TRIFORCE ANJP. THE POWER TO PROVE sm USER S GUIDE USER S GUIDE TRIFORCE ANJP VERSION 3.13

Transcription

1 TRIFORCE ANJP THE POWER TO PROVE sm USER S GUIDE USER S GUIDE TRIFORCE ANJP VERSION 3.13

2 TRIFORCE ANJP USER S GUIDE 2 Contents LET'S BEGIN... 6 SAY HELLO TO ANJP... 6 RUNNING ANJP... 7 SOFTWARE ACTIVATION... 7 Online Activation... 7 Offline Activation... 8 LICENSE RENEWAL Online Renewal Offline Renewal Software Updates ANJP S USER INTERFACE MENU BAR File Menu Connections Menu Help Menu PARSE STATUS PROCESS TAB Case Information Case Options REPORTS TAB Database Connection Reports Tab Panes Report Options Report Navigation THE POWER OF PARSE AND PROCESS PARSING FILES Acquire NTFS Files Start ANJP Enter Case Information Processing Events after Parsing Customizing Event Processing Specifying Case Options Parse CONNECTING TO A DATABASE Start ANJP Connect to the Database PROCESSING EVENTS Event Selection How to Create a Custom File List VIEWING REPORTS THE REPORTS LIST HOW TO VIEW A REPORT Start ANJP... 31

3 TRIFORCE ANJP USER S GUIDE 3 Opening a Report MFT REPORTS MFT File Listing MFT Filelist Hits MFT Time Anomalies LOGFILE REPORTS File Interactions Overview LogFile Events LogFile Time Anomalies USN REPORTS USN Record Listing USN Events OTHER REPORTS Log2Timeline Events Summary FILTERING DATA FILTERING REPORTS FILTER LOGIC COLUMNS, CONDITIONS, AND VALUES Integers Timestamps Strings Event IDs HOW TO CREATE A FILTER Start ANJP Opening the Filter Window Configuring the Filter Adding the Filter ADDITIONAL FILTER OPTIONS Exporting and Importing Filters Clearing Filters Removing Individual Filters Exporting Filtered Data EXPORTING REPORTS EXPORTING REPORTS TO A FILE Start ANJP Opening the Export Window Configuring Export Options SENDING REPORTS TO ELASTICSEARCH How to Connect to an ElasticSearch Node and Send Reports APPENDIX A: NTFS FILES EXTRACTING NTFS FILES AnExtractor: ANJP Companion Tool Commercial and Free Tools How to Extract NTFS Files... 43

4 TRIFORCE ANJP USER S GUIDE 4 APPENDIX B: COLUMN REFERENCE MFT REPORTS MFT File Listing MFT Filelist Hits MFT Time Anamolies LOGFILE REPORTS File Interactions Overview LogFile Events LogFile Time Anamolies USN REPORTS USN Record Listing USN Events OTHER REPORTS Log2Timeline Events Summary... 56

5 [This page intentionally left blank.] TRIFORCE ANJP USER S GUIDE 5

6 TRIFORCE ANJP USER S GUIDE 6 Say Hello to ANJP Let's Begin ANJP provides a novel way of linking information contained in three important NTFS files that are responsible for maintaining the file system: The MFT, LogFile, and USN. Fullpath enumeration in the LogFile and USN through Rollback. By linking the LogFile and USN to the MFT, the fullpath (path and filename) for a given record within a LogFile or USN record can be enumerated. However, this linkage cannot be used to maintain fullpaths while parsing the entire LogFile or USN Journal. This is because as records are added to the LogFile and USN files can be deleted, created, and renamed, which potentially changes the path or filename for a given MFT entry. To overcome this, it is necessary to roll back the LogFile and USN to affect the correct fullpath for a given entry. Thus, parsing the LogFile and USN records from newest to oldest records, and applying changes to the fullpaths as files are deleted, created, and renamed results in the knowing exactly where a file was located and what its name was, when a change occurred. Find evidence of changes that happened in the past with Event Searching. A key feature of ANJP is its ability to search for events using Event Signatures within the LogFile and USN. There are two kinds of signatures that can be searched for: Predictable Sequence of Operations (PSO Events) and Presence of a Series of Indicators (PSI Events). PSO Events: A PSO Event is a predictable sequence of operations that occurs within a transaction. A transaction contains many different kinds of operations that are performed by the file system when something is changed, and each change that occurs results in a transaction with a particular set of operations that are specific to that type of change. PSO events search every transaction in either the LogFile, or the USN to determine if transactions contain matching criteria. PSO events include file and folder deletions, creations, renames, moves, and more. PSI Events: A PSI Event is the presence of a series of indicators that are not contained within one transaction and span multiple types of transactions within the LogFile or the USN. When ANJP searches for PSI events, it searches the entire LogFile or USN for matching criteria to show that an event has taken place. This can include virus infections, application installation, application usage, file wiping and more. Export Your Data. While realizing the need to use external software to analyze parsed data, ANJP provides options for exporting full reports, or only selected rows to an excel spreadsheet or a delimited text file. If an ElasticSearch node is available users have the option to send it individual reports to take advantage of ElasticSearch s powerful indexing and searching capabilities. Filters. Finally, ANJP s user interface also supports applying filters to report data, effectively narrowing down a large report to what is relevant.

