Getting Started with Magnet AXIOM - File System and Registry

00:04

hello everyone my name is Jamie McQuaid

00:06

from magnet forensics and today we've

00:08

got a couple of quick videos to help you

00:10

get started with magnet axiom in this

00:12

video we're gonna talk about doing some

00:15

analysis in the file system of registry

00:16

views using axiom traversing between the

00:20

different views here so normally people

00:22

start with the the artifacts and we've

00:24

last video was on the artifacts and you

00:26

can see I've got a Google search up here

00:28

with the artifacts as I mentioned

00:30

previously you we always list the source

00:32

and location for all the artifacts that

00:34

we have here so what I can do is if I

00:36

want to actually go to the file system

00:37

for this given artifact I could just

00:39

click on this link and you see this is

00:41

for a Windows 7 computer it'll take me

00:43

to the history sequel Lite database for

00:46

that that exact artifact so we click on

00:49

that we can see it took me to the the

00:52

drop down took me automatically to the

00:54

file system view and automatically if I

00:56

scroll up here took me to the Windows 10

00:58

PC C and down on the partition all the

01:01

way to the default folder and there's

01:03

that history database so I can look at

01:05

the raw details of it this is just the

01:08

file system details you get the Mac time

01:10

so you get cluster size and all that

01:13

fine details from NTFS but if we also

01:16

look a little bit further down you get

01:18

the raw hex and text for anything now

01:21

you can see that took us to the start of

01:22

the hex and text of that that file and

01:26

nice thing with the the hex and text

01:29

there if I bring this over a little bit

01:30

better you could go through and decode

01:33

some of that data as well now this is a

01:35

sequel Lite database so there's nothing

01:36

too exciting to decode and the raw hex

01:39

in text but if I start scrolling through

01:41

here and start highlighting data you can

01:43

see a little bit further down it will

01:45

try to decode that for us as well so

01:47

it'll try to decode strings or

01:49

timestamps for us so as I highlight

01:51

it'll try to do some ASCII base64

01:54

unicode or any other types of data you

01:57

might have there but it'll also do

01:59

timestamps so say you find timestamps

02:01

that we don't pull as an artifact in the

02:04

the raw metadata of a file you just

02:05

start highlighting it and we'll try to

02:07

decode what that time

02:09

now that's not a valid timestamp

02:10

obviously but you can see we tried to

02:12

decode it there as hfs+ or UNIX 32-bit

02:16

timestamp there which obviously gave us

02:18

an incorrect one but you can see how

02:20

that that works quite easily there so as

02:23

you highlight it'll try to decode that

02:25

data as best it can for you which is a

02:27

nice little feature but this is a sequel

02:30

Lite database if I scroll back up to the

02:31

hex and text you can see it starts with

02:32

there's the sequel Lite header so we

02:35

could actually view that sequel Lite

02:36

database natively inside axiom all you

02:39

need to do is you see this little icon

02:41

that it indicates it's a single light

02:42

database I can double click on that

02:44

it'll open up on our sequel Lite viewer

02:47

and if I take a look there is the the

02:50

tables here there's the url's table and

02:52

if I take a look over here we can

02:55

actually start seeing the URLs the title

02:57

for for that the database visit time all

03:01

that you get the visits table as well

03:03

you get the visit source table this

03:05

one's empty but you get the idea that we

03:07

can actually take a look at that now

03:09

this isn't meant to be a deep dive

03:11

viewer for our analysis tool for sequel

03:15

a it's just meant to preview it for you

03:16

if you wanted to actually dive a little

03:18

bit deeper and wanted to use another

03:19

tool to do that if I go back outside the

03:22

sequel Lite viewer I get very easily

03:25

going a little too far up here so let me

03:27

go to the default one and if I go down

03:30

to the actual history database I could

03:32

right-click on this and I can see that

03:34

that file out or because it's a database

03:37

I can open the database with and I can

03:39

choose to open it in any native view or

03:41

if you've got something sitting on your

03:42

examination machine that you wanted to

03:45

use take a little bit closer look

03:47

through that so again nice sequel Lite

03:50

viewer built right into it this works

03:52

really well for mobile devices as well

03:54

as the the chrome sugilite databases but

03:57

there's a lot of sequent databases on

03:58

mobile devices so that that native

04:01

viewer can be really helpful we also

04:04

have a plist viewer for iOS devices so

04:06

if I get out of the windows computer

04:08

which will have no P lists in it

04:11

we do have there's an iPhone in here so

04:14

if I take a look at the iPhone here I

04:16

can see and look at any P lists as well

04:19

so right off the top here we've got an

04:21

info.plist

04:22

that if I wanted to look through I could

04:24

easily get some some details from the

04:26

info dot plist file and you can see this

04:29

is admins phone you get the IMEI there

04:32

some details on the installed

04:34

applications phone number and all of

04:36

those details you would normally expect

04:38

to find in a P list so again nice little

