Browse Files on Machines

Note

To use these features, you can add the DFIR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success representative to request access to this package.

When you perform incident response or forensic analysis, you may want to browse the file system on machines to search for malicious files. For example, if you find evidence of a known artifact or known malicious file, you may want to search the machine to find additional evidence of the activities the attacker performed on the machine.

To assist you with these investigation efforts, the Cybereason platform enables you to browse files on selected machines.

You can browse the file system of a machine from the following screens:

  • File search results

  • The Element Details pane when running investigation queries

Enable the DFIR package

Note

To enable the DFIR package, you must upgrade your environment. You cannot enable the DFIR package on an existing version without a version upgrade.

After you purchase the DFIR package, open a Technical Support case to upgrade your environment and enable the DFIR package in it. Until the upgrade is complete, the Browse Files option is not available.

Assign the appropriate role

The Browse Files feature is visible only to users with the Responder L2 role.

User admins assign the Responder L2 role to Cybereason users from the Users screen.

Note

Users with the Responder L2 role cannot be assigned the Sensor Admin L1, Local Analyst L1, Local Analyst L2, or Local Responder roles.

Browse files from the Element Details screen

When running investigation queries, you can browse files on a machine through the Element Details pane for a specific machine.

Note

You can only browse the file system for machines that are currently online.

To browse files from the Element Details screen, follow these steps:

  1. Access the Element Details pane using one of the following options:

    Option 1: From the Investigation screen

    1. From the Investigation screen, build a query based on the Machine Element.

      You can add filters for the Machine Element as needed, or add other Elements to the query. However, before you run the query to retrieve results, ensure you select the Machine Element.

    2. Double-click a machine in the query results. The Element Details pane appears for that machine.

    Option 2: From the Sensors screen

    1. Navigate to the System > Sensors screen.

    2. Select a sensor.

    3. Above the sensor list, click Actions and select Investigate. The Element Details pane appears for that machine.

  2. In the Details pane, to the right of the machine name, you will see the option to Browse files:

    Option to browse files from the Element Details screen

  3. Click Browse files. The Cybereason platform opens the file directory in a separate tab:

    File directory from a machine

  4. Navigate around the file directory as needed.

Filter file search browsing results

You can filter the results displayed in the browser window by adding query strings to the end of the URL in your address bar. This can be helpful for narrowing down results in folders with a large number of files.

For example, you can enter this query string to search for the file Techpub.txt in the C:/support folder:

https://46.155.122.10/c:/support?find=Techpub.txt

If the file Techpub.txt exists in this folder, only it will be displayed.

Query string filters include the following. The first filter is introduced with ? and each additional filter with &.

?find=<string>

  Searches for file names that match the string value. You can use the special characters * and ? in your search, as follows:

    • * - wildcard for one or more characters.

    • ? - wildcard for one character.

  Examples:

    • ?find=*.bak

      Displays all the files with a .bak extension.

    • ?find=exam?le.pdf

      Displays all the files that match the string, such as example.pdf and examsle.pdf.

?limit=<number>

  Limits the results displayed to a specific number of results. If you do not enter a limit, the default limit is 1000. The maximum limit is 20000.

  Example:

    • ?limit=50

      Displays the first 50 files/folders in the folder.

?files=true

  Displays only files in the results, and not folders.

?directories=true

  Displays only folders in the results, and not files.

?creationafter=<epoch time>

  Displays files and folders that were created after the specified time. Use epoch time format (the number of seconds that have elapsed since 00:00:00 Coordinated Universal Time (UTC), Thursday, 1 January 1970, not counting leap seconds). The value is in seconds, not milliseconds, and is interpreted as UTC, so convert local timestamps before using them.

  Example:

    • ?creationafter=1492068983

      Displays files and folders created after the specified time.

?modifiedafter=<epoch time>

  Displays files and folders that were modified after the specified time. Use epoch time format, as for ?creationafter.

  Example:

    • ?modifiedafter=1492068983

      Displays files and folders modified after the specified time.

<query string>&<query string>

  You can concatenate multiple query strings using the & symbol. Only the first filter is preceded by ?.

  Example:

    • ?find=*.txt&creationafter=1492068983

      Displays all files with a .txt extension that were created after the specified time.
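The helper below is an added example, not Cybereason code, for building a Browse Files filter URL from typed values and for dry-running the filters against a directory listing before you point them at a live host. The server address, the function names and the sample listing for C:\support are assumptions made for illustration; the filter names, the wildcard rules (* is one or more characters, ? is exactly one), the default limit of 1000 and the maximum of 20000 follow the table on this page. The epoch conversion refuses naive datetimes, because a local-time timestamp shifts the cut-off by the UTC offset without any error.

```python
"""
Build Browse Files filter URLs and dry-run them against a listing.

Added example; not part of the Cybereason platform. Server address,
helper names and the sample listing are assumptions for illustration.
"""
import re
from datetime import datetime, timezone
from urllib.parse import urlencode, urlsplit, parse_qs

DEFAULT_LIMIT = 1000   # from the page: default when ?limit is absent
MAX_LIMIT = 20000      # from the page: maximum accepted value


def to_epoch(dt):
    """Seconds since 1970-01-01T00:00:00Z as an int. Rejects naive datetimes,
    which would silently be interpreted in the local timezone."""
    if dt.tzinfo is None:
        raise ValueError("use a timezone-aware datetime, e.g. tzinfo=timezone.utc")
    return int(dt.timestamp())


def build_browse_url(server, folder, find=None, limit=None, files_only=False,
                     directories_only=False, created_after=None, modified_after=None):
    """Return https://<server>/<folder>?<filters>. '*' and '?' are left
    unescaped, as in the page's examples; datetimes become epoch seconds."""
    if files_only and directories_only:
        raise ValueError("files=true and directories=true exclude each other")
    if limit is not None and not 1 <= limit <= MAX_LIMIT:
        raise ValueError(f"limit must be between 1 and {MAX_LIMIT}")
    params = []
    if find is not None:
        params.append(("find", find))
    if limit is not None:
        params.append(("limit", limit))
    if files_only:
        params.append(("files", "true"))
    if directories_only:
        params.append(("directories", "true"))
    if created_after is not None:
        params.append(("creationafter", to_epoch(created_after)))
    if modified_after is not None:
        params.append(("modifiedafter", to_epoch(modified_after)))
    url = f"https://{server}/{folder.strip('/')}"
    return url + ("?" + urlencode(params, safe="*?") if params else "")


def find_pattern(pattern):
    """Translate a ?find= value to a regex: '*' is one or more characters and
    '?' exactly one, as the page defines them; everything else is literal.
    Case-insensitive, since Windows file names are."""
    parts = []
    for ch in pattern:
        parts.append(".+" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def apply_filters(url, entries):
    """Dry-run the filters in url against a listing. Each entry is a dict with
    name, is_dir, created and modified (epoch seconds). Returns matching names."""
    q = {k: v[-1] for k, v in parse_qs(urlsplit(url).query).items()}
    limit = int(q.get("limit", DEFAULT_LIMIT))
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit out of range")
    out = []
    for e in entries:
        if "find" in q and not find_pattern(q["find"]).match(e["name"]):
            continue
        if q.get("files") == "true" and e["is_dir"]:
            continue
        if q.get("directories") == "true" and not e["is_dir"]:
            continue
        if "creationafter" in q and e["created"] <= int(q["creationafter"]):
            continue
        if "modifiedafter" in q and e["modified"] <= int(q["modifiedafter"]):
            continue
        out.append(e["name"])
    return out[:limit]


# Constructed listing for C:\support; not data from any real machine.
SAMPLE_LISTING = [
    {"name": "Techpub.txt", "is_dir": False, "created": 1492000000, "modified": 1492100000},
    {"name": "notes.txt",   "is_dir": False, "created": 1492200000, "modified": 1492200000},
    {"name": "example.pdf", "is_dir": False, "created": 1491000000, "modified": 1491000000},
    {"name": "examsle.pdf", "is_dir": False, "created": 1491000000, "modified": 1491000000},
    {"name": "config.bak",  "is_dir": False, "created": 1490000000, "modified": 1490000000},
    {"name": "logs",        "is_dir": True,  "created": 1490000000, "modified": 1492300000},
]

if __name__ == "__main__":
    cutoff = datetime(2017, 4, 13, 7, 36, 23, tzinfo=timezone.utc)  # epoch 1492068983
    url = build_browse_url("46.155.122.10", "c:/support", find="*.txt", created_after=cutoff)
    print(url)
    print(apply_filters(url, SAMPLE_LISTING))
```

Running the dry run first is worthwhile when the target folder is large: a pattern that matches nothing returns an empty page, and a missing ?limit on a folder with tens of thousands of entries is cut off at 1000 without any indication that results were dropped.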