7 TRIFORCE ANJP USER S GUIDE 7 Running ANJP ANJP is a stand-alone program that requires no installation. Before ANJP can be used it must first be activated. See Software Activation on page 7. Once ANJP is activated, simply double-click the executable to begin using ANJP. Software Activation There are two ways that ANJP can be activated: Online Activation and Offline Activation. Online Activation: Used to activate a machine that has an internet connection. See Online Activation on page 7. Offline Activation: Used to activate a machine that does not have an internet connection. See Offline Activation on page 8. Online Activation 1. Create a folder that will be used to store the ANJP executable and the license files generated in the upcoming steps. 2. Double-click the ANJP executable provided to begin the online activation process. 3. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 4. If this is the machine that will activated for use click Yes. If this is not the Machine that will be activated for use click No and follow the instructions provided in Offline Activation on page Enter the Order Id that was provided when your ANJP license was purchased. The Activation Id field is automatically populated. 6. Click Submit. Upon clicking Submit the License files are created. They should remain in the same folder as the ANJP executable.

8 TRIFORCE ANJP USER S GUIDE 8 NOTE: The License files must be stored in the same folder as the ANJP executable. Do not delete, modify, or move the license files outside of the folder containing the ANJP executable. 7. ANJP is now activated for use. Offline Activation To activate a machine that does not have an internet connection (Offline Machine), a machine that does have an internet connection (Online Machine) is used to activate the Activation Id generated by the Offline Machine. The Offline Machine: A machine that will be licensed for use but does not have an internet connection. The Online Machine: A machine that may or may not be licensed for use but is connected to the internet and will be used to complete activation on behalf of the Offline Machine. Obtaining the Activation Id of the Offline Machine 1. Within the Offline Machine create a folder that will be used to store the ANJP executable. 2. Double-click the ANJP executable to begin the offline activation process. 3. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 4. Since this is the Offline Machine to be activated click Yes. 5. By clicking Yes the Activation Id field will be populated with the Activation Id of the Offline Machine. 6. To save the Activation Id to a text file click Export. In the resulting window navigate to the location to save the text file and specify the filename to use. Click Save. 7. Copy the Activation Id File and ANJP Executable to a Removable Drive 8. The text file created in step 6 contains the Activation Id of the Offline Machine. Copy the text file and a copy of the ANJP executable to a removable drive. 9. Once the files are copied remove the external drive from the Offline Machine and close ANJP.

9 TRIFORCE ANJP USER S GUIDE 9 Generating the License Files using the Online Machine 10. Insert the removable drive that contains the Offline Machine s Activation Id file from step 7 into the Online Machine. Navigate to the location of the ANJP executable on the removable drive and double-click to run. 11. Read the ANJP End User License Agreement. Click Agree if you agree, otherwise click Decline to stop the activation process. 12. In the resulting Activation window click No since this IS NOT the machine that will be activated for use. (This is the Online Machine and is being used as an intermediary in the activation process) 13. Within the ANJP Activation Tool window click Import. Navigate to the location of the text file that was created on the Offline Machine and click Open. 14. This will populate the Activation Id field with the Id of the Offline Machine that was generated in step 6 and copied to the external drive in step 7. STOP: Before proceeding to the next step, ensure that the Activation Id supplied was generated by the Offline Machine to be activated and IS NOT the Activation Id of the machine performing the activation request on behalf of the Offline Machine. 15. In the Order Id field enter the Order Id that was provided when you purchased ANJP.

10 TRIFORCE ANJP USER S GUIDE Click Submit. Upon clicking Submit the license files signature and license.xml will be created in the folder on the removable drive that ANJP was executed from. 17. Unplug the removable drive from the Online Machine, and insert the drive into the Offline Machine to transfer the newly generated license files. Copying the License Files to the Offline Machine 18. With the removable drive plugged in to the Offline Machine, navigate to the location of the license files located on the removable drive. 19. Copy the license files named signature and license.xml to the Offline Machine, placing them into the same folder as the local copy of the ANJP executable. NOTE: The License files must be stored in the same folder as the ANJP executable. Do not delete, modify, or move the license files outside of the folder containing the ANJP executable. 20. When ANJP is run on the Offline Machine it will check the activation status using the license files copied. If the check is successful ANJP will be ready for use on the Offline Machine.

11 TRIFORCE ANJP USER S GUIDE 11 License Renewal ANJP License Renewal is available for those who have previously activated their software but their maintenance period has ended and would like to renew their license. With the purchase of ANJP you have access to one year of software updates and technical support. The maintenance period begins when you purchase ANJP. When the maintenance period ends you will no longer receive important updates to your ANJP software. To view information related to your license from within ANJP open the About page from the Help dropdown menu. There are two ways to renew your ANJP license: Online Renewal and Offline Renewal. Online Renewal: Used to renew the license of a machine that has an internet connection. See Online Renewal in the next section. Offline Renewal: Used to renew the license of a machine that does not have an internet connection. See Offline Renewal on page 12. Online Renewal 1. Open ANJP. 2. Click on Help from the menu bar and select Renewal. 3. If the License Id field is not populated click Get License Id. 4. Click Renew. 5. When prompted to replace the current Signature and License files select Yes. 6. On the pop-up stating License files exist, are you sure you want to overwrite click Yes. 7. Your license will be updated with the new expiration date.

