Investigate: Hosts View - Libraries Tab

Document created by RSA Information Design and Development on Mar 2, 2018. Last modified by RSA Information Design and Development on Sep 11, 2018.
Version 7
 

Note: The information in this topic applies to RSA NetWitness® Platform Version 11.1 and later.

The Libraries tab lists the libraries loaded at the time of scan. To access this tab, select a host from the Hosts view and click the Libraries tab.

Workflow

high-level Investigate workflow with Investigate Endpoints and associated actions highlighted

What do you want to do?

| User Role | I want to ... | Show me how |
|---|---|---|
| Threat Hunter | browse event metadata | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | browse raw events | Begin an Investigation in the Navigate or Events View |
| Threat Hunter | analyze raw events and metadata | Begin an Investigation in the Event Analysis View |
| Threat Hunter | investigate endpoints (Version 11.1)* | Investigate Hosts |
| Threat Hunter | find suspicious endpoint files (Version 11.1) | Investigate Files |
| Threat Hunter | scan files and events for malware | Conducting Malware Analysis |
| Incident Responder | triage an incident in Investigate | NetWitness Respond User Guide |
| Threat Hunter | view the libraries loaded* | Analyze Libraries |

*You can perform this task in the current view.

Related Topics

Quick Look

Below is an example of the Libraries tab:

Libraries tab

| Field | Description |
|---|---|
| Process Context | Name and PID of the process that has loaded the library into memory. For example, explorer.exe: 1916. |
| Filename | Name of the file. For example, 7-zip.dll. |
| Signature | Indicates if the file is signed or unsigned, valid or invalid, and provides signatory information. For example, signed, valid. |
| File Path | Path of the file. For example, C:\Program Files\7-Zip. |
| Hash | SHA256 of the file. For example, c3bb3b42dcdf80446c622219513070757e618c06afd9ee0ac37cbce5befcb897. |
| File Creation Time | Time when the file was created. |
| Last Modified Time | Time when the file was modified. |
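A triage pass over the columns described above, as an added example that is not part of the RSA documentation or product: it flags libraries whose Signature is anything other than "signed, valid" and filenames that appear with more than one SHA256 across processes. The row layout (dicts keyed by column name), the process and file names, the signature strings other than "signed, valid", and every hash except the page's 7-zip.dll example are constructed assumptions.

```python
from collections import defaultdict

# Constructed rows (not real scan data), keyed by the Libraries tab columns.
# Hashes other than the page's 7-zip.dll example are dummy values.
ROWS = [
    {"Process Context": "explorer.exe: 1916", "Filename": "7-zip.dll",
     "Signature": "signed, valid", "File Path": r"C:\Program Files\7-Zip",
     "Hash": "c3bb3b42dcdf80446c622219513070757e618c06afd9ee0ac37cbce5befcb897"},
    {"Process Context": "7zFM.exe: 4020", "Filename": "7-zip.dll",
     "Signature": "unsigned", "File Path": r"C:\Users\Public",
     "Hash": "a" * 64},
    {"Process Context": "svchost.exe: 812", "Filename": "example.dll",
     "Signature": "signed, invalid", "File Path": r"C:\Windows\System32",
     "Hash": "b" * 64},
    {"Process Context": "svchost.exe: 900", "Filename": "example.dll",
     "Signature": "signed, invalid", "File Path": r"C:\Windows\System32",
     "Hash": "b" * 64},
]

def parse_process_context(value):
    """Split 'explorer.exe: 1916' into ('explorer.exe', 1916)."""
    name, _, pid = value.rpartition(":")
    return name.strip(), int(pid)

def triage(rows):
    """Return {(filename, sha256): sorted reasons} for libraries worth a look."""
    hashes_by_name = defaultdict(set)
    for r in rows:
        hashes_by_name[r["Filename"].lower()].add(r["Hash"].lower())
    findings = defaultdict(set)
    for r in rows:
        key = (r["Filename"].lower(), r["Hash"].lower())
        # Anything other than a valid signature is surfaced for review.
        if r["Signature"].strip().lower() != "signed, valid":
            findings[key].add("signature: " + r["Signature"])
        # One filename backed by several binaries: compare the variants.
        if len(hashes_by_name[key[0]]) > 1:
            findings[key].add("same filename seen with different hashes")
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for (name, sha), reasons in triage(ROWS).items():
        procs = [parse_process_context(r["Process Context"]) for r in ROWS
                 if r["Hash"].lower() == sha]
        print(name, sha[:12], reasons, procs)
```

Findings are grouped per (filename, hash), so a library loaded by several processes is reported once with every loading process listed beside it.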

Library Properties Panel

This panel displays all properties of the selected file. It is grouped as follows:

| Category | Description |
|---|---|
| General | General information about the file, such as file name, entropy, size, and format. |
| Signature | Provides signatory information. |
| Hash | Hash type of the file (MD5, SHA256, and SHA1). |
| Time | Time when the file was created, modified, or accessed. |
| Location | Location of the file. |
| Process | Details of the process, such as image size and PID. |