Performing Host Forensics
Note: The information in this topic applies to NetWitness Version 11.4 and later.
You can perform the following forensic investigation on a host:
- Master File Table (MFT)
- System Dump
- Process Dump
Note: This is applicable only to Windows agents in Advanced mode with NetWitness Platform version 11.4. Downloading system dump files may take significant time. Additional requests to the agent during a system dump download are queued and processed when the download is complete.
MFT, system dump, and process dump downloads are not supported for agents communicating through Relay server.
Note: MFT, system dump, and process dump files are stored on the Endpoint Server and may fill up its disk space. For large deployments, to use storage efficiently without impacting the health of the Endpoint Server, NetWitness recommends that you configure an external storage mount so that all Endpoint Servers can use the configured location to store the downloaded data.
By default, all files are downloaded to /var/netwitness/endpoint-server/<file type>/, where <file type> is MFT, system dump, or process dump. If you want to change the location, make sure that you have endpoint-server.configuration.manage permissions and do the following:
1. In the Explore view, go to endpoint/download.
2. In the base-path, provide the location of the directory.
Download Master File Table
Master File Table contains metadata of every file on the host. It keeps track of information, such as filename, size, timestamps, permissions, and location of the file on the host. It consists of two sets of timestamps - Standard Information ($SI) and File Name ($FN). Each set has the following timestamps - creation, access, update, and modification.
Time stomping is a technique that modifies the timestamps for a file (creation, access, update, and modification time) to mimic files that are in the same folder, making it difficult to identify suspicious files on a host. To perform forensic investigation of a suspicious file, you can download and analyze the MFT, and focus on files that are time stomped. For more information, see Analyze Downloaded MFT.
During MFT analysis, you can also search for suspicious file names and for files that were created before or after a known malicious event. You can also download files from the MFT viewer for further analysis.
Download MFT to Server
To download the MFT to the server from the Hosts view:
1. Go to Hosts and do one of the following:
   - Select one or more hosts and select Download MFT to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar.
   - Select the hostname to open the host details, click the More icon beside the hostname, and select Download MFT to Server.
2. In the Download MFT to Server dialog, select one of the following:
   - System Drive - to download the MFT of the system drive.
   - Select Drive - to download the MFT of the assigned drive. You can select any drive from the Drive drop-down list. By default, the selected drive is C.
   - Specify NTFS mount path - to download the MFT from the path of the folder where the NTFS volume is mounted.
3. Click Download.
4. View the details of the downloaded MFT in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
Analyze Downloaded MFT
In the MFT viewer you can search for files by file name and timestamps, and identify files that are time stomped.
View MFT
To view the content of the downloaded MFT:
1. Go to Hosts.
2. Select the hostname to open the host details and select the Downloads tab.
3. Click the file name. The MFT viewer is displayed.
   All available files are displayed in a tree view, similar to Windows Explorer, in the All Files folder. The Deleted Files folder contains a sequential list of all deleted files.
4. Click the expand icon to view the folder structure. Click a row to view the folder content.
   The details of the MFT are displayed in the table. By default, the table is sorted on the creation time ($FN). If the $SI and $FN timestamps are different, the columns are highlighted in red, indicating that the file is time stomped.
5. Select one or more files and click Download File to Server on the toolbar to download the files to the server.
   Note: Downloading a folder is not supported, so the option is grayed out for folders.
You can filter files on file name, creation time ($FN), creation time ($SI), access time ($FN), access time ($SI), update time ($FN), update time ($SI), modified time ($FN), and modified time ($SI).
Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click the delete icon.
Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.
To filter, save, and delete MFT, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.
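The two checks the sections above describe, namely the viewer's red-column rule (an entry whose $SI and $FN timestamps disagree is time stomped) and the search for files created around a known malicious event, can be scripted over an exported MFT listing. The following is an added example written for this page, not NetWitness code; the record layout, the helper names and the sample entries are assumptions made for the example.

```python
"""Flag time-stomped entries and search by creation time in a parsed MFT listing.

Added example, not NetWitness code. It applies the rule the MFT viewer uses
(an entry whose $SI and $FN timestamps disagree is marked as time stomped) to
a small constructed list of records, then finds files created around a known
event and searches by file name. The record layout and sample values are
assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

# The four timestamps carried by each attribute set, named as in the NetWitness docs.
TIMESTAMP_KEYS = ("creation", "access", "update", "modification")
WINDOW = timedelta(minutes=10)   # how far around the event to look


def ts(text: str) -> datetime:
    """Parse an ISO-8601 string as a UTC timestamp (NTFS stores FILETIME in UTC)."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def stamps(*values: datetime) -> dict:
    """Build one attribute set from four datetimes in TIMESTAMP_KEYS order."""
    return dict(zip(TIMESTAMP_KEYS, values))


@dataclass
class MftRecord:
    path: str
    si: dict   # $STANDARD_INFORMATION timestamps, keyed by TIMESTAMP_KEYS
    fn: dict   # $FILE_NAME timestamps, keyed by TIMESTAMP_KEYS
    deleted: bool = False


def stomped_fields(rec: MftRecord) -> list:
    """Names of the timestamps where $SI and $FN disagree (the viewer's red-column rule)."""
    return [k for k in TIMESTAMP_KEYS if rec.si[k] != rec.fn[k]]


def find_time_stomped(records) -> list:
    """(path, mismatched fields) for every record that looks time stomped."""
    hits = []
    for rec in records:
        fields = stomped_fields(rec)
        if fields:
            hits.append((rec.path, fields))
    return hits


def created_near(records, event: datetime, window: timedelta, attr: str = "fn") -> list:
    """Paths whose creation time lies within +/- window of a known event.

    $FN is used by default: unlike $SI it is not changed by the ordinary
    set-file-time APIs, so it usually survives time stomping."""
    found = []
    for rec in records:
        created = getattr(rec, attr)["creation"]
        if abs(created - event) <= window:
            found.append(rec.path)
    return sorted(found)


def search_names(records, pattern: str) -> list:
    """Case-insensitive wildcard search on the file name component of each path."""
    return sorted(rec.path for rec in records
                  if fnmatch(rec.path.rsplit("\\", 1)[-1].lower(), pattern.lower()))


# Constructed sample listing (not real data). Times are UTC.
EVENT = ts("2024-03-10T14:05:00")  # time of a known malicious execution on the host
OLD = ts("2023-11-02T09:00:00")
NEW = ts("2024-03-10T14:06:30")
LATER = ts("2024-03-10T14:09:00")
JAN = ts("2024-01-01T00:00:00")
SAMPLE_RECORDS = [
    # Ordinary system file: both attribute sets agree.
    MftRecord(r"C:\Windows\System32\kernel32.dll",
              si=stamps(OLD, ts("2024-03-10T08:00:00"), OLD, OLD),
              fn=stamps(OLD, ts("2024-03-10T08:00:00"), OLD, OLD)),
    # Dropped file whose $SI times were set back to blend in; $FN keeps the real creation.
    MftRecord(r"C:\Windows\Temp\installer.dll",
              si=stamps(OLD, OLD, OLD, OLD),
              fn=stamps(NEW, NEW, NEW, NEW)),
    # Script written shortly after the event, timestamps untouched.
    MftRecord(r"C:\Users\Public\run.ps1",
              si=stamps(LATER, LATER, LATER, LATER),
              fn=stamps(LATER, LATER, LATER, LATER)),
    # Deleted log from well before the event (would sit under Deleted Files in the viewer).
    MftRecord(r"C:\ProgramData\app\old.log",
              si=stamps(JAN, JAN, JAN, JAN),
              fn=stamps(JAN, JAN, JAN, JAN),
              deleted=True),
]

if __name__ == "__main__":
    for path, fields in find_time_stomped(SAMPLE_RECORDS):
        print(f"time stomped: {path} ({', '.join(fields)} differ between $SI and $FN)")
    print("created near event ($FN):", created_near(SAMPLE_RECORDS, EVENT, WINDOW))
    print("created near event ($SI):", created_near(SAMPLE_RECORDS, EVENT, WINDOW, attr="si"))
    print("scripts:", search_names(SAMPLE_RECORDS, "*.ps1"))
```

Running the two `created_near` calls side by side shows why the viewer sorts on the $FN creation time by default: the dropped file is only found in the event window when the $FN set is consulted, because its $SI set was pushed back to match the surrounding system files.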
System and Process Memory Dump
To perform forensic investigation during an incident response, you can request a memory dump of a host or of a process running on the host. You can analyze these dumps using third-party tools such as Volatility or Rekall.
Download System Dump to Server
To download a system dump to the server from the Hosts view:
1. Go to Hosts and do one of the following:
   - Select a host and select Download System Dump to Server from the right-click context menu, or from the More drop-down list in the toolbar.
   - Select the hostname to open the host details and select Download System Dump to Server from the More option beside the hostname.
2. View the details of the downloaded system dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
Download Process Dump to Server
To download a process dump to the server:
1. Go to Hosts.
2. Select the hostname to open the host details.
3. In the Processes, Libraries, or Anomalies tab, select Download Process Dump to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar.
4. View the details of the downloaded process dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.
To filter, save, and delete system dump or process dump, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.
The following are some errors you might encounter during system and process dump download:
| Issue | Explanation |
| --- | --- |
| Parameter is incorrect. | The process for which the dump is requested might be running with a different process ID. |
| Element not found | The process for which the dump is requested is no longer active. |
| java.io.IOException:Unable to unwrap data, invalid status [CLOSED] | Connection to the agent is interrupted. |
| java.net.SocketTimeoutException | The network is slow or the system is down. |
| One or more arguments are not correct | The agent might be in Insight mode, or the driver is not running. |
Download Files Using Full Path or Wildcard
You can manually download files that help in investigations, either by providing the full path of the file or by using a wildcard.
Note: This is applicable only for agents in Advanced mode with NetWitness Platform version 11.5 and later.
To download files to the server:
1. Go to Hosts and do one of the following:
   - Select one or more hosts with the same operating system, and select Download Files to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar. You can download files from at most the top 100 selected hosts at a time.
   - Select the hostname to open the host details, click the More icon beside the hostname, and select Download Files to Server.
2. In the Download Files to Server dialog, enter the full path where the files may be present, or search using a wildcard. For a wildcard search, you can use a maximum of two *, one at the folder level and the other at the file level.
   For example, to retrieve the registry hive, you can enter the full path C:\Windows\System32\config\SYSTEM.
   If you want to retrieve user settings and configuration preferences for all users, download all files using the wildcard C:\Users\*\NTUSER.DAT.
3. For a wildcard search, enter the number of files to download and the size of the file. By default, the number of files is set to 10 and the file size is set to 100 MB. For example, if the maximum number of files is set to 10 and the file size is set to 10 MB, the first 10 files within 10 MB are downloaded.
   Note: You can set a limit for the Maximum Number of Files field on the Explore page of the Endpoint server ([Endpoint server] > explore > endpoint/command > max-file-count). By default, the limit is set to 100, and you can change it to any value between 100 and 1000 on each Endpoint server. In the broker view, if the Endpoint servers have different max-file-count values, the lowest value is used as the limit.
4. Click Download.
All files downloaded as part of a wildcard search are grouped together based on the search criteria. For example, all files downloaded using C:\Users\*\NTUSER.DAT are grouped, and you can expand the group to view all files under it. You can sort the groups on the downloaded time and view the status of the download in the Downloaded column.
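The wildcard rules in the procedure above (at most two *, one at the folder level and one at the file level, a file-count limit, a file-size limit, and the lowest max-file-count winning in the broker view) are easy to get wrong when you are deciding what a pattern will actually fetch. The following added example, written for this page and not NetWitness code, encodes those rules and runs them over a constructed file listing. Treating the size limit as a per-file cap, the assumption that * does not cross a folder boundary, and the sample paths and sizes are all assumptions made for the example.

```python
"""Validate a Download Files to Server pattern and pick the files it would fetch.

Added example, not NetWitness code. It encodes the rules stated in the docs:
a wildcard pattern may contain at most two '*', one in a folder component and
one in the file name component; at most max_files matching files are taken,
in listing order; and in the broker view the lowest max-file-count across the
Endpoint servers wins. Treating the size limit as a per-file cap is an
assumption made here, as is the constructed file listing.
"""
import fnmatch
import ntpath

MB = 1024 * 1024


def validate_pattern(pattern: str):
    """Return None if the pattern is acceptable, otherwise the reason it is rejected."""
    folder, name = ntpath.split(pattern)
    if folder.count("*") > 1:
        return "only one * is allowed at the folder level"
    if name.count("*") > 1:
        return "only one * is allowed at the file level"
    if not name:
        return "pattern must end with a file name or a file wildcard"
    return None


def matches(pattern: str, path: str) -> bool:
    """Match a backslash path against the pattern one folder component at a time,
    so that * never crosses a folder boundary (C:\\Users\\*\\NTUSER.DAT does not
    match C:\\Users\\Public\\Desktop\\NTUSER.DAT). Matching is case-insensitive."""
    p_parts = pattern.lower().split("\\")
    f_parts = path.lower().split("\\")
    if len(p_parts) != len(f_parts):
        return False
    return all(fnmatch.fnmatchcase(f, p) for p, f in zip(p_parts, f_parts))


def select_files(pattern: str, listing, max_files: int = 10,
                 max_size_bytes: int = 100 * MB) -> list:
    """Paths the request would return: matching files no larger than max_size_bytes,
    in listing order, stopping after max_files. listing holds (path, size) pairs."""
    problem = validate_pattern(pattern)
    if problem:
        raise ValueError(problem)
    picked = []
    for path, size in listing:
        if len(picked) >= max_files:
            break
        if matches(pattern, path) and size <= max_size_bytes:
            picked.append(path)
    return picked


def effective_max_file_count(per_server_limits) -> int:
    """Broker view: when Endpoint servers disagree on max-file-count, the lowest applies."""
    return min(per_server_limits)


# Constructed listing of what an agent sees on one host (path, size in bytes); not real data.
LISTING = [
    (r"C:\Users\alice\NTUSER.DAT", int(2.5 * MB)),
    (r"C:\Users\bob\NTUSER.DAT", 1 * MB),
    (r"C:\Users\Default\NTUSER.DAT", 256 * 1024),
    (r"C:\Users\Public\Desktop\NTUSER.DAT", 1024),      # one folder too deep for the wildcard
    (r"C:\Users\svc_backup\NTUSER.DAT", 150 * MB),      # exceeds the default 100 MB cap
    (r"C:\Windows\System32\config\SYSTEM", 16 * MB),
]

if __name__ == "__main__":
    print(select_files(r"C:\Users\*\NTUSER.DAT", LISTING))
    print(select_files(r"C:\Users\*\NTUSER.DAT", LISTING, max_files=2))
    print(select_files(r"C:\Windows\System32\config\SYSTEM", LISTING))
    print(validate_pattern(r"C:\Users\*\AppData\*\*.log"))
    print(effective_max_file_count([100, 500, 250]))
```

Because files are taken in listing order until the count limit is hit, a hive that exceeds the size cap is skipped rather than counted, and a pattern that places both * characters in the folder part is rejected before any host is contacted.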
Filter Downloaded Files
You can filter the downloaded files on wildcard downloads, file type, file name, SHA256 (for files), and downloaded time. In the Downloaded Time field, you can also filter by custom date.
Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click the delete icon.
Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.
Save Downloaded File
You can retrieve the downloaded file and save it to your local file system for further analysis. To save the file:
1. Go to Hosts.
2. Select the hostname to open the host details and select the Downloads tab.
3. Right-click the file you want to save and select Save a Local Copy from the context menu or from the toolbar.
4. In the Save a Local Copy dialog, click Download.
Note: For wildcard downloads, select a file from the group that was downloaded successfully to save a local copy. You cannot save multiple files in the group at a time, or save files with errors.
Delete Downloaded Files
If you want to delete the downloaded file from the server:
1. Go to Hosts.
2. Select the hostname to open the host details and select the Downloads tab.
3. Right-click one or more files you want to delete, and select Delete File from the context menu or from the toolbar.
Note: For wildcard downloads, you can select the group to delete all files that were downloaded.