Forensic Guide: Remote Acquisition using Magnet Axiom — III

CaptX
Jun 26, 2024


Magnet Axiom Cyber creates an agent, a small executable that has our host IP address and port embedded in it. When that agent is run on the endpoint we want to acquire, it opens a live session between the suspect machine and our host, and the acquisition runs over that session. In this setup both machines are connected to the same LAN.

Axiom has two components. Axiom Process is where we create the case, acquire evidence (locally or remotely) and parse it; Axiom Examine is where we review and analyse the processed results.

In this scenario, we are going to acquire the disk image of a corporate endpoint remotely using Axiom Cyber Process.

We have to click on the “create new case” option.

On opening, we land on the case details tab, where we enter the details of the case, including the folder on our host machine where the case files will be stored. Then we click "Go to evidence sources".

Our evidence source is a remote computer, so we select the Computer option, which takes us to the next page.

Next we select the platform of the target computer. The suspect machine is a Windows 10 VM, so we select Windows.

Two options are offered here. "Acquire evidence" starts a new acquisition (local or remote), and "Load evidence" lets us bring in an image that has already been created.

As we are acquiring an image from a remote device, we click the Remote option, which opens the agent tab. An agent is a small executable, similar to a payload, that we deploy and run on the suspect machine; it sets up a live session between our host machine and the Windows 10 VM, and through this session we acquire the image. Since we do not have any agents yet, we click "Create New Agent".

In this tab we fill in the agent details: the agent ID, the target operating system and the file name. There is also an option to keep the agent running on the endpoint after a shutdown (persistence across reboots). Then we enter our host IP address and the port the agent should use. One thing to remember: the Windows VM's network adapter must be in bridged mode. Bridged mode puts the VM on the same subnet as the host, with an IP address obtained from the same DHCP server, so the host IP we entered is directly reachable from the VM.

The agent is created; now we have to transfer it to the Windows 10 VM.

After that, we run the agent on the Windows 10 VM, and from our side we connect to the agent.
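Before running the agent it is worth a quick pre-flight on the VM, because the agent tab only records what we typed and does not tell us whether the VM can actually reach our host, whether the file survived the transfer intact, or whether the session has the privileges a full-disk and memory capture needs. The following PowerShell is an added example written for this post; it is not code from the original article or from Magnet Forensics. It assumes the agent calls home to the host IP and port entered in the agent creation tab, that you recorded the agent's SHA-256 on the examiner host before transferring it (for example with `Get-FileHash .\agent.exe -Algorithm SHA256` on the host), and that the IP, port and paths in the usage lines are placeholders to replace with your own values.

```powershell
# Added example for this post; not code from the original article or Magnet Forensics.
# Run in an elevated PowerShell session on the suspect Windows 10 VM after the agent
# has been copied over. All values passed in are assumptions for this example.
function Test-AgentPreflight {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $ExaminerHost,   # host IP typed into the agent tab
        [Parameter(Mandatory)] [int]    $ExaminerPort,   # port typed into the agent tab
        [Parameter(Mandatory)] [string] $AgentPath,      # where the agent landed on the VM
        [Parameter(Mandatory)] [string] $ExpectedSha256  # hash recorded on the host before transfer
    )

    # 1. Integrity: the file we are about to run must be the agent we generated.
    $actual = (Get-FileHash -Path $AgentPath -Algorithm SHA256).Hash
    $hashOk = ($actual -eq $ExpectedSha256.ToUpperInvariant())

    # 2. Bridged adapter check: with bridged networking the examiner host is on the
    #    VM's own subnet, so the selected route has no gateway (NextHop 0.0.0.0).
    #    A NAT or host-only adapter normally shows a gateway address here instead.
    $route = Find-NetRoute -RemoteIPAddress $ExaminerHost |
        Where-Object { $_.PSObject.Properties['NextHop'] } |
        Select-Object -First 1
    $onLink = [bool]($route -and $route.NextHop -eq '0.0.0.0')

    # 3. Reachability: a TCP connect to the examiner host on the agent port. This only
    #    succeeds once AXIOM is waiting for the agent, so run it right before starting it.
    $portOpen = Test-NetConnection -ComputerName $ExaminerHost -Port $ExaminerPort `
        -InformationLevel Quiet -WarningAction SilentlyContinue

    # 4. Privilege: full-disk and memory capture need an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # One object with everything the examiner wants in the case notes.
    [pscustomobject]@{
        AgentPath = $AgentPath
        AgentHash = $actual
        HashOk    = $hashOk
        OnLink    = $onLink
        PortOpen  = $portOpen
        Elevated  = $elevated
    }
}

# Usage. The IP, port, path and hash below are placeholders for this example.
$check = Test-AgentPreflight -ExaminerHost '192.168.1.50' -ExaminerPort 443 `
    -AgentPath 'C:\Temp\agent.exe' `
    -ExpectedSha256 '<sha256 recorded on the examiner host>'
$check | Format-List

# Start the agent only when every check passed; otherwise fix the failing item first.
if ($check.HashOk -and $check.OnLink -and $check.PortOpen -and $check.Elevated) {
    Start-Process -FilePath 'C:\Temp\agent.exe'
} else {
    Write-Warning 'Pre-flight failed; do not run the agent until the items above are fixed.'
}
```

Copy the `Format-List` output into the case notes rather than writing it to the VM's disk: everything we do on the endpoint during a live acquisition changes its state, so the fewer extra files we leave behind, the easier the later explanation. A failed `OnLink` check is the usual symptom of an adapter left in NAT mode; a failed `PortOpen` with `OnLink` true usually points at the host firewall not allowing the port the agent was built with.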

The tab will look like this after the connection.

From here we can capture the device's memory, the whole drive, or just particular files.
