5. Analyzing The Host Data

Once you have added data to Cyber Triage® from one of the collection methods previously listed, analysis begins. Your goal during this process is to review the data and decide whether the system is compromised and, if so, how badly. Cyber Triage® will help you as much as possible.

5.1. Threat Scores

As data comes in from the remote host, file, or disk image, Cyber Triage® will start to analyze it and assign a score:

  • Bad: The item is believed to be bad because several malware scanners thought so, it is on a Bad List, the user manually identified it, or some other approach with a low false-positive rate flagged it.

  • Suspicious: The item has characteristics that make it anomalous or similar to what is seen during an attack. The approaches used to identify these items have false positives and Cyber Triage® is going to need you to make the final decision.

  • Good: The item was part of a hash database of known items, part of a Good List, or the user manually identified it as good. This score is for items that are OK and not associated with an attack.

  • Unknown: No score was assigned to the item.

Your main responsibility is to confirm the Bad items and decide on the Suspicious items. You can also review the other items.

5.2. Interface Overview and Workflow

When Cyber Triage® starts, you’ll see the Dashboard that displays the number of Bad and Suspicious items, the number of background tasks, and other general session information.

../_images/3_CT_Interface.png

Dashboard Interface

As you can see from the interface, there are three sections:

  • The left-hand side menu allows you to navigate between the dashboard and the various data types that were collected.

  • The middle part displays the selected data type

  • The right-hand side displays a timeline of the items that have a Bad score.

The middle section for non-dashboard selections has a table on top and a set of tabs on the bottom. The table shows the items of the selected data type and the bottom shows details that are related to a selected item.

../_images/3_2.jpg

Bad Items

As you navigate around the UI investigating the endpoint, you can use the arrows in the upper left to go back in your history. This is useful when you see something suspicious, click around to investigate it, and then want to go back to your original place to continue your review.

../_images/3_3.jpg

Backward and Forward Arrows

5.3. Marking an Item as Good, Bad, or Suspicious

When you select an item in the table, you can choose to change its score in the area below.

../_images/3_4.jpg

Change Score

  • Bad: Use this score if you know the item is related to an incident and want it to be reported on.

  • Suspicious: Use this score if you want to make sure you review it again in the future. This can be used as a bookmark for your workflow.

  • Good: Use this score if Cyber Triage® marked an item as Bad or Suspicious and you want to override that score because you know it is not related to an incident.

If the item is initially Suspicious, you can change the score to Bad if it is in fact bad or mark it as Good if it was a false positive. Changing a Suspicious item to Good or Bad will decrease the number of suspicious items listed on the dashboard and the counters on the left-hand menu.

You can use the Add Comment button to store a comment for the file. This will get included in the final report and be visible to future investigations that come across the same item.

5.3.1. Keyboard Shortcuts

If you would rather not use the mouse and prefer keyboard shortcuts, you can also apply scores as follows:

Keyboard Shortcuts

Keys        Meaning
SHIFT + B   Bad
SHIFT + S   Suspicious
SHIFT + G   Good
SHIFT + U   Unknown
SHIFT + C   Add Comment
CTRL + Z    Undo

5.5. Viewing Bad and Suspicious Items

Items with a Bad score are found in the Bad Items menu, as shown in the previous section. These items were found from automated analysis or manually identified as bad. The rows in this table are grouped (typically by path) and have columns for:

  • Type: What type of item was found to be a threat.

  • Description: High level description of the item

  • Malware: Indicates if an executable has been scanned by the external analysis service.

  • New: threats seen for the first time on this host have an asterisk icon.

What Should You Do: You should review the data here and confirm that it is indeed bad in your environment. A program that gets flagged as malicious could be normal in your environment. If it is, mark it as Good and consider adding it to a Global Good List.

5.6. Exporting Files

You may want to export files from Cyber Triage so that you can share them or analyze them in other tools. You have two ways of doing this depending on what kind of file it is.

If you want to extract a single file or folder that you found from one of the data types or file explorer, then simply right click and you’ll see two “Export File” options.

../_images/3_exportFile.png

Right-Click to Export Files

The “Export File” will save the file in its original form. The “Export File as ZIP” will place the file into a ZIP file with the password “infected” (without the quotes). The ZIP file is useful to prevent malware from being quarantined or deleted.

If you want to export all source files (such as registry hives, event logs, prefetch files, etc.), then go to the Collection Details panel. See Collection Details Panel.

5.7. Analysis Scoring Techniques

There are a variety of analysis techniques that Cyber Triage® uses to score items as bad, suspicious, or good. This section outlines some that you may encounter the most. These are not used in the free Lite mode.

5.7.1. Executable Analysis

As previously described in Adding a Host, Cyber Triage® uses ReversingLabs to analyze executables for malware. If you configured the session to upload file content and/or MD5 values, then Cyber Triage® will know the malware results from many scanners.

Scores are assigned based on ReversingLabs’s proprietary algorithms that combine results from many scanning engines as well as their own techniques.

You can get the malware details by going to the File tab at the bottom and choosing Scan Results.

5.7.2. Document Analysis

Office and PDF files are common vectors for phishing attempts to gain initial access to systems. Cyber Triage has basic analysis methods for detecting suspicious documents. These files are not uploaded to ReversingLabs, like executables can be, because they may contain sensitive information.

Cyber Triage will review Office and PDF files and mark them suspicious if they have:

  • Automatic actions that require no user interaction (such as those that occur when a document or page is opened)

  • Scripts (JavaScript, Macros, etc.) with certain actions.

Please contact us for a more specific list.
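The following is an added illustration of the two document checks just described, written for this page and not Cyber Triage's own code. It scans a PDF for name objects that fire without user interaction (/OpenAction, /AA) and for embedded script (/JavaScript, /JS), and checks an OOXML container for a VBA macro project. The sample PDFs and the docx builder are constructed here; they are harmless and only mimic the markers. A production parser must also handle hex-escaped names and compressed object streams, which this byte-level scan does not.

```python
import io
import re
import zipfile

# Constructed sample PDFs (not real malware). The second one carries the two
# kinds of marker the text describes: an action that fires automatically when
# the document opens (/OpenAction, /AA) and embedded script (/JavaScript, /JS).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

AUTO_ACTION_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('constructed sample')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Name objects from the PDF specification.
AUTO_ACTION_KEYS = (b"/OpenAction", b"/AA")
SCRIPT_KEYS = (b"/JavaScript", b"/JS")
OTHER_ACTION_KEYS = (b"/Launch", b"/EmbeddedFile")


def _count_name(data: bytes, key: bytes) -> int:
    # Match only a complete PDF name (followed by whitespace or a delimiter),
    # so /JS does not also match /JSX and /AA does not match /AAX.
    return len(re.findall(re.escape(key) + rb"(?=[\s/<>\[\]()]|$)", data))


def score_pdf(data: bytes) -> dict:
    """Return a score in the page's vocabulary plus the reasons behind it."""
    reasons = []
    auto = sum(_count_name(data, k) for k in AUTO_ACTION_KEYS)
    script = sum(_count_name(data, k) for k in SCRIPT_KEYS)
    if auto:
        reasons.append(f"{auto} automatic action(s) (/OpenAction or /AA)")
    if script:
        reasons.append(f"{script} script reference(s) (/JavaScript or /JS)")
    for key in OTHER_ACTION_KEYS:
        n = _count_name(data, key)
        if n:
            reasons.append(f"{n} {key.decode()} entries")
    # Only automatic actions or scripts raise the score in this illustration;
    # the other markers are reported for the analyst but do not score.
    suspicious = bool(auto or script)
    return {"score": "Suspicious" if suspicious else "Unknown", "reasons": reasons}


def make_docx(with_macro: bool) -> bytes:
    """Build a minimal constructed OOXML container (not a real Office file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def score_office(data: bytes) -> dict:
    """Flag an OOXML document that carries a VBA macro project. The text
    says Cyber Triage looks for scripts with certain actions; this simplified
    check flags the presence of any macro project."""
    reasons = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
    except zipfile.BadZipFile:
        return {"score": "Unknown", "reasons": ["not an OOXML container"]}
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("VBA macro project present (vbaProject.bin)")
    return {"score": "Suspicious" if reasons else "Unknown", "reasons": reasons}
```

Running `score_pdf(AUTO_ACTION_PDF)` reports two automatic actions and two script references and returns Suspicious, while the benign sample stays Unknown; `score_office(make_docx(True))` is Suspicious because of the macro project.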

5.7.3. Previous Incidents

Cyber Triage tracks what items you manually scored as Bad and will ensure that they are marked as Bad in future hosts. Items scored in versions prior to 3.7.0 will not have their score propagated. The propagation is done via an exact match algorithm, which often relies on file hashes. For example, if a file with the same name as a previously Bad item is seen again, then it will not get scored if the hash values are different.

If you are seeing false positives from this feature (because an item is no longer considered Bad), you can suppress future items from getting the Bad score by scoring it as Good in the current incident. Cyber Triage will then prompt you to see if you want to stop automatically scoring it in the future.

You can see the list of suppressed items in the Options panel under “Past Hosts”.

5.7.4. Malware Sandbox Analysis

Cyber Triage® integrates with the Recorded Future Sandbox so that you can get dynamic analysis of a suspicious EXE or document. The file will be run on a remote system (managed by Recorded Future) and you will get a report of what processes were created, files opened, etc.

Note

Any file submitted to Recorded Future for analysis will not be available to the public and will remain in the Cyber Triage® Recorded Future enclave.

To use this feature:

  • Right-click on a file and select “Submit to Recorded Future Sandbox”

  • Agree to the Recorded Future Sandbox Privacy Agreement

  • Click the “Details” link next to Online File Reputation section on the main Dashboard.

../_images/3_recordedFuture_RightClick.jpg

Right-Click on File and select Submit to Recorded Future Sandbox

../_images/3_sandboxPrivacy.jpg

Agree to Privacy Terms

../_images/3_fileReputationDetailsLink.jpg

Click the “Details” link next to Online File Reputation section on the main Dashboard

../_images/3_Malware_Sandbox_Results.png

Viewing your report “Recorded Future Sandbox Results” tab in the File Reputation Service Status panel

5.7.5. Yara Rules

Cyber Triage will score files as Bad if they match a Yara signature. Refer to Yara Signatures for details on configuring Yara rules, but the basic idea is that all rules will go into a single folder.

Each time a session is ingested or a Yara rescan is initiated Cyber Triage® will take all .yar files in the above folder and compile them into a single compiled Yara file.

If a file matches a Yara signature and has not already been marked as malware, then it will get a Bad score and the rule name will be specified.

For memory images, the same Yara rules will be used by the yarascan Volatility module. Documentation to the yarascan Volatility module can be found here: https://github.com/volatilityfoundation/volatility/wiki/Command-Reference-Mal#yarascan

5.7.6. Good and Bad Lists

Cyber Triage® ships with a default Bad List of basic program and file names that will cause matching files to be marked as Bad, and a default Good List of items that will be marked as Good. Good List entries help to fix false positives that could be triggered by your environment.

You can expand these lists based on your threat intelligence. See Configure Bad and Good Lists for details.

In addition to the automated scoring, many of the tables will hide items on the Good List from you, but you can choose to Include Items on Good List.

../_images/5_6.jpg

Startup Items (Good List)

5.7.7. Country Resolution

IP addresses and host names will be resolved to a country using GeoLite2 data created by MaxMind. This data appears either as a column in each relevant table or in the Hosts tab at the bottom of the screen.

5.7.8. Dynamic DNS

Cyber Triage® will mark a hostname as Suspicious if it is part of a dynamic DNS setup, which malware can use to avoid network-based detection.

Cyber Triage® ships with a set of Dynamic DNS providers that it will detect. You can add more providers by going to Options, Dynamic DNS. The domains hosted by dynamic DNS providers are detected using the DNS server for the domain. To add a provider, you add the DNS server names.

../_images/3_7.jpg

Dynamic DNS providers
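As an added example (not Cyber Triage's own code) of the detection the text describes, the block below identifies a dynamic DNS hostname by the DNS servers that serve its zone rather than by the hostname itself. The provider list and the NS records are constructed placeholders under the reserved `.invalid` TLD; a real implementation would replace `lookup_ns` with an actual NS query.

```python
# Constructed provider list in the shape the text describes: a provider is
# identified by the name servers that host its domains. Names are made up.
DYNAMIC_DNS_PROVIDERS = {
    "ExampleDynDNS": ["ns1.dyn-example.invalid", "ns2.dyn-example.invalid"],
    "FreeHostNames": ["dns-a.freehost-example.invalid"],
}

# Constructed stand-in for NS lookups (zone -> authoritative servers) so the
# example runs offline. A real implementation would query DNS here.
FAKE_NS_RECORDS = {
    "ddns-example.invalid": ["ns1.dyn-example.invalid", "ns2.dyn-example.invalid"],
    "freehost-example.invalid": ["dns-a.freehost-example.invalid"],
    "corp-example.invalid": ["ns.corp-example.invalid"],
}


def lookup_ns(zone):
    return FAKE_NS_RECORDS.get(zone, [])


def authoritative_servers(hostname, ns_lookup=lookup_ns):
    """Walk from the full hostname up through its parent zones and return the
    first zone that has NS records, with those servers normalised. A customer
    name such as host1.myhome.ddns-example.invalid therefore resolves to the
    provider zone ddns-example.invalid."""
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        zone = ".".join(labels[i:])
        servers = ns_lookup(zone)
        if servers:
            return zone, [s.lower().rstrip(".") for s in servers]
    return None, []


def dynamic_dns_provider(hostname, providers=DYNAMIC_DNS_PROVIDERS, ns_lookup=lookup_ns):
    """Return the provider name when the hostname's zone is served by a known
    dynamic DNS provider's name servers, otherwise None."""
    _zone, servers = authoritative_servers(hostname, ns_lookup)
    for provider, provider_servers in providers.items():
        if any(s.lower() in servers for s in provider_servers):
            return provider
    return None


def score_hostname(hostname):
    provider = dynamic_dns_provider(hostname)
    if provider:
        return {"score": "Suspicious", "reason": f"dynamic DNS provider: {provider}"}
    return {"score": "Unknown", "reason": ""}
```

Because the match is on name servers, adding a provider means adding its DNS server names, exactly as the Options panel asks for; every customer subdomain under that provider is then caught without listing each domain.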

5.7.9. Ransomware

Cyber Triage® has several ransomware-specific detection techniques. Ransomware incidents are much like any other incident where attackers laterally move through an environment, but the difference is on their final action (where they encrypt the data instead of just stealing it).

The ransomware-specific techniques include:

  • Detection of ransomware notes based on known naming patterns

  • Detection of possible ransomware notes based on heuristics

  • Detection of data-recovery mechanisms being disabled, such as Volume Shadow Copies and Microsoft Backup

Cyber Triage® focuses on making sure you quickly determine when the encryption started so that you can work backwards to determine how ransomware was deployed.

Cyber Triage® does not have decryption features.
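The first two ransomware techniques in the list above (known note names, then heuristics for unknown ones) and the goal of finding when encryption started are illustrated by the added example below. It is written for this page, not taken from Cyber Triage; the file listing, the note-name pattern and the keyword vocabulary are constructed placeholders and do not describe any real family.

```python
import re
from collections import defaultdict

# Constructed file listing: (path, size in bytes, created time, first bytes of
# content). Names and contents are made up and do not describe a real family.
SAMPLE_FILES = [
    ("C:\\Users\\jdoe\\Documents\\budget.xlsx", 48210, "2024-02-10T11:00:00", b"PK\x03\x04"),
    ("C:\\Users\\jdoe\\Documents\\HOW_TO_RESTORE_FILES.txt", 1930, "2024-03-02T01:14:00", b"All your files have been encrypted. To decrypt them ..."),
    ("C:\\Users\\jdoe\\Pictures\\HOW_TO_RESTORE_FILES.txt", 1930, "2024-03-02T01:15:00", b"All your files have been encrypted. To decrypt them ..."),
    ("C:\\Users\\jdoe\\Desktop\\HOW_TO_RESTORE_FILES.txt", 1930, "2024-03-02T01:16:00", b"All your files have been encrypted. To decrypt them ..."),
    ("C:\\Users\\jdoe\\Music\\!!!READ_ME!!!.txt", 2200, "2024-03-02T01:20:00", b"Your documents were encrypted. Pay in bitcoin to decrypt ..."),
    ("C:\\Users\\jdoe\\Videos\\unlock_info.txt", 400, "2024-03-02T01:30:00", b"see instructions"),
    ("C:\\Users\\jdoe\\Downloads\\unlock_info.txt", 400, "2024-03-02T01:30:00", b"see instructions"),
    ("C:\\Users\\jdoe\\Contacts\\unlock_info.txt", 400, "2024-03-02T01:31:00", b"see instructions"),
    ("C:\\Users\\jdoe\\Desktop\\readme.txt", 120, "2024-01-05T08:00:00", b"Meeting notes for Monday"),
    ("C:\\Program Files\\App\\README.txt", 5000, "2023-11-01T12:00:00", b"Installation instructions"),
]

# Known note names: a constructed placeholder pattern standing in for the
# product's list of known naming conventions.
KNOWN_NOTE_PATTERNS = [re.compile(r"^HOW_TO_RESTORE_FILES\.txt$", re.I)]

# Heuristics for notes with unknown names: a small text-like file whose first
# bytes use note vocabulary, or the same small file dropped into many folders.
NOTE_KEYWORDS = ("encrypted", "decrypt", "bitcoin", "ransom", "restore your files")
NOTE_EXTENSIONS = (".txt", ".html", ".hta")
MAX_NOTE_SIZE = 64 * 1024
MIN_COPIES = 3


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def classify(path, size, head):
    """Score one file by name pattern first, then by note-like content."""
    name = _basename(path)
    if any(p.match(name) for p in KNOWN_NOTE_PATTERNS):
        return "Bad", "matches a known ransom note name"
    if size <= MAX_NOTE_SIZE and name.lower().endswith(NOTE_EXTENSIONS):
        text = head.decode("latin-1").lower()
        hits = [k for k in NOTE_KEYWORDS if k in text]
        if len(hits) >= 2:
            return "Suspicious", "note-like text: " + ", ".join(hits)
    return "Unknown", ""


def find_ransom_notes(files):
    """Return (path, score, reason) for every file that is not Unknown,
    adding the many-folders heuristic for files the per-file check missed."""
    copies = defaultdict(int)
    for path, _size, _created, _head in files:
        copies[_basename(path).lower()] += 1
    results = []
    for path, size, _created, head in files:
        score, reason = classify(path, size, head)
        name = _basename(path).lower()
        if (score == "Unknown" and copies[name] >= MIN_COPIES
                and size <= MAX_NOTE_SIZE and name.endswith(NOTE_EXTENSIONS)):
            score, reason = "Suspicious", f"same file name in {copies[name]} folders"
        if score != "Unknown":
            results.append((path, score, reason))
    return results


def encryption_start_estimate(files):
    """Earliest creation time among flagged notes: the point to work
    backwards from when reconstructing how the ransomware was deployed."""
    flagged = {path for path, _s, _r in find_ransom_notes(files)}
    times = [created for path, _size, created, _head in files if path in flagged]
    return min(times) if times else None
```

On the constructed listing the three known-name notes score Bad, the `!!!READ_ME!!!.txt` file scores Suspicious on vocabulary, the three `unlock_info.txt` copies score Suspicious on repetition, and the two ordinary readme files stay Unknown; the earliest note's creation time is the estimate of when encryption began.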

5.8. Data Types

We will now review the types of data that Cyber Triage® collected. The data types on the left-hand side are organized by user-oriented data and malware-oriented data.

5.8.1. Accounts

The Accounts menu item shows all local and domain user accounts that either:

  • Have accounts on the host

  • Logged into the host

  • Are referenced in log files

This means that depending on the filter settings, you will see accounts that did not log into the system. You can use the filters to focus in on different types of users.

Note

Not all data will be available for all users in this view because some data exists only for local accounts and other data is from logs that roll over.

../_images/analysis_accounts.png

Accounts Interface

What Should You Do: Review the accounts to identify those with an abnormal naming convention, inappropriate permissions, or creation times close to the incident timing.

The following filters exist in this view:

  • Show all bad and suspicious items: This option will show only accounts that have been scored as suspicious or bad.

  • Account Type: Select what types of accounts to include in the view:
    • Regular: Accounts that currently exist on the system. Pulled from SAM and Software hives.

    • Service: A Windows service account

    • Limited: A Windows limited access user account, such as Guest.

    • Unknown: Accounts for which a reference was found (either by SID or user name), but do not map back to registry data for a Regular, Service, or Limited account. This can be a deleted “regular” account or a reference to a user that may not even exist on the system, such as the destination user for an outgoing logon session.

  • Active Time: Date range that the user had activity

  • Observed Actions: Select what kind of activity that the account must have:
    • Process or interactive logon: Accounts for which there is evidence that the user had a local or remote interactive login with the system or launched a process (locally or remotely) on the system.

    • File or service access: Accounts for which there is evidence that the user interacted with a file or service on the system. Examples include accessing a file share or owning a file that got copied to the system.

    • No observed actions: Accounts where there was a reference to the user on the system, perhaps in an event log or registry, but no evidence was found of them doing anything on this specific system. Examples include accounts that were created and never used or entries in a log server.

  • Hide accounts: Select what kinds of accounts that you do not want to view, often because they are not typically interesting during an intrusion:
    • Disabled: Accounts that are not active (and therefore can’t be used).

    • Non-existent: Incorrect user names that were used for attempted logons.

    • System or virtual: Accounts that are created by the OS (such as ‘Font Driver Host/DWM-1’).

    • Non-admin: Accounts that have normal user access.

../_images/analysis_accounts_filter.png

Domain controllers require special attention if you want to know who logged into it because every user in the domain will have some kind of reference on it (from accessing a file share or using the controller for authentication). Filter on accounts that had Interactive Actions to focus on the accounts that logged in.

5.8.2. Inbound Logons

Note

As of version 3.4.0, the “Logins” section has been replaced by the new “Inbound Logons” and “Outbound Logons” sections.

This menu item shows the local interactive, inbound interactive, and network logons onto the system. They are grouped together to show you when the system was being used, regardless of how the user got onto the system.

Cyber Triage merges data from multiple sources to build these sessions. For example, it will parse events from the Security and Terminal Services logs, identify events that correspond to the same user logon, and show them to you as a single session. The sources used to determine a session can be found in the Sources tab.

You should review this data to look for sessions with suspicious locations or users. Remote logons are used to move laterally within corporate environments and to launch programs.

5.8.2.1. Inbound Logon Summary Panel

When you first open this section, you’ll see a summary panel that can help you focus on certain types of data.

../_images/analysis_inbound_logon_summary.png

Inbound Logons Summary Interface

  • The Overview section gives you an overview of what kind of logon data exists. It gives the number of sessions and date ranges that were found in various logs. This will give you some idea about how much historical data you’ll be seeing.

  • The Suspicious section will give you the unique descriptions of why logons were scored as suspicious.

  • The Recent Failed Logons section shows which remote interactive logons recently failed. This can be helpful when looking for password attacks.

  • The Histogram section shows you which users logged in and from where for the last 12 months of the system (if there is enough data). For accounts that logged in within the past two months, it will also show what host was used. The term “Various” in the host column means that multiple hosts were merged into a single row.

  • The bottom part of the UI will show an overview of possibly interesting data from the last 45 days of the system:
    • The New Interactive Users section shows users who logged in for the first time using a remote interactive session. This could be from an attacker who used compromised credentials to log into this system. Or, it could be a new employee or a change in job responsibility.

    • The New Interactive Hosts (Old Users) section shows which hosts that existing users started to use. For example, if user ‘jdoe’ has used a computer for a year, then they will only show up in this table if they start to come in from a new IP/host. This could be a sign that the user’s account is compromised and the attacker is coming in from atypical locations. Or, it could be that a user comes in from different IPs based on VPN or DHCP.

    • The Network Logons section shows all of the recent, unique network logons (i.e. that are not interactive). These happen when a remote user mounts a file share, uses a tool like PsExec, and various other methods. There are some routine IT network logons and this data should be reviewed to look for unexpected combinations.

5.8.2.2. Inbound Logon Search Panel

The second tab allows you to search for logon sessions. By default, all logon sessions are shown and grouped by unique combinations of local user and source host (“local” is used for local interactive logons).

../_images/analysis_inbound_logon_search.png

Inbound Logons Interface

You can change the search criteria to focus on time ranges or types of logons. The following filters exist:

  • Show all suspicious items will show only logons that are scored as suspicious.

  • Group by will allow you to group the hundreds or thousands of sessions so that you can identify anomalous combinations of hosts and users. By default, the sessions are grouped by remote host and local user, but you can focus instead only on local users or on remote hosts.

  • Time will allow you to focus on sessions that occurred within the time range. This allows you to, for example, ignore sessions that happened a year ago.

  • Logon status will allow you to only focus in on failed logons or to ignore them if they are a lot of noise.

  • Type will allow you to focus on only local logons, remote interactive, or network logons. By default, all three are shown.

  • Order By allows you to specify how the groups are sorted. By default, it shows the most recent logons first, but you can also order by host, etc.

You can select a group and then see individual sessions. Selecting a session allows you to see details on the bottom about the user and hosts.

What Should You Do: Review this data to look for suspicious hosts, users, and times. Cyber Triage® may mark some of them as being suspicious and you should review those and others to identify them as Good or Bad.

5.8.2.3. Logon Info Panel Tabs

Once an incoming/outgoing logon is selected, you can view more information about that logon in the Logon Info Panel and the related tabs shown below.

The Related Login Session tab shows logon sessions related to the selected one.

../_images/analysis_related_logon_session_tab.png

Logon Info Panel - Related Login Session Tab

The “Sources” tab will show from which artifact we pulled any logon data associated with a particular logon session.

../_images/analysis_logon_sources_tab.png

Logon Info Panel - Sources Tab

5.8.3. Outbound Logons

The same panels are present for Outbound Logons. The Outbound Logons menu item shows logons that local users made to other systems. This data is often incomplete, but it may include data from applications that save which hosts were used and from some event logs.

5.8.3.1. Outbound Logon Summary Panel

Like the Inbound Logon section, this area starts off with a summary panel to show recent destinations and users.

../_images/analysis_outbound_logon_summary_panel.png

Outbound Logons Summary Interface

The following areas exist:

  • The Overview section gives you an overview of what kind of logon data exists. It gives the number of sessions and date ranges that were found in various logs. This will give you some idea about how much historical data you’ll be seeing.

  • The Suspicious section will give you the unique descriptions of why logons were scored as suspicious.

  • The Histogram section shows you which users logged into other systems and where they went for the last 12 months of the system (if there is enough data). For accounts with activity within the past two months, it will also show what host was used. The term “Various” in the host column means that multiple hosts were merged into a single row.

  • The bottom part of the UI will show an overview of possibly interesting data from the last 45 days of the system:
    • The New Interactive Users section shows users who started to have outbound logons. This could be from an attacker who gained access to this system and started to move laterally. Or, it could be a new employee or a change in job responsibility.

    • The New Interactive Hosts (Old Users) section shows which hosts that existing users started to use. For example, if user ‘jdoe’ has used the computer for a year, then they will only show up in this table if they start to log onto new hosts. This could be from an attacker or a change in job responsibility.
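The Inbound and Outbound Logon summary panels described above apply the same idea: build a baseline from older sessions and report, for the last 45 days, users never seen before and known users appearing on new hosts, plus unique network logons and a monthly histogram. The block below is an added example of that logic, written for this page rather than taken from Cyber Triage. The session list and the collection time are constructed; the `host` field is the source for inbound logons and the destination for outbound ones, which is why one function serves both panels.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed logon sessions: (user, host, logon type, start time). 'host' is
# the source for inbound logons and the destination for outbound ones.
SESSIONS = [
    ("jdoe",   "ws-101", "remote_interactive", "2024-01-05T09:00:00"),
    ("jdoe",   "ws-101", "remote_interactive", "2024-04-02T09:10:00"),
    ("jdoe",   "ws-101", "remote_interactive", "2024-05-20T08:55:00"),
    ("jdoe",   "ws-340", "remote_interactive", "2024-05-28T23:40:00"),
    ("asmith", "ws-102", "remote_interactive", "2024-02-11T10:00:00"),
    ("svc-bk", "bk-01",  "network",            "2024-05-29T02:00:00"),
    ("tlee",   "ws-220", "remote_interactive", "2024-05-30T14:05:00"),
    ("tlee",   "ws-220", "local",              "2024-05-30T14:06:00"),
]
COLLECTION_TIME = "2024-06-01T00:00:00"
RECENT_DAYS = 45          # the text's "last 45 days" window
HISTOGRAM_MONTHS = 12     # the text's "last 12 months" histogram


def _ts(value):
    return datetime.fromisoformat(value)


def recent_logon_anomalies(sessions, collection_time, recent_days=RECENT_DAYS):
    """Reproduce the three 'recent' tables: New Interactive Users, New
    Interactive Hosts (Old Users), and unique Network Logons."""
    cutoff = _ts(collection_time) - timedelta(days=recent_days)
    interactive = {"remote_interactive", "local"}
    # Baseline: what was normal before the window opened.
    baseline_users = {u for u, _h, t, ts in sessions
                      if t in interactive and _ts(ts) < cutoff}
    baseline_pairs = {(u, h) for u, h, t, ts in sessions
                      if t in interactive and _ts(ts) < cutoff}

    new_users, new_hosts, network = {}, {}, set()
    for user, host, ltype, ts in sessions:
        if _ts(ts) < cutoff:
            continue
        if ltype == "network":
            network.add((user, host))
        elif ltype == "remote_interactive":
            if user not in baseline_users:
                new_users.setdefault(user, set()).add(host)
            elif (user, host) not in baseline_pairs:
                new_hosts.setdefault(user, set()).add(host)
    return {
        "new_interactive_users": {u: sorted(h) for u, h in new_users.items()},
        "new_hosts_old_users": {u: sorted(h) for u, h in new_hosts.items()},
        "network_logons": sorted(network),
    }


def monthly_histogram(sessions, collection_time, months=HISTOGRAM_MONTHS):
    """Count interactive sessions per (user, YYYY-MM) over the last N months,
    the per-user view the Histogram section summarises."""
    start = _ts(collection_time) - timedelta(days=30 * months)
    counts = Counter()
    for user, _host, ltype, ts in sessions:
        when = _ts(ts)
        if ltype != "network" and when >= start:
            counts[(user, when.strftime("%Y-%m"))] += 1
    return dict(counts)
```

With the constructed data, `tlee` appears as a new interactive user, `jdoe` appears under new hosts because of `ws-340`, and the `svc-bk` network logon is listed separately; `asmith`, whose only session predates the window, appears in neither table. Whether `tlee` is an attacker with compromised credentials or a new employee is the analyst's call, as the text says.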

5.8.3.2. Outbound Logon Search Panel

The search interface allows you to view all outbound logons organized by local user and remote host.

../_images/analysis_outbound_logon_search.jpg

Outbound Logons Interface

You can change the search criteria to focus on time ranges or types of logons. The following filters exist:

  • Show all suspicious items will show only logons that are scored as suspicious.

  • Group by will allow you to group the sessions so that you can identify anomalous combinations of hosts and users. By default, the sessions are grouped by remote host and local user, but you can focus instead only on local users or on remote hosts.

  • Time will allow you to focus on sessions that occurred within the time range. This allows you to, for example, ignore sessions that happened a year ago.

  • Order By allows you to specify how the groups are sorted. By default, it shows the most recent logons first, but you can also order by host, etc.

You can select a group and then see individual sessions. Selecting a session allows you to see details on the bottom about the user and hosts.

What Should You Do: Review this data to look for suspicious hosts, users, and times. Cyber Triage® may mark some of them as being suspicious and you should review those and others to identify them as Good or Bad.

5.8.4. Network Shares

This Network Shares menu item shows the remote network shares that were accessed. These are determined by explicit mounts and paths in processes, data accessed, etc.

../_images/analysis_network_share.jpg

Network Shares Interface

The rows in this table are grouped by remote host and rows include share name, users, and times.

What Should You Do: You should review this data to look for shares that the user should not have needed access to. This could indicate that the account was compromised or the user is looking for sensitive data.

5.8.5. Web Artifacts

The Web Artifacts menu item shows web history, bookmarks, downloads, and cookies from Chrome, Firefox, Edge, and IE browsers. You can use this information to see what the user was viewing or what they downloaded. This is useful for phishing campaigns that cause the user to download executables or when you suspect an insider.

../_images/analysis_web_artifact.jpg

Web Artifacts Interface

What Should You Do: Review these items to look for suspicious downloads or search queries. You can filter based on type and date range.

5.8.6. Data Accessed

The Data Accessed menu item shows files or folders that a user accessed. This could have been because they opened or saved a file on the machine. Example contents of this section include Most Recently Used (MRU) lists.

You can use this information to see what data the user accessed during their session. Attackers may open files while looking for sensitive information. It can also show if phishing documents were opened.

../_images/analysis_data_accessed.jpg

Data Accessed Interface

What Should You Do: Review these items to look for suspicious data the user may have accessed, which you can filter by date range.

5.8.7. Startup Items

The Startup Items menu item shows the various files that are executed when the system starts. It uses dozens of registry and file system locations to identify the startup files that may contain malware.

../_images/analysis_startup.jpg

Startup Items Interface

What Should You Do: Review the suspicious entries, which are often flagged based on their path and whether they are signed. Mark them as Good or Bad and consider adding them to the Good or Bad Lists.

5.8.8. Triggered Tasks

The Triggered Tasks menu item shows the Windows Scheduled Tasks, WMI Actions, BITS Jobs, and services that ran on a periodic basis.

../_images/analysis_triggered_task.jpg

Triggered Tasks Interface

What Should You Do: Review the scheduled tasks and actions to identify ones that could be malicious programs that periodically run to check the system status or query a remote server. Look for suspicious paths, times, or names. You may find it useful to add the scheduled tasks that are known and common in your environment to a Global Good List.

5.8.9. Processes

The Processes menu item shows the programs that were running at the time of collection or that ran in the past. The historical data comes from registry data and other system files (such as Prefetch).

You should review this data to look for suspicious processes. Cyber Triage will flag ones that ran out of unexpected places or had unexpected parents.

There are two UI panels that you can change via the tabs on the top:

  • Processes: A search-style interface that allows you to search for processes with certain features (such as times, signatures, etc.)

  • Process Tree: Shows the tree hierarchy of the processes at the time of collection.

5.8.9.1. Process Search Panel

When you first open the Processes section, you’ll see the search panel, which shows the list of processes that meet the specified criteria. By default, the processes are grouped by executable and arguments, but the grouping can be changed to simply focus on executable or to also include the user.

../_images/analysis_process_search.png

Processes Search Interface

By default, the groups are sorted by those that ran most recently.

There are several search parameters that you can specify:

  • Show Bad and Suspicious Items: Show only the processes that have been scored as bad or suspicious. You can use this to understand what was already scored by Cyber Triage.

  • Group by: Allows you to change how all of the processes are grouped.
    • Exe & Arguments: The default; shows the executable name and arguments. Arguments can dramatically change the behavior of a process, so it can be important to group by this to identify good versus bad usage.

    • Exe: Use this to see what programs were run, regardless of what arguments were supplied.

    • Exe, Arguments, & User: Use this to also differentiate who ran a process.

    • No Grouping: Use this to get a long list of all processes. This creates a process timeline.

  • Run date: Show only processes that were running within that time frame, relative to time of collection. Note that some places that store historical process information do not have times and they will not be included in the search.
    • Last 1 day: Processes that were running in the 24 hours before collection (including a live collection snapshot). You can use this to look for unexpected processes. Note that other filters hide standard Windows processes, so this list is shorter than all processes.

    • Last 30, 60, etc: Same idea as “Last 1 day”, just for longer periods of time.

  • Hide items: Allows you to not see certain types of processes if you are looking for outliers and unexpected processes. Note that some of these filters may make it harder to detect Living Off the Land (LOL) usage.
    • Scored as Good: Hide processes that got a Good score from either a good list, malware analysis, or manual score. This is enabled by default.

    • Files signed by trusted certificate: Hide processes with an executable that is signed by a certificate that was trusted by the host. This is enabled by default.

    • In standard location: Hide processes running out of Windows or Program Files. This is disabled by default.

  • Order by: How to order the groups. The default is to order by most recent execution first. But, you can also sort by path or by frequency of usage.

When you select a group, you can go into it to see the individual process instances.

Once you’ve selected an instance, you may be able to see its parent and child processes if it was running at the time of collection and you used the Cyber Triage collection tool. The “Process” tab in the lower right has a “Tree” tab that will show the parent and children. It will be disabled if this instance was known only from historical data.

If you have false positives from applications running out of non-standard locations (such as AppData), you can add them to the good list.

5.8.9.2. Process Tree Panel

An alternative view is to see the process tree. This works only if you did a live collection using the Cyber Triage collection tool. This view shows you the root processes and allows you to select a process and see its children. You can then recursively traverse the tree by pressing the “X children” text (if it has children).

../_images/analysis_process_tree.png

Processes Tree Interface

You can also use the “Export as PNG” button in the upper right to export the picture.
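As an added example covering both the Process Search Panel (grouping by executable and arguments, hiding signed or standard-location processes) and the Process Tree Panel (parent/child traversal from root processes), the block below implements those operations over a constructed process list. It is written for this page and is not Cyber Triage's code; the records, paths and parent/child layout are illustrative, and the `signed` flag stands for "signed by a certificate the host trusts".

```python
from collections import defaultdict

# Constructed process records: (pid, ppid, exe, arguments, user, signed by a
# host-trusted certificate, run time). Paths and the parent/child layout are
# illustrative, not a faithful picture of a real Windows boot.
PROCESSES = [
    (4,    0,    "System",                                            "",                "SYSTEM",        True,  "2024-06-01T07:00:00"),
    (600,  4,    "C:\\Windows\\System32\\services.exe",                "",                "SYSTEM",        True,  "2024-06-01T07:00:05"),
    (2200, 600,  "C:\\Windows\\System32\\svchost.exe",                 "-k netsvcs",      "SYSTEM",        True,  "2024-06-01T07:00:09"),
    (2300, 600,  "C:\\Windows\\System32\\svchost.exe",                 "-k LocalService", "LOCAL SERVICE", True,  "2024-06-01T07:00:10"),
    (3100, 2900, "C:\\Windows\\explorer.exe",                          "",                "jdoe",          True,  "2024-06-01T07:02:00"),
    (4100, 3100, "C:\\Program Files\\Office\\WINWORD.EXE",             "report.docx",     "jdoe",          True,  "2024-06-01T09:15:00"),
    (4200, 3100, "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "/silent",         "jdoe",          False, "2024-06-01T09:16:30"),
    (4300, 4200, "C:\\Users\\jdoe\\AppData\\Local\\Temp\\updater.exe", "/silent",         "jdoe",          False, "2024-06-01T09:16:31"),
]

STANDARD_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def in_standard_location(exe):
    return exe.lower().startswith(STANDARD_PREFIXES)


def group_processes(procs, by="exe_args", hide_signed=True, hide_standard=False):
    """Group records the way the search panel does. Defaults follow the text:
    signed executables hidden, standard-location filter off. Groups and their
    members are ordered most recent first."""
    groups = defaultdict(list)
    for rec in procs:
        _pid, _ppid, exe, args, user, signed, _run = rec
        if hide_signed and signed:
            continue
        if hide_standard and in_standard_location(exe):
            continue
        key = {"exe": (exe,), "exe_args": (exe, args),
               "exe_args_user": (exe, args, user)}[by]
        groups[key].append(rec)
    for members in groups.values():
        members.sort(key=lambda r: r[6], reverse=True)
    return dict(sorted(groups.items(), key=lambda kv: kv[1][0][6], reverse=True))


def build_tree(procs):
    """Parent/child map for the tree panel. A process whose parent is not in
    the collection (already exited, or unknown) becomes a root."""
    pids = {p[0] for p in procs}
    children, roots = defaultdict(list), []
    for pid, ppid, *_rest in procs:
        if ppid in pids and ppid != pid:
            children[ppid].append(pid)
        else:
            roots.append(pid)
    return sorted(roots), {k: sorted(v) for k, v in children.items()}


def render_tree(procs):
    """Indented text rendering of the tree, one line per process."""
    by_pid = {p[0]: p for p in procs}
    roots, children = build_tree(procs)
    lines = []

    def walk(pid, depth):
        exe = by_pid[pid][2].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{exe} ({pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)
```

With the defaults only the unsigned `updater.exe` group (two instances, from `AppData\Local\Temp`) remains, which is the outlier-hunting view the text describes; turning `hide_signed` off shows all seven exe-and-arguments groups, and the two `svchost.exe` invocations stay separate because their arguments differ. In the tree, `explorer.exe` becomes a root because its parent (pid 2900) is not in the collection.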

5.8.10. Active Connections

This Active Connections menu item shows the network connections that were open at the time the collection was made.

../_images/analysis_active_connection.jpg

Active Connections Interface

The rows are grouped by remote host and have columns for the process with the connection, remote and local ports, times, and direction.

What Should You Do: You should review this data for connections to unexpected hosts and for processes with unexpected network

5.8.11. Listening Ports

The Listening Ports menu item shows the ports that were listening for new connections when the collection was made.

../_images/analysis_listening_port.jpg

Listening Ports Interface

The rows are grouped by port number and have columns for the protocol, process, user, and information about what is usually at that port number.

What Should You Do: Review these for processes that you did not expect to be listening for a connection. These could be backdoor applications into your system. Consider adding ports that are normal in your environment to a Good List.

5.8.12. DNS Cache

The DNS Cache menu item shows the contents of the DNS cache, which contains references to the hosts that the computer tried to resolve to an IP address. You will find addresses in here that the system previously connected to.

../_images/analysis_dns_cache.jpg

DNS Cache Interface

The rows are grouped by remote host domain and have columns for IP and country.

What Should You Do: You should review the data here for suspicious items and connections to suspicious hosts or countries.

5.8.13. System Configuration

This area shows you various OS and application settings that were enumerated during the collection. These come from various registry keys and other configuration files.

../_images/analysis_os_config.jpg

Settings Interface

What Should You Do: Review the data to detect if any security settings were disabled or determine what the audit settings were.

5.9. Analysis Views

An alternative way of looking at the collected data is by date or file system location. Cyber Triage® supports both of these views.

5.9.1. Timeline

This area shows you the collected items organized by time. You can use this data to identify what happened before and after a specific event.

../_images/3_21.jpg

Timeline Interface

You can get to this data by either selecting Timeline from the left side and picking a date range or right clicking on most entries in their respective table and choosing View in Timeline.

../_images/3_22.jpg

Choose View Timeline

At any point, if the timeline becomes overwhelming, you can reduce the amount of data shown by filtering by type:

../_images/3_23.jpg

Filter by Type

5.9.2. File Explorer

The Files menu item can show several things:

  • If a full file system scan was performed, you can view all file metadata, though content will not be available for all files.

  • You can view only suspicious or bad files.

You can get to a file either by choosing the Files menu item and navigating the structure, or, when you are reviewing an item associated with a file (such as a Startup item), by right-clicking and choosing View File in Directory.

../_images/analysis_file_manager_menu.jpg

View File in Directory

That will then bring you directly to the file:

../_images/analysis_file_manager.jpg

File Interface

What Should You Do: Review the suspicious entries. The files flagged as malware will also be in the Bad Items menu item. You can also use this to see what other files are located in the same folder as malware and other Bad Items.

5.9.4. Registry Entries

The Registry Entries menu item shows the suspicious registry entries on the system.

Note

The menu does not currently display the full registry hive; it shows only the entries that were found to be suspicious based on size and name.

What Should You Do: Review these and mark them as good or bad.

5.9.5. Collection Details Panel

The Collection Details Panel gives high-level information about what data was collected from the host and how it was added. This panel will also show you how many items of each data type were collected.

../_images/analysis_collection_details.png

The “Source Files” section lists all files that the collection attempted to gather (even if they did not exist). The Status column shows whether each file was attempted and found. You can export all of the collected files with the “Export All Collected Source Files” option.

../_images/analysis_collection_details_export.png