Getting started with forensics investigations

To get started with forensics investigations in IBM QRadar Incident Forensics, use the Quick Start menu to navigate and filter data that is in the forensics repository. This launchpad contains pre-defined summary queries that you can use to start a search or get relationships for an entity.

To get started, follow these guidelines:

  1. Start a forensics recovery or search from an offense on the Offenses tab.
    • If you right-click an offense or any IP address and run a forensics recovery, forensics retrieves the raw capture data for the specified time ranges from the capture device, extracts and rebuilds documents, and then adds the results to the forensics repository.
    • If you right-click an offense or any IP address and run a forensics search, the forensics repository is filtered and searched for that IP address. Results are then shown in the main grid on the Forensics tab. You can refine your search by building queries.

    When QRadar Incident Forensics receives a search request, it processes the packet capture data and puts it back into the format that was sent to the intended recipient. Microsoft Word documents, for example, are recovered as Word files. Voice-over-IP phone calls are recovered as audio files. The recovered files are then indexed by using both metadata and file contents to make them searchable.

  2. On the Forensics tab, click Quick Start.

    After you run a recovery or a search, instead of doing free-form searches and building your own queries, you can quickly start your investigation by using the pre-defined queries from the Quick Start menu on the Forensics tab. For example, you can look at the Suspect Content category and run one of its queries, such as entity alert. Suspect content is based on a defined set of rules about content that signifies suspicious activity. An entity alert flags a possibly malicious entity that is involved in breaching a security policy.

    The content categorization and filtering capabilities help to reduce the volume of data that is returned.

  3. From the Grid, select documents to look at.

    QRadar Incident Forensics returns prioritized search results. Similar to the way that a search engine ranks sites in an Internet search, the most frequent occurrences appear at the top of the list.

    You can start to pivot the data by clicking links and searching the metadata that is associated with the document. The data pivot capabilities provide various search views and data summaries.

  4. To investigate relationships between all actions and the security incident, in the document view, right-click a link and select Get relations for.

    After you investigate attributes, filter the information that you gather by connecting entities.

  5. Click Digital Impressions to follow the identity trail and get a compiled set of associations.

    A digital impression is an index of metadata that can help identify suspected attackers or rogue insiders by following malicious user trails. In building these relationships, QRadar Incident Forensics uses data from network sources such as IP addresses, MAC addresses, and TCP ports and protocols. It can find information such as chat IDs, and it can read information such as author identification from word processing or spreadsheet applications. A digital impression can help uncover associations by linking the entity’s identity to identifying information for other users or entities.
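The following example is added here to illustrate the ideas behind steps 3 to 5 (frequency-ranked results, "Get relations for" on one entity, and a digital impression that follows the identity trail across several links). It is not QRadar Incident Forensics code and does not use its schema: the field names (`src_ip`, `mac`, `author`, `chat_id`, and so on) and the five metadata records are constructed for the demonstration. It models the forensics repository as an inverted index from (field, value) entities to the recovered documents that carry them, ranks co-occurring entities by how often they appear together, and then walks that relation graph a fixed number of hops from a seed entity.

```python
from collections import Counter, defaultdict

# Constructed sample metadata, as a repository might hold it after documents are
# recovered from packet capture. Field names are hypothetical, not a product schema.
DOCUMENTS = [
    {"id": "d1", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "mac": "00:11:22:33:44:55",
     "protocol": "tcp/443", "author": "j.doe", "chat_id": None},
    {"id": "d2", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.7", "mac": "00:11:22:33:44:55",
     "protocol": "tcp/25", "author": "j.doe", "chat_id": None},
    {"id": "d3", "src_ip": "10.0.0.9", "dst_ip": "198.51.100.7", "mac": "00:11:22:33:44:66",
     "protocol": "tcp/5222", "author": None, "chat_id": "jdoe_chat"},
    {"id": "d4", "src_ip": "10.0.0.9", "dst_ip": "203.0.113.10", "mac": "00:11:22:33:44:66",
     "protocol": "tcp/443", "author": "m.roe", "chat_id": "jdoe_chat"},
    {"id": "d5", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "mac": "00:11:22:33:44:55",
     "protocol": "tcp/443", "author": None, "chat_id": None},
]

# Metadata fields that identify an entity (network sources plus document/chat metadata).
ENTITY_FIELDS = ("src_ip", "dst_ip", "mac", "protocol", "author", "chat_id")


def build_index(documents):
    """Invert the metadata: (field, value) -> set of ids of documents that carry it."""
    index = defaultdict(set)
    for doc in documents:
        for field in ENTITY_FIELDS:
            value = doc.get(field)
            if value is not None:
                index[(field, value)].add(doc["id"])
    return index


def search(index, value):
    """Find every document in which `value` appears in any entity field, which is
    what an IP-driven search from an offense does: the IP may be source or destination."""
    hits = set()
    for (_field, v), doc_ids in index.items():
        if v == value:
            hits |= doc_ids
    return sorted(hits)


def get_relations(index, documents, entity):
    """'Get relations for' one entity: every other (field, value) that co-occurs with it
    in the same documents, most frequent first, like the prioritized grid."""
    by_id = {d["id"]: d for d in documents}
    counts = Counter()
    for doc_id in index.get(entity, set()):
        doc = by_id[doc_id]
        for field in ENTITY_FIELDS:
            value = doc.get(field)
            if value is not None and (field, value) != entity:
                counts[(field, value)] += 1
    # Highest co-occurrence count first; ties broken by (field, value) for determinism.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def digital_impression(index, documents, seed, max_hops=2):
    """Follow the identity trail: starting from `seed`, repeatedly collect related
    entities up to `max_hops` links away. Returns {entity: hops_from_seed}."""
    seen = {seed: 0}
    frontier = [seed]
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for entity in frontier:
            for related, _count in get_relations(index, documents, entity):
                if related not in seen:       # keep the shortest trail to each entity
                    seen[related] = hop
                    next_frontier.append(related)
        frontier = next_frontier
    return seen


if __name__ == "__main__":
    idx = build_index(DOCUMENTS)
    print("documents mentioning 203.0.113.10:", search(idx, "203.0.113.10"))
    for related, count in get_relations(idx, DOCUMENTS, ("src_ip", "10.0.0.5")):
        print(f"  {count}x {related}")
    trail = digital_impression(idx, DOCUMENTS, ("author", "j.doe"), max_hops=2)
    for related, hops in sorted(trail.items(), key=lambda kv: kv[1]):
        print(f"  hop {hops}: {related}")
```

With the constructed data, the relations for source IP 10.0.0.5 put its MAC address at the top (it appears in all three of that host's documents), and the two-hop impression seeded from the document author `j.doe` reaches the chat ID and the second author only through the shared destination servers, which is the kind of association a manual pivot would otherwise have to discover one link at a time.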