You can begin an investigation in several ways in NetWitness Suite; for detailed procedures see Beginning an Investigation of a Service or Collection. After you begin an investigation, there is no specific order in which to conduct the investigation. Instead, NetWitness Suite offers various methods of displaying the data, filtering the data, querying the data, acting on a drill point, and inspecting specific events.
Analysts who use NetWitness Suite Investigation need to have the appropriate system roles and permissions set up for their user accounts. See Roles and Permissions for Malware Analysts. An administrator must configure roles and permissions.
To conduct an investigation, log in to NetWitness Suite and go to INVESTIGATE. The Investigate view opens with fields in which you select the service, the time range, and an optional query for specific metadata. Select a service and click Load Values.
These are the basic steps for conducting an investigation.
- Submit a query or pivot to Investigate from a Respond entity (see Beginning an Investigation of a Service or Collection).
- View query results in the Navigate view (see Refining Results Displayed in the Navigate View) and Events view (see Examining Events).
- Reconstruct an Event (see Reconstruct an Event) or view the interactive Event Analysis of an event (see Analyze Events in the Event Analysis View).
- Act on a drill point or an event (see Acting on a Drill Point in the Navigate View and Examining Events). For example, you can View Additional Context for a Data Point, Launch a Malware Analysis Scan from the Navigate View, or Add Events to an Incident for Response.