12 TRIFORCE ANJP USER S GUIDE 12 Offline Renewal To renew a machine that does not have an internet connection (Offline Machine), a machine that has an internet connection (Online Machine) is used to renew the License Id from the Offline Machine. The Offline Machine: The machine that will have its license renewed but does not have an internet connection. The Online Machine: The machine that may or may not be activated for use but is connected to the internet and will be used to complete renewal on behalf of the Offline Machine. Obtaining the License Id of the Offline Machine 1. Insert the removable drive you will use to save the generated files into the offline machine. 2. Double-click the ANJP executable to begin the offline activation process. 3. Within ANJP click Help from the menu bar and choose Renewal. 4. Record your Order Id from the Order Id field, it will be needed to generate the license files on the Online Machine. 5. If the License Id field is not populated click Get License Id. 6. Save the License Id to a text file by clicking the Export button. 7. In the resulting window navigate to a location to save the text file and specify the filename to use. Click Save. Copying the License Id File and ANJP Executable to a Removable Drive 8. The text file created in step 7 contains the License ID of the Offline Machine. Copy the text file and the ANJP executable to a removable drive.

13 TRIFORCE ANJP USER S GUIDE Once the files are saved, remove your external media from the Offline Machine and close ANJP. Generating the Renewed License Files using the Online Machine 10. Insert the removable drive that contains the Offline Machine s License Id file from step 9 into the Online Machine. Navigate to the location of the ANJP executable and double-click to run. 11. Read the ANJP End User License Agreement. Click Agree if you agree otherwise click Decline to stop the activation process. 12. In the resulting Activation window click No since this IS NOT the machine that will be renewed for use. (This is the Online Machine, and is being used as an intermediary in the activation process) 13. Click the Renewal Tool button. 14. In the Renewal Tool window enter the Order Id you recorded in step To populate the License Id field click Import. Navigate to the location of the text file that was created by the Offline Machine in step 7 and click Open. 16. This will populate the License Id field with the ID contained in the text file and was generated by the Offline Machine in step 6.

14 TRIFORCE ANJP USER S GUIDE 14 STOP: Before proceeding to the next step, ensure that the License Id supplied was generated by the Offline Machine to be activated and IS NOT the License Id of the machine that is performing the renewal request on behalf of the Offline Machine. 17. Click Renew. Upon clicking Renew the license files will be created in the folder that ANJP was executed from. 18. Unplug the removable drive from the Online Machine and insert the drive into the Offline Machine to transfer the newly generated license files. Copying the License Files to the Offline Machine 19. With the removable drive plugged in to the Offline Machine navigate to the location of the newly generated license files located on the removable drive. 20. Copy the license files named signature and license.xml to the Offline Machine, placing them into the same folder as the local copy of the ANJP executable. 21. If the license files already exist on the Offline Machine ensure that the check box for Do this for the next 1 conflicts is selected. Then click Copy and Replace.

15 TRIFORCE ANJP USER S GUIDE 15 NOTE: The License files must be stored in the same folder as the ANJP executable. Do not delete, modify, or move the license files outside of the folder containing the ANJP executable. 22. When ANJP is run on the Offline Machine it will check the activation status using the license files copied. If the check is successful, ANJP will be ready for use on the Offline Machine. Software Updates ANJP is always being improved and updated, and your unexpired licenses entitles you to these updates. Updates can be easily acquired for both online and offline computers. You will be notified of updates by and by your ANJP client, giving you a choice on how you wish to update your system. Updating your copy of ANJP There are two methods of retrieving an updated version of ANJP. Within ANJP: Use your current activated ANJP software to obtain the update. Proceed to Updating in ANJP the next section. Via Use the download link sent to your when an update was released. This option is useful when performing an update for an Offline Machine. Proceed to Step 4 on page 16. Updating in ANJP When ANJP is run it checks the internet to determine if a newer version is available. If an update is available it will inform you in the bottom right window of the program. NOTE: If ANJP is not able to connect to the internet you will not see the update status change. If this is an Online Machine ensure that ANJP is not being blocked by your firewall. Alternately, you can download an update using the download link sent to your when an update is released.

16 TRIFORCE ANJP USER S GUIDE From the Menu toolbar within ANJP click the Help menu, then click Update. 2. Within the Update window information related to the new release is provided. 3. To download the latest version click the Update button. 4. No matter which option you used to download your copy of ANJP ( or within ANJP), create a new folder or use an empty directory to save the new ANJP executable. 5. Copy the license files signature and license.xml that were located in the same folder as the outdated ANJP executable. Place the copied license files into the folder that contains the new ANJP executable. NOTE: If the update process is being performed for an Offline Machine you must first copy the new ANJP executable from the Online Machine to the Offline Machine. 6. Double-click the new ANJP executable to launch the program. If the license files have been copied correctly ANJP will display a prompt indicating that the event_rules directory could not be found and that it is creating the directory. 7. ANJP has now been updated for use.

