Sunday, May 19, 2019

NIST data sets on Magnet AXIOM - Examine

Continued from Magnet AXIOM Process post

This post looks at the processed image from the NIST data sets for a data leakage case from the Computer Forensics Reference Data Sets Project (CFReDS).
Found at:

Opening Magnet AXIOM Examine and selecting the recently processed case

Magnet Axiom Examine - Home page

Drop down for different tabs in the home menu

Artifacts tab, tree pane view, within Axiom Examine

File system tree pane view: 2 partitions, System Reserved and C:

  • What are the hash values (MD5 & SHA-1) of all images?
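The first question asks for the MD5 and SHA-1 of every image. The following script is an added example, not code from the post or from Magnet: it hashes an image in fixed-size chunks (so a multi-gigabyte DD/E01 file is never read into memory at once) and compares the result with a published value, ignoring case and stray whitespace. File paths on the command line are whatever the analyst supplies; the in-memory `hash_bytes` helper exists only for the self-check.

```python
import hashlib
import io
import sys
from typing import BinaryIO, Dict, Optional

# Read forensic images in 1 MiB chunks; hashlib objects accept incremental updates,
# so the digest is identical to hashing the whole file in one call.
CHUNK = 1024 * 1024


def hash_stream(stream: BinaryIO) -> Dict[str, str]:
    """Return the MD5 and SHA-1 hex digests of everything readable from `stream`."""
    md5 = hashlib.md5()
    sha1 = hashlib.sha1()
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def hash_file(path: str) -> Dict[str, str]:
    """Hash a file on disk (e.g. a .dd or .E01 image) without loading it fully."""
    with open(path, "rb") as fh:
        return hash_stream(fh)


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hash in-memory data; used for the self-check, not for real images."""
    return hash_stream(io.BytesIO(data))


def verify(digests: Dict[str, str],
           expected_md5: Optional[str] = None,
           expected_sha1: Optional[str] = None) -> bool:
    """Compare computed digests with published values.
    Case and surrounding whitespace are ignored (hash listings differ in both);
    returns True only if every supplied expected value matches."""
    ok = True
    if expected_md5 is not None:
        ok = ok and digests["md5"] == expected_md5.strip().lower()
    if expected_sha1 is not None:
        ok = ok and digests["sha1"] == expected_sha1.strip().lower()
    return ok


if __name__ == "__main__":
    # Usage: python hash_images.py image1.dd image2.dd ...
    for path in sys.argv[1:]:
        d = hash_file(path)
        print(f"{path}\n  MD5:  {d['md5']}\n  SHA1: {d['sha1']}")
```

Record both digests before and after processing; a mismatch against the values NIST publishes with the data set means the image copy, not the analysis, is the problem.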


  • Identify the partition information of the PC image.

  • Explain the installed OS information in detail
    (OS name, install date, registered owner…).

In the artifacts tab, drilling down to Operating System Information

OS information (Windows 7 Ultimate, installed 3/22/2015, registered owner is informant)

  • What is the timezone setting?

Eastern Standard Time, gathered from registry

  • Who was the last person to log on to the PC?
Because this is Windows 7, it is located in the registry at:

Registry Key for Last Logged on

  • What application was last installed?
Eraser has the most recent created date in Installed Programs.

  • Identify web related history

Web Related items include artifacts from Chrome History file and Edge\IE Webcache file

Search Terms in Google Web related item

  • When was the last recorded shutdown date/time?

HKLM\SYSTEM\ControlSet###\Control\Windows (value: ShutdownTime)

Pathing to registry key value and highlighting the hex

Decode section showing the decoded time
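AXIOM's decode pane does the conversion for you; doing it by hand confirms what the pane shows. `ShutdownTime` is a REG_BINARY holding a Windows FILETIME: a 64-bit little-endian count of 100-nanosecond intervals since 1601-01-01 00:00 UTC. The script below is an added example, not from the post or from Magnet; the hex strings in it are constructed test values, not bytes from the case image.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# FILETIME epoch: 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_hex_view(text: str) -> bytes:
    """Turn bytes as copied from a hex viewer ("00 80 3E D5 ...", with or
    without spaces, either case) into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode_filetime(raw: bytes) -> Optional[datetime]:
    """Decode an 8-byte little-endian FILETIME to a timezone-aware UTC datetime.
    An all-zero value is returned as None: Windows uses it for 'never set'."""
    if len(raw) != 8:
        raise ValueError(f"FILETIME must be exactly 8 bytes, got {len(raw)}")
    ticks = int.from_bytes(raw, "little")
    if ticks == 0:
        return None
    # 100 ns ticks -> microseconds; integer division drops sub-microsecond precision
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def decode_shutdown_time(hex_view: str) -> str:
    """Hex string from the registry viewer -> ISO 8601 UTC string (or 'not set')."""
    dt = decode_filetime(parse_hex_view(hex_view))
    return dt.isoformat() if dt else "not set"


if __name__ == "__main__":
    # Constructed sample values, not taken from the case image.
    for sample in ("00 80 3E D5 DE B1 9D 01",   # FILETIME of the Unix epoch
                   "00 40 6D 25 EB 53 BF 01",   # FILETIME of 2000-01-01
                   "00 00 00 00 00 00 00 00"):  # never set
        print(f"{sample} -> {decode_shutdown_time(sample)}")
```

The result is UTC. To present it in the machine's configured zone (Eastern Standard Time for this image), call `.astimezone(zoneinfo.ZoneInfo("America/New_York"))` on the returned datetime rather than subtracting a fixed five hours, so daylight-saving dates are handled.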

  • What are some artifacts of recent execution?

Jump Lists sorted by most recent Last Access time

Link files showing activity to a D: drive, a share drive, and cloud drive services

In the NTUSER.DAT location of "Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\Folder"

Decoded to Unicode
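Each numbered value under `RecentDocs` (and its per-extension subkeys such as `Folder`) starts with the target name as null-terminated UTF-16LE, and the sibling `MRUListEx` value orders those numbers most-recent-first as little-endian DWORDs ending in `0xFFFFFFFF`. The script below is an added example, not from the post or from Magnet, showing both decodes against a constructed key; the trailing bytes after each name are a placeholder standing in for the .lnk structure that follows in real values.

```python
import struct
from typing import Dict, List


def decode_recentdocs_name(value: bytes) -> str:
    """Return the target name at the start of a RecentDocs value.
    The name is UTF-16LE terminated by a 00 00 pair at an even offset; the
    binary .lnk reference that follows it is ignored."""
    for i in range(0, len(value) - 1, 2):
        if value[i:i + 2] == b"\x00\x00":
            return value[:i].decode("utf-16-le")
    # No terminator: decode what is there (odd trailing byte is dropped)
    return value[: len(value) & ~1].decode("utf-16-le", errors="replace")


def parse_mrulistex(raw: bytes) -> List[int]:
    """MRUListEx: little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF (a truncated value simply ends the list)."""
    order = []
    for offset in range(0, len(raw) - 3, 4):
        (idx,) = struct.unpack_from("<I", raw, offset)
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def recent_docs_in_order(values: Dict[str, bytes]) -> List[str]:
    """Given one RecentDocs key's values (names '0', '1', ... plus 'MRUListEx'),
    return the decoded target names, most recent first."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        key = str(idx)
        if key in values:  # tolerate an index whose value was deleted
            names.append(decode_recentdocs_name(values[key]))
    return names


def _encode(name: str) -> bytes:
    """Build a constructed value: UTF-16LE name, terminator, placeholder trailer."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x32\x00placeholder.lnk\x00"


# Constructed sample resembling a RecentDocs\Folder key; not data from the case image.
SAMPLE_KEY = {
    "0": _encode("Report.docx"),
    "1": _encode("Customers.xlsx"),
    "2": _encode("Design Notes.pdf"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    for rank, name in enumerate(recent_docs_in_order(SAMPLE_KEY), 1):
        print(f"{rank}. {name}")
```

The value names only tell you which slot a document landed in; `MRUListEx` is what gives the order of use, which is why a forensic tool sorts by it rather than by value name.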

Shellbags indicating access to a C:, D:, and share drive

  • What was written on the recent sticky note?
In Windows 7 it is located at:
"\Users\informant\AppData\Roaming\Microsoft\Sticky Notes\StickyNotes.snt"
The note reads: "Tomorrow ... Everything will be OK"

NIST has kindly posted the solutions for the case.
They can be found at

It covers in more detail the data leakage involving the USB images, which I did not include, as well as the email artifacts and a burnt CD.

I do commend and thank NIST for making this and found it to be a fun resource.
