Searching for custom file types
During a search, AXIOM Process might discover file types that aren't currently supported by AXIOM artifacts. You can use the Custom file types list to configure AXIOM Process to create artifacts for these file types. Magnet Forensics provides several file types to get you started, and you can add your own custom file types.
If AXIOM Process recovers any custom file types, AXIOM Examine displays the hits in the Artifacts explorer under the category heading you configured in the Custom file types list. AXIOM Process does not index or search file type artifact hits that it discovers—you should review hits for file type artifacts manually.
You can change where the Custom file type list is saved or import a list configured by another examiner. You can also add more file types and choose which file types you want AXIOM Process to search for.
Warning: Turning this feature on can increase search times significantly.
Add custom file types
Add file types to the Custom file types list so that AXIOM Process creates artifact hits for file types discovered during a search. After AXIOM Process completes its search, you can view recovered custom file type artifacts in AXIOM Examine.
You must have Microsoft Excel or an equivalent application installed on your computer to open the Custom file type list. If you do not have an application able to open a spreadsheet on your computer, you can move the Custom file types list to another location, such as a shared network, where you're able to open the file.
Warning: Only one person can open the Custom file type list at a time. If the list is saved to a shared network, you must close the list on your computer before anyone else can open it.
- In AXIOM Process, click Processing details > Find more artifacts.
- Under Edit custom file types, click Edit custom file types list. AXIOM Process opens the file in your default spreadsheet application.
- In the Custom file type list, add your file types. The file includes instructions about what data you should include. Review the Custom file type list fields topic for more information about each column in the spreadsheet.
- Save and close the document.
- To load the new file types in AXIOM Process, under Find more artifacts > Edit custom file types, click Refresh.
You can see the file types in the file type list in the Categories and file types table. The file types are organized into artifact categories. You can enable or turn off categories or specific file type artifacts from the Categories and file types table as well as the Artifact details screens.
Turn off searching for specific file types
You can turn off searching for file type categories or specific file type artifacts. If you turn off a category, AXIOM Process won't search for any of the file types grouped in the category.
- In AXIOM Process, click Processing details > Find more artifacts.
- Under Edit custom file types, in the Categories and file types table, expand the category with the file type you want to turn off searching for.
- Clear the checkbox beside the category or file type you want to turn off searching for.
Custom file types list fields
Column name | Description |
---|---|
Category | Choose an artifact category from the options provided. These categories correspond to the artifact categories available in AXIOM Examine. The category you choose determines where the file type artifact will appear in the Artifacts explorer in AXIOM Examine. You can't enter your own category name. |
Name | Enter the name of the file type artifact, as you want it to appear in AXIOM Examine. To search for multiple headers and/or footers for the same file type, enter the file type multiple times in the list using the same Category and Name. AXIOM Examine will display hits for the file type as a single artifact. Note: AXIOM Process will not process custom file type artifacts that have the same name as artifacts already supported by AXIOM artifacts. |
Description | A description of the custom file type you're searching for. Providing a description is helpful to other examiners who might be using the Custom file types list. |
Extensions | To identify files by their file extension, or parse, enter one or more file extensions. To enter multiple extensions, separate each value by a semicolon. File extensions are not case sensitive and you can include or exclude a period. |
Header | To identify files by their binary content, or carve, enter the hexadecimal byte header. Enter each byte as "\x" followed by the two-character hex header value. Specifying a header can improve the search performance of AXIOM Process because the software knows where to search. Warning: If you type a common header such as "OO" or "F", search times increase significantly. You can enter a header value with or without providing a footer value. Depending on whether you specify just a header, just a footer, or both, AXIOM Process searches the file differently. For more information, see Searching for headers and footers in custom file types. |
Header offset | If the file's header does not occur at the beginning of a file, enter the header offset. The header offset is expressed as a numeric value greater than zero. This is an optional value. If you do not provide a value, the header offset is assumed to be zero. |
Footer | To identify files by their binary content, or carve, enter the hexadecimal byte footer. Enter each byte as "\x" followed by the two-character hex header value. Specifying a footer can improve the search performance of AXIOM Process because the software knows where to search. You can enter a footer value with or without providing a header value. Depending on whether you specify just a header, just a footer, or both, AXIOM Process searches the file differently. For more information, see Searching for headers and footers in custom file types. |
Footer offset | If the file's footer does not occur at the end of a file, enter the footer offset. The footer offset is expressed as a numeric value greater than zero. This is an optional value. If you do not provide a value, the footer offset is assumed to be zero. |
Maximum size of data to carve | In bytes, specify the maximum amount of data that you want to carve, beginning from the header offset, for a particular file type artifact hit. The maximum size of data to carve is expressed as a numeric value greater than zero. This is an optional value. If you don't provide a value, AXIOM Process will carve 1 KB of data. If you specify a maximum of 0 bytes to carve and turn on the Remove duplicates setting, AXIOM Examine will display a single artifact hit if the header signature is located in multiple locations in the file. AXIOM Process searches the file differently depending on whether you specify a maximum size of data to carve. For more information, see Searching for headers and footers in custom file types. |
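Before adding a row to the list, it helps to confirm that the Header, Footer, offset and Extensions values actually match a known-good sample of the file type. The following is an added example, not Magnet Forensics code: it parses the "\x" notation and checks one row against sample bytes. The "MYFT" format, the sample bytes and the function names are constructed for illustration, and the footer offset is assumed to be counted back from the end of the file.

```python
import re

# One or more bytes, each written as \x plus two hex digits (the list's notation).
SIG_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2})+")

def parse_signature(cell):
    """Turn a Header/Footer cell such as \\x4D\\x59 into raw bytes."""
    cell = cell.strip()
    if not SIG_RE.fullmatch(cell):
        raise ValueError(f"expected \\xNN for every byte, got {cell!r}")
    return bytes.fromhex(cell.replace("\\x", ""))

def parse_extensions(cell):
    """Semicolon-separated, case-insensitive, leading period optional."""
    return sorted({e.strip().lstrip(".").lower() for e in cell.split(";") if e.strip()})

def check_row(row, sample):
    """Compare one spreadsheet row with the bytes of a known-good sample file."""
    header = parse_signature(row["Header"]) if row.get("Header") else b""
    footer = parse_signature(row["Footer"]) if row.get("Footer") else b""
    h_off = int(row.get("Header offset") or 0)  # blank cell means zero
    f_off = int(row.get("Footer offset") or 0)
    # ASSUMPTION: the footer offset counts bytes back from the end of the file.
    f_end = max(len(sample) - f_off, 0)
    return {
        "extensions": parse_extensions(row.get("Extensions", "")),
        "header_at_offset": bool(header) and sample.startswith(header, h_off),
        "footer_at_offset": bool(footer) and sample[:f_end].endswith(footer),
        # A header that recurs inside one file will produce many hits when carving.
        "header_occurrences": sample.count(header) if header else 0,
    }

# Constructed sample: a made-up "MYFT" format with 2 bytes before the header
# and 1 byte after the footer. Not a real file type.
SAMPLE = b"\x00\x00MYFT\x01payload MYFT again\xDE\xAD\xBE\xEF\x00"
ROW = {  # keys are the column names of the Custom file types list
    "Name": "MYFT container (hypothetical)",
    "Extensions": ".MYF;myf",
    "Header": r"\x4D\x59\x46\x54", "Header offset": "2",
    "Footer": r"\xDE\xAD\xBE\xEF", "Footer offset": "1",
}

if __name__ == "__main__":
    print(check_row(ROW, SAMPLE))
```

A `header_occurrences` value above 1, or a very short header, suggests the signature is too common and is likely to lengthen search times.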
Searching for headers and footers in custom file types
Depending on whether you specify just a header, just a footer, or both, Magnet AXIOM searches the file differently.
Header | Footer | Result |
---|---|---|
Yes | No | If you specify a maximum size of data to carve, AXIOM Process saves data from the beginning of the file to the number of bytes you specify. If you do not specify a maximum size, AXIOM Process saves data from the beginning of the file to up to 1 KB of data. |
No | Yes | AXIOM Process saves only the footer data you specify. |
Yes | Yes | AXIOM Process saves the file data from the header you specify to the footer you specify. If you specify a maximum size of data to carve, AXIOM Process saves data from the beginning of the file to the footer you specify. If you do not specify a maximum size, AXIOM Process saves data from the beginning of the file to up to 1 KB of data. |
Change the location of the Custom file types list
You can move the Custom file types list to another location, such as a shared network, to easily collaborate with other examiners.
- In AXIOM Process, click Processing details > Find more artifacts.
- Under Custom file types list location, click Change location.
- Browse to the location you want to save the custom file type list to.
- Click Okay.
Import a Custom file types list
If another examiner configured the Custom file types list in AXIOM Process and has made the file available to you, such as on a network share, you can change the location of the Custom file type list to use that list.
- In AXIOM Process, click Processing details > Find more artifacts.
- Under Custom file types list location, click Change location.
- Browse to the location of the Custom file types list that you want to import, and then click Okay.
- When prompted to use the file at the location you selected, click Use file.