17 TRIFORCE ANJP USER S GUIDE 17 ANJP s User Interface This chapter discusses the layout and features of the ANJP user interface. Menu Bar Use the Menu Bar to access ANJP s core features. There are two items in the Menu bar: the File Menu and the Connections Menu. File Menu The File Menu provides access to features related to processing events. Options: Used to open the Options window where various settings can be changed. For more details see Case Options on page 20. Event Selection: Used to open the Events window. The Events window is used to customize the events to include when processing events is initiated. See Event Selection on page 27.

18 TRIFORCE ANJP USER S GUIDE 18 Process Events: Used to initiate processing events on a database that is currently connected in the Reports tab. See Processing Events on page 27. Connections Menu The Connections menu provides access to ElasticSearch configuration settings. ElasticSearch: Used to open the ElasticSearch Connection window. The ElasticSearch window is used to enter node information and establish a connection to an ElasticSearch service using a perviously configured ElasticSearch node IP address and port. See Sending Reports to ElasticSearch on page 41 for additional information. Help Menu The Help menu provides access to version maintenance tools and information. Update: Used to open the ANJP Update Tool. The Update Tool is used to download new releases of ANJP. See Updating your copy of ANJP on page 15. About: Used to open the About page. The About window contains information including copyright status, ANJP version, Events version, and Database Schema version. License: Used to open the License page. The License page contains the software license agreement terms and conditions. Activation: Used to open the ANJP Activation Tool. The Activation Tool is used to activate a copy of ANJP and generate the associated license files. See Software Activation on page 7. Renewal: Used to open the ANJP Renewal Tool. The Renewal Tool is used to renew the license of a copy of ANJP and generate the associated license files. See License Renewal on page 11. Parse Status The Process tab contains visual indicators and information that reveal the status of ANJP s parsing and processing of events. Progress Bar: Used to view the real-time progression through each stage of parsing or processing events. Progress Log: Used to log information related to each stage of parsing and the results of event processing once the event engine is finished processing. The Progress Log can be saved by clicking the Save Log button in the Process Tab and specifying the path and filename of the output log file.

19 TRIFORCE ANJP USER S GUIDE 19 Process Tab The Process tab is used to enter case information, select the NTFS files be parsed and processed, set case options, select events, and initiate parsing and processing of events. Case Information Use the Case Information fields to specify a Case Name, Case Path, and locations of the NTFS files to be parsed. When parsing is initiated, ANJP uses the information provided in these fields to create an ANJP database. Case Name (Required): Used to name the ANJP created database. Case Path (Required): The location to save the database. MFT (Optional): The path and filename of the MFT file to be parsed. Multiple MFT files that were extracted from a system and its Volume Shadows can be added to this field by pressing ctrl then selecting each MFT to be parsed. Refer to AnExtractor User s Guide for more information related to extracting MFT files from Volume Shadows. LogFile (Optional): The path and filename of the LogFile file to be parsed. This field may only contain one LogFile. USN (Optional): The path and filename of the USN file to be parsed. Multiple USN files that were extracted from a system and Volume Shadows can be added to this field by pressing ctrl then selecting each USN to be parsed. Refer to AnExtractor User s Guide for more information related to extracting USN files from Volume Shadows. Carved USN Folder (Optional): The path to the folder containing carved USN records for ANJP to parse. Refer to AnExtractor User s Guide for more information related to carving USN files.

20 TRIFORCE ANJP USER S GUIDE 20 Case Options Case Options are used to customize the parsing and processing of NTFS files. Options: Use the button to open the Options window. Use Options to adjust settings related to parsing files, report formatting, timezone and debug logging. Table 1: Case Options Timezone Cluster Size MFT Entry Size Rows Per Page USN Transactions Per Grouping LogFile Transactions Per Grouping L2T Date Format Case Options Use to select the timezone that will applied to timestamps parsed from the NTFS files. By default ANJP will record timestamps in UTC (+00:00). Used to select the cluster size (bytes) geometry for the drive the system files were stored on. Default value is Used to select the MFT record entry size in bytes as it is stored in the MFT. Default value is Used to specify the number of rows per page to be displayed when viewing a report in the Reports tab. Default value is Used to specify the number of USN transactions grouped together when events are processed. Larger groups will require more memory. Default value is The number of LogFile transactions processed together when events are processed. Larger groups will require more memory. Default value is The date format preferred of LT2 output

21 TRIFORCE ANJP USER S GUIDE 21 Process Events After Parsing: Used to initiate event processing immediately after parsing has completed. This is checked by default. Uncheck to disable processing events after parsing. See Processing Events on page 27. Event Selection: Used to open the Events window. The Events window is used to customize the list of events to be included when processing events is initiated. By default, all events are selected for inclusion. See Event Selection on page 27.

22 TRIFORCE ANJP USER S GUIDE 22 Reports Tab The Reports tab contains features and panes that relate to connecting to a database and viewing reports. Database Connection Database Connection options are related to connecting to an ANJP database. Database Field: The path and filename of the ANJP database to connect to. Connect Button: Used to connect to the database specified in the Database field. Database Connection Status: Used to display the connection status of a database opened using the Database field and Connect button.

23 TRIFORCE ANJP USER S GUIDE 23 Reports Tab Panes The Reports Tab Panes contain features that allow for selecting, viewing, and navigating through reports. The Reports List Pane: Contains the list of reports available for viewing. Expand or collapse the list by clicking the or icons, respectively. Open a report by double-clicking the report to be viewed. See How to View a Report on page 31. The Report View Pane: Displays the contents of a report that was opened from the list of reports in the Reports List Pane.

