-A targeted acquisition is used when you need to focus on specific items like user profiles, registry hives, prefetch files, and log files. It's helpful for saving space and time in investigations.
What is the difference between a full search and a sector level search?
-A full search scans all available data, while a sector level search is used when the file system is not recognized. The sector level search can still carve data and find valuable evidence but does not recognize file systems.
What should you choose when dealing with a memory dump in Magnet Axiom?
-When dealing with a memory dump, you should use a sector level search because memory dumps don’t have a file system structure. A sector level search allows you to carve through the raw data to find evidence.
How does Magnet Axiom handle different types of image files when loading evidence?
-Magnet Axiom supports a variety of image formats. When loading evidence, you point to the first segment of the image (e.g., an EO1 file), and the system automatically recognizes and processes the rest of the image segments.
What happens when you load a memory dump in Magnet Axiom?
-When you load a memory dump, Magnet Axiom uses its memory analysis capabilities, along with the integrated volatility framework, to analyze the memory image and identify the correct operating system profile before adding it to the evidence sources.
Outlines
Этот раздел доступен только подписчикам платных тарифов. Пожалуйста, перейдите на платный тариф для доступа.
Перейти на платный тарифMindmap
Этот раздел доступен только подписчикам платных тарифов. Пожалуйста, перейдите на платный тариф для доступа.
Перейти на платный тарифKeywords
Этот раздел доступен только подписчикам платных тарифов. Пожалуйста, перейдите на платный тариф для доступа.
Перейти на платный тарифHighlights
Этот раздел доступен только подписчикам платных тарифов. Пожалуйста, перейдите на платный тариф для доступа.
Перейти на платный тарифTranscripts
Этот раздел доступен только подписчикам платных тарифов. Пожалуйста, перейдите на платный тариф для доступа.
Перейти на платный тарифПосмотреть больше похожих видео
Apple iPhone 7 Quick Acquisition with Magnet AXIOM
Getting Started with Magnet AXIOM - File System and Registry
Getting Started with Magnet AXIOM Examine - Search and Filters
How to use NMR machine? (NMR Basic Operation)
Faraday's Law of Induction Demonstration - Penn Physics
Simulasi Magnet dan Induksi Elektromagnetik Menggunakan PHET
5.0 / 5 (0 votes)
