2013-01-23 03:00 PM
Hello,
Anyone know of a file that holds the bookmarks created in Investigator? It'd be nice to be able to save it off to a network drive in case of uninstalling the client or moving to a different machine; maybe you could put it back into the original location and all the bookmarks would carry over.
Thanks
2013-01-24 10:26 AM
OK since none of you are letting me be lazy by answering my question, I decided to fire up Sysinternals Process Monitor and then add a bookmark and see where the program was writing to. Turns out my idea will work as I just tested recovering bookmarks from one Win profile to another.
The file is %userprofile%\AppData\Roaming\NetWitness\NwInvestigator9.settings
In this XML-like file there is a cleartext section that is semi-colon separated that holds the bookmarks between open/close tags below. Just cut/paste them from one profile's file to another one and save it (you'll have to be local admin). Maybe one day the bookmark feature functionality will be expanded as it's pretty weak now, I have over 50 bookmarks and I can't even put them in folders, change to a friendly name, etc.
<Bookmarks>
</Bookmarks>
PS: I was able to recover bookmarks from this file even after uninstalling/reinstalling the NW client when bookmarks weren't showing up in Investigator anymore, not sure why that was and YMMV.
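Added example, not code from the thread or from NetWitness: a small script for the copy-between-profiles step the post describes, so that a bookmark backup can be merged into another profile's settings file without hand-editing. It assumes only what the post states (an XML-like file with a `<Bookmarks>...</Bookmarks>` section whose entries are semicolon-separated); the surrounding file layout, the sample entries and the UTF-8 encoding are constructed assumptions, and the script writes a backup copy of the destination before touching it.

```python
import re
from pathlib import Path

# Constructed sample settings files, modelled on the "<Bookmarks>...</Bookmarks>"
# section the post describes. The surrounding tags and entry names are
# assumptions, not the real NwInvestigator9.settings layout.
SOURCE_SETTINGS = """<Settings>
<Bookmarks>drill-a;drill-b;drill-c</Bookmarks>
</Settings>
"""

DEST_SETTINGS = """<Settings>
<Bookmarks>drill-b;drill-d</Bookmarks>
</Settings>
"""

# The file is only "XML-like", so a regex over the one section is safer than
# a strict XML parser that might reject the rest of the file.
_BOOKMARKS_RE = re.compile(r"<Bookmarks>(.*?)</Bookmarks>", re.DOTALL)


def extract_bookmarks(settings_text: str) -> list[str]:
    """Return the semicolon-separated bookmark entries, in file order."""
    match = _BOOKMARKS_RE.search(settings_text)
    if match is None:
        return []
    return [b.strip() for b in match.group(1).split(";") if b.strip()]


def merge_bookmarks(source_text: str, dest_text: str) -> str:
    """Return dest_text with the source bookmarks appended.

    Existing destination entries are kept first; duplicates are dropped so
    repeated merges do not grow the section.
    """
    if _BOOKMARKS_RE.search(dest_text) is None:
        # Without a section we cannot know where the file expects it.
        raise ValueError("destination has no <Bookmarks> section")
    merged = extract_bookmarks(dest_text)
    seen = set(merged)
    for entry in extract_bookmarks(source_text):
        if entry not in seen:
            merged.append(entry)
            seen.add(entry)
    new_section = "<Bookmarks>" + ";".join(merged) + "</Bookmarks>"
    # A callable replacement avoids backslash/group expansion in the entries.
    return _BOOKMARKS_RE.sub(lambda _m: new_section, dest_text, count=1)


def merge_files(source: Path, dest: Path, backup_suffix: str = ".bak") -> int:
    """Merge on disk; a backup of the destination is written first.

    Returns the number of bookmarks in the merged file. UTF-8 is assumed;
    check the real file's encoding before relying on this.
    """
    dest_text = dest.read_text(encoding="utf-8")
    dest.with_suffix(dest.suffix + backup_suffix).write_text(dest_text, encoding="utf-8")
    merged = merge_bookmarks(source.read_text(encoding="utf-8"), dest_text)
    dest.write_text(merged, encoding="utf-8")
    return len(extract_bookmarks(merged))


if __name__ == "__main__":
    # Stand-alone demo on the constructed samples.
    print(merge_bookmarks(SOURCE_SETTINGS, DEST_SETTINGS))
```

Run it with the client closed, since an open Investigator may rewrite the settings file on exit and overwrite the merged section; the `.bak` copy lets you roll back if the result does not load.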
2013-02-13 09:42 PM
Sorry it took so long to reply, but you are right about storing that information in the settings file. For those that use the enterprise administrator program, there is a similar file for your decoder, concentrator and broker settings. That file is useful for sharing among multiple administrators. You set up your stack once and then share that file among different users rather than setting it up one by one across different machines.
I'm a bit curious as to why you are relying on bookmarks? Are these for quick access to common drill points you frequently use? If so, creating a capture rule will make those drills much quicker to access.
2013-02-20 01:10 PM
Hi Fielder,
Thanks for the response, I'm open to learning different ways to use investigator as it's still fairly new to me. To answer your question, I like to use bookmarks to save my progress of pivoting through the data within the prod Netwitness collection while I'm narrowing down what would be a good report or rule in informer, or just find interesting traffic that I can look into that day.
As I understand it, using either network or app rules within the Investigator client would not apply to the collection history, just to either live capture or pcap imports? Whereas I need to use the history of network activity to know if the rule is going to FP too much, almost like back-testing a strategy. Also, I wouldn't want to put anything into the decoder or concentrator to apply to the live collection stream, as these are really just ephemeral ideas that randomly pop into my head where I might delete them after one run. Bookmarks seem to fit my needs well; it's just that there's no organization of them possible. Hope that makes sense, and let me know if I have the wrong idea about the rules you are referring to.
2013-02-21 09:05 AM
With Security Analytics you could apply drill templates to look at specific meta keys. But if you are still using Investigator, you might want to consider building your own documented bookmark file in a text format. The address bar at the top of Investigator that shows your breadcrumb trail of your drill is actually a URL. You can copy that URL out and paste it into Notepad and label which drill it is.
An advanced trick, since you mentioned you have Informer, is to create a report, add a text box to it and put your bookmarks there. Enclose your descriptions with HREF tags and it will create active hyperlinks back into Investigator to your favorite drill points.
Admittedly these are both "hacks" to get around the lack of bookmark organization, but I'm confident you won't be relying on bookmarks too much once you become more adept at quickly navigating Investigator as you seek answers to your use cases.