24 TRIFORCE ANJP USER S GUIDE 24 Report Options Report Options are used to filter or export a report that is currently loaded into the Report View Pane. Filter Button: Used to open the Filter window. The Filter window provides access to options related to filtering report data and managing filter lists. See Filtering Reports on page 35. Export Button: Used to open the Export window. The Export window provides access to options related to exporting report data. See Exporting Reports to a File on page 40. Report Navigation Report Navigation is used to navigate through a report currently loaded into the Report View Pane. See How to View a Report on page 31. Navigation Buttons: Used to navigate to the next or previous page of a report. Arrows will go to next set based on Rows Per Page set in options. By default ANJP displays 5000 rows at a time. Row Range Status Bar: Located in the status bar, the Row Range is used to determine the range of rows, or row numbers currently loaded into view as well as displaying the total number of rows. By default ANJP displays 5,000 rows of report data at a time.

25 TRIFORCE ANJP USER S GUIDE 25 The Power of Parse and Process ANJP s Power of Parse rests in its ability to scour the MFT and assess the current state of the file system and dredge the LogFile and USN to discover changes that occurred in the past. ANJP s Power of Process is the amplification of its parsing power via Processing Events. The LogFile and USN can be searched to identify the presence of historical events related to file creations, deletions, renames, wiping, virus infections, cd burning, software usage, and more. Parsing Files The goal of parsing is to create an ANJP database. This is the first step towards gleaning information from the system to be analyzed. Acquire NTFS Files 1. Refer to AnExtractor User s Guide for detailed information about obtaining NTFS files. Start ANJP 2. Open ANJP and go to the Process tab. Enter Case Information See Case Information on page 19 for detailed information. 3. In the Case Name field enter a name that will be used for the database ANJP creates. NOTE: The Case Name field accepts alpha-numeric characters, spaces, dashes - and underscores_ only. Special characters are not permitted. 4. In the Case Path field, enter the location to save the database. 5. In the MFT, LogFile, and USN fields, enter the path and filename of each file to be used in parsing. TIP: You can analyze multiple MFT s and USN Journals at once by selecting (ctrl+right click) all the desired files of that type when browsing or using drag and drop. You must add them all together, trying to add an additional file while the field is already populated will result in the original file(s) being replaced by the new file.

26 TRIFORCE ANJP USER S GUIDE 26 TIP: You can parse USN journals without an MFT, however, the file path will not be included in the USN report tables. Processing Events after Parsing See Processing Events on page 27 for detailed information. 6. The Process Events After Parsing checkbox is checked by default. Uncheck this option to disable event processing immediately after parsing has completed. Customizing Event Processing See Processing Events on page 27 for detailed information. 7. If events are to be processed immediately after parsing, click the Event Selection button and choose which events you would like ANJP to look for. If you would like to add an MFT File List, refer to Adding and Deleting MFT File Lists on page 29. Specifying Case Options Parse 8. Specify additional options to be used by ANJP when parsing and processing by clicking the Options button. Refer to Case Options on page 20 for detailed information. 9. Click Parse. Clicking Parse will parse data from the NTFS files specified in step 4, and place the data into an SQLite database using the name specified in step 3 (Case Name) and the path specified in step 4 (Case Path).

27 TRIFORCE ANJP USER S GUIDE 27 Connecting to a Database The next step to analyzing the data is connecting to an ANJP created database. In this section, the steps needed to connect to an existing ANJP database will be covered. If a database has not yet been created, refer to Parsing Files on page 25. Start ANJP 1. Open ANJP and go to the Reports tab. 2. In the Database field enter the path and filename of the ANJP created database file. Connect to the Database 3. With the Database field populated click Connect. Processing Events The MFT, LogFile, and USN can contain copious amounts of information. Manually sorting through potentially millions of parsed records would be time consuming and expensive. Event Processing attempts to overcome the vast stores of mined data by using event signatures. Event signatures are used by ANJP to zero in on specific types of events that take place within the file system. This includes but is not limited to: file creations, deletions, renames, application usage, file wiping, and more. There are two different scenarios where event processing can be initiated: When Parsing Files o In the Process tab check Process Events After Parsing. While Connected to a Database Event Selection o From the menu bar select File > Process Events. Event Selection is used to customize what events ANJP will search for when event processing is initiated (immediately following parsing or manually launched). To customize which events ANJP should search for, open the Events window in one of the following ways: Process Tab > Event Selection File Menu > Event Selection Within the Events window, place a check next to each event to be included when events are processed.

