Investigate: Investigate Files

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Apr 3, 2018.
Version 2

Note: The information in this topic applies to RSA NetWitness® Suite Version 11.1 and later.

Analysts can use the Files view (INVESTIGATE > Files) to identify suspicious files by examining the file name, file size, entropy, format, company name, signature, and checksum.

For example, if an environment is infected by the WannaCry ransomware, the analyst can filter the list on that file name. You can also look for the ransomware by its checksum.

The file size can be an indicator when assessing a file. Trojans are usually less than 1 MB, and the majority of them are less than 500 KB.

Filter Files

You can either filter the files on the operating system, or select the fields in the Add Filter drop-down menu.

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. The following fields are indexed in the database: Filename, MD5, Operating System, First Seen Time, and Format.

Filter Files

Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the name and click Delete.

Note: When saving a filter, special characters other than underscore (_) and hyphen (-) are not allowed in the name.

For example, the following filters files whose filename is malware, using the Equals operator.

Filter files using the Equals operator

Note: For the file size, 1 KB is calculated as 1024 bytes. For example, if the actual size of the file is 8421 bytes, the UI displays it as 8.2 KB instead of 8.22 KB. Because the displayed value is rounded, it is recommended to search using the bytes format when using the Equals operator.
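To make the rounding concrete, here is an added Python example (not RSA's code) that mimics the size display described in the note and shows why an Equals filter on the rounded KB value is ambiguous while a filter on bytes is exact. Half-up rounding, the record fields and the sample entries are assumptions; the page only states that 8421 bytes shows as 8.2 KB.

```python
from decimal import Decimal, ROUND_HALF_UP

KB = 1024  # the Files view treats 1 KB as 1024 bytes


def display_kb(size_bytes: int) -> str:
    """Render a byte count as the UI does: KB with one decimal place.

    Half-up rounding at the boundary is an assumption.
    """
    kb = (Decimal(size_bytes) / Decimal(KB)).quantize(
        Decimal("0.1"), rounding=ROUND_HALF_UP
    )
    return f"{kb} KB"


def bytes_shown_as(label: str) -> list:
    """All byte counts the UI would render as the given label, e.g. '8.2 KB'."""
    target = Decimal(label.split()[0])
    lo = int((target - Decimal("0.05")) * KB) - 1  # widen by one on each side,
    hi = int((target + Decimal("0.05")) * KB) + 1  # then check every candidate
    return [n for n in range(max(lo, 0), hi + 1) if display_kb(n) == label]


# Constructed sample records; the hashes are placeholders, not real indicators.
FILES = [
    {"filename": "malware", "size_bytes": 8421, "md5": "<placeholder-md5-1>"},
    {"filename": "malware", "size_bytes": 8400, "md5": "<placeholder-md5-2>"},
    {"filename": "report.pdf", "size_bytes": 8346, "md5": "<placeholder-md5-3>"},
    {"filename": "setup.exe", "size_bytes": 512000, "md5": "<placeholder-md5-4>"},
]


def filter_equals(files, field, value):
    """Equals filter: exact match on one field (bytes, filename, md5, ...)."""
    return [f for f in files if f[field] == value]


def filter_displayed_size(files, label):
    """What matching on the rounded size shown in the UI would return."""
    return [f for f in files if display_kb(f["size_bytes"]) == label]


if __name__ == "__main__":
    print(display_kb(8421))                       # 8.2 KB
    rng = bytes_shown_as("8.2 KB")
    print(len(rng), rng[0], rng[-1])              # 102 distinct sizes share the label
    print(len(filter_equals(FILES, "size_bytes", 8421)))   # 1
    print(len(filter_displayed_size(FILES, "8.2 KB")))     # 3
```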

Pivot to Navigate and Event Analysis Views

If you need to investigate a particular filename or hash (SHA256 and MD5) in the global files to look for related activity across a time range, you can pivot to both the Navigate and Event Analysis views to get the entire context of the file. By default, the time range is set to 1 day. You can change the time range as needed.

To pivot to Navigate or Event Analysis view:

  1. Go to INVESTIGATE > Files.
  2. Click Pivot to Investigate beside the Filename or Hash.

Pivot to Navigate and Event Analysis views

  1. In the Select Service dialog, select any of the services required for investigation.
  2. Click Navigate or Event Analysis to analyze the data.

Note: While pivoting to the Navigate or Event Analysis view, if the values are not indexed, the results take time to load. For more information, see Troubleshooting NetWitness Investigate.

Set Files Preference

By default, the Files view displays a few columns and the files are sorted based on the first seen time. If you want to view specific columns and sort data on a specific field:

  1. Go to INVESTIGATE > Files.
  2. Select the columns by clicking Settings in the right-hand corner. The following example shows the screen displayed while adding columns:
    Select Columns for Files
  3. Sort the data on the required column.

Note: This is set as your default view every time you log in to the Files view.

Export Global Files

To export the list of global files to a CSV file:

Note: While filtering on a large data set, use at least one indexed field with the Equals operator for better performance. You can export up to 100,000 files at a time.

  1. Go to INVESTIGATE > Files.
  2. Filter the files by selecting the required filter option.
  3. Add columns by clicking Settings in the right-hand corner.
  4. Click Export to CSV.

You can either save or open the CSV file.
