Sunday, May 12, 2019

Processing an Image with Axiom Process

Create a new case

Going to use images from NIST's Computer Forensics Data Sets site:

Personal Computer (PC) – 'EnCase' Image

Download Linkspc.E01pc.E02pc.E03pc.E04 (total 7.28 GB compressed by EnCase) - hash
Imaging S/WEnCase Imager
Image FormatE01 (Expert Witness Compression Format) converted from VMDK

Using Powershell to retrieve the image files from the site to desktop:
run these two commands, 2nd one will need to be for each .E01 file
  • $client = new-object System.Net.WebClient
  •  $client.DownloadFile("", C:\Users\bryan\Desktop\Data_Leakage_pc.E01")
*needs to be done for E01 - E04

Open Magnet's Axiom Process 

Filling in case details

Selecting Evidence source.  In this case it is a Windows Computer image

Load the evidence image file

Select the image option

Evidence Sources Added
Sources on the disk image from where artifacts are processed from. 

Options for further processing.  Can choose to find keywords from artifact type.

Select Analyze.  Magnet Examine will open and a percentage circle with time elapsed bar will count the process time

Currently processing progress percentage shown

Next post will be showing the examination piece of this evidence image, once done processing.

NIST.(2019). Data Leakage Case. Retrieved from

No comments:

Post a Comment