Document export in QRadar Incident Forensics
In IBM QRadar Incident Forensics, every exported document except an exported pcap document includes the reconstructed document, the raw text of the document, its attributes, and any notes that are attached to it.
When you export a pcap document, no reconstruction is done: the export contains the captured packets of the connection the document came from, not the content that was assembled from them. For example, when you export the pcap for a web page, you get only what the browser downloaded over the main connection. Usually, most of the text content is downloaded over that connection. However, most modern browsers open several connections in parallel to fetch other items, such as style sheets and images, and those connections are not part of the export.
Complex protocols, such as FTP and VoIP, are another example. They use a main command and control connection and a separate data connection. If you export the pcap for a VoIP call or an FTP download, the data is not reconstructed, so the export might not contain what you expect.
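As an added example (not code from the QRadar Incident Forensics documentation or product), the following Python script models both cases above. It builds a constructed capture in which a page is fetched over one TCP connection and its style sheet and image over two others, writes out only the main connection the way a per-connection pcap export does, and then reports which resources the page references that the exported capture never requests. The same connection comparison applies to an FTP or VoIP control connection exported without its data connection. All addresses, ports, and payloads are constructed; the minimal pcap reader handles only Ethernet/IPv4/TCP frames and ignores checksums.

```python
"""Added example: a per-connection pcap export drops the other connections a page used.
Pure Python, constructed traffic, libpcap file format, Ethernet/IPv4/TCP only."""
import re
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4  # little-endian libpcap file, microsecond timestamps


def frame(src, sport, dst, dport, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame. Checksums stay zero: nothing here checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def pcap_bytes(frames):
    """Serialise frames into a libpcap file; the frame index doubles as its timestamp."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, f in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(f), len(f)) + f
    return out


def tcp_frames(data):
    """Yield (connection key, frame, TCP payload) for each IPv4/TCP frame in a pcap."""
    assert struct.unpack_from("<I", data, 0)[0] == PCAP_MAGIC
    off = 24
    while off < len(data):
        incl = struct.unpack_from("<IIII", data, off)[2]
        f = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if f[12:14] != b"\x08\x00" or f[23] != 6:  # not IPv4, or not TCP
            continue
        ihl = (f[14] & 0x0F) * 4
        src = ".".join(map(str, f[26:30]))
        dst = ".".join(map(str, f[30:34]))
        tcp = f[14 + ihl:]  # constructed frames carry no Ethernet padding
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        doff = (tcp[12] >> 4) * 4
        # Bidirectional key: both directions of one connection map to one entry.
        key = tuple(sorted([(src, sport), (dst, dport)]))
        yield key, f, tcp[doff:]


def connections(data):
    """Map each TCP connection to its payload bytes (both directions, capture order)."""
    out = defaultdict(bytes)
    for key, _, payload in tcp_frames(data):
        out[key] += payload
    return dict(out)


def export_connection(data, key):
    """Model a per-connection export: keep only the frames of one connection."""
    return pcap_bytes([f for k, f, _ in tcp_frames(data) if k == key])


def requested_paths(data):
    """Paths in HTTP GET request lines anywhere in the capture."""
    return {m.group(1).decode() for _, _, p in tcp_frames(data)
            for m in re.finditer(rb"^GET (\S+) HTTP/1\.[01]", p, re.M)}


def missing_dependencies(data):
    """Resources referenced by href/src in the capture that the capture never requests."""
    referenced = set()
    for payload in connections(data).values():
        for m in re.finditer(rb'(?:href|src)="([^"]+)"', payload):
            referenced.add(m.group(1).decode())
    return referenced - requested_paths(data)


# Constructed hosts and page content (example values, not from any real capture).
CLIENT, WEB, CDN = "10.0.0.5", "192.0.2.10", "203.0.113.7"
HTML = (b'<html><head><link rel="stylesheet" href="/site.css"></head>'
        b'<body><img src="/logo.png"></body></html>')


def http(sport, server, path, body, ctype):
    """One GET exchange on its own connection: request frame, then response frame."""
    req = b"GET %s HTTP/1.1\r\nHost: %s\r\n\r\n" % (path, server.encode())
    resp = (b"HTTP/1.1 200 OK\r\nContent-Type: %s\r\nContent-Length: %d\r\n\r\n%s"
            % (ctype, len(body), body))
    return [frame(CLIENT, sport, server, 80, req), frame(server, 80, CLIENT, sport, resp)]


def build_capture():
    """Full constructed capture: main page, then style sheet and image on two new connections."""
    return pcap_bytes(http(51000, WEB, b"/index.html", HTML, b"text/html")
                      + http(51001, WEB, b"/site.css", b"body{margin:0}", b"text/css")
                      + http(51002, CDN, b"/logo.png", b"\x89PNG\r\n\x1a\n", b"image/png"))


MAIN = ((CLIENT, 51000), (WEB, 80))  # the connection that carried the HTML


def demo():
    """Return (connections in full capture, connections in export, resources the export lacks)."""
    full = build_capture()
    exported = export_connection(full, MAIN)
    return len(connections(full)), len(connections(exported)), missing_dependencies(exported)


if __name__ == "__main__":
    n_full, n_exp, missing = demo()
    print(f"{n_full} connections captured, {n_exp} exported; not in export: {sorted(missing)}")
```

Run stand-alone, the script reports three connections in the capture, one in the export, and `/site.css` and `/logo.png` as referenced but absent. The same check against a real export needs a full dissector (tshark or scapy) rather than this deliberately minimal reader, and for FTP or VoIP the references to look for are the ports negotiated on the control connection rather than `href`/`src` attributes.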