Download a File for Analysis During Investigation

In this tutorial, we will explain, step-by-step, how to download a file from the Cybereason platform to analyze it in your own environment.

Sometimes, when performing MalOp analysis and triage, you will want to retrieve a file that you found and run and/or analyze this file in your production environment or in your sandbox environment. Normally, to do this you would need to access the local machine, find the file, and then copy it to another location. Using the Cybereason platform, however, you can download files directly from the platform to your local machine and then perform analysis anywhere you want.

For the purposes of this tutorial, you will download a malicious file associated with a MalOp. You need the Analyst L3 role to perform this task.

Download the file

To download the file, you must first identify the file of interest and then run a separate investigation query that returns details on that specific file. From the query results, you can download the file.

Note

This tutorial shows an example of a file from a demonstration environment. You can perform these steps on any file in any environment.

  1. In your environment, open the MalOp for which you want to investigate the file.

  2. In the MalOp details, navigate to the Process tab.

  3. On the left side of the Process tab, locate the Processes profile section. You should see a list of files for the process identified with the MalOp.

    Processes profile for a process identified as the root cause of the Malop

  4. Below the Processes profile section, select a process and click Investigate. This will create and run the relevant query for this specific process in the MalOp and automatically open the Element Details for that process.

    Query for the process identified as the root cause of the Malop

  5. In the Element Details for the process, scroll down until you find the File section of the Element Details.

    File properties for the process identified as the root cause of the Malop

  6. At the top of the File section, there will be a string that lists the number of image files or the name of the image file for the process. Click this string.

    String to click in the file properties for the process identified as the root cause of the Malop

  7. The Cybereason platform displays the name of the image file or, if there are several, the list of image files.

  8. Scroll to the bottom of the list of files.

  9. At the bottom of the list of files, click the Download __ files button.

    Option to download a file from the properties for the process identified as the root cause of the Malop

  10. When you click Download, the Cybereason platform retrieves the files from the machines in question and displays a download icon at the top of the main Investigation screen.

    Download icon for downloaded files

  11. Click the Download button to see whether the retrieval operation succeeded. Note that retrieval depends on the machines on which the file was found being online; if a machine is offline, the retrieval from that machine can fail, and such failures are indicated in the list of downloads.

    Download list for downloaded files

  12. In the list of files and machines, for those machines on which the Cybereason platform was able to retrieve the files, there is a link to download the file.

    In the list of files, click Download. The browser window automatically saves an archive file with the files to your local machine.

Open the downloaded files

When you download files from the Cybereason platform, they are delivered in an encrypted zip file to ensure that you or other analysts do not accidentally open and run what could be a very malicious file. The password for the archive is stored in a special password file inside the zip file; you must read that file to obtain the password before you can extract the archive.

  1. On your machine, open (not extract) the zip file.

    When you open the downloaded archive, ensure you use a program, such as Zip or WinRAR, that enables you to open and view the archive contents and enter a password as part of its standard use.

  2. In the zip file, locate the file with a name ending in METADATA.

  3. Open this METADATA file in a text editor and locate the line with the password for safe access.

  4. Extract the file and enter the password when prompted.

You are now able to take the file and analyze and run it as needed.
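The same "open, don't extract" workflow can be scripted when you receive many archives. The following added example (not Cybereason's own code) reads the password from the member whose name ends in METADATA and then streams each sample straight into a SHA-256 hash, so nothing is written to disk that could be double-clicked by accident. The METADATA line format `Password: <value>` and the member names are assumptions for the example, and the sample archive is constructed inline (unencrypted, because Python's `zipfile` cannot write encrypted entries).

```python
import hashlib
import io
import re
import zipfile

# Assumed METADATA line format (hypothetical; the real file may differ): "Password: <value>"
PASSWORD_LINE = re.compile(r"^\s*password\s*[:=]\s*(\S+)", re.IGNORECASE | re.MULTILINE)

def find_metadata_member(zf):
    # The tutorial says the password file's name ends in METADATA.
    names = [n for n in zf.namelist() if n.upper().endswith("METADATA")]
    if len(names) != 1:
        raise ValueError(f"expected exactly one METADATA member, found {names}")
    return names[0]

def read_password(zf):
    # The METADATA member itself is assumed to be stored unencrypted.
    text = zf.read(find_metadata_member(zf)).decode("utf-8", errors="replace")
    match = PASSWORD_LINE.search(text)
    if match is None:
        raise ValueError("no password line found in METADATA")
    return match.group(1)

def inspect_archive(archive):
    """Return (password, {member: sha256}). Samples are streamed into a hash,
    never written to disk, so the malicious file is not dropped by accident."""
    hashes = {}
    with zipfile.ZipFile(archive) as zf:
        password = read_password(zf)
        meta = find_metadata_member(zf)
        for info in zf.infolist():
            if info.filename == meta or info.is_dir():
                continue
            digest = hashlib.sha256()
            with zf.open(info, pwd=password.encode()) as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            hashes[info.filename] = digest.hexdigest()
    return password, hashes

def build_sample_archive(with_metadata=True):
    # Constructed stand-in: Python's zipfile cannot write encrypted entries,
    # so this archive is unencrypted; the reading code above is unchanged.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_metadata:
            zf.writestr("download_METADATA", "Password: infected\n")
        zf.writestr("suspicious.exe", b"abc")  # sample body, SHA-256 test vector
    buf.seek(0)
    return buf
```

The returned hashes can be pivoted on in other tooling before anyone decides whether the sample needs to be extracted and run in a sandbox.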