Browsing the artifacts
In AXIOM Examine, use the Artifacts explorer to browse artifact groups and select the specific types of artifacts that you want to view in more detail.
Depending on the type of investigation you're doing, any one of the artifacts that Magnet AXIOM Cyber recovers might be important to your search. For example, in a corporate espionage investigation, you might want to focus your efforts on the operating system artifacts. In a fraud case, you might want to focus on email and web-related artifacts.
Views in the Artifacts explorer
Within the Artifacts explorer, you can customize how evidence is displayed using several Views:
View | Description |
---|---|
Classic view | Stacks Evidence and Details vertically. |
Column view | Displays all artifact data in a table format that allows you to sort on any column. This is the default view. |
Conversation view | Displays messages as a back-and-forth dialog, in a format similar to the application that the messages are from. You can expand a conversation to see all the messages included in that conversation. This view uses an implicit filter to display only the content that is supported by chat threading. |
Histogram view | Provides a graphical representation of all the results in your case for each type of artifact. |
Row view | Displays an artifact result's most relevant pieces of data in a row format. |
Thumbnail view | Displays media files as thumbnails. This view uses an implicit filter to display only the artifacts that contain media attachments. You can double-click the picture and video thumbnails to preview the content. |
World map view | Plots artifact results as coordinates on a world map. This view uses an implicit filter to display only the artifacts that contain location information. |
Reviewing Refined results
Use the Refined results category as a starting point when browsing the artifacts in your case. Refined results extract and highlight specific fragments from their artifact counterparts. These fragments are considered important depending on the type of case (for example, Identifiers is a refined results category that pulls out fragments which point to specific people involved in the case, allowing you to create profiles). Magnet AXIOM Cyber analyzes the evidence that's recovered from other artifact categories and creates a hit for each artifact that matches the criteria of a refined results artifact (for example, when AXIOM Process recovers a URL that contains a search query, it creates a refined result of the Parsed search queries type). Each refined result has a link to the parent artifact that the evidence was recovered from. You can browse to the parent by clicking the Original artifact link in Details.
Refined results categories:
|
|
Change character encodings
Sometimes, Magnet AXIOM Cyber does not apply the correct encoding to an item, which causes some characters to become difficult to read. You can choose to change the encoding for a single item, a collection of items, or a whole artifact on a per-attribute basis.
- In AXIOM Examine, in the Artifacts explorer, select the items you want to change character encodings for.
- Right-click the selected items and click Change encoding.
- In the Items to encode drop-down list, select the items that you want to change character encodings for.
- In the Attribute selection drop-down list, select the attributes that you want to change character encodings for.
- In the drop-down list beside each attribute, select the encoding you want to use.
- Click Okay.
View artifacts in an external application
You can view the contents of artifacts using external applications such as HxD, Adobe Acrobat, Google Chrome, Microsoft Word, and more. The applications that Magnet AXIOM Cyber suggests for each artifact come from recently used Windows programs that are associated with each artifact type.
- In AXIOM Examine, in the Artifacts explorer, right-click an artifact.
- Click Open with.
- Select the application that you want to open the artifact with and click Okay.
Save artifacts
When you save artifacts, AXIOM Examine saves the bytes of data that the specific artifact hit is associated with. If the hit is parsed, the entire source file gets saved. If the hit is carved, only a subset of the source file gets saved.
Saving the attachments for single artifacts is available only in the Row, Column, and Classic views.
- In AXIOM Examine, in the Artifacts explorer, right-click an artifact group or type, or a single artifact.
- Click Save artifact to.
- Browse to the location where you want to save the files and click Select folder.