Investigate: Export a Drill Point

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Oct 24, 2017.
Version 8

In NetWitness Suite Investigation, when you have the data for a drill point displayed in the Navigate view, you can:

  • Extract files from a session and choose the type of files to extract: archives, audio, BitTorrent, documents, executable, images, other, video, and web.
  • Export the drill point as a packet capture (PCAP) file, a log file, or a meta data file.

The exported details depend on both the time range and the drill point in effect at the time of export.

Note: When you export the drill point as a log file, only the log sessions are exported. The job queue message refers to the total number of sessions in the drill point rather than the number of logs. For example, if the drill point has 505 sessions and only five log sessions, the job queue message states that NetWitness Suite is extracting logs for 505 sessions.

To export a drill point from the Navigate view:

  1. Conduct an investigation until you reach the desired drill point.
  2. In the toolbar, select Actions > Export and select one of the export options: PCAP, Logs, or Meta.
    The drill point is extracted, and a message advises that the job is scheduled. You can check the jobs page for the status.
  3. When the scheduled file extraction is complete, it is displayed in the Job Notifications tray.
    (Figure: Job Notifications tray with completed jobs)
  4. Click the View link in the Jobs tray and download the specific extraction file requested.