Performing Host Forensics

Note: The information in this topic applies to NetWitness Version 11.4 and later.

You can perform the following forensic investigation on a host:

  • Master File Table (MFT)
  • System Dump
  • Process Dump

Note: This is applicable only for Windows agents in Advanced mode with NetWitness Platform version 11.4 and later. Downloading a system dump can take a significant amount of time. Any additional request sent to the agent while a system dump is downloading is queued and processed after the download completes.
MFT, system dump, and process dump downloads are not supported for agents that communicate through a Relay server.

Note: MFT, system dump, and process dump files are stored on the Endpoint Server and can fill up its disk. For large deployments, to use storage efficiently without affecting the health of the Endpoint Server, NetWitness recommends configuring an external storage mount so that every Endpoint Server stores downloaded data in the configured location.
By default, all files are downloaded to /var/netwitness/endpoint-server/<file type>/, where <file type> is MFT, system dump, or process dump. To change the location, make sure that you have the endpoint-server.configuration.manage permission and do the following:
1. In the Explore view, go to endpoint/download.
2. In the base-path, provide the location of the directory.

Download Master File Table

The Master File Table contains metadata for every file on the host: filename, size, timestamps, permissions, and the location of the file's data on the volume. Each MFT entry carries two sets of timestamps, Standard Information ($SI) and File Name ($FN), and each set records creation, access, update, and modification times.

Time stomping is a technique that modifies a file's timestamps (creation, access, update, and modification) to blend in with the files around it, making a planted or altered file hard to spot. Tampering utilities rely on the SetFileTime API, which changes only the $SI timestamps; the $FN timestamps are written by the file system when the file is created, renamed, or moved and cannot be set through that API. A file whose $SI timestamps are earlier than its $FN timestamps, or whose $SI values have been rounded to whole seconds, is therefore a strong candidate for closer inspection. To investigate a suspicious file, download and analyze the MFT and focus on files that are time stomped. For more information, see Analyze Downloaded MFT.

During MFT analysis, you can also search for suspicious filenames and for files created before or after a known malicious event, and you can download files from the MFT viewer for further analysis.

Download MFT to Server

To download MFT to the server from the Hosts view:

  1. Go to Hosts and do one of the following:

    • Select one or more hosts and select Download MFT to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar.

      DownloadMFT.png

    • Select the hostname to open the host details, click netwitness_moreicon.png (More) beside the hostname, and select Download MFT to Server.

  2. In the Download MFT to Server dialog, select one of the following:
    • System Drive - to download the MFT of the system drive (the drive Windows is installed on).
    • Select Drive - to download the MFT of a specific drive.
      You can select any drive letter from the Drive drop-down list. By default, the selected drive is C.
    • Specify NTFS mount path - to download the MFT of an NTFS volume that is mounted on a folder path rather than a drive letter.

    Click Download.

    netwitness_mft_sysdrive.png

  3. View details of the downloaded MFT in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

    downloadtab.png

Analyze Downloaded MFT

You can use the MFT viewer to begin analysis: search for files by file name or timestamps, and identify files that are time stomped.

View MFT

To view the content of the downloaded MFT:

  1. Go to Hosts.
  2. Select the hostname to open the host details and select the Downloads tab.
  3. Click the file name. The MFT viewer is displayed.

    All available files are displayed in the All Files folder, in a tree view similar to Windows Explorer. The Deleted Files folder contains a sequential list of all deleted files.

    TreeviewMFT.png

  4. Click netwitness_pagnxtpg.png to expand the folder structure. Click a row to view the folder's contents.

    The details of the MFT entries are displayed in the table. By default, the table is sorted on creation time ($FN). If the $SI and $FN timestamps differ, the columns are highlighted in red (netwitness_timestompicon.png), indicating that the file may be time stomped. Treat the highlight as a lead rather than proof: $FN timestamps are set when a file is created, renamed, or moved and are not refreshed by later writes, so any file edited since creation shows a later $SI modification time. Entries where $SI is earlier than $FN, or where the $SI values have no sub-second component, deserve the closest attention.

    Timestomped.png

  5. Select one or more files and click Download File to Server on the toolbar to download files to the server.

    Note: Downloading a folder is not supported and hence the option is grayed out for folders.
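The $SI/$FN comparison the viewer performs, as an added example that is not NetWitness code: a Python script that parses raw NTFS MFT FILE records (applying the update sequence fixups first, which a naive parser skips and which corrupts attributes that cross a sector boundary), extracts both timestamp sets, and reports the two signs that actually point to stomping rather than every difference. The two records it scans are constructed inline; the names notes.txt and invoice.pdf and their timestamps are assumptions for the demonstration. On a real downloaded $MFT, slice the file into 1024-byte records and pass them to scan_records.

```python
# Added example (not NetWitness code): parse raw 1024-byte NTFS MFT FILE records and flag
# $SI/$FN timestamp anomalies. Sample records are constructed inline so this runs offline.
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, END_OF_ATTRIBUTES = 0x10, 0x30, 0xFFFFFFFF
RECORD_SIZE, SECTOR_SIZE = 1024, 512
TIMESTAMP_FIELDS = ("created", "modified", "mft_modified", "accessed")

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(record):
    """Undo the update sequence array: NTFS stamps the last two bytes of each sector with
    the USN and keeps the real bytes in the USA; skipping this corrupts straddling attributes."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    buf = bytearray(record)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn record or not an MFT record")
        buf[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_mft_record(raw):
    rec = apply_fixups(raw)
    if rec[:4] != b"FILE":
        raise ValueError("bad record signature")
    first_attr, flags = struct.unpack_from("<HH", rec, 20)
    entry = {"name": None, "in_use": bool(flags & 1), "si": None, "fn": None}
    off = first_attr
    while off + 24 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_OF_ATTRIBUTES or alen == 0:
            break
        if rec[off + 8] == 0:  # resident attribute: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            content = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                entry["si"] = dict(zip(TIMESTAMP_FIELDS, struct.unpack_from("<4Q", content, 0)))
            elif atype == ATTR_FILE_NAME:
                name_len, namespace = content[64], content[65]
                if entry["fn"] is None or namespace != 2:  # prefer the long name over DOS 8.3
                    entry["fn"] = dict(zip(TIMESTAMP_FIELDS, struct.unpack_from("<4Q", content, 8)))
                    entry["name"] = content[66:66 + 2 * name_len].decode("utf-16-le")
        off += alen
    return entry

def time_stomp_indicators(entry):
    """$SI is what SetFileTime and Explorer change; $FN is written at create/rename/move and
    untouched by those APIs. $SI earlier than $FN, or whole-second $SI values, signal stomping."""
    si, fn = entry["si"], entry["fn"]
    if si is None or fn is None:
        return []
    found = [f"{f}: $SI timestamp predates $FN" for f in TIMESTAMP_FIELDS if si[f] < fn[f]]
    if si["created"] % 10_000_000 == 0 and si["modified"] % 10_000_000 == 0:
        found.append("$SI created and modified have zero sub-second part")
    return found

def scan_records(records):
    return [(e["name"], time_stomp_indicators(e)) for e in map(parse_mft_record, records)]

def build_sample_record(name, si_times, fn_times, record_number):
    """Synthetic in-use record with one $SI and one $FN attribute (not real evidence)."""
    def attr(atype, content, attr_id):  # resident attribute with a 24-byte header
        body = content + b"\0" * ((-len(content)) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 24, 0,
                           attr_id, len(content), 24, 0, 0) + body
    si = struct.pack("<4Q4I", *si_times, 0x20, 0, 0, 0)
    fn = (struct.pack("<Q4Q", 5 | (5 << 48), *fn_times)  # parent = root directory
          + struct.pack("<QQIIBB", 0, 0, 0x20, 0, len(name), 1) + name.encode("utf-16-le"))
    attrs = (attr(ATTR_STANDARD_INFORMATION, si, 0) + attr(ATTR_FILE_NAME, fn, 1)
             + struct.pack("<I", END_OF_ATTRIBUTES))
    buf = bytearray(RECORD_SIZE)
    buf[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1,
                           56 + len(attrs), RECORD_SIZE, 0, 2, 0, record_number)
    buf[56:56 + len(attrs)] = attrs
    usn = b"\x01\x00"  # encode the fixups the way the NTFS driver would
    buf[48:54] = usn + buf[510:512] + buf[1022:1024]
    buf[510:512] = buf[1022:1024] = usn
    return bytes(buf)

_born = datetime_to_filetime(datetime(2024, 5, 3, 12, 34, 56, 789123, tzinfo=timezone.utc))
_edit = datetime_to_filetime(datetime(2024, 5, 4, 9, 0, 1, 5000, tzinfo=timezone.utc))
_fake = datetime_to_filetime(datetime(2019, 1, 1, 8, tzinfo=timezone.utc))  # whole second
SAMPLE_BENIGN = build_sample_record("notes.txt", (_born, _edit, _edit, _born), (_born,) * 4, 41)
SAMPLE_STOMPED = build_sample_record("invoice.pdf", (_fake, _fake, _born, _born), (_born,) * 4, 42)

if __name__ == "__main__":
    for name, hits in scan_records([SAMPLE_BENIGN, SAMPLE_STOMPED]):
        print(name, "STOMPED" if hits else "ok", hits)
```

Two caveats the comparison cannot cover. An attacker who renames or moves a file after stomping it gets a fresh $FN attribute copied from the forged $SI values, so a clean comparison is absence of evidence, not proof of innocence. And files extracted from archives or copied from FAT media legitimately carry whole-second timestamps, so the sub-second heuristic needs corroboration from other NTFS artifacts such as $UsnJrnl or $LogFile before you act on it.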

 

Filter MFT

You can filter files on file name, creation time ($FN), creation time ($SI), access time ($FN), access time ($SI), update time ($FN), update time ($SI), modified time ($FN), and modified time ($SI).

FilterFolder.png

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click netwitness_deleteicon_24x24.png.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

To filter, save, and delete MFT, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.

System and Process Memory Dump

To perform forensic investigation during an incident response, you can request a memory dump of a host or of a process running on the host. You can analyze these dumps with third-party memory forensics tools such as Volatility or Rekall.

Download System Dump to Server

To download system dump to the server from the Hosts view:

  1. Go to Hosts and do one of the following:

    • Select a host and select Download System Dump to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar.

      sysdumpdwn_700x311.png

    • Select the hostname to open the host details, click More beside the hostname, and select Download System Dump to Server.

      sysdumpdwn1.png

  2. View the details of the downloaded system dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

Remote Shell

From version 12.3, the NetWitness Remote Shell feature (Hosts > select the hostname > click 123_MorelOptions_Icon.png (More) beside the hostname > Remote Shell) lets you connect remotely to agents installed on Windows hosts and run a fixed set of commands, for example to delete files, change directories, terminate processes, or launch processes on the remote host.

Warning:
- Use the NetWitness Remote Shell feature with utmost caution to avoid a negative impact on the system. NetWitness Platform is not responsible for any damage, loss of data, or other consequences that may arise from using the NetWitness Remote Shell feature.

- If you are an administrator, NetWitness recommends that you add roles and assign the role permission only to selected users in the Security > Roles view, so that only those users can run commands on hosts.

Note:
- NetWitness Remote Shell feature can be used only if Windows Advanced mode Agents are installed on the machine. The agent version must be 12.3 or higher to access the NetWitness Remote Shell feature.

- The NetWitness Remote Shell feature supports agents that communicate through relay servers (RAR). To use Remote Shell with such an agent, download the latest relay packager from the Endpoint Server (EPS) and install it on the existing relay server.
For more information, see https://community.netwitness.com/t5/netwitness-platform-online/optional-installing-and-configuring-relay-server/ta-p/669551.

List of Supported Commands

The following table provides information about the list of supported commands displayed in the NetWitness Remote Shell console.

Supported Command   Description
help                View the list of available commands
cd                  Change the current working directory
del                 Delete a file
rmdir               Delete a folder
dir                 List the contents of a directory
mkdir               Create a new directory
tasklist            List all active processes on the computer
taskkill            Terminate a process
call                Execute a process on the remote computer
reg                 View or modify Windows registry settings

Note:
- Use only commands that run non-interactively (that is, commands that do not prompt for input); the console cannot pass keyboard input to the agent.
- If you run a command that waits for user input, you must end the session and reconnect. Refer to the following figure.

123_Commands_1120x606.png

Example Scenarios

Example 1: To delete a specific file from a folder and all of its subfolders, run the following command.

del /s /q <full_file_path>

Here,

- del refers to delete.

- /s deletes every matching file in the given folder and all of its subfolders. The deletion is recursive and cannot be undone, so confirm the path with dir first.

- /q refers to quiet mode: no confirmation prompt, which is also what makes the command usable in the non-interactive console.

- <full_file_path> refers to the location of the file.

Example 2: To terminate a specific process running on the Windows host, run one of the following commands.

taskkill /f /im <process-name>

taskkill /f /pid <process-id>

Here,

- taskkill refers to terminate.

- /f forcefully terminates the process.

- /im selects processes by image name (the executable file name). Every process with that image name is terminated; use /pid to target a single instance.

- <process-name> refers to the image name of the process.

- /pid selects a process by process ID.

- <process-id> refers to the process ID, as listed by tasklist.

Example 3: To delete a registry key, or a single value under it, run the following command.

reg delete <keyname> [/v <valuename>] /f

Here,

- reg delete deletes a registry key or value.

- <keyname> refers to the full path of the key, starting with the root key (for example HKLM or HKCU).

- /v <valuename> (optional) deletes only the named value under the key. Without /v, the key together with all of its subkeys and values is deleted.

- /f deletes without asking for confirmation, which is required in the non-interactive console.

To execute commands using NetWitness Remote Shell:

  1. Go to Hosts. Do one of the following.

    • Click a row in the Hosts list view and go to More Actions > Remote Shell.

      123_RemoteShell_Option_327x184.png

      The NetWitness Remote Shell window is displayed.

      123_RemoteShell.png

    • Click the Hostname and click 123_MorelOptions_Icon.png(More) beside the hostname in the Host Details view to select Remote Shell.

      The NetWitness Remote Shell window is displayed.

      123_RemoteShell.png

    • Right-click a row in the Hosts list view and select Remote Shell.

      123_AnalyseEvents_RemoteShell.png

      The NetWitness Remote Shell window is displayed.

  2. Enter the commands once the Agent is connected.

    123_RemoteShell_AgentConect1_1068x630.png

  3. Click Send Command or press the Enter key.

  4. Click End Session in the NetWitness Remote Shell window once the required action is performed.

    The confirmation window is displayed.

  5. Click End Session to close the NetWitness Remote Shell window.

RBAC Permissions for Remote Shell

Users with the Analyst role or any other role need the endpoint-server.remoteshell.manage permission to see and use the NetWitness Remote Shell feature. Administrators can assign this permission to a specific user or to a specific role. To grant it only to selected users, duplicate an existing role in the Security > Roles view, assign the new users to the duplicated role, and then go to AdminIcon_25x22.png (Admin) > Services > select the Endpoint Server service > View > Config > Permissions to assign the endpoint-server.remoteshell.manage permission to that role. For more information on duplicating a role, adding a role and assigning permissions, and editing role permissions, see the System Security and User Management Guide for 12.3.

 

Administrators can also configure this permission per Endpoint Server, so that a role can use the NetWitness Remote Shell feature only on specific Endpoint Servers. If a role is granted the feature only on EPS1, its users cannot see or use Remote Shell on EPS2 or EPS3. In the Endpoint Broker Server view, however, the feature appears enabled for all agents as soon as the user has it on any one Endpoint Server. From the Broker view, such a user can connect to an agent only if that agent is reported by EPS1; attempting to connect to an agent that exists only on EPS2 leaves the Remote Shell console loading indefinitely, because the user has the permission on EPS1 and not on EPS2.

Note: If you configure the endpoint-server.remoteshell.manage permission at the role level in the Security > Roles view, the users assigned to the role can access the NetWitness Remote Shell feature on any Endpoint Servers such as EPS 1, EPS 2, and EPS 3.
For more information on Configuring the RBAC permissions at the role level, see (Optional) Add a Role and Assign Permissions section in the System Security and User Management Guide for 12.3.

To configure Remote Shell RBAC permission to the specific users at the endpoint server level:

  1. Go to AdminIcon_25x22.png(Admin) > Services.

  2. In the Services view, select the required Endpoint Server service.

  3. Click Actions_Icon.pngand select View > Config.

  4. Go to Permissions tab.

  5. Select the role you duplicated in the Security > Roles view from the Roles panel on the left.

  6. Select the permission endpoint-server.remoteshell.manage from the Permissions section.

    123_Shell_RBAC_permission_829x373.png

  7. Click Save.

    For more information on configuring the permissions at the Endpoint Server level, see Manage Role Permissions at Endpoint Server Level.

Download Process Dump to Server

To download process dump to the server:

  1. Go to Hosts.

  2. Select the hostname to open the host details.

  3. In the Processes, Libraries, or Anomalies tab, select Download Process Dump to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar.

    prcdumpdwn_710x457.png

  4. View the details of the download process dump in the Downloads tab within the host details. For more information, see Hosts View - Downloads Tab.

To filter, save, and delete system dump or process dump, see Filter Downloaded Files, Save Downloaded File, and Delete Downloaded Files.

The following are some errors you might encounter during system and process dump download:

Issue                                                                  Explanation
Parameter is incorrect.                                                The process for which the dump is requested might be running with a different process ID.
Element not found                                                      The process for which the dump is requested is no longer active.
java.io.IOException: Unable to unwrap data, invalid status [CLOSED]    The connection to the agent was interrupted.
java.net.SocketTimeoutException                                        The network is slow or the host is down.
One or more arguments are not correct                                  The agent might be in Insight mode, or the driver is not running.

Download Files Using Full Path or Wildcard

You can manually download files that help in investigations by either providing full path of the file or using wildcard.

Note: This is applicable only for agents in Advanced mode with NetWitness Platform version 11.5 and later.

To download files to the server:

  1. Go to Hosts and do one of the following:

    • Select one or more hosts running the same operating system, and select Download Files to Server from the right-click context menu, or from the More Actions drop-down list in the toolbar. You can download files from at most 100 selected hosts at a time.

      downloadwcfile_643x312.png

    • Select the hostname to open the host details, click netwitness_moreicon.png (More) beside the hostname, and select Download Files to Server.

      DFtoServer.png

  2. In the Download Files to Server dialog, enter the full path of the file, or a wildcard pattern. A pattern can contain at most two * characters: one at a folder level and one at the file level.

    For example, to retrieve the registry hive, you can enter the full path, C:\Windows\System32\config\SYSTEM.

    If you want to retrieve user settings and configuration preferences for all users, download all files using the wildcard C:\Users\*\NTUSER.DAT.

    netwitness_filedownloadlimit_383x292.png

  3. For a wildcard search, enter the maximum number of files to download and the maximum file size. By default, the number of files is 10 and the file size is 100 MB. For example, if the maximum number of files is 10 and the file size is 10 MB, the first 10 matching files that fit within the 10 MB limit are downloaded.

    Note: You can set a limit to the Maximum Number of Files field on the explore page of the Endpoint server (netwitness_adminicon.png > [Endpoint server] > explore > endpoint/command > max-file-count). By default, the limit is set to 100, and you can change it to any value between 100 - 1000 in each Endpoint server. In broker view, if the Endpoint servers have different max-file-count, the lesser value will be taken as the limit.

  4. Click Download.

All files downloaded as a part of wildcard search are grouped together based on the search criteria. For example, all files downloaded using C:\Users\*\NTUSER.DAT are grouped, and you can click netwitness_inv-openrelatedevens.png to expand and view all files under this group. You can sort the groups on the downloaded time and view the status of the download in the Downloaded column.

downloadgroup.png

Filter Downloaded Files

You can filter the downloaded files on wildcard downloads, file type, file name, SHA256 (for files), and downloaded time. In the Downloaded Time field, you can also filter by custom date.

FilterDwnMFT.png

Click Save to save the filter and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters panel on the left. To delete a filter, hover over the filter name and click netwitness_deleteicon_24x24.png.

Note: Special characters are not allowed except underscore (_) and hyphen (-) while saving the filter.

Save Downloaded File

You can retrieve the downloaded file and save it to your local file system for further analysis. To save the file:

  1. Go to Hosts.

  2. Select the hostname to open the host details and select the Downloads tab.

  3. Right-click the file you want to save and select Save a Local Copy from the context menu or from the toolbar.

    SaveDwnMFT.png

  4. In the Save a Local Copy dialog, click Download.

Note: For wildcard downloads, select a single successfully downloaded file from the group to save a local copy. You cannot save several files of a group at once, or save files whose download failed.

Delete Downloaded Files

If you want to delete the downloaded file from the server:

  1. Go to Hosts.

  2. Select the hostname to open the host details and select the Downloads tab.

  3. Right-click one or more files you want to delete, and select Delete File from the context menu or from the toolbar.

    DeleteMFT.png

    Note: For wildcard downloads, you can select the group to delete all files that are downloaded.