AXIOM Cyber Data Collection

1. Case Creation

Create a new case to organise and store all the evidence collected throughout the investigation.

Case Creation: Launch the AXIOM Process and select Create New Case

Add Case Information:
- Case number: assign a case number for tracking purposes, for example INC-1001
- Case type: select the appropriate case type, for example Intrusion/incident response

Select Location For Case Files Storage:
- Folder name: provide a meaningful name, such as <hostname> - Intrusion Investigation
- File path: A:\CASES

Select Location For Acquired Evidence Storage:
- Folder name: provide a meaningful name, such as <hostname> - Intrusion Investigation
- File path: A:\CASES

Add Scan Information:
- Scanned by: <investigator name>

Next: Go to Evidence Sources

2. Evidence Sources

Remote Computer

Create New Agent

General Agent Settings:
- The agent will be saved to the default location: C:\AXIOM-Agents
- Agent ID: optional
- Operating system: Windows

Agent Masking Details:
- File name: AXIOM-Agent.exe
- Show More Details: add as required or leave as is

Survive Shutdown of Endpoint: depending on the investigation scenario, leave the default or select: Keep the agent running on the endpoint after a shutdown

Connectivity Details:
- Examiner workstation hostname or IP address: <IP address of examiner's workstation>
- Port: <port number> (8080)
- Reconnect delay: 10 seconds
- Disconnected keep alive: 1 day (up to you)

Next: Create Agent

Create Agent

Review Agent Details: <review details>

Deploy Agent
Select: Deploy Agent
- Endpoint IP address: remote host IP address
- Username: investigator AD username
- Password: AD password
- Agent location on endpoint: C:\Windows\Temp
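A pre-deployment check, added here as an example and not part of AXIOM Cyber or its documentation, that an examiner can run in an elevated PowerShell session on the examiner workstation before selecting Deploy Agent. It assumes the values used above (agent at C:\AXIOM-Agents\AXIOM-Agent.exe, callback port 8080, case INC-1001, case files under A:\CASES) and a placeholder endpoint hostname; it records the agent binary's hash for the case file and confirms the callback port is actually listening and allowed through the host firewall, which is the usual reason Deployment in Progress never completes.

```powershell
# Added pre-deployment check (not AXIOM Cyber's own tooling); run in an elevated
# PowerShell session on the examiner workstation before selecting Deploy Agent.
# Assumed values come from the walkthrough: agent saved to C:\AXIOM-Agents,
# masked file name AXIOM-Agent.exe, callback port 8080, case files under A:\CASES.
param(
    [string]$AgentPath    = 'C:\AXIOM-Agents\AXIOM-Agent.exe',
    [int]$CallbackPort    = 8080,
    [string]$CaseNumber   = 'INC-1001',
    [string]$EndpointHost = 'ENDPOINT-HOSTNAME',   # placeholder: the remote host
    [string]$CaseRoot     = 'A:\CASES'
)

$record = [ordered]@{
    CaseNumber   = $CaseNumber
    Examiner     = $env:USERNAME
    ExaminerHost = $env:COMPUTERNAME
    Endpoint     = $EndpointHost
    CheckedAt    = (Get-Date -Format o)
}

# 1. The agent binary must exist; record its SHA-256 so the exact binary that
#    was pushed to the endpoint is part of the case record (chain of custody).
if (-not (Test-Path -Path $AgentPath -PathType Leaf)) {
    throw "Agent binary not found at $AgentPath - create the agent first."
}
$record.AgentPath   = $AgentPath
$record.AgentSha256 = (Get-FileHash -Path $AgentPath -Algorithm SHA256).Hash

# 2. The agent calls back to this workstation on the configured port. If nothing
#    is listening here, 'Deployment in Progress' never completes.
$listener = Get-NetTCPConnection -LocalPort $CallbackPort -State Listen -ErrorAction SilentlyContinue
$record.PortListening = [bool]$listener

# 3. An inbound Windows Firewall rule must allow that port, or the endpoint's
#    connection attempts are silently dropped (port ranges are not matched here).
$allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
    Where-Object { (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort -contains "$CallbackPort" }
$record.FirewallAllowsPort = [bool]$allowRules

# 4. The endpoint should answer on the network before AD credentials are entered.
$record.EndpointReachable = Test-Connection -ComputerName $EndpointHost -Count 1 -Quiet

# Save the record alongside the case files and show it on screen.
$outFile = Join-Path $CaseRoot "$CaseNumber-agent-deployment.json"
$record | ConvertTo-Json | Out-File -FilePath $outFile -Encoding utf8
$record
```

If PortListening or FirewallAllowsPort is False, fix the listener or firewall rule on the examiner workstation before deploying rather than waiting on the progress screen.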

Next: Deploy Agent
Deployment in Progress
Select: Connect to Agent
Select: Connect to Endpoint

Select Items to Download: review and select the data from the endpoint
- Targeted Locations: select all available options
- Files and Drives: Files and Folders; select the files and folders appropriate to the investigation

Select Memory to Download
Select: Individual processes OR Full memory acquisition

Important note: leave the tool to capture the data until it has finished; don't navigate away. Depending on the size and number of files to be downloaded, this can take some time.

When data capture is complete, select Next for the final section of Evidence Sources: Preparing Selected Items
Note: AXIOM will archive the data and do its final checks. When complete, click: Go to Evidence Sources, then click: Go to Processing Details

3. Processing Details

The Processing Details screen allows additional IOCs or search keywords to be added to the search.

Data Processing Options:
- Quick Scan: a faster option focusing on key artefact types and providing quick insights into the major evidence categories.
- Full Scan: performs a comprehensive scan of all collected data, including a deeper search for deleted files, file system artefacts, and more granular evidence.
- Custom Scan: customise the scan to focus on specific artefact types, such as system logs, user activity, or network traffic.

Add Keywords to Search
Keyword Search Types:
