Investigate: Hosts View - Files Tab

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Files tab displays all files scanned on the host. To access this tab, select a host from the Hosts view and click the Files tab. By default, it displays 100 files. To display more files, click Load More at the bottom of the page.

Workflow

[Figure: high-level Investigate workflow with Investigate Endpoints and associated actions highlighted]

What do you want to do?

| User Role          | I want to ...                                  | Show me how                                           |
|--------------------|------------------------------------------------|-------------------------------------------------------|
| Threat Hunter      | browse event metadata                          | Begin an Investigation in the Navigate or Events View |
| Threat Hunter      | browse raw events                              | Begin an Investigation in the Navigate or Events View |
| Threat Hunter      | analyze raw events and metadata                | Begin an Investigation in the Event Analysis View     |
| Threat Hunter      | investigate endpoints (Version 11.1)*          | Investigate Hosts                                     |
| Threat Hunter      | find suspicious endpoint files (Version 11.1)  | Investigate Files                                     |
| Threat Hunter      | scan files and events for malware              | Conducting Malware Analysis                           |
| Incident Responder | triage an incident in Investigate              | NetWitness Respond User Guide                         |
| Threat Hunter      | view the files scanned on the host*            | Analyze Files                                         |
| Incident Responder | view alerts and incidents generated            | Investigate Files                                     |

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Files tab:

[Figure: Files tab]

| Field      | Description                                                                                                                                                                                                                                                                                                  |
|------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Filename   | Name of the file. For example, 7-zip.dll.                                                                                                                                                                                                                                                                    |
| Entropy    | Entropy of the image data, excluding the PE headers. It indicates whether the contents are packed (compressed or encrypted).                                                                                                                                                                                 |
| Size       | Size of the file. It can be an indicator when assessing a file.                                                                                                                                                                                                                                              |
| Path       | Path of the file. Malware authors sometimes place the file in directories where there are typically no such files. Malicious files are typically standalone files (for example, a file in the root of C:\ProgramData) rather than a group of files in a legitimate folder (for example, files in C:\Program Files\<folder name>\). |
| Signature  | Indicates whether the file is signed or unsigned, valid or invalid, and provides signatory information.                                                                                                                                                                                                      |
| Created    | Time stamp of the file.                                                                                                                                                                                                                                                                                      |
| User Name  | User of the file (for Linux). For example, root.                                                                                                                                                                                                                                                             |
| Group Name | Group to which the user belongs (for Linux). For example, root (0).                                                                                                                                                                                                                                          |
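The Entropy field above is the packing indicator an analyst reads first. As an added illustration that is not part of this RSA documentation, the following Python computes Shannon entropy of a PE image after its headers (the region ending at SizeOfHeaders in the optional header) over a constructed sample; that this is how the Files tab derives the value, the 7.0 bits/byte "likely packed" threshold, and all function names are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, up to 8.0 for uniform random bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_headers_size(image: bytes) -> int:
    """Return SizeOfHeaders from the optional header, or 0 if the buffer is not a PE image."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return 0
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return 0
    opt = e_lfanew + 4 + 20          # optional header follows the 20-byte COFF header
    if opt + 64 > len(image):
        return 0
    return struct.unpack_from("<I", image, opt + 60)[0]  # SizeOfHeaders (same offset in PE32 and PE32+)

def image_entropy(image: bytes) -> float:
    """Entropy of everything after the PE headers (assumed to match the Files tab's Entropy field)."""
    return shannon_entropy(image[pe_headers_size(image):])

def likely_packed(image: bytes, threshold: float = 7.0) -> bool:
    """Packed or encrypted payloads approach 8 bits/byte; 7.0 is an assumed, tunable threshold."""
    return image_entropy(image) >= threshold

def build_sample(body: bytes, size_of_headers: int = 0x200) -> bytes:
    """Constructed PE-like image: DOS header, PE signature, zeroed COFF header, PE32 optional header, then body."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C points at the PE signature
    coff = b"PE\0\0" + b"\0" * 20
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 60, size_of_headers)
    return (dos + coff + bytes(opt)).ljust(size_of_headers, b"\0") + body

def pseudo_random_bytes(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for a packed or encrypted section."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])
```

A body of repeated NOP bytes scores near 0.0 and a body of hash output scores near 8.0, which is the contrast the Entropy column surfaces; real samples with high-entropy resources (embedded images, certificates) can score high without being packed, so the value is an indicator, not a verdict.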

File Properties Panel

This panel displays all properties of the selected file. It is grouped as follows:

| Category   | Description                                                                                                           |
|------------|-----------------------------------------------------------------------------------------------------------------------|
| Reputation | Reputation status of the file as obtained from Reversing Lab. The possible statuses are Unknown, Suspicious, Malicious, and Good. |
| General    | General information about the file, such as file name, entropy, size, and format.                                    |
| Signature  | Provides signatory information.                                                                                       |
| Hash       | Hash type of the file (MD5, SHA256, and SHA1).                                                                        |
| Time       | Time when the file was created, modified, or accessed.                                                                |
| Location   | Location of the file.                                                                                                 |