In this article, you will learn everything you need to know about the Forensics module. To access the Forensics module, you need to log in to the HEIMDAL Dashboard, click on Products -> Forensics -> Forensics.
The Forensics module uses the HEIMDAL Agent's intelligence to gather information on the possible issues a computer in your organization might have. It uses the DarkLayer Guard, Antivirus, Ransomware Encryption Detection and Privileges Access Management engines to collect information on the processes that are intercepted to be performing malicious behavior.
HOW DO FORENSICS WORKS?
The Forensics module uses the Heimdal Insights service to monitor the processes of the modules to be reported in the dashboard. Forensics' functionality is to gather information related to:
A. Threat Prevention - Endpoint - collects information related to the pages blocked and backlisted by this module;
B. Endpoint Detection - Next-Gen Antivirus - collects information about infected and suspicious files and sends them as notifications in the Forensics view;
C. Endpoint Detection - Ransomware Encryption Protection - collects information about processes that are intercepted with a malicious behavior similar to ransomware that encrypts files on the hard drive;
D. Privileges & App Control - Privileged Access Management - collects information on the processes that are running with Administrator permissions while the user is elevated through a Privileged Access Management session.
The Forensics comes with 2 sub-components: one that gathers information from the other modules (if those other modules are enabled) - DarkLayer Guard, Antivirus, Ransomware Encryption Detection and Privileged Access Management, and one that gathers statistics from memory usage, similar to the task manager, the only difference being that it collects data on a time routine and displays average calculations. Every 20 minutes, the HEIMDAL Agent takes a snapshot of the processes that are running saves it in a local database. If there are multiple processes spawned under the same parent process (like in the screenshot below), the HEIMDAL Agent saves all the processes with the same name, but save only one record in the database:
For each process, we save the owner, number of handles, number of threads, working set, measured in KB, peak working set (also in KB), total read operations and total write operations. If there is a situation like in the screenshot above, we save only one instance of Google Chrome in the local database, and for each of the saved properties, we calculate the sum of each child process’s properties. For the Peak Working Set we get the maximum value. Every 6 hours, the data that is saved in the local database is turned into an average snapshot that is sent to the HEIMDAL servers. The above screenshot contains average values for all saved properties, except the Peak Working Set, where, again, we get the maximum value. After sending the snapshot to the server, the local database is deleted and average snapshots are stored for 7 days on our servers.
The Forensics view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the processes that are intercepted by the DarkLayer Guard, Antivirus, Ransomware Encryption Detection and Privileges Access Management engines and that could be performing malicious operations on a specific computer/device. On the top, you see a statistic regarding the number of Alerts.
The collected information is placed in the following views: Executions.
This view displays a table with the following details: Process, Process ID, VirusTotal, Hostname, Local IP, Remote IP, Source, Score and Session ID. This view allows you to select one process and Block it with Application Control (only if Application Control is included in the Licensing Options).
In the Process column, you can click on the process (the processes that have a Session ID that is not 0) to see the process details or you can click on the VirusTotal icon to get a detailed VirusTotal analysis. For some processes (the ones that we can calculate the MD5 hash for), a link to VirusTotal will be present in the grid. Please note that not all alerts have a valid VirusTotal hash, while for some of them there is a small chance that VirusTotal could not report any data.
The Process Details view gives information on the parent process and the spawned processes, their PIDs, username, File Name, Path, Command-Line, Thread Count, top 3 encrypted files, Write Operations, Read Operations, MD5, Signature, and Owner.
You also get information on the Network Activity of the detected process, where you can select one or multiple IP Addresses to block them in the Firewall (on one, multiple, or all Group Policies).
The IP Addresses in the table above can be added to a block list by selecting one or more and by selecting Block IP (from the dropdown menu) and pressing the Apply button.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
In the Device Information, you can see the collected information placed in the following 2 tabs: Alerts and Memory usage.
This view displays a table with the following details: Process, Process ID, VirusTotal, Local IP, Remote IP, Source, and Score. This view allows you to select one process and Block it with Application Control (only if Application Control is included in the Licensing Options).
- Memory usage
This view displays a table with the average snapshots from the last 7 days (the ones calculated by the HEIMDAL Agent every 6 hours) with information about Process, Username, Handles, Threads, Working set (KB), Peak working set (KB), Read operations and Write operations.
The Forensics module can be enabled by the HEIMDAL Security Support Team and this request can be fulfilled by submitting a request to your Account Manager.