AX250 Magnet AXIOM Advanced Computer Forensics
MAKING TRAINING A TOP PRIORITY FOR DIGITAL FORENSICS
MAGNET FORENSICS TRAINING: Magnet AXIOM Advanced Computer Forensics (AX250)
Magnet Forensics Training and Certification helps empower users to know how to find the right information and bring expertise to add valuable context.
THE BENEFITS OF MAGNET TRAINING:
• Deep, expert-level practical knowledge of Magnet AXIOM
• Usage of Magnet RAM Capture, AXIOM Wordlist Generator, and other third-party tools
• Learn how to improve the acquisition and analysis of your computer data
• Get a deeper dive into Windows data and all the places you can piece the story together
• Find out how to get access to encrypted data
Computer forensics can be a crucial part of any investigation. Whether it’s piecing together activity to showcase intent, or finding incriminating evidence itself, there’s no shortage of places to look on modern computers. And with constantly expanding memory and more sophisticated software, there were will always be new places to look.
Magnet AXIOM can be an extremely valuable tool in the acquisition, analyzing, and reporting of that information — bringing it together in an intuitive and robust solution that saves you time and helps you solve more cases.
WHO IS MAGNET AXIOM ADVANCED COMPUTER FORENSICS (AX250) FOR?
AXIOM Advanced Computer Forensics (AX250) is an expert-level four-day training course, designed for participants who are somewhat familiar with the principals of digital forensics and who are seeking to expand their knowledge base on advanced forensics and leverage Magnet AXIOM to improve their computer investigations.
WHY DO I NEED IT?
AXIOM is easy to navigate, but AX250 will help attendees discover the depth and true value of AXIOM when conducting investigations with computer evidence — saving you hours that can now be spent on deeper analysis and faster collaboration.
Our world-class trainers will bring their years of expertise to the classroom and share the latest trends that examiners need to be aware of, keeping them one step ahead in their investigations. Magnet Forensics trainers have had active experience in investigations and forensics, which means they bring with them a wealth of knowledge. That knowledge provides attendees with tips and tricks for driving better forensics results. The opportunity to ask questions and engage with our trainers is invaluable.
WHAT ARE THE OUTCOMES?
When students attend AX250, they get a dedicated four-day course that will utilize instructor-led scenario-based exercises to reinforce the learning objectives of the specific learning modules. It will further enhance your understanding of Magnet AXIOM’s functionality in computer analysis and its application within the forensic workflow.
In the end, students that complete Magnet Training are better equipped to get through cases faster, more thoroughly, and with fewer mistakes — saving departments hours of backlogged cases and ensuring higher conviction rates.
If you haven’t already, you can go complete the AXIOM Examinations (AX200) course. Upon completion of the AX200 course, you can obtain Magnet Certified Forensics Examiner (MCFE) Certification for free. Credibility is crucial when presenting evidence, and by obtaining MCFE certification, you can display your competence and expertise with forensics tools and be recognized as an authority when sharing and reporting on your findings — whether to stakeholders or in a courtroom setting.
HOW DO I TAKE PART IN AXIOM ADVANCED COMPUTER FORENSICS (AX250)?
Visit the magnetforensics.com/training to see our upcoming schedule and choose the date and location that work best for you.
AX250 will give participants the knowledge and skills they need to track computer access and file usage, utilizing Magnet AXIOM to explore the evidence in greater depth by learning about the newest sign-on technologies — such as pin password, Windows Hello, picture password, fingerprint recognition, and facial recognition.
In this course, a deeper understanding of investigating Windows computers will be provided by searching through artifacts like Windows Notification, Windows System Resource Utilization, Windows Error Reporting (WER) Logs, Event Logs (EVT), Event Tracing Logs (ETL), as well as a breakdown of the taskbar and whether an artifact was system pinned or user pinned to it.
Also, there will be time spent investigating EMDMgmt to dig deep into tracking drives attached to the Windows OS that may leave traces nowhere else. AppCompatFlags and AMCACHE will also be investigated to determine executable files which were previously executed on the system, but no longer exist.
This course will also discuss how to track files and folders based on information in the user profile and information recovered from Shellbags. Maximizing the data from Prefetch files, Jumplists, and Recent Docs to correlate the data recovered from the artifacts previously mentioned above.
This course also takes a look at collecting RAM images and parsing those images for actionable intelligence in support of the investigation.
