A common request from legal counsel: "We have a forensic image containing email files, and we need to find every message that hits on this keyword list. Can you pull them out for us to review?"
We recently worked a case along exactly these lines — a keyword list of several dozen terms, an AD1 image containing email data, and a need to produce a clean, reviewable export for a legal team. Here's what we learned about getting the most out of Magnet AXIOM on a task like this, and the honest answer about when a different tool is the better call.
The setup
The starting point was a forensic image in AD1 format containing the email files we needed to search. The workflow was straightforward in principle: load the image into Magnet AXIOM, apply a keyword list and a date range filter, and export the matching emails for review.
We loaded the keyword list as a plain text file with one keyword per line and constrained the search to the relevant date window. AXIOM ran the search across the parsed email artifacts in the image and surfaced the matching items.
Comparing the export formats
This is where it got interesting. AXIOM offers several export formats, and the choice matters more than you'd think for a deliverable that a legal team actually has to use.
HTML export turned out to be the clear winner for legal review. The output is organized into a navigable structure, the full email body renders correctly, embedded images and inline content display properly, attachments are linked and can be opened directly, and there's even a link back to the original message in Outlook for context. For a reviewer scanning hundreds of hits, this is by far the most usable format.
Magnet's native format (.mfdb, internally JSON) is a different animal. It's designed for programmatic consumption and ingestion back into AXIOM — not for human reading. The structured data is all there, but a lawyer trying to review emails from a raw JSON dump is going to have a bad day.
PDF export sounds appealing on paper, but in practice the output was difficult to read. Attachments don't carry over cleanly, the email body sometimes renders with raw HTML strings mixed into the visible text, and threading and formatting get lost in ways that make reviewers second-guess what they're looking at.
Excel export is well organized at the row-and-column level, but it strips out the things that matter most for review — you lose the email body content and the links to attachments. Useful as an index or hit-list summary, not as the deliverable itself.
After working through all four, we standardized on HTML for review-grade exports and documented a detailed step-by-step internally so the workflow is repeatable across future cases.
The accuracy problem nobody likes to talk about
Here's the harder lesson. AXIOM's keyword search produced both false positives and false negatives — enough of each that we couldn't confidently hand the result over as a complete picture of the data.
False positives are an unavoidable feature of any keyword search: hits in email signatures, headers, quoted footers from prior threads, and incidental matches inside attachment metadata or encoded payloads will always show up. Reviewers can filter those out with attention, but it slows the process down.
False negatives are the more dangerous problem. Modern email containers — PST files in particular — store body content in UTF-16 LE encoding, while a default keyword search against unparsed content does ASCII matching unless explicitly configured otherwise. A keyword that should match plainly readable text can silently miss the majority of the document because the underlying bytes are encoded differently than the search assumes. Add to that issues with keywords split across line wraps in HTML email bodies, hits buried in attachments that weren't fully parsed, and Unicode normalization differences (smart quotes versus straight quotes, ligatures, accented characters), and the accuracy ceiling becomes a real concern.
We tried a few mitigations during the case — including running the search against all content rather than only parsed artifacts, and re-running with the keyword list applied at different stages of case creation — but the underlying accuracy ceiling stayed in roughly the same range.
The honest takeaway
AXIOM is an excellent forensic investigation tool. For timeline analysis, deleted item recovery, artifact carving, and overall case investigation, it's hard to beat. But for large-scale keyword discovery across email data — the specific task of "here is a keyword list of several dozen terms, find every hit in this mailbox" — the right answer is increasingly to hand the PST file to legal counsel and let them ingest it directly into a dedicated e-discovery platform like Relativity.
Relativity is purpose-built for this exact workflow. Its search engine handles encoding properly, its review interface is designed for legal teams to tag, redact, and code documents at scale, and its keyword search results carry the kind of defensibility that holds up in discovery. For our case, this is what counsel asked for in the end — and on similar matters going forward, we'd recommend the same approach from day one.
When AXIOM is still the right call
This isn't a "don't use AXIOM for emails" conclusion. AXIOM still shines when the question is forensic rather than discovery — when was this email deleted, what attachments did it have, was it ever forwarded, what does the device's overall messaging timeline look like — and when you need to correlate email evidence with other artifacts on the same device, like chat messages, browser history, or file system activity. Its integrated case view is hard to replicate elsewhere. For small datasets where careful manual review of an HTML export is feasible, AXIOM is also still the cleanest path.
The line we draw now: AXIOM for investigation, Relativity for review. Knowing which side of the line a given matter falls on is half the battle.
Case details have been generalized to protect client confidentiality. Published with client consent.
Working an e-discovery matter and unsure where the line falls? Our Email & eDiscovery team handles both sides — open a case for a privileged consult.