Export or Print a Drill Point in the Navigate View

In NetWitness Investigate, when the data for a drill point is displayed in the Navigate view, you can:

  • Extract files from a session and choose the type of files to extract: archives, audio, BitTorrent, documents, executables, images, other, video, and web.
  • Export the drill point as a packet capture (PCAP) file, a log file, or a metadata file.
  • Print the drill point.

The exported details depend on both the time range and the drill point in effect at the time of export.

Note: When you export the drill point as a log file, only the log sessions are exported. The job queue message refers to the total number of sessions in the drill point rather than the number of logs. For example, if the drill point has 505 sessions and only five log sessions, the job queue message states that NetWitness is extracting logs for 505 sessions.

To export a drill point from the Navigate view

  1. Conduct an investigation until you reach the desired drill point.
  2. For Version 11.0, in the toolbar, select Actions > Export and select one of the export options: PCAP, Logs, or Meta.
    The drill point is extracted, and a message advises that the job is scheduled. You can check the jobs page for the status.
  3. For Version 11.1, in the toolbar, select Save Events, and then select one of the export options: PCAP, Logs, Files, or Meta.
    A dialog gives you an opportunity to edit the default filename for the file. The default filename is in the form investigation-Feb-21-15-44-33. When you are exporting a PCAP, the file is exported with no choice of formats. If you are using one of the other export options, a dialog is displayed.
  4. In the dialog, select:
    • The export log format: Text, XML, CSV, or JSON.
    • The file types to export: Archives, Audio, BitTorrent, Documents, Executables, Images, Other, Video, and Web.
    • The Meta format: Text, CSV, TSV, JSON.
  5. When the scheduled file extraction is complete, it is displayed in the Job Notifications tray.
  6. Click the View link in the Jobs tray and download the specific extraction file requested.

To print the current drill point

In the Navigate view, you can display the contents of the current drill point in a printer-friendly format in the browser window.

To display the current drill point in a print view:

  1. With a drill point open in the Navigate view, select Actions > Print in the toolbar.
    A new tab is created with the print view of the current drill point.


  2. Use the print option in your browser to send the printable view to the printer.