Participants of this course will be utilizing Passware and the AXIOM Wordlist Generator to crack iTunes backups and Windows passwords from information in the image of the suspect hard disk drive including the most up to date versions of that software. Finally, participants of this course will investigate Google Drive, Modern Apps (Windows Store Apps), UsnJrnl and an in-depth look at File history and the extensible Database files tracking it.
AXIOM ADVANCED COMPUTER (AX250) MODULES
Each module of instruction employs instructor-led and student practical exercises to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize Magnet AXIOM in their investigative workflow.
MODULE 1: INTRODUCTION AND COURSE OVERVIEW
- Learning objectives will be presented along with expected outcomes over the course’s four days.
- Hands-on exercises will allow you to install Magnet AXIOM and learn about its associated programmatic components: AXIOM Process and AXIOM Examine.
MODULE 2: WINDOWS 10 OVERVIEW
- In addition to an overview of the course scenario, participants will gain an understanding of why Microsoft stated Windows 10 is the last Windows version they will ever release and the impact that is having and will continue to have on the forensic community.
- Explore Windows sign-in technologies, such as pin password, Windows Hello, picture password, fingerprint recognition, and facial recognition and how those technologies affect investigations.
- Report on the System Resource Utilization database for applications sending and receiving data via the internet — seeing how much data was sent and received, which could be paramount to proving (or disproving) an alibi.
- Track the current Windows build number of the system being examined, which will ensure the examiner is reporting the correct facts, as some facts change based on the Windows build number currently installed.
MODULE 3: EMD MANAGEMENT AND VOLUME SERIAL NUMBERS
- Learn how to utilize not so well-known registry locations to track serial numbers of volumes being accessed by the Windows Operating System. What files on those volumes were accessed via our suspect and corroborating this information via event logs.
- Use the power of AXIOM’s filtering and searching to conduct exercises that reinforce the learning objectives by utilizing all of these artifacts to tell a story on the files accessed by a user on a specific drive, and the fact that the drive was accessed by that computer at a certain date and time.
MODULE 4: FINDING MISSING FILES AND FOLDERS
- The Program Compatibility Assistant of the Windows operating system tracks the compatibility of software across different Windows versions.
- The PCA tracks the usage of executables on the suspect system, regardless of it has since been removed, much like USER ASSIST within the NTUser.DAT. AMCache, a very useful registry location, will be learned by students — including how to garner information detailing the use of executables across the suspect system.
- Learn how to utilize the PCA and AMCache Data to track the use of executables and hashes on the computer in question.
MODULE 5: PREFETCH FILES AND CORRELATING THE DATA
- Examine prefetch files in a much more in-depth view to determine the secrets they may hold, as well as how Windows stores and deletes them, to ensure when testifying, it’s done with knowledge and confidence. Maximizing the use of the intelligence gathered from prefetch files will lead examiners to discover new avenues to explore in their forensic cases.
- Also track the use of an encrypted container, as well as a wiping utility you may or may not know is built into Windows by default.
MODULE 6: WINDOWS JUMPLISTS & MOST RECENTLY USED (MRU)
- Understanding Jumplists is just the beginning. Being able to utilize the data provided to correlate information about previously existing drives and the files located on them which are no longer part of the system, is what this lesson is all about.
MODULE 7: COLLECTING RAM AND PARSING RAM
- Collection of RAM in running computers is paramount. Examiners would not leave a 16 GB or 32 GB thumb drive laying at the collection scene and surely, they are not going to leave RAM uncollected. This lesson will discuss the collection of RAM and where and why it is important. Besides collecting, this lesson also goes into the basics of RAM examination in volatility as well as AXIOM for carving artifacts. Once you open this Pandora’s box, watch out, as you will have a desire to investigate RAM at every opportunity knowing what it can hold.
MODULE 8: SHARING FILES AND FOLDERS AND SETTINGS ACROSS COMPUTERS
- Microsoft makes is easy to share between devices, using OneDrive for file sharing, and a Microsoft email account for other settings. Determine when the first time and last time data was shared with other devices via Sync technology. Settings of one Windows system can be shared with other Windows systems including Wi-Fi profiles and deleted profiles.
- Use the acquired RAM from the previous module and Passware to gain access to the Truecrypt container and its contents.