28 TRIFORCE ANJP USER S GUIDE 28 MFT File Lists The Events window also provides the option to add MFT File Lists. MFT File Lists are text files containing a list of search terms which are used by ANJP to search for matching fullpaths or filenames from the MFT File Listing report. MFT File Lists can be added in the Events window so that a custom list of files and folders can be used when event processing is initiated. How to Create a Custom File List In order to use a file list in the Events list, you must first create one. You can create your own file list by following the rules and steps below: File Name and Full Path Terms: An acceptable file list must include terms that are all structured the same. Terms that are structured as filenames cannot be combined in the same file list with terms that are structured as fullpaths, and vice versa. Regex and String Terms: The terms in the file list must all be interpreted the same way by ANJP. Terms that are regular expressions cannot be combined with terms that are strings within the same file list, and vice versa. When you add a file list to ANJP you must select the search type for the list: Regex or String. Therefore, if you include regular expressions within your file list and you select String as the search type, regular expressions will not be interpreted as such. NOTE: The regex used by ANJP is perl regex. Regular expressions should be formatted with this in mind. Open a Text Editor 1. Open a text editor to begin adding terms to the file list. Add terms to your list 2. Each term in your list should be placed on a new line within the list. Refer to the Sample File List on the next page for an example of what an MFT File List contains.

29 TRIFORCE ANJP USER S GUIDE 29 Sample File List The file list below contains a list of regular expressions that can be used by ANJP to find matching fullpaths within the MFT File Listing report. Terms Used: ^\\users\\.{1,}\\appdata\\local\\temp\\.{1,}[.]exe Match any filename with an exe extension located in \user\{any users}\appdata\local\temp ^\\users\\(.{1,}\\)+.{1,}[.]lnk$ Match any filename in any folder under the directory \users\ and has the extension.lnk ^\\Windows\\Prefetch\\.{1,}[-][A-F0-9]{1,8}[.]pf$ Match any filename in the folder \Windows\Prefetch\ that contains a followed by up to 8 characters A though F, or 0 through 9, and has the extension.pf. Adding and Deleting MFT File Lists With a file list created, it can be added to the list of events. If a file list has not been created, see How to Create a Custom File List on page 28. Start ANJP 1. Open ANJP and go to the Process tab. 2. Open the Events window by clicking the Event Selection button, or go to File > Event Selection from the menu bar. Opening the MFT File List Window 3. Open the MFT File List window by clicking the Add MFT File List button. Configuring the MFT File List Event 4. In the Id Name field type a unique name for the MFT File List event to be created. 5. In the Filelist field type the path and filename of the list, click Browse and navigate to the location of the list, or drag-and-drop the list directly into the Filelist field.

30 TRIFORCE ANJP USER S GUIDE Select the appropriate Case, Search Type, Match Value, and Encoding options that reflect the contents and type of search to be used. See Table 2: MFT Filelist Options below for descriptions of each option. Table 2: MFT Filelist Options CASE SEARCH TYPE MATCH VALUE ENCODING OPTIONS insensitive sensitive string regex file name full path ANSI UTF-8 (No BOM) UTF-8 USC-2 (LE) USC-2 (BE) DESCRIPTION Ignore the character case. Find matches using the same character case as the search term. The file list is a list of strings. The file list is a list of Perl Regular Expressions. Match only file or folder names. Match full paths. Non-Unicode text file. Unicode text files without byte-order mark. Unicode text files with byte-order mark. 2-byte Universal Character Set text file. (Little Endian) 2-byte Universal Character Set text file. (Big Endian) Adding Your MFT File List Event 7. In the MFT File List window click Create. The file list will be added to the Events window as an MFT Event. Deleting an MFT File List Event 1. To delete an MFT File List highlight the MFT Event to be deleted and click Delete MFT Event in the Event Selection window. This will remove the MFT Event from the list.

31 TRIFORCE ANJP USER S GUIDE 31 Viewing Reports This chapter discusses the reports that are stored within an ANJP created database after parsing and processing NTFS files, and are available for viewing. The Reports List The Reports List is located in the Process Tab > Reports List Pane and contains the parent item reports which are divided into four categories: MFT, LogFile, USN, and Other. Reports listed under those categories can be selected for viewing. How to View a Report Start ANJP 1. Open ANJP and go to the Reports tab. 2. Connect to an ANJP created database. Opening a Report 3. Expand the Reports List by clicking the icons. Open a report by double-clicking the report to be viewed. NOTE: While a report is being loaded into view you will not be able to perform additional tasks within ANJP. The time it takes to open a report depends on the amount of data it contains. The larger the report, the longer it will take to open.

32 TRIFORCE ANJP USER S GUIDE 32 MFT Reports MFT Reports are report views generated by ANJP after parsing the $MFT and processing events. MFT File Listing The MFT File Listing report contains the record entries that were parsed from the $MFT. See the MFT File Listing report reference on page 46 for a complete list of column names and descriptions contained within this report. MFT Filelist Hits The MFT Filelist Hits report contains a listing of hits found after processing MFT Events against the MFT File Listing report. See the MFT Filelist Hits report reference on page 47 for a complete list of column names and descriptions contained within this report. NOTE: If no MFT Events were found during processing or no MFT Events were selected using Event Selection this report will be empty. See MFT File Lists on page 28 for information about how to include these types of events when event processing is initiated. MFT Time Anomalies The MFT Time Anomalies report contains MFT entries where timestamps from a MFT entry contain entries that may indicate suspicious activity. For example, FN timestamps are set at creation and are generally not updated afterwards. Therefore SIA timestamps should be equal to or greater than FN timestamps. If a SIA timestamp is older than its matching FN timestamp it may indicate the timestamps have been tampered with. The MFT Time Anomalies report will alert you to these mismatched timestamps. LogFile Reports LogFile Reports are report views generated by ANJP after parsing the $LogFile and processing events. NOTE: If a LogFile was not selected for parsing when the database was first created, all LogFile reports will be empty. File Interactions The File Interactions report contains records parsed from the $LogFile that relate to file and folder changes. See the File Interactions report reference on page 48 for a complete list of column names and descriptions contained within this report. Overview The Overview report contains all records parsed from the $LogFile. It focuses on more LogFile detail than file detail within the records. See the Overview report reference on page 50 for a complete list of column names and descriptions contained within this report.

