Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.
Analysts can use the Files view (INVESTIGATE > Files) to identify suspicious files by examining the file name, file size, entropy, format, company name, signature, and checksum.
For example, if an environment is infected by the WannaCry ransomware, the analyst can filter the list on that file name. The same ransomware can also be found by filtering on its checksum.
The file size can be an indicator when assessing a file. Trojans are usually less than 1 MB, and the majority of them are less than 500 KB.
Filter Files
You can either filter the files on the operating system, or select the fields in the Add Filter drop-down menu.
Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Filename, MD5, Operating System, First Seen Time, and Format.
Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over its name and click the delete icon.
Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.
For example, you can filter for files whose filename is exactly malware by using the Equals operator.
Note: For the file size, 1 KB is calculated as 1024 bytes. For example, if the actual size of the file is 8421 bytes, the UI will display it as 8.2 KB instead of 8.22 KB. It is recommended to search using the bytes format when using the Equals operator.
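The following Python script is an added example, not RSA NetWitness code: it models the Equals filter over a constructed file inventory (the MD5 values are placeholders, not real indicators) and works through the size note above, showing how many distinct byte counts collapse into a single displayed KB value and why an exact match is only possible in bytes. The triage helper applies the 500 KB heuristic from the start of this topic as a first-pass narrowing filter.

```python
# Added example (not RSA NetWitness code): models the Files view's Equals
# filter over a constructed file inventory and shows why the note above
# recommends searching file size in bytes rather than in the displayed KB.
from dataclasses import dataclass
from typing import List

KIB = 1024  # the UI counts 1 KB as 1024 bytes


@dataclass(frozen=True)
class FileRecord:
    """One row of the Files view, reduced to the indexed fields plus size."""
    filename: str
    size_bytes: int
    md5: str
    operating_system: str
    file_format: str


# Constructed sample inventory. The MD5 values are placeholders, not real
# indicators; the two "malware" rows differ only by size and hash.
SAMPLE_FILES: List[FileRecord] = [
    FileRecord("svchost.exe", 1_234_567, "a" * 32, "Windows", "PE"),
    FileRecord("malware", 8421, "b" * 32, "Windows", "PE"),
    FileRecord("malware", 8400, "c" * 32, "Windows", "PE"),
    FileRecord("update.dll", 409_600, "d" * 32, "Windows", "PE"),
    FileRecord("libcrypto.so", 3_000_000, "e" * 32, "Linux", "ELF"),
]


def display_size(size_bytes: int) -> str:
    """Render a byte count the way the note describes: 1 KB = 1024 bytes,
    one decimal place. Sizes below 1 KB are shown in bytes (assumption)."""
    if size_bytes < KIB:
        return f"{size_bytes} bytes"
    return f"{size_bytes / KIB:.1f} KB"


def filter_equals(files: List[FileRecord], field: str, value) -> List[FileRecord]:
    """Equals operator on one field. Matching on size_bytes is exact;
    matching on the displayed KB string would be ambiguous (see below)."""
    return [f for f in files if getattr(f, field) == value]


def byte_sizes_displayed_as(display: str) -> List[int]:
    """All byte counts the UI would render as the given 'N.N KB' string.
    Every value in this list is indistinguishable in the size column."""
    number, unit = display.split()
    if unit != "KB":
        raise ValueError("only KB values are handled in this example")
    kb = float(number)
    # Candidate window of roughly +/- 0.05 KB, then confirm by formatting
    # so that the rounding rule is applied exactly as display_size does.
    low = int((kb - 0.05) * KIB) - 1
    high = int((kb + 0.05) * KIB) + 2
    return [s for s in range(max(low, KIB), high + 1) if display_size(s) == display]


def size_triage_candidates(files: List[FileRecord], limit_bytes: int = 500 * KIB) -> List[FileRecord]:
    """Apply the topic's size heuristic (most Trojans are under 500 KB) as a
    first-pass narrowing filter; it is a triage hint, not a verdict."""
    return [f for f in files if f.size_bytes < limit_bytes]


if __name__ == "__main__":
    for f in filter_equals(SAMPLE_FILES, "filename", "malware"):
        print(f"{f.filename:12} {display_size(f.size_bytes):>8} {f.size_bytes:>6} bytes md5={f.md5[:8]}...")
    # Both "malware" rows display as 8.2 KB; only an Equals filter on the
    # byte count separates them.
    print(len(byte_sizes_displayed_as("8.2 KB")), "byte counts all display as 8.2 KB")
    print([f.filename for f in size_triage_candidates(SAMPLE_FILES)])
```

Running the script lists both "malware" rows with the same 8.2 KB display value, reports how many byte counts share that rendering, and prints the files that pass the size heuristic; swap in your own exported rows to reproduce a filter before building it in the UI.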
Pivot to Navigate and Event Analysis Views
If you need to investigate a particular filename or hash (SHA256 or MD5) from the global files list and look for related activity across a time range, you can pivot to both the Navigate and Event Analysis views to get the full context of the file. By default, the time range is set to 1 day; you can change it as needed.
To pivot to Navigate or Event Analysis view:
- In the Select Service dialog, select any of the services required for investigation.
- Click Navigate or Event Analysis to analyze the data.
Note: While pivoting to the Navigate or Event Analysis view, if the values are not indexed, the results take time to load. For more information, see Troubleshooting NetWitness Investigate.
Set Files Preference
By default, the Files view displays a few columns and the files are sorted based on the first seen time. If you want to view specific columns and sort data on a specific field:
- Go to INVESTIGATE > Files.
- Select the columns by clicking the column settings icon in the right-hand corner. The following example shows the screen displayed while adding columns.
- Sort the data on the required column.
Note: This is set as your default view every time you log in to the Files view.
Export Global Files
To export the list of global files to a CSV file:
Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. You can export up to 100k files at a time.
- Go to INVESTIGATE > Files.
- Filter the files by selecting the required filter option.
- Add columns by clicking the column settings icon in the right-hand corner.
- Click Export to CSV.
You can either save or open the CSV file.