Customizing processing settings
Save temporary files to a custom location
By default, AXIOM Process stores all temporary files associated with a case in the Cases folder.
- In AXIOM Process, on the Tools menu, click Settings.
- In Processing > Temporary file location, in the drop-down list, click Custom location.
- Click Browse and select the folder where you want to save all temporary files associated with a case.
- Click Okay.
Verify hash values for images
AXIOM Process can create a hash value for each image that it processes. This hash value acts like a digital fingerprint for the image, and you can use it to verify that the file has not been tampered with. Hash verification information gets written to the Case Information.txt and .xml files. By default, creating hash values for processed images is turned off.
If hash verification fails for an AFF4 logical image, the Case Information.txt file lists the files that the verification fails on, but omits the actual hash values for the failed files. To see the hash values for the failed files, refer to the Case Information.xml file.
- In AXIOM Process, on the Tools menu, click Settings.
- In Processing > Image hash verification, select the Verify the hash value of each image file (E01 and AFF4 only) option.
- Click Okay.
Deduplicating artifact results
When scanning an evidence source, AXIOM Process parses allocated space and carves data from across the entire image (whether it's allocated or unallocated, and a recognized file system or not). By carving data from the entire image, AXIOM Process can uncover files or fragments of data vital to your investigation—however, you're more likely to have duplicate data in your case. Most commonly, AXIOM Process could report the same file recovered through both parsing and carving techniques.
By default, Magnet AXIOM Cyber deduplicates artifact results in your case to help reduce the amount of data you need to examine.
As part of the deduplication process, AXIOM Process looks at the essential information fragments for each artifact and the source of the artifact (the source represents where the data is found and is shown in the Source column in AXIOM Examine), and then assigns a unique value to the artifact. When AXIOM Process encounters a duplicate of an existing unique value, only the first artifact with that unique value is kept. Other artifacts with the identical unique value are discarded as duplicates. For example, with pictures, the unique value is based on the hash of the picture. If two pictures are found with the same hash and source, they would be deduplicated.
While parsed hits are always kept (they always have a different source), AXIOM Process will discard duplicates of a hit that have the same unique value and were recovered through carving (carved hits will often be incomplete and contain only partial data).
If an identical artifact is found in two different locations (i.e. the source is different), AXIOM Process will not discard the artifact from one location. AXIOM Process treats each path as a unique source, so the artifact will appear in both locations. For example, if an identical picture is discovered in two different places—a downloads folder and a temp folder—the artifact wouldn't be discarded as a duplicate from one location.
For deleted files recovered from unallocated space, only the first artifact with a unique value is kept. If the same artifacts are found in unallocated space on different drives, both artifacts are kept because the sources are different.
For searches of NTFS and FAT file systems, AXIOM Process will automatically deduplicate results from unallocated space if they are covered by a range of space that's occupied by a known deleted file. Only the deleted file hit with an existing $MFT record will be shown in AXIOM Examine. If no $MFT record exists, the hit will be carved from unallocated space.
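The keep-or-discard rule described above, modelled as an added example (not Magnet's code). It assumes the unique value is a SHA-256 over the content hash and the source string; the `Hit` fields, source labels and sample hits are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Hit:
    name: str         # label for this constructed sample hit
    essential: bytes  # essential information fragments (for a picture: its content)
    source: str       # where the data was found (the Source column)
    recovery: str     # "parsed" or "carved"


def unique_value(hit: Hit) -> str:
    """Assumed construction: hash of the essential data, bound to the source."""
    content_hash = hashlib.sha256(hit.essential).hexdigest()
    return hashlib.sha256(f"{content_hash}|{hit.source}".encode()).hexdigest()


def deduplicate(hits):
    """Return (kept, discarded) following the rules described above."""
    seen = set()
    kept, discarded = [], []
    for hit in hits:
        value = unique_value(hit)
        if hit.recovery == "carved" and value in seen:
            discarded.append(hit)  # carved duplicate of an existing unique value
            continue
        seen.add(value)
        kept.append(hit)           # first of its value, or a parsed hit
    return kept, discarded


# Constructed sample: the same picture bytes recovered five ways.
PICTURE = b"\xff\xd8\xff\xe0 constructed sample picture bytes"
SAMPLE_HITS = [
    Hit("downloads", PICTURE, r"C:\Users\sample\Downloads\cat.jpg", "parsed"),
    Hit("temp", PICTURE, r"C:\Users\sample\AppData\Local\Temp\cat.jpg", "parsed"),
    Hit("unalloc-1a", PICTURE, "Drive1 - Unallocated space", "carved"),
    Hit("unalloc-1b", PICTURE, "Drive1 - Unallocated space", "carved"),
    Hit("unalloc-2", PICTURE, "Drive2 - Unallocated space", "carved"),
]

if __name__ == "__main__":
    kept, discarded = deduplicate(SAMPLE_HITS)
    for hit in kept:
        print("kept     ", hit.name, "|", hit.source)
    for hit in discarded:
        print("discarded", hit.name, "|", hit.source)
```

Only the second carved hit from the same unallocated source is dropped; the identical picture in two folders and on two drives survives, which is why a deduplicated case can still show the same content several times.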
Remove duplicate artifact results
- In AXIOM Process, on the Tools menu, click Settings.
- In Processing > Duplicates, select the Remove duplicates option.
- Click Okay.
Optimize search times
The easiest way to decrease scan times and increase performance is to add more CPU cores to your system. Magnet AXIOM Cyber is designed to create a separate thread for every core that's available in your system (currently, the upper limit is 32 cores). For the fastest search time, AXIOM Process uses all logical cores on your computer, up to that limit. If you want to use your computer for other tasks during a search, reduce the number of cores. Increasing the clock speed of your CPU is another way that you can improve performance.
In AXIOM Process, you can manually set the number of cores that you want to use:
- In AXIOM Process, on the Tools menu, click Settings.
- Under Processing > Search speed, in the Number of cores drop-down list, select the number of cores you want to use.
- Click Okay.
Note: Adding more cores does not improve performance in a linear way. The more cores that your system has, the more work it is for RAM to keep each core busy with new instructions to process. As the number of cores increases, the returns on performance diminish. Whereas increasing the number of cores from 4 to 8 will yield significant improvements, increasing from 8 to 16 has a less noticeable effect. After 8 cores, the easiest way to improve performance is by increasing clock speed.