33 TRIFORCE ANJP USER S GUIDE 33 LogFile Events The LogFile Events report contains a listing of hits found after searching for LogFile events within the File Interactions report. See the LogFile Events report reference on page 51 for a complete list of column names and descriptions contained within this report. The following scenarios will result in an empty LogFile Events report: No LogFile was selected when the database was first created. Event processing was not performed on the database. See Processing Events on page 27. Event processing was performed but no LogFile events were selected using Event Selection. See Event Selection on page 27. Event processing was performed but no LogFile events were found. LogFile Time Anomalies Similar to the MFT Time Anomalies, the LogFile Time Anomalies report provides information on LogFile entries with timestamps that may suggest tampering with time. USN Reports USN Reports are report views generated by ANJP after parsing the $UsnJrnl:$J (USN) and processing events. NOTE: If a USN was not selected for parsing when the database was first created, all USN reports will be empty. USN Record Listing The USN Record Listing report contains all records parsed from the USN. See the USN Record Listing report reference on page 53 for a complete list of column names and descriptions contained within this report. USN Events The USN Events report contains the hits found after processing USN events against the USN Record Listing report. See the USN Events report reference on page 54 for a complete list of column names and descriptions contained within this report. The following scenarios can result in an empty USN Events report: No USN was selected for parsing when the database was first created. Event processing was not performed on the database. See Processing Events on page 27. Event processing was performed but no USN events were selected using Event Selection. See Event Selection on page 27. Event processing was performed but no USN events were found.

34 TRIFORCE ANJP USER S GUIDE 34 Other Reports Other Reports contains additional reports available for viewing. Log2Timeline The Log2Timeline report consolidates rows with timestamp information from the MFT File Listing, LogFile File Interactions, and USN Record Listing reports into a Log2Timline format. See the Log2Timeline report reference on page 55 for a complete list of column names and descriptions contained within this report. Events Summary The Events Summary report contains statistics related to event processing which includes the event IDs and hit counts for each event that was included when event processing was initiated. See the Events Summary report reference on page 56 for a complete list of column names and descriptions contained within this report.

35 TRIFORCE ANJP USER S GUIDE 35 Filtering Data This chapter discusses filtering a report currently being viewed within ANJP. Filtering Reports Report data within ANJP can contain such a wealth of information that finding relevant information may feel like trying to find a needle in a haystack. Filters help to narrow the report data haystack down to a manageable size. ANJP filters narrow report data using Logic, Columns, Conditions, and Values. Filter Logic Logic is used to enhance the filtering process by comparing multiple filters and decide if the filtered data should match all criteria (AND), or only needs to match one (OR). AND: Show filtered data where filter criteria 1 is true AND filter criteria 2 is true. Scenario: Filter for all.doc files created in February of Criteria 1: Filename contains.doc ; AND, Criteria 2: SIA Created Time contains OR: Show filtered data where filter criteria 1 is true OR filter criteria 2 is true. Scenario: Filter for files that have an extension of either.doc OR.xls. Criteria 1: Filename contains.doc ; OR, Criteria 2: Filename contains.xls

36 TRIFORCE ANJP USER S GUIDE 36 Columns, Conditions, and Values When adding filters in the Filter window, the Column selected determines what Conditions can be used and how the filter Value should be formatted. There are four types of Columns that determine what Conditions can be selected: Integers, Timestamps, Strings, and Event IDs. Integers When the Column selected contains integers, use values that are integer based. Table 3: Integer Filter Conditions Condition Description Sample Value For column selected, find a row that contains: == Equals Integers equal to < Less than 1024 Integers less than 1024 <= Less than or equal to 4096 Integers less than or equal to 4096 > Greater than Integers greater than >= Greater than or equal Integers greater than or equal to != Not equal to 1 Integers not equal to 1 <> Greater or Less than 0 Integers greater or less than 0 but not equal to Timestamps When the Column selected contains timestamps, use values that match the selected column s timestamp format. When using the Conditions LIKE or NOT LIKE, format the value using SQLite LIKE syntax, where the wildcard _ represents one character, and % represents one or more characters.

