Hey everyone, [speaker name] from Magnet Forensics here, and today I'm excited to walk through Axiom Cyber's network acquisition features. With the recent release of Axiom Cyber, we now have the ability to complete remote endpoint collections as well as collect from cloud services like AWS S3 buckets and EC2 instances. For this case we're going to utilize Axiom Cyber to collect from a corporate endpoint that's currently under investigation.

As you can see, I've already got Axiom Process open for Cyber, and we have a new evidence source, which is this remote computer. I'm going to go ahead and select Remote computer, and this is where we're going to have the agents table. These agents right here I've already created and have used in different investigations in the past, so if I needed to, I could connect back to the agent, I could redeploy the agent, or I can go ahead and remove these if I've already used them and I don't need them again. For this instance I'm going to go ahead and delete these.

Now I'm going to go ahead and start a new agent, since this is a new endpoint I've never investigated before, and I'm going to hit Create new agent. We've given you a lot of flexibility when creating these agents. The first thing is we can name this; if we wanted to change the name, we could absolutely change this to whatever we want to. So if you wanted to signify maybe the file name plus your case number, or some other way to designate which endpoint this was going to, you could absolutely do that from here. You can also hit Show more options here, and this really gives you a lot of flexibility, so we can add different pieces of metadata into this file that you're creating, so that if someone finds it on their system and they right-click on it, they're going to see whatever information you populate in here. So we could enter more information here if you want to, but you absolutely don't have to.

Next we have Location for agent. This is going to be where the agent is saved on your computer, and the reason we did this is because you don't have to use Axiom to actually deploy the agent. If you have other endpoint utility agents or pieces of software that you're using, you can absolutely use those to deploy this agent. You can use Axiom, but you don't have to. So this is going to be where the agent is saved, so that if you need to have access to it, you will absolutely be able to do that. I'm going to leave this set to the default; I have an agents folder on my desktop that all the different agents I've created go to, but that being said, I'm going to leave that as is for now.

Down under Connectivity details is where the agent is going to call home to. This is going to be based on your information and where your examiner machine is, so I'm going to go ahead and populate this with my IP address. I have port 4321 specified; that's going to be where I've allowed Axiom to navigate back and forth to my analysis machine. So I've got that set. We have Reconnect delay and Disconnected keepalive. What's cool about this is, obviously, in corporate environments a lot of people are typically going from meeting to meeting, and maybe they shut their laptop and that kills your connection, and then you're having to start that investigation over and waiting for them to get back online. We've got it set up now to where it will automatically retry that connection for ten seconds, and we also have the disconnected keepalive, which will keep that agent alive for whatever time period you specify. So maybe at the end of a Friday you don't get the collection and you need to wait till Monday; instead of having to say "I'll have to redeploy the agent Monday," you can set this to say "I'll go ahead and allow this to be disconnected for three days before this agent automatically removes itself from that system."

What's important about our agent is that this is actually going to be more of an ad hoc approach, in that you are targeting one computer at a time. You're not deploying this agent in a gold build where this agent is going to live on every endpoint that's inside your environment, so definitely keep that in mind, because basically you want to deploy this agent, collect the data off of the given endpoint, and then have that agent dissolve itself so that you can move on to your next case.

With that being said, we have the information for our agent, so we're going to go ahead and hit Create agent. Now from here we're going to review our agent details, and we can see we didn't change the name, we left that standard; I've got my agent going to the agents folder on my desktop (you can specify this on your own), and I've got the connectivity details for this agent and where it's going to call home to. So I'm going to go ahead and hit Deploy agent.

Now this is going to be where we put in the information about our target computer, and for this one I'm going to go ahead and enter the IP address. Something to keep in mind when you deploy this agent is you're going to need a username and password. Most organizations will have admin profiles already set up on their endpoints, so you could absolutely use that to make these collections, but keep that in mind: you'll need to have that info handy to be able to deploy the agent. We can specify where we want to store this agent; obviously you can hide this wherever you want to on your endpoint, but for this particular case I'm just going to leave it at the root of the drive and hit Deploy agent. As you can see, we've deployed the agent; now it's launching that executable on our endpoint, and the agent is now running.

So I'm going to go ahead and hit Connect to agent, and here you can see we've got the computer status, and that is that we're trying to connect. What's important to note is you can already select targeted locations even if you aren't actually connected to the computer just yet. We did that so that once there is a connection made, it will automatically start downloading some of those pieces. It's important to note, though, that before you're actually connected to that endpoint you won't be able to select files and drives; remember, you'll only be able to do targeted locations. But here you can see we are connected to that endpoint. We can go into Targeted locations, and for this particular case we might want to go ahead and look at their Downloads folder, so go ahead and select that, and that's going to grab everything from their Downloads. I might want to say let's look at their Desktop as well, or maybe you wanted just the MFT file; you could grab just that and be good to go. But I've selected those pieces for the targeted locations, so we've got Downloaded items and Desktop selected. I'm going to go ahead and hit Next, and as you can see it's already downloading the information from that endpoint. So before I've gone through Files and drives, and Memory if I need it, you can see Axiom is already collecting that data, and you'll be able to see exactly when those items are downloaded as well.

For this I'm going to go ahead and hit Files and drives. As you can see, we could select a full physical image of that drive if we wanted to; obviously we don't recommend trying to image entire drives over a network connection, as that's going to take a very long time. But for this particular case I'm going to drill down to the C drive, go into the Users folder for this particular target, keep moving on down, and I want to look on their desktop to see if there's a particular file there. Sure enough, there's an Excel file that we were looking for, so I could say I just want to go ahead and grab that one file as well. It's also important to note that we have a Refresh button, so maybe you are working a case and you've been on this window for a long time looking for something, and you want to make sure that that user hasn't just created a desktop folder and added pieces of evidence into it. You can hit Refresh at any time and that will automatically pull in the updated information, so it's very quick to do. All right, so we've grabbed the one file that we are looking for; I'm going to go ahead and hit Next.

I'm going to move over to Memory. For memory you can grab individual processes, so if you know exactly what process you're looking for, you can absolutely grab just that, or you can go ahead and grab a full memory acquisition that we will take from the target computer. For this case we don't actually need any of the memory, but if we did, we could just say let's go ahead and grab the full memory acquisition, and then we could use Axiom Cyber, which has Volatility built in, to go ahead and process and examine that memory, which is great. So for this case I'm going to go ahead and hit Next, and as you can see we've already started downloading all the different pieces of evidence that we needed for this case. I think we're good here, so I'm going to hit Next once again.

As you can see, Axiom Cyber is prompting me: do I want to go ahead and delete the agent or keep the agent on that computer? Maybe you think you have everything you need, but you're not exactly sure; you could always say keep the agent on there, so you could very quickly reconnect to that agent that you've already deployed. But for this particular case I'm going to go ahead and say Delete agent, and Axiom is going to go ahead and remove that from the target endpoint. From here you can see we've archived the items, we've hashed the zip file that we have created with all the evidence pieces that we just collected, we've checked the RAM, and we've checked for encryption just in case. I'm going to go ahead and hit Add to evidence sources, and as you can see we've got our zip file now that has all the evidence that we just collected.

Just like we've always done with Axiom, I'm going to go on down to Analyze evidence and hit Analyze evidence from here. While Axiom is processing that out, I want to show off what we're doing on the back end in terms of the image file that we've created and how we are providing users a hash of that, so you know that it is a protected file, in the sense that if anything's been changed you'll know very quickly. So while Axiom is processing that, I'm going to open up my folder here and navigate to my case folder. Now that I have my case folder open, as you can see on the right-hand side we've got the zip that contains the evidence files we just collected using Axiom Cyber, and right below we have the text document, which I have open here, which gives you all the information as far as the output directory and the timestamps, as well as the MD5 and SHA-1 hash values of that zip file. So you'll always be able to refer back to this to confirm that that zip hasn't been affected if you're moving it around, or when you want to make sure that your evidence integrity is still intact.

With that, I'm going to close this and let's just take a quick look inside of Axiom Examine Cyber. Here you can see we have our remote computer. I'm going to go from our dashboard view onto our file system, and here you can see we've got the breakdown of the path: we collected both the Desktop and the Downloads folder. When we select that, we can see we do have that Excel document, and we can get our preview just like you normally would inside of Axiom. And then when we select the Downloads folder, we can also see what's going on in there, which includes a lot of pictures and it looks like some zip files. From file system view I'm going to hop on over to artifact view, and once again, just as normal, you'll be able to start digging through your data to see what all you've collected from the piece of evidence. I'm going to select Pictures; it looks like we've downloaded a lot of pictures. Once again, if we look on the right-hand side, looking down you'll get your path, so you'll always be able to source link exactly what you're looking for in your investigation.

So it goes without saying, we're really excited about Axiom Cyber, and if you're interested in learning more or getting a trial license, make sure to reach out to our sales team. Thanks for joining us.
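The integrity check the walkthrough describes (re-hashing the collected zip and comparing against the MD5 and SHA-1 recorded in the text document beside it) is easy to script for the case-folder stage. This is an added example, not Magnet's own code or the video's; the layout of the hash record is an assumption, so the parser only looks for labelled hex digests, and the record text and archive bytes below are constructed.

```python
"""Verify a collected evidence archive against the hash record saved next to it."""
import hashlib
import io
import re
from pathlib import Path

# Constructed stand-in for the text document the walkthrough describes (output
# directory, timestamps, MD5 and SHA-1 of the zip). The real file's layout is an
# assumption, so parsing keys only on "MD5:" / "SHA-1:" lines and ignores the rest.
SAMPLE_RECORD = """Output directory: C:\\Cases\\case-001
Started: 2020-01-01 09:00:00
Finished: 2020-01-01 09:05:00
MD5: 900150983cd24fb0d6963f7d28e17f72
SHA-1: a9993e364706816aba3e25717850c26c9cd0d89d
"""
SAMPLE_ARCHIVE = b"abc"  # constructed; a real run streams the zip from the case folder

_HASH_LINE = re.compile(
    r"^\s*(MD5|SHA-?1)\s*[:=]\s*([0-9a-f]{32}|[0-9a-f]{40})\s*$", re.I | re.M)


def parse_hash_record(text):
    """Map 'md5'/'sha1' to the lower-case digests found in the record text."""
    return {m.group(1).lower().replace("-", ""): m.group(2).lower()
            for m in _HASH_LINE.finditer(text)}


def hash_stream(fp, chunk_size=1 << 20):
    """Compute MD5 and SHA-1 in one pass, chunked so large archives need little RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    for block in iter(lambda: fp.read(chunk_size), b""):
        md5.update(block)
        sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_archive(record_text, fp):
    """Compare recorded and computed digests; an algorithm missing from the record fails."""
    recorded = parse_hash_record(record_text)
    computed = hash_stream(fp)
    per_algo = {algo: recorded.get(algo) == digest for algo, digest in computed.items()}
    return {"ok": all(per_algo.values()), "per_algorithm": per_algo, "computed": computed}


def verify_bytes(record_text, data):
    """Convenience wrapper for in-memory data (used by the demo and tests)."""
    return verify_archive(record_text, io.BytesIO(data))


def verify_case_folder(zip_path, record_path):
    """Verify a collected zip against the hash record stored beside it in the case folder."""
    text = Path(record_path).read_text(encoding="utf-8", errors="replace")
    with open(zip_path, "rb") as fp:
        return verify_archive(text, fp)


if __name__ == "__main__":
    print(verify_bytes(SAMPLE_RECORD, SAMPLE_ARCHIVE))
```

Run `verify_case_folder(<zip>, <txt>)` against the real case folder; a single flipped byte in the zip flips both `per_algorithm` entries to `False`.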