Magnet AXIOM is a comprehensive digital investigation platform developed by Magnet Forensics, used globally by law enforcement and corporate incident response teams. Rather than forcing an investigator to use separate tools for different devices, AXIOM is designed to recover, process, and analyze digital evidence from computers, smartphones, and cloud sources all within a single collaborative case file.
Magnet AXIOM Process
AXIOM Process handles the heavy lifting of acquiring and processing the raw evidence. It is designed to automate the initial stages of an investigation so examiners can spend less time executing basic tasks and more time analyzing data.
- Acquisition & Processing: It can ingest data from a wide variety of sources, including forensic images (E01, RAW), memory dumps, live RAM captures, volume shadow copies, and mobile device backups.
- Parsing and Carving: The “Evidence Analyzer” inside AXIOM Process searches through allocated and unallocated space. It parses structured data (like Outlook OST files) and uses data carving to recover deleted files or URL fragments from unstructured space.
- Artifact Categorization: As it processes the data, it categorizes everything into “Artifacts.” For example, it automatically categorizes recovered documents into a `Documents` artifact category, or logs installed applications under `Installed Programs`.
- Automated Hash Lookups: During processing, it calculates hash values for all files and tags them if they match known hash databases (such as identifying known bad files).
Magnet AXIOM Examine
Once AXIOM Process finishes extracting the data, the investigator opens AXIOM Examine. This is the graphical interface where the actual forensic analysis, filtering, and reporting take place.
It features several different “Explorers” that allow you to view the data from different perspectives:
- Artifacts Explorer: This is the primary view, designed to make it easy to review large volumes of data. It displays the parsed artifacts (like Chat histories, Browser activity, and Recycle Bin entries) alongside a Preview Pane that details exactly what metadata was parsed (such as the deleted date from an `$I` file).
- File System & Registry Explorers: These allow you to jump from the high-level Artifact view straight down to the raw source data. You can use the Registry Explorer to validate OS artifacts or view native file structures.
- Connections Explorer: This powerful visual tool maps out the relationships between different pieces of evidence. It uses visual “nodes” and “connectors” to show how a file moved. For example, it can prove that a specific logged-in user downloaded a document, saved it to OneDrive, and then emailed it to an accomplice.
- Reporting: AXIOM Examine allows investigators to bookmark, tag (e.g., “Of Interest” or “Evidence”), and comment on key artifacts to easily generate comprehensive forensic reports for stakeholders or court proceedings.
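
The Artifacts Explorer item above mentions the deleted date parsed from a Recycle Bin `$I` file. The following is an added example, not AXIOM's own code: a stand-alone parser for the commonly documented `$I` layout that lets an examiner check a reported deleted date against the raw bytes. The function names and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100 ns ticks from here

def parse_i_file(data: bytes) -> dict:
    """Parse a Recycle Bin $I record (version 1: Vista-8.1, version 2: Windows 10+)."""
    if len(data) < 24:
        raise ValueError("truncated $I record: fixed header is 24 bytes")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]            # fixed 260-character UTF-16LE buffer
    elif version == 2:
        if len(data) < 28:
            raise ValueError("truncated $I record: missing path length")
        (n_chars,) = struct.unpack_from("<I", data, 24)  # length includes the NUL
        raw_path = data[28:28 + n_chars * 2]
        if len(raw_path) != n_chars * 2:
            raise ValueError("truncated $I record: path shorter than declared")
    else:
        raise ValueError(f"unsupported $I version: {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": size,
        "deleted_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "original_path": path,
    }

def build_sample(version: int = 2) -> bytes:
    """Constructed sample record (not taken from a real case)."""
    path = "C:\\Users\\analyst\\Documents\\report.docx\x00"
    deleted = datetime(2024, 3, 15, 14, 30, tzinfo=timezone.utc)
    ticks = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<QQQ", version, 48213, ticks)
    encoded = path.encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(path)) + encoded

if __name__ == "__main__":
    for v in (1, 2):
        print(parse_i_file(build_sample(v)))
```

The timestamp is returned in UTC, so compare it with the tool's value only after accounting for any time zone applied in the case settings.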