Adding custom artifacts

With the frequency that new applications and services are released to the market, custom artifacts can help you keep up to date with artifacts that might not be supported by Magnet AXIOM Cyber. In a corporate environment, you can use custom artifacts to recover data from proprietary applications. In addition to creating your own artifacts, you can browse the Artifact Exchange to search for, download, and install custom artifacts that other organizations have created and uploaded.

In addition to adding custom artifacts in AXIOM Process, you can find more artifacts by enabling the Dynamic App Finder and configuring the Custom file types list to search for artifacts that aren't currently supported by Magnet AXIOM Cyber.

What is a custom artifact?

A custom artifact is an XML file or a Python script that contains instructions for recovering a particular type of evidence. Typically, custom artifacts are targeted towards new applications or features that Magnet AXIOM Cyber does not yet support. Because custom artifacts aren't developed and maintained by Magnet Forensics, they're not required to go through the same level of testing as fully supported Magnet AXIOM Cyber artifacts, so they can often be developed and released faster.

Custom artifacts can contain executable code and are run in an unsandboxed Python environment with administrator privileges. Running in an environment without restrictions gives custom artifacts a lot of power and flexibility, but you must ensure that the source from where you obtain a custom artifact is trusted.

Creating a custom artifact

For information about downloading, contributing, and creating your own custom artifacts, visit the Artifact Exchange.

Add custom artifacts to AXIOM Process

After you've created your own custom artifact or downloaded a custom artifact from the Artifact Exchange, you can load it into AXIOM Process.

  1. In AXIOM Process, on the Tools menu, click Manage custom artifacts.
  2. Click Add new custom artifact and browse to where you saved the artifact.
  3. Select the artifact and click Okay.

AXIOM Process saves artifact definition templates to the AXIOM Process/plugins folder.

Confirm the artifact loaded correctly

  1. In AXIOM Process, click Artifact details.
  2. Depending on what platform you specified for your custom artifact, click Customize computer artifacts, Customize mobile artifacts, or Customize cloud artifacts. If you didn't specify a platform, the artifact is available in each option.
  3. On the Select artifacts to include in case screen, select the Custom artifacts option.
  4. Confirm that the custom artifacts you loaded to the plugins folder are visible.

If an artifact is not available, there might be a problem with the artifact schema. Check the log.txt file in the plugins folder for details.

When you've successfully loaded your custom artifacts in AXIOM Process, you can include them in a search.

Viewing custom artifacts in AXIOM Examine

AXIOM Examine displays custom artifacts in the Artifacts explorer under the Custom heading. When you add a custom artifact to a case for the first time, they don't appear under Evidence if AXIOM Examine is already open. To view your custom artifacts, you must close AXIOM Examine and reopen the case.