04:41

native viewer in the file system there

04:43

too to take a look at it and you can see

04:45

we've got the whole a folder structure

04:48

shown through there

04:49

either through the the standard way or

04:52

the interpreted way through the manifest

04:54

for iOS devices as well so lots of

04:58

different options there another weight

04:59

we could actually manipulate data in the

05:02

in the file system here is if I move

05:05

this back over let's take a look a

05:07

little bit closer at the go back to that

05:09

Windows 10 machine here and look at

05:10

partition three and I can see users

05:13

there's the one user admin now this is

05:16

just gonna show me the content to the

05:21

administer

05:22

I'll the files under the admitting that

05:26

fits in not just in this folder but in

05:28

all of these folders you and instead of

05:31

selecting selected folders only you

05:33

could easily flip over to all subfolders

05:36

this basically gives you a recursive

05:38

view of all of the files within that so

05:41

to run a full search on everything and

05:43

you could do that for the entire drive

05:44

as well there goes and it's you can

05:48

actually go through and do any sort of

05:50

sorting or filtering if you wanted to

05:52

sort on the created time or anything

05:54

like that and this gonna this can help

05:58

if you if you're looking for doing some

06:00

time lining activity in the file system

06:02

um but in a larger scale beyond just

06:05

what the contents of a single file or

06:07

folder additionally if I go back to and

06:10

I'll go just to select its folders only

06:12

and go back to users here I've got the

06:15

user admin right here but pretend

06:17

there's three or four users to this this

06:20

computer and I want to see all the

06:21

artifacts related to just the admitted

06:26

in folder here and I can do this for any

06:28

file or folder in the file system and I

06:31

can click view related artifacts so I

06:33

can do that

06:34

it automatically flips me to the

06:36

artifacts page and we'll run a filter to

06:38

just show me the admin's artifacts so

06:41

instead of looking at six hundred

06:43

thousand or so artifacts for the entire

06:46

case there's only forty three thousand

06:48

that are found under the user's profile

06:50

this is really helpful especially if you

06:52

want to look at just the browsing

06:53

activity or just the chats or anything

06:55

related to just that that's single user

06:58

again you could very easily do this for

07:01

any file or folder maybe you just want

07:03

to see anything that came from

07:04

unallocated space same sort of concept

07:06

applies let me clear that filter out and

07:09

let me flip over to the registry view so

07:12

we also have a dedicated registry view

07:13

you might have seen some of the registry

07:14

hives in the file system but you can

07:16

actually look at those in a dedicated

07:18

registry view as well and you can see

07:19

there's the file system and there's the

07:21

registry but let's actually use that

07:22

same source linking we used to get to

07:24

the file system view and we'll do that

07:26

to the registry so let's go to operating

07:28

system artifacts you can see there's a

07:29

whole lot here let's find one that goes

07:31

to the registry there's user assist so I

07:34

can see there's a whole lot of user

07:36

assist activity here and there's a

07:38

reference to our RAM capture tool so

07:40

somebody used on a USB the RAM capture

07:43

tool to acquire memory and it came up in

07:46

the the user assist here so we can see

07:49

that there's the basic details it was

07:50

run once there's the date and time is

07:52

March 16th and you can see this came

07:54

from the users enter user Def perfect if

07:57

I clicked on the source it would take me

07:58

to the file system right to the unti

08:00

user at the location however is the key

08:03

within the hive so if I click on this it

08:06

will take me to the registry view and it

08:08

will automatically take me right down to

08:10

where all that beautiful user sis data

08:13

is now Microsoft loves to store that in

08:15

rot13

08:16

so it's really ugly but we've done the

08:19

translation for you on the artifact side

08:20

but you can see very easily that's how

08:23

it gets get stored in there and you can

08:25

you can take a look at any of the

08:27

details as you want to go through like I

08:30

said you do get to see all of the the

08:32

registry hives here there's the Windows

08:33

10 PC there is all the hives there's the

08:35

users hives for the NT user dot and

08:38

whatever else but you can very easily

08:41

follow through that the nice thing about

08:44

linking back and forth is that in case

08:46

you

08:46

remember exactly where things are in the

08:48

registry or you don't like traversing

08:50

through that entire hierarchy the

08:52

one-click really gets you there a lot

08:54

faster and again you can still do that a

08:55

source linking from the the evidence

08:58

sources so if I click here this will

09:00

take me to the file system right to that

09:02

users NT user dot dot and again I could

09:05

easily right-click save the file out and

09:07

then I could do some additional analysis

09:10

outside of axiom so you have some

09:11

dedicated registry tools you want to use

09:14

you can easily export that out and do

09:17

some additional analysis there that's

09:19

everything I wanted to show for for this

09:21

video

09:22

thanks for watching