3. Analyzing The Host Data

Once you have added data to Cyber Triage® from one of the collection methods previously listed, analysis begins. Your goal during this process is to review the data and reach a conclusion about whether the system is compromised and how badly. Cyber Triage® will help you as much as possible.

3.1. Threat Scores

As data comes in from the remote host, file, or disk image, Cyber Triage® will start to analyze it and assign a score:

  • Bad: The item is believed to be bad because several malware scanners thought so, it is on a bad list, the user manually identified it, or some other approach with a low false-positive rate flagged it.

  • Suspicious: The item has characteristics that make it anomalous or similar to what is seen during an attack. The approaches used to identify these items have false positives and Cyber Triage® is going to need you to make the final decision.

  • Good: The item was part of a hash database of known items, part of a Good List, or the user manually identified it as good. This score is for items that are OK and not associated with an attack.

  • Unknown: No score was assigned to the item.

Your main responsibility is to confirm the Bad items and decide on the Suspicious items. You can also review the other items.

3.2. Interface Overview and Workflow

When Cyber Triage® starts, you’ll see the Dashboard that displays the number of Bad and Suspicious items, the number of background tasks, and other general session information.

../../_images/3_CT_Interface.png

Dashboard Interface

As you can see from the interface, there are three sections:

  • The left-hand side menu allows you to navigate between the dashboard and the various data types that were collected.

  • The middle part displays the selected data type.

  • The right-hand side displays a timeline of the items that have a Bad score.

The middle section for non-dashboard selections has a table on top and a set of tabs on the bottom. The table shows the items of the selected data type and the bottom shows details that are related to a selected item.

../../_images/3_2.jpg

Bad Items

As you navigate around the UI investigating the endpoint, you can use the arrows in the upper left to go back in your history. This is useful when you see something suspicious, click around to investigate it, and then want to go back to your original place to continue your review.

../../_images/3_3.jpg

Backward and Forward Arrows

3.3. Marking an Item as Good, Bad, or Suspicious

When you select an item in the table, you can choose to change its score in the area below.

../../_images/3_4.jpg

Change Score

  • Bad: Use this score if you know the item is related to an incident and want it to be reported on.

  • Suspicious: Use this score if you want to make sure you review it again in the future. This can be used as a bookmark for your workflow.

  • Good: Use this score if Cyber Triage® marked an item as Good or Suspicious and you want to override that score because you know it is not related to an incident.

If the item is initially Suspicious, you can change the score to Bad if it is in fact bad or mark it as Good if it was a false positive. Changing a Suspicious item to Good or Bad will decrease the number of suspicious items listed on the dashboard and the counters on the left-hand menu.

You can use the Add Comment button to store a comment for the file. This will get included in the final report and be visible to future investigations that come across the same item.

3.3.1. Keyboard Shortcuts

If you would rather not use the mouse and prefer keyboard shortcuts, you can also apply scores as follows:

Keyboard Shortcuts

  Keys        Meaning
  ---------   -----------
  SHIFT + B   Bad
  SHIFT + S   Suspicious
  SHIFT + G   Good
  SHIFT + U   Unknown
  SHIFT + C   Add Comment
  CTRL + Z    Undo

3.5. Viewing Bad and Suspicious Items

Items with a Bad score are found in the Bad Items menu, as shown in the previous section. These items were found from automated analysis or manually identified as bad. The rows in this table are grouped (typically by path) and have columns for:

  • Type: What type of item was found to be a threat.

  • Description: High level description of the item

  • Malware: Indicates if an executable has been scanned by the external analysis service.

  • New: threats seen for the first time on this host have an asterisk icon.

  • Seen Before: List of other hosts that contain this threat item in the Incident or among all hosts in the database.

What Should You Do: You should review the data here and confirm that it is indeed bad in your environment. A program that gets flagged as malicious could be normal in your environment. If it is, mark it as Good and consider adding it to a Global Good List.

3.6. Exporting Files

You may want to export files from Cyber Triage so that you can share them or analyze them in other tools. You have two ways of doing this depending on what kind of file it is.

If you want to extract a single file or folder that you found from one of the data types or file explorer, then simply right click and you’ll see two “Export File” options.

../../_images/3_exportFile.png

Right-Click to Export Files

The “Export File” will save the file in its original form. The “Export File as ZIP” will place the file into a ZIP file with the password “infected” (without the quotes). The ZIP file is useful to prevent malware from being quarantined or deleted.

If you want to export all source files (such as registry hives, event logs, prefetch files, etc.), then go to the Collection Details panel on the left side. Choose the “Export All” button. That will save all of the source files into a folder.

../../_images/3_export-all-collection_details_panel.png

3.7. Analysis Scoring Techniques

There are a variety of analysis techniques that Cyber Triage® uses to score items as bad, suspicious, or good. This section outlines some that you may encounter the most. These are not used in the free Lite mode.

3.7.1. Executable Analysis

As previously described in Collecting Data From Remote Host, Cyber Triage® uses ReversingLabs to analyze executables for malware. If you configured the session to upload file content and/or MD5 values, then Cyber Triage® will know the malware results from many scanners.

Scores are assigned based on ReversingLabs’s proprietary algorithms that combine results from many scanning engines as well as their own techniques.

You can get the malware details by going to the File tab at the bottom and choosing Scan Results.

3.7.2. Document Analysis

Office and PDF files are common vectors for phishing attempts to gain initial access to systems. Cyber Triage has basic analysis methods for detecting suspicious documents. These files are not uploaded to ReversingLabs, like executables can be, because they may contain sensitive information.

Cyber Triage will review Office and PDF files and mark them suspicious if they have:

  • Automatic actions that require no user interaction (such as those that occur when a document or page is opened)

  • Scripts (JavaScript, Macros, etc.) with certain actions.

Please contact us for a more specific list.
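As an added illustration of the kind of static checks described above, the following Python script is example code written for this guide, not Cyber Triage's own analysis; the indicator list it uses (PDF automatic-action and JavaScript keys, VBA and Excel 4.0 macro parts in OOXML files) is an assumption, since the product's own list is not published here. It flags such documents and maps the result onto the Suspicious/Unknown scores; the sample PDF and Office files are constructed inline and contain no real malicious content.

```python
import io
import re
import zipfile

# Indicator keys are an assumption for this example; the product's own list is not
# published on this page. Keys are matched as PDF name objects, so "/JS" does not
# match "/JSomething".
PDF_INDICATORS = {
    "automatic_action": (rb"/OpenAction", rb"/AA"),  # fires when the document/page opens
    "javascript": (rb"/JavaScript", rb"/JS"),        # embedded script objects
    "launch_action": (rb"/Launch",),                  # action that starts an external program
}
OFFICE_EXTENSIONS = (".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm")


def scan_pdf_bytes(data: bytes) -> set:
    """Return indicator names found in a raw PDF. Only uncompressed object keys are
    inspected (objects inside compressed streams are not decoded), so this is a
    first-pass triage check rather than a full PDF parser."""
    found = set()
    for name, keys in PDF_INDICATORS.items():
        for key in keys:
            if re.search(key + rb"(?![A-Za-z0-9_])", data):
                found.add(name)
    return found


def scan_office_bytes(data: bytes) -> set:
    """Return indicator names for an OOXML (zip-based) Office document."""
    found = set()
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return found  # legacy binary .doc/.xls formats are out of scope for this example
    buf.seek(0)
    with zipfile.ZipFile(buf) as zf:
        members = [m.lower() for m in zf.namelist()]
    if any(m.endswith("vbaproject.bin") for m in members):
        found.add("vba_macro")          # VBA project part
    if any(m.startswith("xl/macrosheets/") for m in members):
        found.add("xlm_macro")          # Excel 4.0 macro sheets
    return found


def score_document(filename: str, data: bytes) -> str:
    """Map findings onto the scores used above: Suspicious if any indicator is present,
    otherwise Unknown (a clean static check is not proof that the file is Good)."""
    lower = filename.lower()
    if lower.endswith(".pdf"):
        findings = scan_pdf_bytes(data)
    elif lower.endswith(OFFICE_EXTENSIONS):
        findings = scan_office_bytes(data)
    else:
        findings = set()
    return "Suspicious" if findings else "Unknown"


# --- constructed sample inputs (not real malware) ---
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)


def make_office_zip(members: dict) -> bytes:
    """Build a minimal zip container in memory standing in for an OOXML file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


MACRO_DOCM = make_office_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
    "word/vbaProject.bin": b"\x00constructed-placeholder\x00",
})
PLAIN_DOCX = make_office_zip({
    "[Content_Types].xml": "<Types/>",
    "word/document.xml": "<w:document/>",
})

if __name__ == "__main__":
    for name, data in [("invoice.pdf", SUSPICIOUS_PDF), ("report.pdf", BENIGN_PDF),
                       ("memo.docm", MACRO_DOCM), ("memo.docx", PLAIN_DOCX)]:
        print(name, score_document(name, data))
```

The script returns Unknown rather than Good for a file with no findings: a static check of this kind only raises suspicion, it cannot clear a document, which is why the page asks you to make the final call on Suspicious items.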

3.7.3. Malware Sandbox Analysis

Cyber Triage® integrates with the Recorded Future Sandbox so that you can get dynamic analysis of a suspicious EXE or document. The file will be run on a remote system (managed by Recorded Future) and you will get a report of what processes were created, files opened, etc.

Note

Any file submitted to Recorded Future for analysis will not be available to the public and will remain in the Cyber Triage® Recorded Future enclave.

To use this feature:

  • Right-click on a file and select “Submit to Recorded Future Sandbox”

  • Agree to the Recorded Future Sandbox Privacy Agreement

  • Click the “Details” link next to the Online File Reputation section on the main Dashboard.

../../_images/3_recordedFuture_RightClick.jpg

Right-Click on File and select Submit to Recorded Future Sandbox

../../_images/3_sandboxPrivacy.jpg

Agree to Privacy Terms

../../_images/3_fileReputationDetailsLink.jpg

Click the “Details” link next to Online File Reputation section on the main Dashboard

../../_images/3_Malware_Sandbox_Results.png

Viewing your report in the “Recorded Future Sandbox Results” tab of the File Reputation Service Status panel

3.7.4. Yara Signatures

Yara signatures are a way that malware researchers share signatures about malicious files. Cyber Triage® can use a set of rules to analyze the collected files. Files that match a rule will be scored as Bad.

Cyber Triage® uses libyara 3.8.1. Documentation can be found at: https://yara.readthedocs.io/en/v3.8.1/

3.7.4.1. Adding Yara Files

To include Yara signatures in the analysis, you need to copy them into a specific folder. You can find that folder by going to the Options panel.

../../_images/3_6.jpg

Options Panel

The default path is %localappdata%\cybertriage\config\yara_rules. However, this location can be changed by changing the data folder location in the Cyber Triage® options panel.

Cyber Triage® will not search sub directories for Yara files. If you would like to organize your Yara rules with sub directories, then you’ll need to have a Yara file in the root directory that uses include statements to refer to the other files.

Note

You will not be able to import the entire Yara Rules GitHub repository. This repository has links between its .yar files and causes many false positives. You should copy in only the rules that you are searching for.

3.7.4.2. Scanning Files

Each time a session is ingested or a Yara rescan is initiated Cyber Triage® will take all .yar files in the above folder and compile them into a single compiled Yara file.

Cyber Triage® will use that compiled rule set against each file that has not already been marked as Bad by malware scanning.

If a rule matches a file, then the rule name will be specified in the Cyber Triage® score.
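To make the folder rules in 3.7.4.1 and the compile step in 3.7.4.2 concrete, here is an added Python example written for this guide (it is not Cyber Triage's own code and does not call libyara). It gathers only the .yar files at the top level of a rules folder, resolves include statements relative to the including file the way YARA does, and reports rule names that occur more than once, since a duplicate identifier makes the combined set fail to compile. The folder layout it builds is constructed in a temporary directory.

```python
import re
import tempfile
from pathlib import Path

# include "path"   (YARA resolves the path relative to the file containing the statement)
INCLUDE_RE = re.compile(r'^[ \t]*include[ \t]+"([^"]+)"[ \t]*$', re.MULTILINE)
# rule identifiers, allowing the optional private/global modifiers
RULE_NAME_RE = re.compile(r'^[ \t]*(?:(?:private|global)[ \t]+)*rule[ \t]+(\w+)', re.MULTILINE)


def top_level_rule_files(folder):
    """Only .yar files directly inside the folder are picked up; subdirectories are
    ignored, which is the behaviour described above."""
    return sorted(p for p in Path(folder).iterdir()
                  if p.is_file() and p.suffix.lower() == ".yar")


def resolve_includes(path, seen):
    """Return the file's text with each include statement replaced by the included
    file's (recursively resolved) contents. Each file is expanded at most once so
    that include cycles terminate and a shared file is not duplicated."""
    path = Path(path).resolve()
    if path in seen:
        return ""
    seen.add(path)
    text = path.read_text(encoding="utf-8")
    return INCLUDE_RE.sub(lambda m: resolve_includes(path.parent / m.group(1), seen), text)


def build_combined_ruleset(folder):
    """Concatenate all top-level files (with includes resolved) into one rule text and
    report duplicate rule names, which YARA rejects at compile time."""
    seen = set()
    parts = [f"// ---- {f.name} ----\n" + resolve_includes(f, seen)
             for f in top_level_rule_files(folder)]
    combined = "\n".join(parts)
    names = RULE_NAME_RE.findall(combined)
    duplicates = sorted({n for n in names if names.count(n) > 1})
    return combined, sorted(set(names)), duplicates


def demo():
    """Build a constructed rules folder and return what the compile step would see."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sub").mkdir()
        (root / "index.yar").write_text(
            'include "sub/a.yar"\ninclude "sub/b.yar"\n'
            'rule root_marker { strings: $s = "constructed-sample" condition: $s }\n')
        (root / "sub" / "a.yar").write_text(
            'rule sub_a { strings: $s = "constructed-a" condition: $s }\n')
        (root / "sub" / "b.yar").write_text(
            'rule sub_b { strings: $s = "constructed-b" condition: $s }\n'
            'rule sub_a { strings: $s = "constructed-dup" condition: $s }\n')  # clashes with a.yar
        # never included from the root, so it is not part of the compiled set
        (root / "sub" / "orphan.yar").write_text(
            'rule orphan_rule { strings: $s = "constructed-x" condition: $s }\n')
        (root / "readme.txt").write_text("not a rule file\n")
        files = [f.name for f in top_level_rule_files(root)]
        _, rules, duplicates = build_combined_ruleset(root)
    return {"files": files, "rules": rules, "duplicates": duplicates}


if __name__ == "__main__":
    print(demo())
```

Running this before copying a rule set into the folder shows two things the note above warns about: rules in sub directories that nothing includes are silently left out, and files that include each other can produce the same rule name twice.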

3.7.4.3. Memory Images

If you import a memory image, the same Yara rules will be used by the yarascan Volatility module. Documentation to the yarascan Volatility module can be found here: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan

3.7.4.4. File Location in Team Deployment

When running in a Team environment, processing happens in different locations depending on the type of data you are adding.

  • The Yara rules on the Server will be used for all types of collections except for Memory Images.

  • The Yara rules on the Client will be used for Memory Images. Volatility is run on the client system and the results are sent to the system for processing.

3.7.5. Bad Lists

Cyber Triage® ships with some basic programs and file names on its default Bad List that will cause files to be marked as Bad. You can expand this list based on your threat intelligence. See Advanced Topics for details.

3.7.6. Country Resolution

IP addresses and host names will be resolved to a country using GeoLite2 data created by MaxMind. This data appears either as a column in each relevant table or in the Hosts tab at the bottom of the screen.

3.7.7. Dynamic DNS

Cyber Triage® will mark a hostname as Suspicious if it is part of a dynamic DNS setup, which malware can use to avoid network-based detection.

Cyber Triage® ships with a set of Dynamic DNS providers that it will detect. You can add more providers by going to Options, Dynamic DNS. The domains hosted by dynamic DNS providers are detected using the DNS server for the domain. To add a provider, you add the DNS server names.

../../_images/3_7.jpg

Dynamic DNS providers
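The paragraph above says providers are recognised by the DNS servers that serve a domain. The following Python script is an added example written for this guide, not Cyber Triage's code: it finds the closest enclosing zone for a hostname, looks up that zone's name servers, and compares them with a configured provider list. DNS answers are replaced by a constructed in-memory table so the example runs offline, and treating a bare provider entry such as "dyn-provider.test" as covering every server under it is an assumption of this example.

```python
# Constructed stand-in for DNS lookups: zone name -> its NS records. A real check
# would query DNS for the NS records; this table keeps the example offline.
CONSTRUCTED_NS_RECORDS = {
    "example-ddns.test": ["ns1.dyn-provider.test", "ns2.dyn-provider.test"],
    "corp.example": ["ns1.corp.example", "ns2.corp.example"],
}

# Provider list expressed as DNS server names, as the page describes. A bare name
# such as "dyn-provider.test" is treated here (an assumption of this example) as
# covering every server under it, so ns1/ns2/... need not be listed individually.
DYNAMIC_DNS_SERVERS = {"dyn-provider.test"}


def _server_matches(server: str, provider: str) -> bool:
    server = server.lower().rstrip(".")
    provider = provider.lower().rstrip(".")
    return server == provider or server.endswith("." + provider)


def zone_nameservers(hostname: str, records=CONSTRUCTED_NS_RECORDS):
    """Walk from the full hostname toward the top-level domain and return the closest
    enclosing zone that has NS records, together with those records."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = ".".join(labels[i:])
        if zone in records:
            return zone, list(records[zone])
    return None, []


def dynamic_dns_match(hostname: str, records=CONSTRUCTED_NS_RECORDS,
                      providers=DYNAMIC_DNS_SERVERS):
    """Return (zone, matching_servers); a non-empty list means the hostname is served
    by a configured dynamic DNS provider."""
    zone, servers = zone_nameservers(hostname, records)
    hits = [s for s in servers if any(_server_matches(s, p) for p in providers)]
    return zone, hits


def score_hostname(hostname: str, **kwargs) -> str:
    """Suspicious when the zone's name servers belong to a dynamic DNS provider,
    otherwise Unknown (this check alone says nothing about the host being good)."""
    _, hits = dynamic_dns_match(hostname, **kwargs)
    return "Suspicious" if hits else "Unknown"


if __name__ == "__main__":
    for h in ("myhome.example-ddns.test", "fileserver.corp.example", "nowhere.invalid"):
        print(h, dynamic_dns_match(h), score_hostname(h))
```

Because the match is made on the zone's name servers rather than on the hostname itself, a host under a dynamic DNS provider is detected whatever its own label is, which is why the Options panel asks for DNS server names rather than domain patterns.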

3.7.8. Ransomware

Cyber Triage® has several ransomware-specific detection techniques. Ransomware incidents are much like any other incident where attackers laterally move through an environment, but the difference is on their final action (where they encrypt the data instead of just stealing it).

The ransomware-specific techniques include:

  • Detection of ransomware notes based on known naming patterns

  • Detection of possible ransomware notes based on heuristics

  • Detection of the disabling of data recovery mechanisms, such as Volume Shadow copies and Microsoft Backup

Cyber Triage® focuses on making sure you quickly determine when the encryption started so that you can work backwards to determine how ransomware was deployed.

Cyber Triage® does not have decryption features.

3.8. Data Types

We will now review the types of data that Cyber Triage® collected. The data types on the left-hand side are organized by user-oriented data and malware-oriented data.

3.8.1. Accounts

The Accounts menu item shows all local and domain user accounts that:

  • Have accounts on the host

  • Logged into the host

  • Are referenced in log files

This means that depending on the filter settings, you will see accounts that did not log into the system. You can use the filters to focus in on different types of users.

Note

Not all data will be available for all users in this view because some data exists only for local accounts and other data is from logs that roll over.

../../_images/3_Accounts_Panel.png

Accounts Interface

What Should You Do: Review the accounts to identify those with an abnormal naming convention, inappropriate permissions, or creation times that are similar to the incident timing.

The following filters exist in this view:

  • Show all suspicious items: This option will show only accounts that have been scored as suspicious.

  • Account Type: Select what types of accounts to include in the view:
    • Regular: Accounts that currently exist on the system. Pulled from SAM and Software hives.

    • Inferred: Accounts that are found in an artifact, but do not map back to a Regular, Service, or Limited account. This can be a deleted “regular” account or a reference to a user that may not even exist on the system, such as the destination user for an outgoing logon session.

    • Service: A Windows service account

    • Limited: A Windows limited access user account, such as Guest.

    • Unknown:

  • Time: Date range that the user had activity

  • Observed Actions: Select what kind of activity that the account must have:
    • Interactive logon or program run: Accounts for which there is evidence that the user had a local or remote interactive login with the system or launched a program (locally or remotely) on the system.

    • File or service access: Accounts for which there is evidence that the user interacted with a file or service on the system. Examples include accessing a file share or owning a file that got copied to the system.

    • No observed actions: Accounts where there was a reference to the user on the system, perhaps in an event log or registry, but no evidence was found of them doing anything on this specific system. Examples include accounts that were created and never used or entries in a log server.

  • Hide disabled accounts: Accounts that are not active will be hidden

  • Hide system / virtual accounts: Accounts that are created by the OS will be hidden (such as ‘Font Driver Host/DWM-1’)

  • Hide non-admin accounts: Show only the accounts with known administrator access.

When looking at a domain controller and who had access to it, you can focus on accounts with Interactive Logins and filter out the accounts that only authenticated with the system.

../../_images/3_Accounts_Filter.png

3.8.2. Inbound Logons

Note

As of version 3.4.0, the “Logins” section has been replaced by the new “Inbound Logons” and “Outbound Logons” sections.

This menu item shows the local interactive, inbound interactive, and network logons onto the system. They are grouped together to show you when the system was being used, regardless of how the user got onto the system.

Cyber Triage merges together data from multiple sources to provide these sessions. For example, it will parse events from the Security and Terminal Services logs to identify events that correspond to the same time when a user logged in, and show them to you as a single session. The various places that were used to determine a session can be found in the Sources tab.

You should review this data to look for sessions with suspicious locations or users. Remote logons are used to move laterally within corporate environments and to launch programs.

3.8.2.1. Inbound Logon Summary Panel

When you first open this section, you’ll see a summary panel that can help you focus on certain types of data.

../../_images/3_Inbound_Logon_Summary_Panel.png

Inbound Logons Summary Interface

  • The Overview section gives you an overview of what kind of logon data exists. It gives the number of sessions and date ranges that were found in various logs. This will give you some idea about how much historical data you’ll be seeing.

  • The Suspicious section will give you the unique descriptions of why logons were scored as suspicious.

  • The Recent Failed Logons section will show you which remote interactive logons recently failed. This can be helpful when looking for password attacks.

  • The Histogram section shows you which users logged in and from where for the last 12 months of the system (if there is enough data). For accounts that logged in within the past two months, it will also show what host was used. The term “Various” in the host column means that multiple hosts were merged into a single row.

  • The bottom part of the UI will show an overview of possibly interesting data from the last 45 days of the system:
    • The New Interactive Users section shows users who logged in for the first time using a remote interactive session. This could be from an attacker who used compromised credentials to log into this system. Or, it could be a new employee or a change in job responsibility.

    • The New Interactive Hosts (Old Users) section shows which hosts existing users started to use. For example, if user ‘jdoe’ has used a computer for a year, then they will only show up in this table if they start to come in from a new IP/host. This could be a sign that the user’s account is compromised and the attacker is coming in from atypical locations. Or, it could be that a user comes in from different IPs based on VPN or DHCP.

    • The Network Logons section shows all of the recent, unique network logons (i.e. that are not interactive). These happen when a remote user mounts a file share, uses a tool like PsExec, and various other methods. There are some routine IT network logons and this data should be reviewed to look for unexpected combinations.
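As an added, self-contained Python example (written for this guide, not the product's code; the sessions, hosts and the 45-day window are constructed inputs matching the description above), here is how the New Interactive Users, New Interactive Hosts (Old Users) and Network Logons views can be derived from a merged session list, together with a per-user monthly histogram of interactive logons over the last 12 months:

```python
from collections import defaultdict
from datetime import datetime, timedelta

RECENT_WINDOW = timedelta(days=45)   # "recent" window used by the summary panel
REMOTE_INTERACTIVE = "remote_interactive"
NETWORK = "network"
LOCAL = "local"

# Constructed logon sessions: what a merged session table might contain.
COLLECTION_TIME = datetime(2024, 3, 1)
SESSIONS = [
    {"user": "jdoe",       "host": "WS-101",    "type": REMOTE_INTERACTIVE, "time": datetime(2023, 6, 10, 9, 0)},
    {"user": "pwhite",     "host": "WS-150",    "type": REMOTE_INTERACTIVE, "time": datetime(2023, 3, 1, 8, 30)},
    {"user": "svc-backup", "host": "BACKUP01",  "type": NETWORK,            "time": datetime(2023, 1, 5, 2, 0)},
    {"user": "jdoe",       "host": "WS-101",    "type": REMOTE_INTERACTIVE, "time": datetime(2024, 2, 20, 9, 5)},
    {"user": "jdoe",       "host": "10.0.9.77", "type": REMOTE_INTERACTIVE, "time": datetime(2024, 2, 25, 23, 40)},
    {"user": "asmith",     "host": "WS-202",    "type": REMOTE_INTERACTIVE, "time": datetime(2024, 2, 27, 10, 15)},
    {"user": "bjones",     "host": "local",     "type": LOCAL,              "time": datetime(2024, 2, 22, 7, 50)},
    {"user": "svc-backup", "host": "BACKUP01",  "type": NETWORK,            "time": datetime(2024, 2, 1, 2, 0)},
    {"user": "jdoe",       "host": "FS-01",     "type": NETWORK,            "time": datetime(2024, 2, 28, 11, 0)},
]


def split_recent(sessions, collection_time, window=RECENT_WINDOW):
    """Partition sessions into (historical, recent) around the window cutoff."""
    cutoff = collection_time - window
    historical = [s for s in sessions if s["time"] < cutoff]
    recent = [s for s in sessions if s["time"] >= cutoff]
    return historical, recent


def new_interactive_users(sessions, collection_time):
    """Users whose first remote interactive logon falls inside the recent window."""
    historical, recent = split_recent(sessions, collection_time)
    old = {s["user"] for s in historical if s["type"] == REMOTE_INTERACTIVE}
    new = {s["user"] for s in recent if s["type"] == REMOTE_INTERACTIVE}
    return sorted(new - old)


def new_hosts_for_old_users(sessions, collection_time):
    """(user, host) pairs where an established interactive user arrives from a host
    not seen for that user before the window."""
    historical, recent = split_recent(sessions, collection_time)
    old_users = {s["user"] for s in historical if s["type"] == REMOTE_INTERACTIVE}
    old_pairs = {(s["user"], s["host"]) for s in historical if s["type"] == REMOTE_INTERACTIVE}
    return sorted({(s["user"], s["host"]) for s in recent
                   if s["type"] == REMOTE_INTERACTIVE
                   and s["user"] in old_users
                   and (s["user"], s["host"]) not in old_pairs})


def recent_network_logons(sessions, collection_time):
    """Unique (user, host) pairs of non-interactive network logons in the window."""
    _, recent = split_recent(sessions, collection_time)
    return sorted({(s["user"], s["host"]) for s in recent if s["type"] == NETWORK})


def monthly_histogram(sessions, collection_time, months=12):
    """Per-user count of remote interactive logons by calendar month for the last N months."""
    # first day of the month (N-1) months before the collection month
    total = collection_time.year * 12 + (collection_time.month - 1) - (months - 1)
    start = datetime(total // 12, total % 12 + 1, 1)
    hist = defaultdict(lambda: defaultdict(int))
    for s in sessions:
        if s["type"] == REMOTE_INTERACTIVE and start <= s["time"] <= collection_time:
            hist[s["user"]][s["time"].strftime("%Y-%m")] += 1
    return {u: dict(v) for u, v in hist.items()}


if __name__ == "__main__":
    print("New interactive users:", new_interactive_users(SESSIONS, COLLECTION_TIME))
    print("New hosts for old users:", new_hosts_for_old_users(SESSIONS, COLLECTION_TIME))
    print("Recent network logons:", recent_network_logons(SESSIONS, COLLECTION_TIME))
    print("Histogram:", monthly_histogram(SESSIONS, COLLECTION_TIME))
```

In the constructed data, ‘asmith’ appears as a new interactive user and ‘jdoe’ shows up under new hosts because of the late-night session from 10.0.9.77; as the text says, either can be a compromised account or a perfectly normal change, which is why they are presented for review rather than scored Bad.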

3.8.2.2. Inbound Logon Search Panel

The second tab allows you to search for logon sessions. By default, all logon sessions are shown and grouped by unique combinations of local user and source host (“local” is used for local interactive logons).

../../_images/3_Inbound_Logon_Search.jpg

Inbound Logons Interface

You can change the search criteria to focus on time ranges or types of logons. The following filters exist:

  • Show all suspicious items will show only logons that are scored as suspicious.

  • Group by will allow you to group the hundreds or thousands of sessions so that you can identify anomalous combinations of hosts and users. By default, the sessions are grouped by remote host and local user, but you can focus instead only on local users or on remote hosts.

  • Time will allow you to focus on sessions that occurred within the time range. This allows you to, for example, ignore sessions that happened a year ago.

  • Logon status will allow you to only focus in on failed logons or to ignore them if they are a lot of noise.

  • Type will allow you to focus on only local logons, remote interactive, or network logons. By default, all three are shown.

  • Order By allows you to specify how the groups are sorted. By default, it shows the most recent logons first, but you can also order by host, etc.

You can select a group and then see individual sessions. Selecting a session allows you to see details on the bottom about the user and hosts.

What Should You Do: Review this data to look for suspicious hosts, users, and times. Cyber Triage® may mark some of them as being suspicious and you should review those and others to identify them as Good or Bad.

3.8.2.3. Logon Info Panel Tabs

Once an incoming/outgoing logon is selected, you can view more information about that logon in the Logon Info Panel and the related tabs shown below.

The “Related Logon Sessions” tab shows the logon sessions related to the selected one.

../../_images/3_Related_Logon_Session_Tab.png

Logon Info Panel - Related Login Session Tab

The “Sources” tab will show from which artifact we pulled any logon data associated with a particular logon session.

../../_images/3_Logon_Sources_Tab.png

Logon Info Panel - Sources Tab

3.8.3. Outbound Logons

The same panels are present for Outbound Logons. The Outbound Logon menu item shows logons that local users made to other systems. This data often does not have all logons, but may have data from applications that save which hosts were used and from some event logs.

3.8.3.1. Outbound Logon Summary Panel

Like the Inbound Logon section, this area starts off with a summary panel to show recent destinations and users.

../../_images/3_Outbound_Logon_Summary_Panel.png

Outbound Logons Summary Interface

The following areas exist:

  • The Overview section gives you an overview of what kind of logon data exists. It gives the number of sessions and date ranges that were found in various logs. This will give you some idea about how much historical data you’ll be seeing.

  • The Suspicious section will give you the unique descriptions of why logons were scored as suspicious.

  • The Histogram section shows you which users logged into other systems and where they went for the last 12 months of the system (if there is enough data). For accounts with activity within the past two months, it will also show what host was used. The term “Various” in the host column means that multiple hosts were merged into a single row.

  • The bottom part of the UI will show an overview of possibly interesting data from the last 45 days of the system:
    • The New Interactive Users section shows users who started to have outbound logons. This could be from an attacker who gained access to this system and started to move laterally. Or, it could be a new employee or a change in job responsibility.

    • The New Interactive Hosts (Old Users) section shows which hosts existing users started to use. For example, if user ‘jdoe’ has used the computer for a year, then they will only show up in this table if they start to log onto new hosts. This could be from an attacker or a change in job responsibility.

3.8.3.2. Outbound Logon Search Panel

The search interface allows you to view all outbound logons organized by local user and remote host.

../../_images/3_Outbound_Logon_Search.jpg

Outbound Logons Interface

You can change the search criteria to focus on time ranges or types of logons. The following filters exist:

  • Show all suspicious items will show only logons that are scored as suspicious.

  • Group by will allow you to group the sessions so that you can identify anomalous combinations of hosts and users. By default, the sessions are grouped by remote host and local user, but you can focus instead only on local users or on remote hosts.

  • Time will allow you to focus on sessions that occurred within the time range. This allows you to, for example, ignore sessions that happened a year ago.

  • Order By allows you to specify how the groups are sorted. By default, it shows the most recent logons first, but you can also order by host, etc.

You can select a group and then see individual sessions. Selecting a session allows you to see details on the bottom about the user and hosts.

What Should You Do: Review this data to look for suspicious hosts, users, and times. Cyber Triage® may mark some of them as being suspicious and you should review those and others to identify them as Good or Bad.

3.8.4. Network Shares

This Network Shares menu item shows the remote network shares that were accessed. These are determined from explicit mounts of the shares as well as from references to them in programs that were run and folders that were accessed.

../../_images/3_11.jpg

Network Shares Interface

The rows in this table are grouped by remote host and rows include share name, users, and times.

What Should You Do: You should review this data to look for shares that the user should not have needed access to. This could indicate that the account was compromised or the user is looking for sensitive data.

3.8.5. Programs Run

The Programs Run menu item will show the programs that were executed on the system. This is based on registry data and other system configurations.

../../_images/3_12.jpg

Programs Run Interface

There are a lot of programs that are run on the system and this section can be quite overwhelming. You want to be looking for malicious programs that were run by an authorized or unauthorized user. Cyber Triage® will group these rows based on naming patterns that we have found for many programs, such as having a version number as a folder.

Filtering options at the top allow you to focus on just the suspicious items, which are those running from temporary folders and from folders that should contain only data files. Many of the items in this list will be for deleted files that no longer have content or will come from programs that use a consistent naming convention. Cyber Triage® allows you to filter out the items without content and will group items based on similar names.

You can see the specific execution times at the bottom in the “Execution History” tab.

What Should You Do: Review the items and identify the programs that are bad or suspicious based on their path and malware results. In a corporate environment, you may find it useful to add the events that are known and common to a Good List. For example, many auto update programs will run from the AppData folder and be shown here, but you can choose to add them to a Global Good List.

3.8.6. Web Artifacts

The Web Artifacts menu item shows web history, bookmarks, downloads, and cookies from Chrome, Firefox, Edge, and IE browsers. You can use this information to see what the user was viewing or what they downloaded. This is useful for phishing campaigns that cause the user to download executables or when you suspect an insider.

../../_images/3_13.jpg

Web Artifacts Interface

What Should You Do: Review these items to look for suspicious downloads or search queries. You can filter based on type and date range.

3.8.7. Data Accessed

The Data Accessed menu item shows files or folders that a user accessed. This could have been because they opened or saved a file on the machine. Example contents of this section include Most Recently Used (MRU) lists.

You can use this information to see what data the user accessed during their session. Attackers may open files while looking for sensitive information. It can also show if phishing documents were opened.

../../_images/3_Analysis_Data_Accessed_Main_Panel.jpg

Data Accessed Interface

What Should You Do: Review these items to look for suspicious data the user may have accessed, which you can filter by date range.

3.8.8. Startup Items

The Startup Items menu item shows the various files that are executed when the system starts. It uses dozens of registry and file system locations to identify the startup files that may contain malware.

../../_images/3_14.jpg

Startup Items Interface

What You Should Do: Review the suspicious entries, which are often flagged based on path and whether they are signed. Mark them as good or bad and consider adding them to the Good or Bad Lists.

3.8.9. Triggered Tasks

The Triggered Tasks menu item shows the Windows Scheduled Tasks and WMI Actions that ran on a periodic basis.

../../_images/3_15.jpg

Triggered Tasks Interface

What Should You Do: Review the scheduled tasks and actions to identify ones that could be malicious programs that periodically run to check the system status or query a remote server. Look for suspicious paths, times, or names. You may find it useful to add the scheduled tasks that are known and common in your environment to a Global Good List.

3.8.10. Processes

The Processes menu item shows the process tree for the computer when the collection was made.

../../_images/3_16.jpg

Processes Interface

What Should You Do: Review the suspicious processes that were flagged based on parent process or name. Mark them as Good or Bad.

3.8.11. Active Connections

This Active Connections menu item shows the network connections that were open at the time the collection was made.

../../_images/3_17.jpg

Active Connections Interface

The rows are grouped by remote host and have columns for the process with the connection, remote and local ports, times, and direction.

What Should You Do: You should review this data for connections to unexpected hosts and for processes with unexpected network

3.8.12. Listening Ports

The Listening Ports menu item shows the ports that were listening for new connections when the collection was made.

../../_images/3_18.jpg

Listening Ports Interface

The rows are grouped by port number and have columns for the protocol, process, user, and information about what is usually at that port number.

What Should You Do: Review these to find processes that you did not expect to be listening for a connection. These could be backdoor applications into your system. Consider adding ports that are normal in your environment to a Good List.

3.8.13. DNS Cache

The DNS Cache menu item shows the contents of the DNS cache, which contains references to the hosts that the computer tried to resolve to an IP address. You will find addresses in here that the system previously connected to.

../../_images/3_19.jpg

DNS Cache Interface

The rows are grouped by remote host domain and have columns for IP and country.

What Should You Do: You should review the data here for suspicious items and connections to suspicious hosts or countries.

3.8.14. System Configuration

This area shows you various OS and application settings that were enumerated during the collection. These come from various registry keys and other configuration files.

../../_images/3_20.jpg

Settings Interface

What Should You Do: Review the data to detect if any security settings were disabled or determine what the audit settings were.

3.9. Analysis Views

An alternative way of looking at the collected data is by date or file system location. Cyber Triage® supports both of these views.

3.9.1. Timeline

This area shows you the collected items organized by time. You can use this data to identify what happened before and after a specific event.

../../_images/3_21.jpg

Timeline Interface

You can get to this data by either selecting Timeline from the left side and picking a date range or right clicking on most entries in their respective table and choosing View in Timeline.

../../_images/3_22.jpg

Choose View Timeline

At any point, if the timeline becomes overwhelming, you can reduce the amount of data shown by filtering by type:

../../_images/3_23.jpg

Filter by Type

3.9.2. File Explorer

The Files menu item can show several things:

  • If a full file system scan was performed, you can view metadata for all files, though content is not available for every file.

  • You can view only suspicious or bad files.

You can get to a file either by choosing the Files menu item and navigating the structure or, when you are reviewing an item associated with a file, such as a Startup item, by right-clicking and choosing View File in Directory.

../../_images/3_24.jpg

View File in Directory

That will then bring you directly to the file:

../../_images/3_25.jpg

File Interface

What Should You Do: Review the suspicious entries. The files flagged as malware will also be in the Bad Items menu item. You can also use this to see what other files are located in the same folder as malware and other Bad Items.

3.9.4. Registry Entries

The Registry Entries menu item shows the suspicious registry entries on the system.

Note

The menu does not currently display the full registry hive; it shows only the entries that were found to be suspicious based on size and name.

What Should You Do: Review these and mark them as good or bad.

3.9.5. Collection Details Panel

The Collection Details Panel gives high-level information about what data was collected from the host and how it was added. This panel will also show you how many items of each data type were collected.

../../_images/3_collection-details-panel.png

The “Export All” option will export all collected source files (registry hives, logs, etc.) to a directory of your choice.

../../_images/3_export-all-collection_details_panel.png