This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Value of NetWitness Investigation Recon

Anonymous
Not applicable

‎2016-09-28 03:20 PM

NetWitness provides several different entry points into the same data to support many different use cases. Ultimately trying to decide if we can better streamline our views into the data. Before looking at optimizations that can be done on each view want to take a further look at our current views to see which ones are really valuable to analysts.

If you had to rank the following views from an analyst value how would you? 

 

 

1) Text View - ASCII representation of the packet data
2) HEX View - HEX representation of the packet data
3) Packets View - RAW packet data
4) File View - Ability to view files present in sessions and extract them
5) Email View - ASCII rendering of email communications 
6) Web View - HTML rendering of web sessions
7) Meta View - All meta generated for session
😎 Best Reconstruction - System choice of best display option from above views
recon_views.png
0 Likes
1 REPLY 1

JohnSnider
Trusted Contributor Trusted Contributor
Trusted Contributor

‎2016-09-28 05:22 PM

Well....

that's a deep subject....

and it depends...

 

The Basic views:

1) Text

2) Hex

4) Packet (only occasionally used)

 

The reconstruction views:

1) File       (has issues on files that span more than on session, so isn't always useful, generally have to find all the session fragments and export the pcap, then carve the files out of the pcap.)

2) E-mail  (useful for getting additional info out of an email, that may not be in meta.)

3) Web     (with all the proxies out there, it rarely has all the content needed to do a decent job of reconstruction and generally doesn't give you any better info, than the "text" view.

 

The Meta view is useful when going back and forth between several sessions and not wanting to have to drop back to the Event "Detail" view to see all the meta. One complaint I've seen (which just takes a little explanation of how NetWitness works) is that in the Event "Detail" View the "did (Decoder Source)" metakey is displayed (since it's coming from the concentrator meta), but in the Reconstruction Meta View the "did (Decoder Source)" metakey is not shown (since it's coming from the Decoder, which doesn't have the did meta on it).  It was confusing one of our customers until we explained it to them.

© 2022 RSA Security LLC or its affiliates. All rights reserved.