After the analysis portion of the task list has been completed, you may now view the associated report on the CSA MC. The report is available by choosing Analysis > Application Behavior Reports > Windows Behavior Reports. The information listed next to the report name is the description of the analysis that was entered during configuration, the name of the host that was analyzed, and the operating system of the host. Figure 11-9 shows a sample report list.
To view the report, click the name of the report. Doing so opens the report in the main browser window. The report has five sections:
File Events
Registry Events
COM Events
Network Events
Summary Events
To view the various sections of the report, click the title of the section in the left navigation pane.
The File Events section is divided into three subsections:
Directory Summary
Individual File Summary
All Events
To open the corresponding section and view detailed information, click that link in the navigation pane. You might notice that the number of directories accessed by the application is far higher than you expected. Much of this is related to the file-saving process in Microsoft Word, which uses file browsing to locate the appropriate folder.
The Directory Summary portion of the File Events section provides the following information, as shown in Figure 11-10:
Directory name
Number of files in the directory
The file extension of the file accessed in the directory
The operation performed (read or write)
NOTE
If network file shares were used by the application during the analysis, they will be at the top of the directory listing because they begin with the backward slash special characters (\\), as in \\fileserver\share\directory\filename.txt.
The Individual File Summary portion of the File Events section provides the following information, as shown in Figure 11-11:
Directory name
Number of events related to this specific action
The filename that was accessed
The operation performed (read or write)
This view is limited to 100 entries per page with the option to view the next or a specific page of data.
NOTE
The filename column of this report also lists directories themselves; these display in all capital letters so you can see which READ and WRITE operations occurred on those directories.
The All Events portion of the File Events section provides the following information, as shown in Figure 11-12:
Time at which the action took place
Directory of the affected file
Filename
File extension
The operation performed (read or write)
Process ID (PID, the process that performed the action on the file)
Process name
This view is limited to 100 entries per page with the option to view the next or a specific page of data.
You can also filter this data by a text string within the Directory, File Name, or Process Name fields. In addition, you can sort the presented data by time, operation, file extension, or directory. The various sort and filter methods provide you with a simple and intuitive way to get to the specific data you need to view quickly and easily. Figure 11-13 shows a sample filtered view of the data collected.
The Registry Events section is divided into two subsections:
Key Summary
All Events
To open the corresponding section and view detailed information, click that link in the navigation pane.
The information provided by the Key Summary portion of the Registry Events section includes the number of events affecting the registry key and the key name that was affected, as shown in Figure 11-14. Editing the Windows registry can seriously impact the usability of a system, so closely monitor this information.
The All Events portion of the Registry Events section provides the following information:
Time of the access
Key name impacted
Value of the accessed key
PID (ID of the process that accessed the registry key)
Process name
You can filter this data by a text value in the Key Name, Value Name, or Process Name fields, as shown in Figure 11-15. You also can sort by process, key name, or time to easily view the necessary registry access without the need for an exhaustive search.
The COM Events section is divided into two subsections:
Object Summary
All Events
To open the corresponding section and view detailed information, click that link in the navigation pane.
The Object Summary portion of the COM Events section provides information about the number of events affecting the COM object and the object name that was affected. Figure 11-16 shows a sample view of the Object Summary section.
The All Events portion of the COM Events section provides the following information:
Time of the access
COM object name impacted
PID (process ID)
Process name
You can filter this data by a text value in the Object Name or Process Name fields, as shown in Figure 11-17. You can also sort by process, object name, or time.
The Network Events section is divided into two subsections:
Destination Port Summary
All Events
To open the corresponding section and view detailed information, click that link in the navigation pane.
The Destination Port Summary portion of the Network Events section provides the following information:
Number of events related to this type of network access
Role (A client connection displays as CONNECT, whereas a server connection or termination of a connection displays as ACCEPT.)
Protocol (TCP or UDP)
Destination port used
Figure 11-18 shows a sample view of the Destination Port Summary section.
The All Events portion of the Network Events section provides the following information:
Time of the access
Role (CLIENT=CONNECT/SERVER=ACCEPT)
Protocol (TCP or UDP)
Source address
Source port
Destination address
Destination port
PID (process ID)
Process name
You can filter this data by a text value in the Source Address, Destination Address, or Process Name fields. You can also sort by process, protocol, role, destination port, or time. In Figure 11-19, you can see that, as part of the test of the Microsoft Word application, transferring the file to and from a network file share uses the common Windows ports UDP/137-138.
The Summary Reports section is divided into two subsections:
Behavior Summary
Behavior Summary by Process
To open the corresponding section and view detailed information, click that link in the navigation pane.
The Behavior Summary portion of the Summary Reports section is an overall summarized view of the various event categories logged during the investigation, with the number of events associated with each. As shown in Figure 11-20, the categories summarized are as follows:
COM (All Events)
File (All Events)
File (Read Operations)
File (Write Operations)
File (Writes of Executables)
Network (All Events)
Network (Acting as Client)
Network (Acting as Server)
Registry (All Events)
The Behavior Summary by Process portion of the Summary Reports section provides the following information:
PID (process ID)
Process name
Event type
Associated number of events
Figure 11-21 shows a sample view of the Behavior Summary by Process section.
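The summary views described above (the Directory Summary, the text filter on an All Events view, the Behavior Summary categories, and the Behavior Summary by Process) are all aggregations over the same per-event columns. The following Python is an added example written for this page, not CSA MC code: the event records are constructed samples with the column layout the report sections describe, and the set of file extensions treated as "executables" for the File (Writes of Executables) count is an assumption, since the page does not say how the report decides that.

```python
"""Aggregations over application-behavior events, modelled on the report
sections described above.  Added example; not CSA MC code."""
from collections import Counter, defaultdict

# Constructed sample events (not a real CSA capture). Column order follows the
# All Events view of each report section; PID and process name are always last.
FILE_EVENTS = [
    # (time, directory, filename, operation, pid, process)
    ("10:00:01", r"C:\Users\alice\Documents", "report.docx", "READ", 1204, "winword.exe"),
    ("10:00:05", r"C:\Users\alice\Documents", "report.docx", "WRITE", 1204, "winword.exe"),
    ("10:00:07", r"C:\Users\alice\AppData\Local\Temp", "~WRD0001.tmp", "WRITE", 1204, "winword.exe"),
    ("10:00:09", r"\\fileserver\share", "report.docx", "WRITE", 1204, "winword.exe"),
    ("10:00:12", r"C:\Users\alice\AppData\Local\Temp", "setup.exe", "WRITE", 2210, "installer.exe"),
    ("10:00:13", r"C:\Windows\System32", "kernel32.dll", "READ", 2210, "installer.exe"),
]
REGISTRY_EVENTS = [
    # (time, key name, value name, pid, process)
    ("10:00:02", r"HKCU\Software\Microsoft\Office\Word", "LastFile", 1204, "winword.exe"),
    ("10:00:14", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Updater", 2210, "installer.exe"),
]
COM_EVENTS = [
    # (time, COM object name, pid, process)
    ("10:00:03", "Word.Application", 1204, "winword.exe"),
]
NETWORK_EVENTS = [
    # (time, role, protocol, src addr, src port, dst addr, dst port, pid, process)
    ("10:00:08", "CONNECT", "UDP", "10.0.0.5", 137, "10.0.0.20", 137, 1204, "winword.exe"),
    ("10:00:08", "CONNECT", "UDP", "10.0.0.5", 138, "10.0.0.20", 138, 1204, "winword.exe"),
    ("10:00:15", "ACCEPT", "TCP", "0.0.0.0", 8080, "10.0.0.9", 51000, 2210, "installer.exe"),
]

# Assumption: which extensions count as "executables" in the Behavior Summary.
EXECUTABLE_EXTS = {"exe", "dll", "com", "scr", "sys"}


def extension(filename):
    """Lower-cased extension of a filename ('' when there is none)."""
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def directory_summary(file_events):
    """Directory Summary: per directory, distinct file count, extensions and operations.
    UNC share paths (\\\\server\\share) are listed first, as the report does."""
    dirs = defaultdict(lambda: {"files": set(), "extensions": set(), "operations": set()})
    for _time, directory, filename, operation, _pid, _proc in file_events:
        dirs[directory]["files"].add(filename)
        dirs[directory]["extensions"].add(extension(filename))
        dirs[directory]["operations"].add(operation)
    ordered = sorted(dirs.items(), key=lambda kv: (not kv[0].startswith("\\\\"), kv[0].lower()))
    return {d: {"files": len(v["files"]),
                "extensions": sorted(v["extensions"]),
                "operations": sorted(v["operations"])} for d, v in ordered}


def filter_events(events, column, text):
    """All Events text filter: case-insensitive substring match on one column.
    Sorting is just sorted(events, key=lambda e: e[column]) on the wanted column."""
    needle = text.lower()
    return [e for e in events if needle in str(e[column]).lower()]


def behavior_summary(file_events, registry_events, com_events, network_events):
    """Behavior Summary: the nine category counts listed in the report."""
    reads = [e for e in file_events if e[3] == "READ"]
    writes = [e for e in file_events if e[3] == "WRITE"]
    return {
        "COM (All Events)": len(com_events),
        "File (All Events)": len(file_events),
        "File (Read Operations)": len(reads),
        "File (Write Operations)": len(writes),
        "File (Writes of Executables)": sum(1 for e in writes if extension(e[2]) in EXECUTABLE_EXTS),
        "Network (All Events)": len(network_events),
        "Network (Acting as Client)": sum(1 for e in network_events if e[1] == "CONNECT"),
        "Network (Acting as Server)": sum(1 for e in network_events if e[1] == "ACCEPT"),
        "Registry (All Events)": len(registry_events),
    }


def behavior_summary_by_process(file_events, registry_events, com_events, network_events):
    """Behavior Summary by Process: (pid, process name, event type) -> event count."""
    counts = Counter()
    for kind, events in (("File", file_events), ("Registry", registry_events),
                         ("COM", com_events), ("Network", network_events)):
        for e in events:
            counts[(e[-2], e[-1], kind)] += 1
    return dict(counts)


if __name__ == "__main__":
    for d, info in directory_summary(FILE_EVENTS).items():
        print(d, info)
    for name, n in behavior_summary(FILE_EVENTS, REGISTRY_EVENTS, COM_EVENTS, NETWORK_EVENTS).items():
        print(f"{name}: {n}")
    for key, n in sorted(behavior_summary_by_process(FILE_EVENTS, REGISTRY_EVENTS,
                                                     COM_EVENTS, NETWORK_EVENTS).items()):
        print(key, n)
    print(len(filter_events(FILE_EVENTS, 5, "winword")), "file events from winword.exe")
```

The File (Writes of Executables) and Network (Acting as Server) rows are the ones to read first when reviewing a report: in this constructed sample they point straight at installer.exe, which is the only process that wrote an executable and accepted a connection, whereas the Word process only generated the expected document and network-share traffic.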