Continued from Magnet AXIOM Process post
This post looks at the processed image of the data leakage case from the NIST Computer Forensics Reference Data Sets project (CFReDS), working through the case questions in Magnet AXIOM Examine.
|Opening Magnet AXIOM Examine and selecting the recent processed case|
|Magnet Axiom Examine - Home page|
|Drop down for different tabs in the home menu|
|Artifacts tab, tree pane view, within Axiom Examine|
|File system tree pane view. 2 partitions: System Reserved and C|
- What are the hash values (MD5 & SHA-1) of all images?
- Identify the partition information of the PC image?
- Explain installed OS information in detail (OS name, install date, registered owner…)?
|In the artifacts tab, drilling down to Operating System Information|
|OS information(Windows 7 Ultimate, 3/22/2015 install date, Owner is informant)|
- What is the timezone setting?
|Eastern Standard Time, gathered from registry|
- Who was the last person to logon to the PC?
|Registry Key for Last Logged on|
- What application was last installed?
|Eraser has the most recent created date in the Installed Programs|
- Identify web-related history
|Web-related items include artifacts from the Chrome History file and the Edge/IE WebCache file|
- When was the last recorded shutdown date/time?
HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime). The value is REG_BINARY holding a 64-bit Windows FILETIME (100-nanosecond intervals since 1601-01-01, in UTC), so the hex has to be decoded and then adjusted by the image's time zone bias before it can be reported as local time. Use the control set that HKLM\SYSTEM\Select\Current points to, since the other ControlSet### keys may hold a stale copy.
|Pathing to registry key value and highlighting the hex|
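The decode that AXIOM does for you, written out as an added example (not code from the original post or from Magnet): the sample bytes are constructed to look like a registry hex pane and are not taken from the NIST image, and the ActiveTimeBias value of 300 minutes (Eastern Standard Time with no DST in effect) is an assumption used only to show the local-time step.

```python
"""Decode a Windows FILETIME as stored in the REG_BINARY ShutdownTime value."""
from datetime import datetime, timedelta, timezone

# Constructed sample: 8 bytes exactly as a hex pane shows them, little-endian.
# Not taken from the NIST image.
SAMPLE_SHUTDOWN_TIME = bytes.fromhex("804225b51067d001")

# ActiveTimeBias (minutes) lives under
# HKLM\SYSTEM\ControlSet###\Control\TimeZoneInformation. Assumed value for
# illustration: 300 = UTC-5, i.e. Eastern Standard Time without DST.
ASSUMED_ACTIVE_TIME_BIAS = 300

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(raw: bytes):
    """Convert an 8-byte little-endian FILETIME to an aware UTC datetime.
    Returns None for an all-zero value (the value was never written)."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")  # 100-ns intervals since 1601-01-01 UTC
    if ticks == 0:
        return None
    # timedelta resolves to microseconds, so drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_local(raw: bytes, active_time_bias_minutes: int):
    """Apply the registry bias. Windows defines UTC = local + bias,
    so local = UTC - bias."""
    utc = filetime_to_utc(raw)
    if utc is None:
        return None
    local_tz = timezone(timedelta(minutes=-active_time_bias_minutes))
    return utc.astimezone(local_tz)


if __name__ == "__main__":
    print("UTC:  ", filetime_to_utc(SAMPLE_SHUTDOWN_TIME))
    print("Local:", filetime_to_local(SAMPLE_SHUTDOWN_TIME, ASSUMED_ACTIVE_TIME_BIAS))
```

When reporting the result, keep the UTC value alongside the local one: the bias that was active at shutdown is what the registry recorded, and a DST transition between the snapshot and the shutdown would shift the local figure by an hour.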
- What are some artifacts of recent execution?
|Jump Lists sorted by most recent Last Access time|
|Link files showing activity to a D: drive, a share drive, and cloud drive services|
|In the NTUSER.DAT location of "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder"|
|Value data decoded from UTF-16LE Unicode|
|Shellbags indicating access to a C:, D:, and share drive|
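What the RecentDocs\Folder decode above amounts to, as an added example rather than code from the post or from Magnet: each numbered value starts with the folder name as a null-terminated UTF-16LE string, and the MRUListEx value is a list of little-endian DWORD indexes, most recent first, ending in 0xFFFFFFFF. The sample key contents are constructed (the names and the placeholder bytes standing in for the shell item that follows each name are made up for illustration) and are not from the NIST image.

```python
"""Decode RecentDocs MRU entries: UTF-16LE names plus MRUListEx ordering."""
import struct


def decode_recentdocs_name(value_data: bytes) -> str:
    """Return the target name: the UTF-16LE string at the start of the value,
    terminated by a two-byte null. The shell-item data that follows it (which
    carries the .lnk file name) is not parsed here."""
    end = 0
    # Scan on 2-byte boundaries so a code unit with a zero byte is not
    # mistaken for the terminator.
    while end + 1 < len(value_data):
        if value_data[end] == 0 and value_data[end + 1] == 0:
            break
        end += 2
    else:
        raise ValueError("no UTF-16LE null terminator found")
    return value_data[:end].decode("utf-16-le")


def parse_mrulistex(data: bytes) -> list:
    """MRUListEx: little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF."""
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_folders_in_mru_order(key_values: dict) -> list:
    """key_values maps value names ('0', '1', ..., 'MRUListEx') to raw bytes.
    Returns decoded names most-recent-first, skipping indexes with no value."""
    names = []
    for idx in parse_mrulistex(key_values["MRUListEx"]):
        raw = key_values.get(str(idx))
        if raw is None:
            continue
        names.append(decode_recentdocs_name(raw))
    return names


def _entry(name: str) -> bytes:
    # Constructed: UTF-16LE name, null terminator, then placeholder bytes
    # standing in for the shell item that a real value carries after the name.
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x32\x00placeholder"


# Constructed sample resembling the Folder subkey; not from the NIST image.
SAMPLE_FOLDER_KEY = {
    "0": _entry("secret_project"),
    "1": _entry("D:"),
    "2": _entry("\\\\share\\HR"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for name in recent_folders_in_mru_order(SAMPLE_FOLDER_KEY):
        print(name)
```

The numbered value names are slot indexes, not a timeline; only MRUListEx gives the order, and the key's last-write time dates just the most recent entry.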
- What was written on the recent sticky note?
|Tomorrow ... Everything will be OK|
NIST has kindly posted the solutions for the case, which can be found at
It covers in better detail the data leakage via the USB images, which I did not include, as well as the email artifacts and a burnt CD.
I commend and thank NIST for making this, and found it to be a fun resource.