Endpoint: Performing Host Forensics

Document created by RSA Information Design and Development

on Jan 31, 2020•Last modified by RSA Information Design and Development

on Nov 11, 2020

Version 19Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Note: The information in this topic applies to RSA NetWitness Platform Version 11.4 and later.

You can perform the following forensic investigation on a host:

Master File Table (MFT)
System Dump
Process Dump

Note: This is applicable only for Windows agent (in Advanced mode) with NetWitness Platform version 11.4. Downloading system dump files may take significant time. Additional requests to the agent during system dump download are queued and processed when the download is complete.
MFT, system dump, and process dump downloads are not supported for agents communicating through Relay server.

Note: MFT, system dump, and process dump are stored in the Endpoint Server which may fill up the disk space. For large deployments, to utilize the storage efficiently without impacting the health of Endpoint Server, RSA recommends you to configure an external storage mount, so all the Endpoint Server can use the configured location to store the downloaded data.
By default, all files are downloaded to /var/netwitness/endpoint-server/<file type>/, where <file type> is MFT, system dump, or process dump. If you want to change the location, make sure that you have endpoint-server.configuration.manage permissions and do the following:
1. In the Explore view, go to endpoint/download.
2. In the base-path, provide the location of the directory.

Download Master File Table

Master File Table contains metadata of every file on the host. It keeps track of information, such as filename, size, timestamps, permissions, and location of the file on the host. It consists of two sets of timestamps - Standard Information ($SI) and File Name ($FN). Each set has the following timestamps - creation, access, update, and modification.

Time stomping is a technique that modifies the timestamps for a file (creation, access, update, and modification time) to mimic files that are in the same folder, making it difficult to identify suspicious files on a host. To perform forensic investigation of a suspicious file, you can download and analyze the MFT, and focus on files that are time stomped. For more information, see Analyze Downloaded MFT.

During MFT analysis, you can also search for suspicious filenames, and also files that were created before or after a known malicious event. You can also download files from the MFT viewer for further analysis.

Download MFT to Server

To download MFT to the server from the Hosts view:

Go to Hosts and do one the following:
- Select a host and select Download MFT to Server from the right-click context menu, or from the More drop-down list in the toolbar.
- Select the hostname to open the host details, click (More) beside the hostname, and select Download MFT to Server.
View details of the downloaded MFT in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

Analyze Downloaded MFT

You can use the MFT viewer to begin analysis where you can search for files based on file name, time stamps, and identify files that are timestomped.

View MFT

To view the content of the downloaded MFT:

Go to Hosts.
Select the hostname to open the host details and select the Downloads tab.
Click the file name. The MFT viewer is displayed.

All available files are displayed in a tree view similar to the Windows Explorer in the All Files folder. The Deleted Files folder contains a sequential list of all deleted files.
Click to view the folder structure. Click the row to view the folder content.

The details of the MFT is displayed in the table. By default, the table is sorted on the creation time ($FN). If the $SI and $FN timestamps are different, the columns are highlighted in red () indicating that it is time stomped.
Select one or more files and click Download File to Server on the toolbar to download files to the server.

Note: Downloading a folder is not supported and hence the option is grayed out for folders.

Filter MFT

You can filter files on file name, creation time ($FN), creation time ($SI), access time ($FN), access time ($SI), update time ($FN), update time ($SI), modified time ($FN), and modified time ($SI).

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click .

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

To filter, save, and delete MFT, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.

System and Process Memory Dump

To perform forensic investigation during an incident response, you can request a memory dump of a host or a process running on the host. You can analyze these dumps using third-party tools, such as Volatility, Rekall.

Download System Dump to Server

To download system dump to the server from the Hosts view:

Go to Hosts and do one the following:
- Select a host and select Download System Dump to Server from the right-click context menu, or from the More drop-down list in the toolbar.
- Select the hostname to open the host details and select Download System Dump to Server from the More option besides the hostname.
View the details of the downloaded system dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

Download Process Dump to Server

To download process dump to the server:

Go to Hosts.
Select the hostname to open the host details.
In the Processes, Libraries, or Anomalies tab, select Download Process Dump to Server from the right-click context menu, or from the More drop-down list in the toolbar.
View the details of the download process dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

To filter, save, and delete system dump or process dump, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.

The following are some errors you might encounter during system and process dump download:

Issue	Explanation
Parameter is incorrect.	The process for which the dump is requested might be running with a different process ID.
Element not found	The process for which the dump is requested is no longer active.
java.io.IOException:Unable to unwrap data, invalid status [CLOSED]	Connection to the agent is interrupted.
java.net.SocketTimeoutException	The network is slow or the system is down.
One or more arguments are not correct	Agent might be in the Insight mode or driver is not running.

Download Files Using Full Path or Wildcard

You can manually download files that help in investigations by either providing full path of the file or using wildcard.

Note: This is applicable only for agents in Advanced mode with NetWitness Platform version 11.5 and later.

To download files to the server:

Go to Hosts and do one of the following:
- Select one or more hosts from the same operating system, and select Download Files to Server from the right-click context menu, or from the More drop-down list in the toolbar. You can download files from only top 100 selected hosts at a time.
- Select the hostname to open the host details, click (More) beside the hostname, and select Download Files to Server.
In the Download Files to Server dialog, enter the full path where the files may be present or search using wildcard. For wild card search, you can use a maximum of two *, one at a folder level and the other at a file level.

For example, to retrieve the registry hive, you can enter the full path, C:\Windows\System32\config\SYSTEM.

If you want to retrieve user settings and configuration preferences for all users, download all files using the wildcard C:\Users\*\NTUSER.DAT.
For wildcard search, enter the number of files to download and size of the file. By default, the number of files is set to 10 and file size is set to 100 MB. For example, if the maximum number of files is set to 10 and file size is set to 10 MB, first 10 files within 10 MB are downloaded.
Click Download.

All files downloaded as a part of wildcard search are grouped together based on the search criteria. For example, all files downloaded using C:\Users\*\NTUSER.DAT are grouped, and you can click to expand and view all files under this group. You can sort the groups on the downloaded time and view the status of the download in the Downloaded column.

Filter Downloaded Files

You can filter the downloaded files on wildcard downloads, file type, file name, SHA256 (for files), and downloaded time. In the Downloaded Time field, you can also filter by custom date.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Save Downloaded File

You can retrieve the downloaded file and save it to your local file system for further analysis. To save the file:

Go to Hosts.
Select the hostname to open the host details and select the Downloads tab.
Right-click the file you want to save and select Save a Local Copy from the context menu or from the toolbar.
Browse the location and click Save.

Note: For wildcard downloads, select a file from the group that are downloaded successfully to save a local copy. You cannot save multiple files in the group at a time or save files with errors.

Delete Downloaded Files

If you want to delete the downloaded file from the server:

Go to Hosts.
Select the hostname to open the host details and select the Downloads tab.
Right-click one or more files you want to delete, and select Delete File from the context menu or from the toolbar.

Note: For wildcard downloads, you can select the group to delete all files that are downloaded.