In this article, you will learn everything you need to know about the Forensics module. To access the Forensics module, you need to log in to the HEIMDAL Dashboard, click on Products -> Forensics -> Forensics.
Your account manager must activate the module by enabling the “Forensics” option under Licensing.
The customer then needs to enable the module in the Endpoint Settings view: select the Group Policy, click General Settings, and in the General tab, under the “ADMIN SETTINGS” section, two new options are available:
Both options are disabled by default.
Enable Thor Forensics - when activated, the Antivirus, DarkLayer Guard and Privileged Access Management modules send alerts to the Forensics module (also called the Insights module), provided that each of them is activated and enabled.
Antivirus raises an alert for every Infected or Suspicious file detected, DarkLayer Guard sends alerts for blocked or blacklisted requests, and Privileged Access Management sends notifications only for processes started with admin rights during a session elevation.
Enable Memory Management - when activated, Heimdal periodically scans all running processes on each active client and saves the average memory usage.
This module was created to collect statistics from the agent. It has two main sub-components: one that gathers information from the other modules (if they are enabled) - Antivirus, DarkLayer Guard and Privileged Access Management - and one that gathers memory usage statistics, similar to Task Manager, the only difference being that it collects data on a schedule and displays averaged values.
After accessing the module, the user is redirected to the main view, which lists all the alerts gathered:
In this grid, the user will be able to search through data by process name, process id, hostname or remote IP. Also, data can be ordered by process name, hostname, source and score. “Download CSV” will export a CSV report with all data available from the specified timeframe.
If the customer has the Application Control licensing option enabled, they can create rules for one alert at a time.
For some processes (those for which we could calculate the MD5 hash), a VirusTotal link is shown in the grid. Please note that not all alerts have a valid VirusTotal hash, and for some of them there is a small chance that VirusTotal has no data.
For processes with a process ID other than zero, clicking the process name redirects the user to a new page with more details about the selected process, as in the screenshot below:
Here the main details are shown in the upper-left side of the page. Below them, a graph displays the hierarchy of processes that spawned the current process. Selecting a node in the graph updates the details on the right side of the page with data for that process. In the screenshot above, “EXCEL.EXE” was selected. After switching to “explorer.exe”, the content changed to:
For each process, we monitor the network activity it performs and display all requests made in the “Network Activity” grid in the lower-right side. The other details presented are: the owner of the process, session ID, full path of the process, command line arguments, thread count, total read operations and total write operations.
Memory Load view:
The second sub-tab will contain the list of all processes that were running in the selected timeframe.
If the option “Enable Memory management” is activated in the Group Policy, the agent takes a snapshot of the processes running at that moment every 20 minutes and saves them in a local database. If multiple processes are spawned under the same parent, as in the screenshot below, we take all processes with the same name and save only one record in the database:
For each process, we save the owner, number of handles, number of threads, working set (measured in KB), peak working set (also in KB), total read operations and total write operations. In a situation like the one in the screenshot above, we save only one instance of chrome in the local database, and for each saved property we sum the values of the child processes. Only for the Peak Working Set do we take the maximum value.
Every 6 hours, we take all the data saved in the local database and create an average snapshot that we send to our servers. The screenshot above contains average values for all saved properties, except the Peak Working Set, where, again, we take the maximum value.
After sending the snapshot to server, the local database is deleted.
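The aggregation described above, as an added example that is not Heimdal's own code: it collapses one 20-minute snapshot per process name (summing the counters, keeping the maximum peak working set) and rolls several collapsed snapshots into the 6-hourly average. Dividing by the number of snapshots in which a process appeared is an assumption the article does not settle, and the sample values are constructed.

```python
# Properties the article says are saved per process. Every counter is summed
# across same-name children; only the peak working set takes the maximum.
SUM_FIELDS = ("handles", "threads", "working_set_kb", "read_ops", "write_ops")
PEAK = "peak_working_set_kb"

def collapse_snapshot(records):
    """One 20-minute snapshot: merge processes sharing a name into one record."""
    merged = {}
    for r in records:
        m = merged.setdefault(r["name"], {"owner": r["owner"], PEAK: 0,
                                          **{f: 0 for f in SUM_FIELDS}})
        for f in SUM_FIELDS:
            m[f] += r[f]
        m[PEAK] = max(m[PEAK], r[PEAK])
    return merged

def average_snapshots(snapshots):
    """Six-hourly roll-up: mean of each summed counter over the snapshots in
    which the process appeared (assumption; the article does not say how a
    process missing from some snapshots is averaged), max of the peak."""
    acc = {}
    for snap in snapshots:
        for name, rec in snap.items():
            a = acc.setdefault(name, {"owner": rec["owner"], "n": 0, PEAK: 0,
                                      **{f: 0 for f in SUM_FIELDS}})
            a["n"] += 1
            for f in SUM_FIELDS:
                a[f] += rec[f]
            a[PEAK] = max(a[PEAK], rec[PEAK])
    return {name: {"owner": a["owner"], PEAK: a[PEAK],
                   **{f: a[f] / a["n"] for f in SUM_FIELDS}}
            for name, a in acc.items()}

def demo():
    """Constructed sample (not real telemetry): three chrome children and
    explorer in the first snapshot, two chrome children in the second."""
    def proc(name, ws, peak, reads, writes):
        return {"name": name, "owner": "DESKTOP\\alice", "handles": 100,
                "threads": 10, "working_set_kb": ws, PEAK: peak,
                "read_ops": reads, "write_ops": writes}
    snap1 = collapse_snapshot([proc("chrome.exe", 100_000, 120_000, 500, 50),
                               proc("chrome.exe", 80_000, 90_000, 300, 20),
                               proc("chrome.exe", 60_000, 200_000, 200, 10),
                               proc("explorer.exe", 40_000, 45_000, 1000, 400)])
    snap2 = collapse_snapshot([proc("chrome.exe", 120_000, 130_000, 700, 60),
                               proc("chrome.exe", 40_000, 50_000, 100, 10),
                               proc("explorer.exe", 42_000, 50_000, 1200, 500)])
    return snap1, average_snapshots([snap1, snap2])
```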
IMPORTANT! We store average snapshots on our servers for only 7 days!
A detailed view is also available for each process by clicking its hostname.
In the detailed page, the user has two options: Alerts & Memory usage.
Alerts view - collects all the notifications from the Forensics module for that hostname and displays them in a single view.
In the Memory usage view - you are able to see all average snapshots from the last 7 days (the ones calculated in agent at every 6 hours).
The module's main functionality is to gather information related to:
- Privileged Access Management, more precisely the processes that are running with Admin rights while the user is elevated through a Privileged Access Management session;
- Next-gen Antivirus - collects information about infected and suspicious files and sends them as notifications to the Forensics view;
- Threat Prevention Endpoint - collects information related to the pages blocked and blacklisted by this module.
This Forensics module uses the "Heimdal Insights" service to monitor the processes of the modules to be reported in the dashboard.