MODULE 9: iTUNES, iOS, AND CLOUD DATA
- Receive a refresher on IOS backups and use the AXIOM Wordlist Generator (AWG) and Passware to gain entry to the IOS backup and obtain the password. The password will then be used to gain access to the keychain data to see passwords utilized by the suspect for WiFi devices joined as well as any iOS Keychain passwords. Of course, we can’t just unlock the contents of the backup without looking at them and utilizing the data within to help us solve the case we are working.
- Get introduced to AXIOM Cloud functionality where a complete collection of the suspects’ Gmail account has taken place and entered into an AXIOM case to examine and correlate further data.
MODULE 10: ENCRYPTION AND CRACKING WINDOWS 10 PASSWORDS
- Microsoft recently introduced a large anniversary update for Windows 10. The standard login workflow of Windows 10 has been slightly changed and due to these slight, yet significant changes, most hacker tools for pulling password hashes out of Windows will not work anymore. These changes may have been motivated by Microsoft’s desire to discontinue support for legacy and vulnerable cryptographic algorithms.
- Use AXIOM, the AXIOM Wordlist Generator and a combination of software to extract the Windows 10 password from the SAM hive using the algorithm stored in the System hive.
- Discuss the booting of the suspect device for court purposes as well as the necessity to gather as many passwords as possible as we are all creatures of habit.
MODULE 11: INVESTIGATING GOOGLE DRIVE
- Google Drive is a powerful tool which has proliferated across businesses and individuals alike. Google Drive uses a program aptly named Backup and Sync and it leaves behind quite a few forensic artifacts which participants will investigate to recover forensic artifacts about the uploading and downloading of files to a specific computer system.
MODULE 12: WINDOWS FILE HISTORY AND WHAT IT COULD MEAN
- Not to be confused with Volume Shadow Service, File History is a Windows 10 program which regularly backs up versions of your files in the Documents, Music, Pictures, Videos, and Desktop folders and the OneDrive files available offline on your PC. If the originals are lost, damaged, or deleted, you can restore them. Users can also browse and restore different versions of their files by browsing through a timeline, selecting the version, and restoring it.
- Learn how to determine File History.
MODULE 13: MODERN APPS OVERVIEW
- Modern Apps (originally known as Metro Apps, Windows 8 Apps, or Windows Store Apps) were designed to be immersive. There is a focus on the touchscreen, but they also work on the standard desktop with no problems.
- Understand that internet history and cache for Modern Apps are not stored in the usual locations where an examiner would expect. Mail App, Photo App, Facebook App, as well as apps from the Windows App Store will all be examined to determine who installed the App, the usage of the App, as well as forensic artifacts left behind for examiners to recover.
MODULE 14: USING FILE SYSTEM LOGGING IN YOUR INVESTIGATIONS
- The USN journal is a log of changes to files on an NTFS volume. Such changes can for instance be the creation, deletion or modification of files or directories. It is optional to have it on and can be configured with fsutil.exe on Windows. However, it was not turned on by default until Vista and later. Being able to track files through the USNJrnl could be the only reference to the file if it had been previously deleted form the Hard Drive.
- Learn how to investigate the USNJrnl to retrieve forensic artifacts in support of an examination.
MODULE 15: CUMULATIVE REVIEW EXERCISES
- Throughout the four-day training event, instructor-led and student practical exercises are used to reinforce the learning objectives and provide the participants with the knowledge and skills necessary to successfully utilize Magnet AXIOM in their investigative workflow.
- To further reinforce the instructional goals of the course, students are presented with a final scenario-based practical exercise which represents a cumulative review of the exercises conducted in each of the individual modules.
Who Should Attend: Participants who are unfamiliar with the principles of digital forensics
Advanced Preparation: None
Program Level: Advanced-level
Field of Study: Computer Software & Applications
Delivery Method: Group Internet Based & Group Live
Magnet AXIOM Advanced Computer Forensics (AX250) is an expert-level four-day training course, designed for participants who are familiar with the principles of digital forensics and who are seeking to leverage Magnet AXIOM, Magnet RAM Capture, and third-party tools to improve their computer investigations.
Because AX250 is an expert-level course, it is recommended that students first complete Magnet AXIOM Examinations (AX200). AX200 will provide a thorough understanding of AXIOM that will help students focus on the mobile part of investigations in AX250.
This training will be delivered by Magnet Certified Instructors.