Files
The Files page displays details of all infected files that were transferred from/to your network.
File Details
Click Analysis > Files. The right pane of the user interface displays sessions with basic file details in tabular form. Basic details of the files include the first and last occurrences of the PCAPs, file names, MIME types, file hashes, MD5 hashes, SHA1, SHA256, SHA512, ssdeep fuzzy hashes, file size, and a link to view further details of the files.
InQuest supports the following compression formats: 7z, ar, arc, arj, bzip2, cab, compress, cpio, deb, flac, gzip, iso, lzma, rar, rpm, tar, xz, zip.
Note: For information on using the available tips and options on the Files page, refer to the Other Options in the Analysis Pages section.
Quick Search Rules
Quick search in the Files page appears on the left pane of the user interface and supports only file hashes. Results from the quick search are displayed in the right pane.

Advanced Search
Columns available in the Advanced Search menu for the Files page are:
- Exposure Score
- Filename
- First Seen As
- Hash List
- MD5
- MIME Type
- SHA1
- SHA256
- SHA512
- Signature Category
- Signature Event Id
- Signature Name
- Size
- Threat Score
Select the column(s) and specify their respective criteria. You can also specify the session time from the Time Interval drop-down menu or select a date range from the built-in calendars by clicking the From/To option. Click Search to view the basic session details matching your specified columns and criteria on the right pane in a tabular form.
Advanced Search Usage: An Example
Consider an example where you want to do an advanced search to display file sessions between May 04, 2016 and May 05, 2016 where the criteria for columns are:
- filenames start with the word "MEkwRz" OR contain the word "login".
OR
- MD5 value of the file begins with "ceee6a8".
- Click Analysis > Files > Advanced Search.
- From the Add Column drop-down menu, select Or as the main conditional operator for all columns and select Filename as the column. This column gets added below with an option to select its criteria.
- Specify its criteria below by clicking the Add Criteria drop-down menu and selecting Starts with as its criteria and type MEkwRz in its corresponding textbox.
- Specify another criterion by clicking the Add Criteria drop-down menu and selecting Contains as its criteria and type login in its corresponding textbox.
- From the Add Column drop-down menu, select MD5.
- Specify its criteria below by selecting Starts with as its criteria and type ceee6a8 in its corresponding textbox.
- In Time Interval, click From/To and using the calendar, select the From time to be 2016-05-04 00:00 and the To time as 2016-05-05 00:00 as highlighted in the following screen.
- Click Search. Sessions matching the above search columns and criteria for the specified time interval are displayed on the right pane with their basic details.

Basic details of each session displayed (for both the Quick Search and Advanced Search methods) include the first and last occurrences of the PCAPs, file names, MIME types, file hashes, MD5 hashes, SHA1, SHA256, SHA512, ssdeep fuzzy hashes, file size, and a link to view further details of the files.
Note: For viewing the further details of the file on a new screen, click the View link corresponding to that file session in the Actions column.
Viewing Further Details of the File
Click View in the Actions column corresponding to a file. The resulting page displays the transferred file information along with the option to view its content and download it as a raw or encrypted file. Encrypted file downloads are password protected using the password "inquest". Details of TCP sessions containing the file can be viewed under the File Info section, where you can view the file name, MIME type, instance of the first and last occurrences of the file, file size, and entropy.
Note: Entropy is the randomness of the file. Files with structured data will have a lower entropy percentage. Files with compressed or encrypted data will have a higher entropy percentage.
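The following is an added example, not InQuest code: it recomputes the size, entropy, and hash columns for a downloaded raw file so they can be compared with the File Info section and used in Quick Search. The page does not state the product's entropy formula, so scaling Shannon entropy to 8 bits per byte = 100% is an assumption, and the names entropy_percent and file_info are hypothetical.

```python
import hashlib
import math
import zlib
from collections import Counter


def entropy_percent(data: bytes) -> float:
    """Shannon entropy of the byte histogram, scaled so 8 bits/byte = 100%.

    Assumption: the page does not state the product's formula; this scaling
    is one common way to express entropy as a percentage.
    """
    if not data:
        return 0.0
    total = len(data)
    bits = sum((n / total) * math.log2(total / n) for n in Counter(data).values())
    return round(bits / 8 * 100, 2)


def file_info(data: bytes) -> dict:
    """Size, entropy and the four hash columns for one downloaded raw file."""
    info = {"size": len(data), "entropy_percent": entropy_percent(data)}
    for name in ("md5", "sha1", "sha256", "sha512"):
        info[name] = hashlib.new(name, data).hexdigest()
    return info


# Constructed samples (not from a real capture): a text log, the same log
# compressed, and a deterministic pseudo-random stream standing in for
# encrypted content.
STRUCTURED = "\n".join(
    f"2016-05-04 00:00:{i % 60:02d} GET /login?id={i} 200" for i in range(2000)
).encode()
COMPRESSED = zlib.compress(STRUCTURED, 9)
RANDOM_LIKE = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(512)
)

if __name__ == "__main__":
    for label, blob in (("structured", STRUCTURED),
                        ("compressed", COMPRESSED),
                        ("random-like", RANDOM_LIKE)):
        info = file_info(blob)
        print(f"{label:12} size={info['size']:6} "
              f"entropy={info['entropy_percent']:6.2f}% md5={info['md5']}")
```

A high entropy value alone does not mark a file as malicious, since ordinary archives and media are also compressed; it is most useful alongside the MIME type and the signature columns.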
The contents of a file can be viewed by clicking the "View Content" button.

Image files (PNG, JPG, GIF) can also be viewed within the UI by clicking the "View Image" button.
