Managing Collections


An Administrator can create and delete Workbench collections and view Workbench statistics and logs. This topic provides all of these procedures and an example procedure for restoring a collection for Reporting and Investigation.

  • Mount Archiver Directories
  • Create a Collection
  • Delete a Collection
  • Investigate a Collection
  • View Workbench Collection Statistics
  • View Workbench Logs


Mount Archiver Directories

If data is in offline storage or cold-tier storage, you need to mount the Archiver directories in order to restore the data for reporting and investigation purposes:

  1. Go to Admin > Services.
  2. Select an Archiver from the Services panel and select Actions > View > Explore.
    The Explorer view for the Archiver is displayed.
  3. Right-click the Database node in the left-hand tree and select Properties to open them in the right-hand panel.
  4. Run the manifest command for a time range, for example, 2017-April-01 to 2017-April-10.
    The search returns all files that need to be restored for the selected query.

Create a Collection

Administrators can create collections of restored data from a backup or from an existing set of data.

Note: You can point the source path to the location of the database files and the restore command copies them to the workbench. You need to mount those directories to the Archiver (where the Workbench is installed) before a restoration collection can be created.

To create a collection using data restored from the backed up data or existing subset of data:

  1. Go to Admin > Services.
  2. In the Services view, select a Workbench, then select Actions > View > Config.
    The Services Config view is displayed with the General tab open.
  3. Click the Collections tab.
    The Collections panel is displayed.
  4. Click the Add icon in the toolbar.

    The Restoration Collection dialog is displayed.

  5. Provide the following information:

    • Name: Name for the new Workbench collection.
    • Source: Path to the directory where the Archiver database files were moved from cold storage (the files listed by the manifest command).

    Note: Target is the location on the Workbench where the collection is created; the restore copies the files from Source to Target.

  6. Click Save to restore the collection.

    The Schedule Job dialog is displayed with the following message:
    Restoring data into a new collection. Check the jobs page for progress.

    Note: If the source path provided for the restoration collection does not exist, the following error message is displayed:
    The source path does not exist '/xxx/xxx/'.

    If there is insufficient storage to restore the collection, the following error is displayed:
    Error during disk space checking. Insufficient disk space in location '/xxx/xxx'.

  7. Click the Jobs icon in the NetWitness toolbar to expand the list of restoration collection jobs with their current status.

Note: Restoring a collection that is larger than 550 GB may take several hours to process.
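The two failure cases above (a missing source path and insufficient disk space) are only reported after Save, when the job is already being scheduled. As an added example that is not NetWitness code, the POSIX shell script below reproduces both checks so an administrator can run them on the Archiver host against the Source and Target paths before creating the collection. The 10% headroom, the exit codes and the demo directories and file are assumptions constructed for illustration, not NetWitness values.

```shell
#!/bin/sh
# Added example, not NetWitness code: pre-flight check for a restoration
# collection. It reproduces the two checks the Restoration Collection dialog
# performs on Save (source path exists, target has enough disk space) so they
# can be run on the Archiver host before the job is scheduled.

# KiB used by everything under the directory $1.
restore_size_kb() {
    du -sk "$1" | awk '{print $1}'
}

# KiB free on the filesystem that holds $1 (-P keeps df output on one line).
free_space_kb() {
    df -Pk "$1" | awk 'NR == 2 {print $4}'
}

# preflight SOURCE TARGET [HEADROOM_PERCENT]
# Exit status: 0 = restore can proceed, 1 = source or target missing,
# 2 = insufficient space. The messages mirror the dialog's error text.
# The default 10% headroom is an assumption, not a NetWitness figure.
preflight() {
    src=$1
    tgt=$2
    headroom=${3:-10}

    if [ ! -d "$src" ]; then
        echo "The source path does not exist '$src'." >&2
        return 1
    fi
    if [ ! -d "$tgt" ]; then
        echo "The target path does not exist '$tgt'." >&2
        return 1
    fi

    need=$(restore_size_kb "$src")
    need=$(( need + need * headroom / 100 ))
    free=$(free_space_kb "$tgt")
    if [ "$free" -lt "$need" ]; then
        echo "Error during disk space checking. Insufficient disk space in location '$tgt' (need ${need} KiB, free ${free} KiB)." >&2
        return 2
    fi

    echo "OK: ${need} KiB needed, ${free} KiB free on '$tgt'."
    return 0
}

# Constructed demo data: a throwaway cold-storage directory holding one
# 64 KiB file, and an empty Workbench target, both under a temp directory.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/coldstore/2015-04" "$tmp/workbench"
    dd if=/dev/zero of="$tmp/coldstore/2015-04/sample.bin" bs=1024 count=64 2>/dev/null

    ok=0;      preflight "$tmp/coldstore" "$tmp/workbench" || ok=$?
    missing=0; preflight "$tmp/missing"   "$tmp/workbench" || missing=$?

    rm -rf "$tmp"
    echo "demo results: valid source -> $ok, missing source -> $missing"
}

demo
```

Run it as `preflight /path/from/manifest /var/netwitness/workbench` after mounting the cold-tier directories; a non-zero exit status means Save would fail with the corresponding error, and the size check gives the figure to compare against the note about large collections above.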

Delete a Collection

Administrators can delete collections from the Workbench service.

Perform the following steps to delete a collection:

  1. Go to Admin > Services.
  2. From the Services view, select a Workbench and click Actions > View > Config.

    The Services Config view opens with the General tab displayed.

  3. Select the Collections tab.

    The Collections panel is displayed.

  4. In the Collections panel, select the collection that you want to delete.
  5. Click the Delete icon in the toolbar.

    A warning dialog requests confirmation.

  6. If you want to delete the collection, click Yes.

    The collection is removed from the Workbench service.

Example Procedure: How to Restore a Collection for Reporting and Investigation

The following steps illustrate how to restore data that is in offline storage or cold-tier storage so that it can be used for reporting and investigation. In this example, data is restored for the time range 2015-April-01 through 2015-April-10.

To restore data for reporting and investigation purposes:

  1. Go to Admin > Services.
  2. Select the Archiver from the Services panel and click Actions > View > Explore.
    The Explorer view for the Archiver is displayed.
  3. Right-click the Database node in the left-hand tree and select Properties to open them in the right-hand panel.
  4. Run the manifest command for the selected time range, 2015-April-01 to 2015-April-10.
    The search returns all files that need to be restored for your selected query.

Example Search:

time1="2015-04-01 00:00:00" time2="2015-04-10 00:00:00" timeFormat=simple

Next, create the restoration collection on the Workbench:

  1. Go to Admin > Services.
  2. In the Services view, select a Workbench, then select Actions > View > Config.

    The Services Config view is displayed with the General tab open.

  3. Select the Collections tab.
  4. Click the Add icon and create a restoration collection whose Source is the directory containing the files listed in the manifest command output.
  5. Click Save.

    After successfully creating a collection, you can use this collection for reporting and investigation purposes.

Investigate a Collection

To perform an investigation on a workbench collection:

  1. Go to Investigate.

    The Investigate dialog is displayed.

  2. Click the Collections tab in the Investigate dialog.
  3. Select a Workbench service in the left panel.
  4. Select the collection you want to investigate in the right panel.
  5. Click Navigate.

The Navigate view is displayed showing data pertaining to the Workbench collection that you selected.


Note: For detailed information about using Investigation, see Investigation and Malware Analysis Guide.

View Workbench Collection Statistics

The same statistics available for other services are provided for the Workbench service. The Services Stats view displays key statistics and system information for the selected Workbench service, organized in several sections: Workbench, Gauges, Timeline Charts and Chart Stats Tray. The Chart Stats Tray lists all available statistics for the Workbench; any statistic in the Chart Stats Tray can be displayed in a gauge or a timeline chart.

Perform the following steps to view workbench statistics:

  1. Go to Admin > Services.
  2. In the Services view, select a Workbench, then select Actions > View > Stats.

    The Services Stats view is displayed.

Note: For more information about Workbench statistics, see the Host and Services Getting Started Guide.

View Workbench Logs

Perform the following steps to view logs on a Workbench service:

  1. Go to Admin > Services.
  2. In the Services view, select a Workbench, then select Actions > View > Logs.

    The Services Logs panel is displayed.

Note: For information about viewing and configuring audit logs, see the topic "Configure Global Audit Logging" in the System Configuration Guide.