Let's say you have a NetWitness packet capture and you have located a suspicious executable that you want to check against VirusTotal or another hash lookup site to see if there are any matches. What is the most efficient way to do that?
Luckily there is the context menu function, which can save you from copy-and-paste madness.
To use this context menu you need to be in the Events section of Investigator, looking at the files in the session.
Investigator > Events (where filename exists) > double click on session
You will see the hashes on the right for each of the files located in the session.
You can right-click on the hash and select the option to submit it to VirusTotal (or whatever other site you have added to check the hash against).
VirusTotal opens in a new tab with the hash passed over to search/report on.
Here is the context menu:
{
  "displayName": "[VirusTotal Hash]",
  "cssClasses": [
    "ctxmenu-hash-lookup"
  ],
  "description": "",
  "type": "UAP.common.contextmenu.actions.URLContextAction",
  "version": "Custom",
  "modules": [
    "investigation"
  ],
  "local": "false",
  "urlFormat": "https://www.virustotal.com/en/search/?query={0}",
  "disabled": "",
  "id": "vtHashLookup",
  "moduleClasses": [
    "UAP.investigation.reconstruction.view.content.ReconstructedEventDataGrid"
  ],
  "openInNewTab": "true"
}
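As an added example (not part of the original post and not NetWitness code), here is a small Python helper that reads context-menu definitions like the one above, checks that the selected value is really an MD5/SHA-1/SHA-256 hash before it is sent anywhere, and builds the lookup URL by filling in the {0} placeholder the way the URLContextAction does. The second definition, pointing at lookup.example.invalid, is a constructed placeholder for "whatever other site you want to add".

```python
import json
import re
from urllib.parse import quote

# Constructed sample: the VirusTotal action from the post, trimmed to the
# fields this helper reads, plus a hypothetical second lookup site.
CONTEXT_MENU_JSON = """
[
  {"displayName": "[VirusTotal Hash]",
   "type": "UAP.common.contextmenu.actions.URLContextAction",
   "urlFormat": "https://www.virustotal.com/en/search/?query={0}",
   "id": "vtHashLookup",
   "openInNewTab": "true"},
  {"displayName": "[Other Hash Lookup]",
   "type": "UAP.common.contextmenu.actions.URLContextAction",
   "urlFormat": "https://lookup.example.invalid/hash/{0}",
   "id": "otherHashLookup",
   "openInNewTab": "true"}
]
"""
# Accept only MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests, so a stray
# filename or path selected in the grid never ends up in a lookup URL.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
REQUIRED = ("displayName", "type", "urlFormat", "id")

def load_actions(text):
    """Parse the definitions; reject any missing a required field or the {0} slot."""
    actions = {}
    for action in json.loads(text):
        missing = [k for k in REQUIRED if k not in action]
        if missing:
            raise ValueError(f"{action.get('id', '?')}: missing {missing}")
        if "{0}" not in action["urlFormat"]:
            raise ValueError(f"{action['id']}: urlFormat has no {{0}} placeholder")
        actions[action["id"]] = action
    return actions

def build_lookup_url(action, value):
    """Substitute the selected hash into urlFormat the way the context menu does."""
    value = value.strip()
    if not HASH_RE.fullmatch(value):
        raise ValueError(f"not an MD5/SHA-1/SHA-256 hex digest: {value!r}")
    return action["urlFormat"].replace("{0}", quote(value.lower(), safe=""))

if __name__ == "__main__":
    acts = load_actions(CONTEXT_MENU_JSON)
    # d41d8cd9... is the MD5 of empty input, used here as a known sample value.
    print(build_lookup_url(acts["vtHashLookup"], "d41d8cd98f00b204e9800998ecf8427e"))
```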