37 TRIFORCE ANJP USER S GUIDE 37 Table 4: Timestamp Filtering Examples Condition Description Sample Value For column selected, find rows that are: < Before Timestamps before :00: > After Timestamps after :00: LIKE Contains :% Timestamps in the twelfth hour of January 01, 2011 NOT LIKE Not contains 2014%:24:% Timestamps not at the 24 th minute in the year 2014 Strings When the Column selected contains strings, use values that are string based. Use SQLite syntax when using LIKE or NOT LIKE. Table 5: String Filter Conditions Condition Description Sample Value For column selected, find rows that are: LIKE Contains \Users\Admin Strings containing \Users\Admin NOT LIKE Not contains Directory Strings not containing Directory REGEXP Regular expression \\Windows\\.{1,} Strings matching \Windows\ followed by anything Event IDs When the Column selected contains Event IDs, the values will be in the form of a dropdown list containing Event IDs present in the current report. Table 6: Event ID Condition Samples Condition Description Sample Item For the column selected, find rows that are: LIKE Contains Creations Creation events NOT LIKE Not contains Deletions Not Deletion events

38 TRIFORCE ANJP USER S GUIDE 38 How to Create a Filter Start ANJP 1. Start ANJP. Go to the Reports tab and connect to a database. 2. Double-click a report from the Reports List to open it for viewing. Opening the Filter Window 3. Open the Filter window by either clicking the Filter button, or by right-clicking a cell within the report and selecting Filter By Value. Configuring the Filter 4. With the Filter window open select the Logic, Column, and Condition for the filter using the drop-down lists provided. See Columns, Conditions, and Values on page Enter a value in the Value field. Alternately, if the Filter By Value option was used, the Column drop-down and Value field will be automatically populated. Select a Condition from the dropdown list provided. Adding the Filter 6. Click Add to add the configured filter to the list. Filtering the Report 7. Click the Filter button to filter the report currently in view.

39 TRIFORCE ANJP USER S GUIDE 39 NOTE: While a report is being filtered, you will be unable to perform additional tasks within ANJP. The amount of time it takes to filter a report depends on how large the report is and how many filters are being applied. Additional Filter Options Exporting and Importing Filters When ANJP is closed, filters added during that session will be forgotten. Filters can be exported so that they may be imported and re-used at a later time. Exporting Filters: In the Filter window, click the Export button to export the filters for the report currently in view. Importing Filters: To import previously exported filters, click the Import button and select a filters file that is valid for the report currently in view. NOTE: When exporting and importing filters keep in mind that every report within ANJP has a different combination of columns. Filters created for one report might not be valid for another report. Therefore, it is recommended that the filename of the exported filters should include the name of the report to which the filter applies. Example: mft_file_listingfile_rcd_filter.txt Clearing Filters In the Filter window use the Clear button to remove all filters from the filter list and return the report to its unfiltered state. Removing Individual Filters In the Filter window remove individual filters by highlighting the filter to be removed and clicking Remove. Exporting Filtered Data If filters are applied to the report currently in view, export the filtered report by clicking Export in the Reports tab. See Exporting Reports to a File on page 40.

40 TRIFORCE ANJP USER S GUIDE 40 Exporting Reports This chapter discusses the export options available for a report currently being viewed. ANJP provides a number of options to export report data. Entire reports, filtered reports, or only selected rows can be exported to a text file or an Excel spreadsheet. Exporting Reports to a File Start ANJP 1. Start ANJP. Go to the Reports tab and connect to an ANJP database. 2. From the Reports List double-click a report to open it for viewing. Opening the Export Window 3. Open the Export window by clicking Export in the Reports tab. Configuring Export Options 4. With the Export window open, type the path and name to use for the exported report. Alternately, you can navigate to the folder and enter the filename by clicking the Browse button. 5. Configure the Delimiter, Export Type, Export Format, and Export Options. Export Options are covered below. Table 7: Export Options Export File Delimiter Export Type All Selected Export Format Text XLSX Export Options Overwrite Append Export Options The path and name to use for the exported report file. Delimiting character used to separate columns in the exported text report. Export all report data currently in view. Export only the report rows selected. Export the report data to a text file. Export the report data to an Excel spreadsheet. Overwrite the file specified in the Export File Field. If it does not exist, create a new file. Append the report data to the end of the file specified in the Export File Field. If the file does not exist, create a new file. Appending is not support for excel spreadsheets.

41 TRIFORCE ANJP USER S GUIDE Click Finish to export the report. NOTE: While a report is being exported, you will be unable to perform additional tasks within ANJP. The amount of time it takes to export a report depends on how much data is being exported and what Export Format is used. Sending Reports to ElasticSearch Individual reports can be sent to a pre-existing ElasticSearch node using ANJP s ElasticSearch Connection and Send to esearch options. NOTE: To use an ElasticSearch connection within ANJP, you must be connected to an ANJP database and have an existing ElasticSearch engine created, configured, functional, and accessible. How to Connect to an ElasticSearch Node and Send Reports In this section, the steps needed to connect to a pre-existing ElasticSearch node and send ANJP reports to ElasticSearch will be covered. Start ANJP 1. Open ANJP and go to the Reports tab. 2. Connect to a database. 3. From the Reports List double-click a report to open it for viewing. Opening the ElasticSearch Connection Window 4. To open the ElasticSearch Connection window go to Connections > ElasticSearch from the Menu bar. Connecting to a Node 5. Enter the node_ip:port (e.g :9200) of the ElasticSearch service. 6. Click Connect to establish the connection. NOTE: If ANJP is unable to establish a connection to ElasticSearch, a connection error message will be displayed.

42 TRIFORCE ANJP USER S GUIDE 42 Sending a Report to ElasticSearch 7. If a connection was successful, individual reports can be sent to ElasticSearch by right-clicking a report from the Reports List and clicking Send to esearch. NOTE: If the connection attempt was not successful or a previously established connection has timed out the Send to esearch option will be disabled.