Conducting a forensic analysis and trying to identify and track a threat is a difficult process on its own. When an analyst is also forced to break their investigation workflow across multiple systems, the complexity grows and the work becomes harder still. Having to gather information from several systems means the analyst must keep flipping between them, which interrupts their workflow and makes mistakes more likely. This is a less than ideal user experience, and the added complexity can directly affect the quality of a forensic analysis. Every time an analyst has to stop their work and pivot to another system, they can lose their train of thought, miss an important element during the transition, or simply be distracted by the change and draw an incorrect conclusion.
Unfortunately, being forced to flip between systems has been the norm with most forensic or inspection tools. FireEye HX addresses this with a new capability modeled after Redline, the freeware tool that FireEye/Mandiant created and that has been in use for nearly 10 years. The new capability is called Audit Viewer and is included with HX 3.2. In the past, an HX investigation started in the HX Triage Viewer for an initial inspection; the analyst then had to pivot outside of HX into Redline to gather and inspect further details of the incident. This was necessary because the HX Triage Viewer displayed only a subset of the data needed for a complete audit, so the analyst had to download a copy of the incident data for further analysis in FireEye Redline. As noted above, every time an analyst pauses their effort to switch into another system with a different UI, the experience is disjointed and the chance of making a mistake or missing something important goes up.
The new Audit Viewer in HX is based on Redline's capabilities and provides the in-depth access to endpoint and system details that a forensic audit requires, allowing analysts to keep their entire workflow within HX. Redline is used regularly in Incident Response training courses taught by the SANS Institute, so its features and capabilities have been proven by a multitude of professionals. Adding these capabilities to HX removes the need to pivot between different systems during an investigation: HX now has direct access to all audit data, so analysts pivot within HX rather than between tools. This is an important step, because the analyst now has a single workflow for both gathering information and conducting their analysis. It applies equally to an active incident investigation and to proactive investigations where there is no active incident but analysts are looking for telltale signs of past activity.
This is the kind of in-depth information view that analysts need to conduct their work with confidence, laying out the data in a straightforward form such as a grid. Raw audit data is displayed in tabular form so that an analyst can rapidly identify key information, and the grid supports quick filtering, searching, sorting and annotating so the data is easily digested and can be referred back to when needed. It also allows data to be combined or separated as the inspection requires. Whether the data comes from a single audit or spans multiple audits, Audit Viewer gives the analyst one tool to gather, retrieve and manipulate data as needed, all within one system and one effective workflow.