Endpoint: Analyzing Downloaded Files

Document created by RSA Information Design and Development on Apr 11, 2019
Version 1

Analyzing Downloaded Files

To perform a deep analysis of suspicious files, you can manually download the file to the server.

Note: Make sure that the location for file download is configured. For more information, see "Configure Location for File Download" in the NetWitness Endpoint Configuration Guide.

For the downloaded file, you can:

  • Search for strings in the executable
  • View text content for scripts
  • View imported libraries and functions
  • Save a local copy for further analysis

Download Files to Server

The Download to Server option is disabled for memory DLL and floating code. You can download a maximum of 100 files at a time. To download files to the server from the Hosts view:

  1. Go to INVESTIGATE > Hosts.

  2. Select the hostname to open the Host Details view.

  3. In any of the Processes, Autoruns, Files, Drivers, Libraries, or Anomalies tabs, select the file, and do one of the following:

    Download to server

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More drop-down list in the toolbar.

To download files to the server from the Files view:

  1. Go to INVESTIGATE > Files.

  2. Select the file and do one of the following:

    Download to server

    • Right-click and select Download File to Server from the context menu.
    • Select Download File to Server from the More drop-down list in the toolbar.

The status of the download is displayed in the Downloaded column. The download statuses are Downloaded, Not downloaded, and Error.

Save Downloaded Files

You can retrieve a downloaded file and save it to your local file system for further analysis. Downloaded files are stored in the server in the configured location. This option is enabled only if the file is downloaded to the server.

To save a file:

  1. Go to INVESTIGATE > Hosts Details or Files.
  2. Right-click the file you want to save and select Save a Local Copy.
  3. Browse the location and click Save.

Analyze Downloaded Files

You can use the Analyze File option to view detailed information about a downloaded file. This option is enabled only if the file is downloaded to the server. To analyze a file:

  1. Go to INVESTIGATE > Hosts or Files.

  2. Right-click the downloaded file and select Analyze File. The File Analysis view opens and the properties of the file are displayed in the right panel.

    Analyze files

  3. View strings in the file in the Strings view while analyzing an executable (such as macho, pe, elf). This view lists each string, its offset in the binary, whether it is Unicode, and its length. You can search for or filter on a specific string value in the Filter String field.

  4. View the text content of the file and look for any suspicious behavior in the script file.

    For example, if the file contains C2 information in the form of domain names or IP addresses, it is highly suspicious.

    File containing C2 information

    If you see unprintable keyboard keys listed within the file, such as [F1], [F2] … [Page Up], [Enter], [ESC], and so on, this may indicate a keystroke logger.

    Indicators of keystroke logging
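As an added example, not part of this guide or of the NetWitness product, the following Python script reproduces the Strings view fields (string, offset, unicode, length) over a constructed byte blob and flags the two indicator types described above: IP address or domain-like strings and key-name tokens such as [F1] or [Enter]. The sample bytes and the matching patterns are assumptions made for illustration, not the product's own logic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "binary": printable ASCII and UTF-16LE strings embedded in
# non-printable bytes. Not taken from any real file; all values are illustrative.
SAMPLE = (
    b"\x00\x01MZ\x90\x00"
    + b"GET /beacon HTTP/1.1\x00"
    + b"\x7f\x02" + b"198.51.100.23\x00"
    + b"update.example.net\x00\x01"
    + "[F1][Enter][Page Up]".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"
)

# Assumed heuristics for the two indicator types the guide describes.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
KEY_TOKEN_RE = re.compile(r"\[(?:F\d{1,2}|Enter|ESC|Tab|Backspace|Page (?:Up|Down))\]", re.I)


def extract_strings(data: bytes, min_len: int = 4) -> List[Dict]:
    """Return rows with the same fields as the Strings view: string, offset, unicode, length."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # UTF-16LE, ASCII range only
    rows = []
    for m in ascii_re.finditer(data):
        s = m.group().decode("ascii")
        rows.append({"string": s, "offset": m.start(), "unicode": False, "length": len(s)})
    for m in utf16_re.finditer(data):
        s = m.group().decode("utf-16-le")
        rows.append({"string": s, "offset": m.start(), "unicode": True, "length": len(s)})
    return sorted(rows, key=lambda r: r["offset"])


def flag_indicators(rows: List[Dict]) -> List[Tuple[int, str, str]]:
    """Flag strings that look like C2 addresses or logged key names, keeping their offsets."""
    flags = []
    for r in rows:
        s = r["string"]
        if IPV4_RE.search(s) or DOMAIN_RE.search(s):
            flags.append((r["offset"], "possible C2 address", s))
        if KEY_TOKEN_RE.search(s):
            flags.append((r["offset"], "keystroke-logger key name", s))
    return flags


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for r in found:
        print(f"{r['offset']:6d}  unicode={r['unicode']!s:5}  len={r['length']:3d}  {r['string']}")
    for offset, reason, s in flag_indicators(found):
        print(f"FLAG @ {offset}: {reason}: {s}")
```

Replace SAMPLE with the bytes of a file saved via Save a Local Copy to triage it offline; the flags are only a starting point for manual review, not a verdict.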
