Kevin Clerks

Investigation Bootcamp

Blog Post created by Kevin Clerks Employee on Oct 21, 2016

Hi Folks,

I recently a recorded a few brief videos explaining the Investigation module of NetWitness. They’re broken into 3 sections that cover the Navigate View, Event View, and Profiles.

Much like this blog post, I tried to keep them as short as possible for convenience. If you’re seeking a more concise and thorough training experience, I would recommend RSA University - RSA NetWitness Logs and Packets: Hunting. However, if you’re interested in a more targeted explanation, please take a look at the following:

1. Navigate View

  • Searching and querying using meta keys available as well as the Query box
  • Meta formatting and behavior


2. Investigation Profiles

  • HTTP Meta Group Demo
  • Creation of Meta Group, Column Group, then using both in a profile
  • Prequeries

3. Events View

  • Pivoting to/from Navigate View
  • Different views of event listing
  • Best Reconstruction and the other types of session rendering
  • Discovery of malicious executable


As always, Happy Hunting