Magnet Forensics Portable Case Part Two - How To
Thursday, March 02, 2017 (16:29:49)
Posted by MagnetForensics
In part one of our Portable Case series, our Director of Forensics, Jessica Hyde, took a look at the features and benefits of Portable Case. She highlighted the power of real-time collaboration with multiple stakeholders and having all the feedback collected in one place.
Read part one here.
In part two: Magnet AXIOM Portable Case for Non-Technical Stakeholders, Jamie McQuaid gives a deep dive into using Portable Case.
Portable Case is a feature available in Magnet AXIOM which allows users to share their findings from an investigation with stakeholders who might not be forensic examiners, and may not have access to a full version of AXIOM.
Examiners can export a subset of their Magnet AXIOM case to be shared and reviewed by others and then merge any tags or comments back into the original case so the data can be shared and reviewed by all interested parties.
The purpose of this feature is to allow others, who might have additional details about an investigation that the examiner does not know (such as names, phone numbers, persons of interest, or other context surrounding the case) the ability to review important details without getting entrenched in the technical details of a forensic examination.
The following information should help examiners get their stakeholders up and running with Portable Case in AXIOM.
Portable Case can be run on a system that does not have AXIOM installed, however it does require a few dependencies and minimum system requirements to function properly:
* Windows 64-bit machine
* .NET version 4.5.2 or later installed
* C++ Redistributable 2008, 2012, and 2013 installed
* Local admin access on the machine (only required to install dependencies, not run the Portable Case)
Like AXIOM, Portable Case requires a Windows machine along with all the above to run properly. AXIOM also has a minimum system specification that will help ensure that the case can be opened on the system. Because your stakeholders won’t be processing any evidence, the processor specifications don’t matter as much, but for the stakeholders to have a decent viewing experience, the memory and disk values should at least match or exceed the following:
Anything less than the above specs and the stakeholder will experience slow searching and filtering and may cause issues running out of memory when trying to accomplish certain tasks.
Opening a Case
The next step is to ensure your stakeholders are opening the case correctly. When you create a Portable Case export in AXIOM, it will include a folder with quite a few files and folders inside. Portable Case is standalone, meaning that it includes the AXIOM Examine executable and most other dependencies in the Portable Case folder (along with the actual case data) and does not require AXIOM to be installed on the system beforehand.
When sharing a Portable Case with stakeholders or other users, ensure that you give them the entire Export folder or they may have trouble opening the case. This folder must also be able to read and write in order to be opened. Many examiners will share a portable case burned to a CD or as read-only, this prevents the case database from opening. If you receive the Portable Case on a CD, the folder will need to be copied to the local computer before it can be opened.
The Portable Case folder will include the following files and folders:
* bat – This is the file that should be double-clicked on to open the case. It will check for any dependencies prior to opening the case and ensure that you have the correct system requirements listed above.
* AXIOM Examine – This folder contains the AXIOM Examine executables and files needed to run the program. Stakeholders shouldn’t need to go into this folder.
* Documentation – All the documentation that is included with AXIOM is included in this folder in case you wish to learn how a feature works or need help when in the application.
* PortableCase – This folder contains all your case data. It will include the AXIOM case that you exported along with any pictures, videos, docs, or other attachments that are included in your case.
* Prerequisites – Some of the installers for .NET and C++ can be found in this folder should you need to install them on the system (some may be web based and need the Internet to download and install all the relevant files).
As mentioned above, all the stakeholder need to do is to double-click on the OpenCase.bat file, let it check for dependencies and then the case will open. The most common errors that prevent the case from opening are that the dependencies aren’t all installed or the Portable Case is read-only.
Reviewing the Evidence
Once the case is opened, the stakeholder can begin reviewing the data that is shared with them. We typically suggest not sharing the entire case with stakeholders as there will be a lot of artifacts that aren’t relevant to the investigation or may be too technical for the intended audience. For example, sharing Shellbags or Jumplists with non-technical stakeholders will tend to confuse them and will likely lead to a lot of questions.
These types of artifacts can be of great interest to a trained examiner but should be left out of a Portable Case. Most stakeholders are interested in chats, pictures, videos, documents, etc. that they can quickly review and determine if they’re relevant to the investigation or not.
The Portable Case should look and feel similar to the full version of AXIOM. You can run keyword searches in the top right of the screen, apply filters, use the various views, or just browse the artifacts along the left side. More advanced features such as the file system, registry, or hex/text views are disabled for Portable Case as these views shouldn’t be needed for a non-technical stakeholder and could cause challenges and questions during the review.
For more information on the basic functionality of AXIOM Examine and Portable Case, please refer to the documentation that is installed with AXIOM or included with the Portable Case.
Reporting/Returning to Main Case
Once the stakeholder has added any tags or comments, you may want to include that information in the master case so it can be included in the final report. AXIOM includes an option to merge the Portable Case back into the master case.
NOTE: You cannot merge two portable cases together. The portable case must be merged with the master case it was created from.
When merging cases, you will be walked through a short merge wizard that helps ensure that there are no conflicts, and that your stakeholder’s information does not overwrite any previous work done by the examiner. During this process, if any conflicts arise, it allows the examiner to decide how it should proceed (for example, if you tag a picture as “Category 1” but the stakeholder tags it as “Category 2”, you will have the option to choose one or the other or allow both tags to be applied to the given artifact).
Once the merging is complete, you can continue to finish your examination or create a report with data from both the master case and any additional Portable Cases that were merged back into the master.
PART TWO CONTINUED...
Check out our full blog post here for more information on limitations of Portable Case and to connect directly with Jamie and Jessica.