000014613 - Duplicate meta (e.g. 'windows_executable' vs. 'windows executable') exists during RSA NetWitness investigations

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000014613
Applies To: RSA NetWitness NextGen
RSA NetWitness NextGen 9.5 and above
RSA NetWitness Investigator
Issue: Duplicate meta (e.g. "windows_executable" vs. "windows executable") exists during RSA NetWitness investigations.
When reviewing meta data in Investigator, I see many metas which are likely duplicates. I would like to remove either of the meta values.


Examples:

Forensic fingerprint:
- "windows_executable" vs. "windows executable"
- "windows_installer" vs. "windows msi installer"
- "access_db" vs. "access db"

Resolution
This can be attributed to using multiple different versions of parsers that perform similar tasks.

For example, "access_db" and "windows_installer" are generated by the now-deprecated parser "file_fingerprints". We recommend disabling this parser and using the set of "fingerprint_*" parsers instead. See the attached document, 'Disabling Parsers'.

The duplicate executable meta can often be attributed to the parsers "CMS Windows Executable" ("windows_executable" meta) and "Advanced Windows Executable" ("windows executable" meta). The difference is that the "CMS" parser is provided by default, while the "Advanced" parser comes with (and is required by) Spectrum.

If you run Spectrum, you can therefore disable the "CMS" parser to avoid duplicate meta generation.

Notes
If "Advanced Windows Executable" is enabled and the "CMS Windows Executable" parser is disabled, some of the Application Rules from CMS will not work.
For example, "Filter Google Updates" <name=nw140020 rule="alias.host ends google.com && filetype = windows_executable,windows_installer,windows_dll" order=13 filter type=application> will not work, as "Advanced Windows Executable" registers "windows executable", not "windows_executable", as the "filetype".
A workaround is to modify all affected rules (i.e. those that use "filetype") to use <"windows executable", "windows installer", "windows dll">. Alternatively, you can enable both "Windows Executable" parsers and simply ignore the duplicate meta.
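To show why the filter silently stops working, here is an added example (not RSA code, and a deliberately simplified evaluator of the rule syntax above rather than the NetWitness rule engine): it evaluates the original and reworked "Filter Google Updates" conditions against constructed session meta as each parser would register it.

```python
import re

# Constructed sample sessions (not real captures): the meta each parser would register.
SESSION_CMS = {"alias.host": ["dl.google.com"], "filetype": ["windows_executable"]}
SESSION_ADVANCED = {"alias.host": ["dl.google.com"], "filetype": ["windows executable"]}
SESSION_BOTH = {"alias.host": ["dl.google.com"],
                "filetype": ["windows_executable", "windows executable"]}

# The rule quoted in the article, and the reworked version from the workaround.
ORIGINAL_RULE = ("alias.host ends google.com && "
                 "filetype = windows_executable,windows_installer,windows_dll")
UPDATED_RULE = ('alias.host ends google.com && '
                'filetype = "windows executable","windows installer","windows dll"')

def _parse_values(rhs):
    """Split a comma-separated value list; quotes allow values containing spaces.
    Assumes quoted values contain no commas (true for the rules above)."""
    return [v.strip().strip('"') for v in rhs.split(",")]

def _eval_clause(clause, meta):
    """Evaluate one 'key op value(s)' clause; only 'ends' and '=' are modelled (assumption)."""
    m = re.match(r"\s*([\w.]+)\s+(ends|=)\s+(.+?)\s*$", clause)
    if not m:
        raise ValueError("unsupported clause: %r" % clause)
    key, op, rhs = m.groups()
    present = meta.get(key, [])
    wanted = _parse_values(rhs)
    if op == "ends":
        return any(v.endswith(w) for v in present for w in wanted)
    return any(v in wanted for v in present)  # exact match, so "_" vs " " matters

def rule_matches(rule, meta):
    """True when every '&&'-joined clause holds for the session's meta."""
    return all(_eval_clause(c, meta) for c in rule.split("&&"))

def audit(rules, sessions):
    """Report which rule matches which session; False means the filter no longer applies."""
    return {rname: {sname: rule_matches(r, s) for sname, s in sessions.items()}
            for rname, r in rules.items()}

if __name__ == "__main__":
    result = audit({"original": ORIGINAL_RULE, "updated": UPDATED_RULE},
                   {"cms": SESSION_CMS, "advanced": SESSION_ADVANCED, "both": SESSION_BOTH})
    for rname, row in result.items():
        print(rname, row)
```

With both parsers enabled ("both" session) either rule form matches, which is why ignoring the duplicate meta is a valid alternative to rewriting the rules.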
Legacy Article ID: a58919

Attachments
