Note: The information in this topic applies to RSA NetWitness Platform Version 11.4 and later.
You can perform the following forensic investigation on a host:
- Master File Table (MFT)
- System Dump
- Process Dump
Note: This applies only to Windows agents in Advanced mode with NetWitness Platform version 11.4. Downloading system dump files may take significant time. Additional requests to the agent during a system dump download are queued and processed when the download is complete.
MFT, system dump, and process dump downloads are not supported for agents communicating through Relay server.
Note: MFT, system dump, and process dump files are stored on the Endpoint Server and may fill up its disk space. For large deployments, to use storage efficiently without impacting the health of the Endpoint Server, RSA recommends that you configure an external storage mount so that all Endpoint Servers can use the configured location to store downloaded data.
By default, all files are downloaded to /var/netwitness/endpoint-server/<file type>/, where <file type> is MFT, system dump, or process dump. If you want to change the location, make sure that you have endpoint-server.configuration.manage permissions and do the following:
1. In the Explore view, go to endpoint/download.
2. In the base-path, provide the location of the directory.
Download Master File Table
The Master File Table contains metadata for every file on the host. It keeps track of information such as filename, size, timestamps, permissions, and the location of the file on the host. Each entry carries two sets of timestamps: Standard Information ($SI) and File Name ($FN). Each set has the following timestamps: creation, access, update, and modification.
Time stomping is a technique that modifies the timestamps for a file (creation, access, update, and modification time) to mimic files that are in the same folder, making it difficult to identify suspicious files on a host. To perform forensic investigation of a suspicious file, you can download and analyze the MFT, and focus on files that are time stomped. For more information, see Analyze Downloaded MFT.
During MFT analysis, you can also search for suspicious filenames, as well as files that were created before or after a known malicious event. You can also download files from the MFT viewer for further analysis.
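The two checks described above, comparing $SI against $FN and looking for files created around a known event, as an added example that is not part of the NetWitness documentation. It works on a constructed, hypothetical export layout (one record per file with both timestamp sets), not on the product's own MFT viewer format.

```python
from datetime import datetime, timedelta

FIELDS = ("creation", "access", "update", "modification")

def ts_set(creation, access=None, update=None, modification=None):
    """Build one timestamp set; fields left None copy the creation time."""
    return {"creation": creation, "access": access or creation,
            "update": update or creation, "modification": modification or creation}

# Constructed sample records in a hypothetical layout (not NetWitness's
# export format): each file carries its $SI and $FN timestamp sets, UTC.
SAMPLE_MFT = [
    {"path": r"C:\Windows\System32\kernel32.dll",
     "SI": ts_set("2019-03-19T04:52:33"), "FN": ts_set("2019-03-19T04:52:33")},
    # $SI stomped to blend in with its neighbours; $FN still holds the real times
    {"path": r"C:\Windows\System32\svchosts.exe",
     "SI": ts_set("2019-03-19T04:52:33"), "FN": ts_set("2021-07-02T11:15:40")},
    # Ordinary new file: both sets agree, created shortly after the event
    {"path": r"C:\Users\alice\AppData\Local\Temp\update.log",
     "SI": ts_set("2021-07-02T11:16:02"), "FN": ts_set("2021-07-02T11:16:02")},
]

def parse_ts(value):
    return datetime.fromisoformat(value)

def stomped_fields(record):
    """Names of the timestamp fields whose $SI and $FN values disagree."""
    return [f for f in FIELDS
            if parse_ts(record["SI"][f]) != parse_ts(record["FN"][f])]

def find_time_stomped(records):
    """Same rule as the viewer's red highlight: any $SI/$FN mismatch."""
    return [(r["path"], stomped_fields(r)) for r in records if stomped_fields(r)]

def created_near(records, event_iso, window_minutes=5):
    """Files whose $FN creation time lies within +/- window of a known event.
    $FN is compared because the documented Windows file-time APIs rewrite
    only $SI, so $FN more often survives stomping."""
    event = parse_ts(event_iso)
    window = timedelta(minutes=window_minutes)
    return sorted(r["path"] for r in records
                  if event - window <= parse_ts(r["FN"]["creation"]) <= event + window)

if __name__ == "__main__":
    for path, fields in find_time_stomped(SAMPLE_MFT):
        print(f"time stomped: {path} ({', '.join(fields)})")
    print("created near event:", created_near(SAMPLE_MFT, "2021-07-02T11:15:00"))
```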
Download MFT to Server
To download MFT to the server from the Hosts view:
- Go to Hosts and do one of the following:
- View details of the downloaded MFT in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
Analyze Downloaded MFT
You can use the MFT viewer to begin analysis: search for files by file name or timestamps, and identify files that are time stomped.
View MFT
To view the content of the downloaded MFT:
- Go to Hosts.
- Select the hostname to open the host details and select the Downloads tab.
- Click the file name. The MFT viewer is displayed.
  All available files are displayed in a tree view similar to Windows Explorer in the All Files folder. The Deleted Files folder contains a sequential list of all deleted files.
- Click the icon next to a folder to view the folder structure. Click the row to view the folder content.
  The details of the MFT are displayed in the table. By default, the table is sorted on the creation time ($FN). If the $SI and $FN timestamps differ, the columns are highlighted in red, indicating that the file is time stomped.
- Select one or more files and click Download File to Server on the toolbar to download files to the server.
Note: Downloading a folder is not supported and hence the option is grayed out for folders.
You can filter files on file name, creation time ($FN), creation time ($SI), access time ($FN), access time ($SI), update time ($FN), update time ($SI), modified time ($FN), and modified time ($SI).
Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click the delete icon.
Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.
To filter, save, and delete MFT, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.
System and Process Memory Dump
To perform forensic investigation during an incident response, you can request a memory dump of a host or of a process running on the host. You can analyze these dumps using third-party tools such as Volatility or Rekall.
Download System Dump to Server
To download system dump to the server from the Hosts view:
- Go to Hosts and do one of the following:
- View the details of the downloaded system dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
Download Process Dump to Server
To download process dump to the server:
- Go to Hosts.
- Select the hostname to open the host details.
- In the Processes, Libraries, or Anomalies tab, select Download Process Dump to Server from the right-click context menu, or from the More drop-down list in the toolbar.
- View the details of the downloaded process dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
To filter, save, and delete system dump or process dump, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.
The following are some errors you might encounter during system and process dump download:
| Issue | Explanation |
|---|---|
| Parameter is incorrect. | The process for which the dump is requested might be running with a different process ID. |
| Element not found | The process for which the dump is requested is no longer active. |
| java.io.IOException:Unable to unwrap data, invalid status [CLOSED] | Connection to the agent is interrupted. |
| java.net.SocketTimeoutException | The network is slow or the system is down. |
| One or more arguments are not correct | Agent might be in the Insight mode or the driver is not running. |
Download Files Using Full Path or Wildcard
You can manually download files that help in investigations by either providing the full path of the file or using a wildcard.
Note: This is applicable only for agents in Advanced mode with NetWitness Platform version 11.5 and later.
To download files to the server:
- Go to Hosts and do one of the following:
  - Select one or more hosts from the same operating system, and select Download Files to Server from the right-click context menu, or from the More drop-down list in the toolbar. You can download files from only the top 100 selected hosts at a time.
  - Select the hostname to open the host details, click More beside the hostname, and select Download Files to Server.
- In the Download Files to Server dialog, enter the full path where the files may be present or search using a wildcard. For wildcard search, you can use a maximum of two *, one at a folder level and the other at a file level.
  For example, to retrieve the registry hive, you can enter the full path, C:\Windows\System32\config\SYSTEM.
  If you want to retrieve user settings and configuration preferences for all users, download all files using the wildcard C:\Users\*\NTUSER.DAT.
- For wildcard search, enter the number of files to download and the size of the file. By default, the number of files is set to 10 and the file size is set to 100 MB. For example, if the maximum number of files is set to 10 and the file size is set to 10 MB, the first 10 files within 10 MB are downloaded.
- Click Download.
  All files downloaded as part of a wildcard search are grouped together based on the search criteria. For example, all files downloaded using C:\Users\*\NTUSER.DAT are grouped, and you can expand the group to view all files in it. You can sort the groups on the downloaded time and view the status of the download in the Downloaded column.
Filter Downloaded Files
You can filter the downloaded files on wildcard downloads, file type, file name, SHA256 (for files), and downloaded time. In the Downloaded Time field, you can also filter by custom date.
Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click the delete icon.
Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.
Save Downloaded File
You can retrieve the downloaded file and save it to your local file system for further analysis. To save the file:
- Go to Hosts.
- Select the hostname to open the host details and select the Downloads tab.
- Right-click the file you want to save and select Save a Local Copy from the context menu or from the toolbar.
- Browse to the location and click Save.
Note: For wildcard downloads, select a file in the group that was downloaded successfully to save a local copy. You cannot save multiple files in the group at a time, or save files that have errors.
Delete Downloaded Files
If you want to delete the downloaded file from the server: