Collections

Collections is a process that gathers, filters, and archives information from a wide variety of data sources. You can create a collection to gather data from a computer, network share, public data repository, email account, or any combination of these from within the application. A collection can be set up with filters so that only the files needed for the case are collected. After collection, the data is processed, reviewed for relevance, and transferred to legal counsel.

Table of Contents

  • Elements of Collection
  • Managing Collections
  • Configuring data sources for collection

Creating Collections

To create a collection:

  1. From the home page, click Collection.
  • The Manage page of Collection is displayed.
  2. Click Create New Collection.
  • The collection creation page is displayed.

Collection Options

  3. Select the Collection Type based on the descriptions below:
  • File Scan – To collect the target files themselves.
  • Agent Scan – To run endpoint agent jobs such as RAM/volatile analysis, Software Inventory, Agent Remediation and IOC/YARA threat scans. (Refer to the Agent Scan Collections section for details.)
  • Report Only – To collect only a list of the files on the endpoint, not their contents. This is used primarily to identify what a collection would gather before you collect it; the result is a report listed in the file list rather than the files themselves.
  4. Provide a Name for the collection.
  5. Provide a Description for the collection.
  6. Select the case associated with the collection from the Case drop-down field.

Note:  The Results Path, where the collected files will be stored, is populated automatically from the selected case. You can change the path if required. To do so:

  1. Click the Folder icon against the Results Path field.
  2. Enter the Server Path.
  3. Click Go to view the directories available on the server.
  4. Select the folder in which the results are to be saved.
  5. Click Select.

Target Options

  1. Select one of the Target Options described below, either Custodians or Data Sources.

Note:  Selecting Custodians with the Custom option collects only the data from the data sources assigned to each selected custodian. Selecting a source in the Data Sources section collects all data from that source, whether or not it is associated with a custodian.

Alternatively, the Group option collects all custodian-associated data sources within an assigned group.

  2. If using Custodians, enable the Custodians option and select any or all of the following data sources:
  • Select Custodian's Computers
  • Select Custodian's Shares
  • Select Custodian's Exchange
  • Select Custodian's Gmail
  • Select Custodian's OneDrive
  • Select Custodian's Box
  • Select Person's Google Drive

(OR)

  2. If using Data Sources, select any or all of the following:
  • Computers
  • Network Shares
  • SharePoint
  • Microsoft Teams
  • Slack
  • Box


Advanced Options

  1. Enable the Advanced Options Activated checkbox to configure the following advanced collection options.
  2. Select one of the following options for the AD1 Encryption field:
  • Disabled – Turns off encryption of the AD1 evidence image file.
  • Certificate – Encrypts the AD1 evidence image file with a certificate. Certificates use a public key for encryption and the corresponding private key for decryption, so only a holder of the private key can open the image. You can configure the certificates that appear in the drop-down menu.
  • Password – Encrypts the AD1 evidence image file with a password that you specify. The image is then only as strong as that password; prefer Certificate where you have a process for managing the private key.
  3. Enable Create AD1 Files on Agent to build the AD1 image on the endpoint itself. If you do, set AD1 Encryption so that the image is protected while it is at rest on the endpoint.
  4. Enable the Skip PST Creation checkbox to avoid creating a PST file when collecting email.
  5. Enable the Maximum Concurrent Agent(s) toggle to limit the number of agent jobs running concurrently.


Job Expiration

  1. From the Job Expiration field, select how long the system (site servers) should keep trying to contact the data sources in a job:
  • Single Attempt – To try once and terminate the job if that attempt fails.
  • Cancel Pending – To set a time after which a job that is still pending (its agents have not yet contacted the server) is terminated. Agents that have already contacted the server continue to run until the task is complete, regardless of the expiration time.
  • Cancel Incomplete – To set a time after which an incomplete job is terminated.

Warning:     When cancelling a recurring job, only the occurrence currently running in Site Server is cancelled. The next occurrence of the job starts at its appointed time.


Processing And Remediation Options

  1. Enable the Auto Process Collection option to process the evidence automatically.

Note:  If this option is disabled, you have to trigger processing manually (see Processing Collections).

  2. Select the required processing profile from the Processing Option drop-down field.

Auto Deploy

  3. Enable the Auto Deploy Agents option to deploy agents to the computers included in the collection. Refer to the Agent Credentials section.

Batching Options

  4. While multiple collections can run simultaneously, Batching Options let the jobs within a collection run in groups. For example, with Maximum Concurrent Agents set to 3, only 3 agent jobs run at once; the next batch of jobs starts when those finish.

Warnings:

  • Auto Deploy applies only when Computers is the Target Option selected under Custodians or Data Sources.
  • Auto Deploy is not available if multiple options are selected under Custodians or Data Sources.

  5. Click Save and Next.



Data Sources

Based on the data sources selected in the Target Options, the corresponding data source configuration sections are displayed. Detailed steps to configure each data source are provided in the Data Source Configuration section.


Scheduling & Approvers

  1. Select the Execution Mode for the collection:
  • Manual – You initiate the collection manually (see Executing Collections).
  • Scheduled – You configure a Collection Start Date on which the collection is initiated.
  • Automatic – The collection is initiated automatically once approved, according to the Approval Mode selected.
  2. Select the Approval Mode based on the descriptions below:
  • None – No approval is required for the collection.
  • By Role – Only users assigned one of the selected roles can approve this collection. After the collection is created, the job must first be approved and then executed.
  • By User List – Only the users selected in the corresponding list can approve this collection. After the collection is created, the job must be approved by all of the selected users and then executed.

Summary

  3. Review and ensure all the configurations made for the collection are correct.

Note:  You can click Back to return to the previous page to make changes.

  4. Click Submit Collection.

The collection is created and the process is initiated according to the selected Execution Mode.


Agent Scan Collections

You can run agent jobs ranging from remediation and software inventory to threat scans:

  • Software Inventory
  • Agent Remediation
  • Volatile Job
  • Threat Scan
  • Memory Acquisition
  • Memory Analysis


Setting up Agent Scan Jobs

To set up an agent scan job:

  1. From the homepage, click Collection.
  2. Click Create New Collection.
  • The Create New Collection page is displayed.
  3. Select the Collection Type as Agent Scan.
  4. Provide the collection's Name.
  5. Provide a brief description of the collection in the Description field.
  6. Select the case associated with the collection from the Case drop-down field.

Note:  The Results Path, where the collected files will be stored, is populated automatically from the selected Case. You can modify the path if required.

  7. Select the Computers option from the Data Sources column of the Target Options field.

Note:  Alternatively, you can enable the Custodians option > Select Person's Computers.

  8. Enable the Auto Process Collection option to process the evidence automatically.
  9. Enable the Auto Deploy Agents option if you want to deploy agents to the computers included in the job.
  10. Customize the Batching Options to run collection jobs on computers in batches.
  11. Click Save and Next.
  12. If Auto Deploy Agents was selected, you are taken to the Agent Operations section, where one of the following must be configured:
  • Install – Select to push an agent to the endpoint. This can cause the machine to restart without warning, so schedule installs on production systems accordingly.
    1. Make Public Instance – Configure the agent to check a public instance after the agent is installed.
    2. Agent Type: Local Storage
    3. Use Site Server Default Port – Use the default port the site server is listening on.
    4. Use Custom Port – Configure a custom port for the agent to use.
    5. Service Name – Configure the name of the agent service.
    6. Executable Name – Configure the name of the agent executable. Because both the service and executable names are configurable, endpoint controls that allow-list the agent should identify it by its signature or hash rather than by these names.

(OR)

  • Uninstall – Select to remove an agent from the endpoint.

  13. Click Save and Next.
  14. Select the required Computers.
  15. Select one of the Agent Scan Types.

Follow the sections below to configure each Agent Scan type.


Scheduling an Agent Scan Job

To schedule an agent scan job:

  1. From the Scheduling & Approvers section, select the Execution Mode as Scheduled.
  2. Check Enable Recurrence.
    1. Configure the Recurrence Pattern as required.
    2. Configure the End Recurrence as required.
  3. If required, select the Incremental Collection option in the Collection Options field. This lets you view data as soon as it becomes available rather than waiting for the whole collection to complete.


Software Inventory

The Software Inventory job retrieves data about the software installed on the machine as well as hardware utilization data. The installedsoftware.xml produced by this job is stored in the job data path of the job named during the collection.

To set up a software inventory job:

  1. Select Software Inventory as the Agent Scan Type.
  2. Click Save and Next.
  3. Configure the Scheduling & Approvers section based on your requirements.
  4. Click Save and Next.
  5. Click Submit Collection.

Tip:  The System Inventory column set in review mode can be used to review the system data efficiently.


Agent Remediation

The Agent Remediation job lets you stop processes, send and execute scripts, and delete files on the endpoint.

Note:  When executing or sending files, ensure the paths provided are absolute and not UNC paths.

Because Execute and Send File run content of your choosing on the endpoint and Delete file removes data from it, treat remediation collections as privileged changes: set an Approval Mode (By Role or By User List) in Scheduling & Approvers so that a second person must approve them before they execute.

To set up agent remediation:

  1. Select Agent Remediation as the Agent Scan Type.
  2. Click Add New Row in the Agent Remediation section.
  3. Select one of the following options for the Remediation Command field:
  • Kill process by process ID.
  • Kill all process by name.
  • Delete file.
  • Execute.
  • Send file.

Tip:  Multiple commands can be run by clicking Add New Row for each one.


Kill process by process ID

To kill processes by process ID on an endpoint:

  1. Ensure the Kill process by process ID option has been selected for the Remediation Command field.
  2. Enter the Process ID in the Remediation Data field.
  3. Click Save.
  4. Click Save and Next.
  5. Configure the Scheduling & Approvers section based on your requirements.
  6. Click Save and Next.
  7. Click Submit Collection.

Kill process by name

To kill processes by name on an endpoint:

  1. Ensure the Kill all process by name option has been selected for the Remediation Command field.
  2. Enter the process name in the Remediation Data field.
  3. Click Save.
  4. Click Save and Next.
  5. Configure the Scheduling & Approvers section based on your requirements.
  6. Click Save and Next.
  7. Click Submit Collection.

Delete File

To delete files on an endpoint:

  1. Ensure the Delete file option has been selected for the Remediation Command field.
  2. Provide the Description.
  3. Enter the Target File Path (for the file to be deleted).
  4. Click Save.
  5. Click Save and Next.
  6. Configure the Scheduling & Approvers section based on your requirements.
  7. Click Save and Next.
  8. Click Submit Collection.

Execute

To execute a file on an endpoint:

  1. Ensure the Execute option has been selected for the Remediation Command field.
  2. Provide a Description.
  3. Enter the Target File Path of the file to be executed. This is a file already present on the endpoint, for example Powershell.exe.
  4. Enter any Command Arguments if required.
  5. Enable the Spawn the process option to automatically start any processes during execution.
  6. Click Save.
  7. Click Save and Next.
  8. Configure the Scheduling & Approvers section based on your requirements.
  9. Click Save and Next.
  10. Click Submit Collection.

Send File

To send a file to an endpoint:

  1. Ensure the Send File option has been selected for the Remediation Command field.
  2. Provide a Description.
  3. Enter, or browse to and select, the Source File Path (the file being sent).
  4. Enter the Destination File Path (where the file will be stored on the endpoint).
  5. If required, select one of the following operations to perform with the sent file:
  • Delete File
  • Execute
    1. Arguments
  6. Click Save.
  7. Click Save and Next.
  8. Configure the Scheduling & Approvers section based on your requirements.
  9. Click Save and Next.
  10. Click Submit Collection.


Volatile Job

The Volatile Job analyses the processes, network connections and services running on the endpoint's operating system, as well as any (customizable) registry keys, using Volatility. The XML files Volatility generates are stored in the case folder. This data can be processed through Cerberus if required.

To set up a volatile job for an agent scan collection:

  1. Select Volatile Job for the Agent Scan Type field.
  2. Check the required Volatile Options.

Note:  If required, you can enable the Select All option to select all Volatile Options.

  3. Select one of the following Registry options:
  • None
  • Include Registry – To include information relating to the selected registry keys.
  • Include Registry On Disk – To include information relating to the selected registry keys, as well as any hidden values.
  4. After selecting a Registry option, choose one of the following pre-defined templates from the drop-down and click Add Rows From Template:
  • AutoStart
  • General
  • Hardware
  • UserActivity

Warning:  The template field is disabled if None is selected as the Registry option.

  5. Click Save and Next.
  6. Configure the Scheduling & Approvers section based on your requirements and click Save and Next.
  7. Click Submit Collection.

Note:  When collecting processes from a Linux endpoint, some processes may return a hash value of 0. This is expected: these items are forked processes, drivers or routines of a parent process.

Tip:  To classify volatile job results efficiently, use the ObjectType and ObjectSubType columns during review.


Threat Scan

Threat Scan jobs search the endpoint data for threats. They apply the filters defined in your IOCs and YARA rules to the data and alert you to suspicious files.

IOCs are XML documents that capture information about threats to your enterprise, including malware, registry changes, and memory artifacts. YARA rules are custom rules that you import to hunt for malware by values found in a binary or in physical memory.

Note:  When creating or locating a YARA rule, make sure that the rule identifier (on the first line of the rule) contains only alphanumeric characters and the underscore (_). For more information about writing YARA rules, see the YARA user manual at http://plusvic.github.io/yara/ .
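As an added example (not part of the FTK Central documentation or product), the following Python script checks the rule identifiers in a .yar file before you import it. It applies the identifier constraint from the note above plus the two further constraints the YARA user manual itself imposes (the first character cannot be a digit; at most 128 characters). The rule text it scans is a constructed sample; the script only parses rule headers, not full YARA syntax.

```python
import re
from typing import Optional

# Constructed sample rule file. Two of the four headers would be rejected.
SAMPLE_RULES = """\
rule good_rule_1 {
    strings: $a = "evil" condition: $a
}
rule bad-hyphen {
    condition: true
}
rule 2start_digit:win
{
    condition: false
}
private rule ok_private_rule { condition: true }
"""

# A rule header: optional 'private'/'global' modifiers, the keyword 'rule',
# then the identifier, which ends at whitespace, a tag colon or the '{'.
RULE_HEADER_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([^\s:{]+)")
ALLOWED_CHARS_RE = re.compile(r"^[A-Za-z0-9_]+$")
MAX_IDENT_LEN = 128  # YARA user manual limit; not stated on the FTK page


def identifier_problem(ident: str) -> Optional[str]:
    """Return why `ident` is not a valid YARA rule identifier, or None."""
    if not ALLOWED_CHARS_RE.match(ident):
        return "contains characters other than letters, digits and '_'"
    if ident[0].isdigit():
        return "starts with a digit"
    if len(ident) > MAX_IDENT_LEN:
        return f"longer than {MAX_IDENT_LEN} characters"
    return None


def check_rule_identifiers(source: str) -> list:
    """Scan the rule headers in `source` and return a list of
    (line_no, identifier, problem) for each identifier to fix before import."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        if line.lstrip().startswith("//"):
            continue  # skip line comments; block comments are not handled
        match = RULE_HEADER_RE.match(line)
        if match is None:
            continue
        ident = match.group(1)
        problem = identifier_problem(ident)
        if problem is not None:
            findings.append((line_no, ident, problem))
    return findings


if __name__ == "__main__":
    for line_no, ident, problem in check_rule_identifiers(SAMPLE_RULES):
        print(f"line {line_no}: rule '{ident}' {problem}")
```

Run it against the rule set before importing; a clean run means every rule header satisfies the note above and YARA's own identifier rules.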

 


Criteria for Successful IOCs

When creating or examining an IOC, make sure that it meets the following criteria:

  • The focus of the IOC should be narrow. Rules specified in the IOC should focus on one particular aspect rather than casting a wide net over the data. For example, instead of an IOC rule that examines an entire system, the rule should specify a file path within the system. Likewise, if the registry is to be examined, the IOC should examine a hive in the registry, not the full registry.

  • The IOC should not consume massive system resources. Rules specified in the IOC should avoid taxing system resources. For example, if you are searching for a specific item, specify that the IOC examines metadata, which can be restricted by a filter. If you specify that the IOC examines the inner details of files, the system must open and examine every file, which consumes far more resources.

  • An IOC with more indicator items is better than an IOC with fewer. Rules specified in the IOC should have as many indicator items as necessary, since each one filters the data down to a more manageable subset. For example, an IOC that searches for a file larger than 5 MB and smaller than 10 MB (5 MB < size < 10 MB) will be more successful than one that only searches for a file smaller than 10 MB (size < 10 MB).


IOC

To perform an IOC threat scan on an endpoint:

  1. Select Threat Scan as the Agent Scan Type.
  2. Click Import.
  • The Threat Filter Import Wizard prompt is displayed.

3. Select IOC for the Threat Filter Type field.

4. Click Next.

5. Click Add Files or Add Folder to browse and import the required set of rules.


Note:  You can enable the Directory processing is recursive option in order to process the child folders and files.



6. Click Save and Next.

7. If required, enter a Source, Category, Tag and Group.

8. Click Submit.

9. Check the imported rules.

10. If required, select and configure the required Advanced Options provided below: 

  • Perform String Content Search
  • Disable File Hashing
    1. Disable only for files larger than
  • Disable YARA for files larger than
  • Archive Drill Down

11. Click Save and Next.

12. Configure the Scheduling & Approvers section based on your requirements.

13. Click Save and Next.

14. Click Submit Collection.




YARA

To perform YARA threat scans on an endpoint:

  1. Select Threat Scan as the Agent Scan Type.
  2. Click Import.
  • The Threat Filter Import Wizard prompt is displayed.

3. Select YARA for the Threat Filter Type field.

4. Click Next.

5. Click Add Files or Add Folder to import the required set of rules.



Note:  You can enable the Directory processing is recursive option in order to process the child folders and files.


 

6. Click Save and Next.

7. Select any of the following YARA Advanced Filtering options:

  • Target Process – Applies the YARA rule to memory and running processes.
  • Target Files – Applies the YARA rule to files. You can filter the files by the following:
    1. Extension – Filter files by extension. List multiple extensions in a comma-separated list. You can filter extensions with either an equal or a not equal operator, and use a star (*) as a wildcard.
    2. Path Contains – Filter files by a fragment of their path. You can enter a partial path or a fully qualified path.
    3. File Size (Bytes) – Filter files by size using one of the operators any, equal, greater than, or less than. Specify the size in bytes, kilobytes, or megabytes.
    4. File Creation Date – Filter files by creation date using one of the operators any, range, or single. For range, you can specify either outside of the range or between the range.
    5. File Modified Date – Filter files by modification date using the same operators as File Creation Date.
    6. File Last Accessed Date – Filter files by last accessed date using the same operators as File Creation Date.
  • Target Both – Applies the YARA rule to both memory and files.


8. Click Save and Next.

9. If required, enter the information for Source, Category, Tag and Group fields.

10. Click Submit.

11. Check the imported rules.

12. If required, select any of the below provided Advanced Options

  • Perform String Content Search
  • Disable File Hashing
    1. Disable only for files larger than 
  • Disable YARA for files larger than 
  • Archive Drill Down

13. Click Save and Next.

14. Configure the Scheduling & Approvers section based on your requirements.

15. Click Save and Next.

16. Click Submit Collection.
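As an added example that is not part of the FTK Central documentation or product, the Python below implements the Target Files criteria from step 7 (extension with a * wildcard and an equal/not equal operator, Path Contains, File Size with any/equal/greater than/less than in bytes, kilobytes or megabytes, and the three dates with any/single/range between/outside) and applies them to constructed file metadata. It also makes the point of the Criteria for Successful IOCs section concrete: filter rows are ANDed, so the page's "larger than 5 MB and smaller than 10 MB" pair, tightened with a path fragment, a date window and an extension list, leaves far fewer files for the scanner to open and hash than "smaller than 10 MB" alone. The class and field names are this example's own, not the product's.

```python
from dataclasses import dataclass
from datetime import date
from fnmatch import fnmatch

KB, MB = 1024, 1024 ** 2
UNITS = {"bytes": 1, "kilobytes": KB, "megabytes": MB}


@dataclass(frozen=True)
class FileMeta:
    """Metadata the scanner can read without opening the file."""
    path: str
    size: int
    created: date
    modified: date
    accessed: date

    @property
    def ext(self) -> str:
        name = self.path.replace("\\", "/").rsplit("/", 1)[-1]
        return name.rsplit(".", 1)[1].lower() if "." in name else ""


@dataclass(frozen=True)
class TargetFilesFilter:
    """One row of Target Files criteria; fields left at their defaults
    match everything, like the 'any' operator in the UI (names are ours)."""
    extensions: tuple = ()        # e.g. ("docx", "ex*"); '*' is a wildcard
    ext_operator: str = "equal"   # "equal" or "not equal"
    path_contains: str = ""
    size_operator: str = "any"    # "any", "equal", "greater than", "less than"
    size_value: float = 0
    size_unit: str = "bytes"
    created: tuple = ("any",)     # ("any",) | ("single", d) | ("between", lo, hi) | ("outside", lo, hi)
    modified: tuple = ("any",)
    accessed: tuple = ("any",)


def _ext_ok(f: FileMeta, flt: TargetFilesFilter) -> bool:
    if not flt.extensions:
        return True
    hit = any(fnmatch(f.ext, pat.strip().lower()) for pat in flt.extensions)
    return hit if flt.ext_operator == "equal" else not hit


def _size_ok(f: FileMeta, flt: TargetFilesFilter) -> bool:
    if flt.size_operator == "any":
        return True
    limit = flt.size_value * UNITS[flt.size_unit]
    return {"equal": f.size == limit,
            "greater than": f.size > limit,
            "less than": f.size < limit}[flt.size_operator]


def _date_ok(d: date, spec: tuple) -> bool:
    kind = spec[0]
    if kind == "any":
        return True
    if kind == "single":
        return d == spec[1]
    inside = spec[1] <= d <= spec[2]
    return inside if kind == "between" else not inside


def matches(f: FileMeta, flt: TargetFilesFilter) -> bool:
    return (_ext_ok(f, flt)
            and flt.path_contains.lower() in f.path.lower()
            and _size_ok(f, flt)
            and _date_ok(f.created, flt.created)
            and _date_ok(f.modified, flt.modified)
            and _date_ok(f.accessed, flt.accessed))


def select(files, filters) -> list:
    """Files satisfying every filter row. Rows are ANDed, so each extra row
    narrows the set the scanner must open and hash."""
    return [f for f in files if all(matches(f, flt) for flt in filters)]


# Constructed sample metadata for one endpoint; not real collection output.
SAMPLE_FILES = [
    FileMeta("C:/Users/alice/Downloads/invoice.docx", 6 * MB, date(2024, 3, 1), date(2024, 3, 2), date(2024, 3, 5)),
    FileMeta("C:/Users/alice/Downloads/setup.exe", 12 * MB, date(2024, 2, 10), date(2024, 2, 10), date(2024, 3, 6)),
    FileMeta("C:/Windows/System32/kernel32.dll", 700 * KB, date(2023, 1, 1), date(2023, 1, 1), date(2023, 1, 1)),
    FileMeta("C:/Users/bob/AppData/Roaming/run.ps1", 2 * KB, date(2024, 3, 4), date(2024, 3, 4), date(2024, 3, 4)),
    FileMeta("C:/Users/bob/Documents/report.pdf", 8 * MB, date(2023, 12, 20), date(2023, 12, 21), date(2024, 1, 15)),
    FileMeta("C:/Users/alice/AppData/Local/Temp/stage.dll", 5 * MB + 1, date(2024, 3, 3), date(2024, 3, 3), date(2024, 3, 3)),
]

MARCH_2024 = (date(2024, 3, 1), date(2024, 3, 31))

# The page's own contrast: "smaller than 10 MB" alone versus
# "larger than 5 MB and smaller than 10 MB", tightened further here.
BROAD = [TargetFilesFilter(size_operator="less than", size_value=10, size_unit="megabytes")]
NARROW = [
    TargetFilesFilter(size_operator="greater than", size_value=5, size_unit="megabytes"),
    TargetFilesFilter(size_operator="less than", size_value=10, size_unit="megabytes"),
    TargetFilesFilter(path_contains="Users", modified=("between",) + MARCH_2024),
    TargetFilesFilter(extensions=("docx", "dll")),
]
NOT_EXECUTABLES = [TargetFilesFilter(extensions=("ex*",), ext_operator="not equal")]
ACCESSED_OUTSIDE_MARCH = [TargetFilesFilter(accessed=("outside",) + MARCH_2024)]


def files_to_open(files, filters) -> int:
    """How many files the YARA engine would have to open under `filters`."""
    return len(select(files, filters))


if __name__ == "__main__":
    print("broad :", files_to_open(SAMPLE_FILES, BROAD), "files to open")
    print("narrow:", files_to_open(SAMPLE_FILES, NARROW), "files to open")
```

On the sample set the broad filter leaves five files to open while the narrow set leaves two, which is the resource argument of the IOC criteria in miniature: cheap metadata checks first, and the expensive open-and-hash step only for what survives them.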


 

Collecting Matched Files

When a Threat Scan completes and has found matches on an endpoint, FTK Central creates a Threat Scan Filter in the case. The item is listed in the review grid as Threat Scan Filter. Besides the names of the matched files, the filter includes each file's path, created date, modified date, accessed date, MD5 hash and size.

To collect the matched files:

  1. From the homepage, click Case.
  2. Select a case in which a threat scan job has completed successfully.
  3. Click on the case name.
  4. Click Enter Review.
  5. Locate the Threat Scan Filter in the grid.
  6. Check the required files to be collected.
  7. Click Collect Files.

The matched items are collected automatically and the processed files are displayed in the case Review.


Memory Acquisition

Executes a memory acquisition job that can include the page file and packages the output in an archive file. The file is stored in the jobs folder of the case configured during collection.

To acquire memory from an endpoint:

  1. Select Memory Acquisition as the Agent Scan Type.
  2. Select the required Memory Acquisition options:
  • Include a page file
  • Include Archive file
  3. Click Save and Next.
  4. Configure the Scheduling & Approvers section based on your requirements.
  5. Click Save and Next.
  6. Click Submit Collection.


Memory Analysis

Executes a memory analysis job collecting DLLs, Drivers, Handles, Registry, Sockets, and VAD information.


To configure the memory analysis job:

  1. Select Memory Analysis as the Agent Scan Type.
  2. Select the required Memory Analysis options:
  • Include Interrupt Descriptor Table Analysis
  • Include Service Descriptor Table Analysis
  • Include Driver Analysis
  • Include DLLs
  • Include Handles
  • Include Sockets
  • Include VAD
  • Include Crypto
  • Include Registry

3. Click Save and Next.

4. Configure the Scheduling & Approvers section based on your requirement.

5. Click Save and Next.

6. Click Submit Collection.


Tip:  The Memory Analysis column set in review mode can be used to review memory data efficiently.


Job Template

Creating a Job Template

Job templates let you save a pre-configured collection to speed up later collection creation. A template's values can still be edited when it is used, if required.

To create a job template:

  1. From the homepage, click Collections.
  2. Click Create New Collection.
  • The Create New Collection page is displayed.
  3. Configure the Collection Options.
  4. Enable the Save As Job Template ONLY option to save the configured information as a template for later use.

Note:  You can enable the Include Target Options in Template option to also save the Target Options configuration to the template.

  5. Select further collection options.

Note:  Changes made to the collection plan after enabling the Save As Job Template ONLY option are also saved to the template.

  6. Click Submit Template.


Selecting a Job Template

To select a job template:

  1. From the homepage, click Collections.
  2. Click Create New Collection.
  • The Create New Collection page is displayed.
  3. Configure the Collection Options.
  4. Enable the Use Job Template option.
  5. Select the required template from the drop-down list.
  6. On selecting the template, its saved information is populated into the relevant fields.

Notes:

  • You can delete the selected job template by clicking the Delete Job Template icon displayed against it.
  • If the Include Target Options in Template option was enabled when the template was created, the corresponding targets are also selected during collection creation.


Managing Collections

After creating a collection, depending on the approval, execution, and processing options chosen, you will have to manage the collection to complete it. This section helps you manage a collection at its various statuses.

Depending on the stage a collection is at, it has one of the following 8 statuses:

  • Not Started – The collection has been created but no data has been retrieved.
  • Collecting – The collection process has started and data is being collected.
  • Completed – The collection is complete and data has been retrieved.
  • Cancelled – The collection has been cancelled.
  • Terminated – The collection has been terminated by a user.
  • Failed – The collection has failed.
  • Completed with Errors – The collection is complete, but some errors occurred during collection.
  • Pending – The collection is yet to start, pending approval.

Tip: To filter the grid efficiently, enter a keyword into the search box at the top of any grid and click the search button or press Enter.


Approving Collections

Depending on the Approval Mode selected, the collection has to be approved before it can be executed.

Warning: If multiple approvers were selected during collection creation, all of the selected users must approve the collection.

To approve a collection:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Approve Collection.
  • The Job Approve prompt is displayed.
  4. Click Approve.

Notes:
  • You can click Approve & Execute to approve and execute the collection in one step.
  • Once approved, the collection process is initiated according to the Execution Mode configured for the collection.


Executing Collections

Executing a collection starts the process of collecting data from the target data sources. Depending on the execution mode selected, you may have to trigger execution manually. Note that a collection can be executed only after it has been approved.

To execute a collection:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Execute Collection.
  • The Job Execution prompt is displayed.
  4. Click Yes.


Processing Collections

If you process a collection automatically, the full collection is processed each time. For example, the first collection processes 100 files, the second 105 files, and the third 145 files.

During review you will therefore see 350 files. If the same file occurs in all three collections, its object name is identical each time, but each occurrence has a unique ObjectID.

To process a collection:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Process Collection.
  • The Job Process prompt is displayed.
  4. Click Yes.


Cancelling Collection Process

To cancel a collection process:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Cancel Collection.
  • The Job Cancellation prompt is displayed.
  4. Click Yes.


Resubmitting Collections

Collection jobs can be stopped or fail for a variety of reasons. Resubmitting a collection lets you run the collection job against the target again.

To resubmit a collection job:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Resubmit Collection.
  • The Resubmit Job prompt is displayed.
  4. Provide a name for the resubmitted collection in New Job Name.
  5. Select one of the following Resubmit Types:
  • Include Failed Items Only – To collect only the files that failed.
  • Include all Incomplete Items Only – To collect all the files that were not collected in the previous iteration.
  • Include all Failed Files (Shares Only) – To collect all the files that were not collected in the previous iteration from the Network Shares data source only.
  • Copy Job – To duplicate the collection and re-execute it according to the Collection Option selected below.
  6. Select one of the following Collection Options:
  • Full – To collect all the files present in the data sources associated with the collection.
  • Incremental – To collect only the files added to the associated data sources since the previous collection run.
  7. Click Resubmit.


Viewing Collection Details

You can view a snapshot of a collection, including its name, progress (as a percentage), total volume of files collected, time taken to collect the files, number of data sources targeted, last collected file, and so on.

To view the collection details:

  1. From the home page, click Collection.
  2. Click on the Context menu against the required collection.
  3. Click on Collection Details.
  • The Collection Progress prompt is displayed.

Note:  You can click the Responsive File Path button against the required data source to view the path where the collected files are stored.


Generating Reports for Collections

You can generate detailed information reports on collected files, emails, file statistics, remediated files, etc. of a collection. 

Warning:     You can generate a report only after the collection is processed.

 

 

To generate the reports specific to a collection:

  1. From the home page, click Collection.
  2. Click on the Context menu  against the required collection.
  3. Click on Collection Details.
  4. From the Collection Progress pop-up, click on the Download Reports button  .

 


5. Select any of the reports below to download it in .xlsx format.

  • Details Report – Provides a detailed snapshot of the collection, including the collection options, data sources, and collection results (success/failure) for each node.
  • Results Report – Displays the collection results for the job. When a collection job collects emails, FTK Central generates an EmailID for each email; the EmailID is displayed in a column of the Collected Email and Failed Email tabs of the job’s results report.
  • Errors Report – Displays a breakdown of failed targets and the errors associated with the collection.

Note: Microsoft Teams data sources collected via ‘Export API’ have the following limitations in the Results Report:

  • The ‘File Breakout’ tab is empty, because exported chats are collected as message files.
  • Files attached to messages are not displayed under the ‘Collected Files’ tab.
  • The ‘Subject’ column under the ‘Collected Email’ tab is empty, because chats are collected as email files.






Tip:  The downloaded reports will also be available in the Case Folder Path.



To generate a system-wide collection report:

  1. From the home page, click Collection.
  2. Click the Generate System Wide Collection report button.

A job is initiated to generate the System Wide Collection report. When the job completes, you can download the report from the Job Queue.

 


Editing Collections

To edit a collection:

  1. From the home page, click Collection.
  2. Click the Context menu against the required collection.
  3. Click Edit Collection.
  • The Edit Collection page is displayed.
  4. Make the necessary changes.
  5. Click Submit Collection.

Deleting Collections

To delete a collection:

  1. From the home page, click Collection.
  2. Click the Context menu against the required collection.
  3. Click Delete Collection.
  • The Please confirm prompt is displayed.
  4. Click Delete.



Reviewing Collections

The Review icon opens the case associated with a collection directly in review mode.

To review a collection:

  1. From the home page, click Collection.
  2. Click the Review icon against the required collection.
  • The associated case opens in review mode.

Data Source Configuration for Collection

To collect information from the required data sources, select the required options under Target Options while creating a collection. The Custodians and Data Sources options are mutually exclusive: you can target either Custodians or Data Sources, not both.

Notes:

  • The options under Custodians are enabled only after you select the Custodians checkbox.
  • You can select more than one option under Custodians or Data Sources.
  • Review the Creating Collections section before attempting a data source collection.


Custodian-based Collections

To configure a custodian-based collection, select the required data sources under the Custodians section, then:

  1. Select the required custodians from the list.
  2. Click Save and Next.

Depending on the data sources selected, any or all of the following data sources must then be configured:

Computers

Computer-based collections are endpoint collections with the configuration options listed below.


Auto Deploy Agents

The Auto Deploy Agents option applies only when Computers is selected under Target Options, either for Custodians or for Data Sources.

After you enable the Auto Deploy Agents checkbox and click Save and Next, the Agent Operations section is displayed. Select from the following options:


  • Uninstall – Removes the agent from the machine.
  • Install – Pushes the agent to the machine. Note that the agent install may cause the machine to restart without warning.
  • Make Public Instance – Configures the agent to check a public instance after it is installed.
  • Configure Periodic Check-In – Configures the agent to check in with the server periodically.
  • Agent Type (Local Storage) – The agent uses local files for configuration and data, and is installed so that it persists after a reboot.
  • Use Site Server Default Port – Forces the agent to use port 54545.
  • Use Custom Port – Enter the port designated for communication with the agent.
  • Service Name – Enter the name under which the agent service is displayed.
  • Executable Name – Enter the name of the agent executable file.

After you select the required agent operations and click Save and Next, you are taken to the Custodians section. If Auto Deploy Agents is not selected in the Collection Options section, the Agent Operations section is skipped and you go directly to the Custodians section.

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Computers section.

  1. Select the required computers from the list.
  2. Click Save and Next.

Warning:     You cannot collect all of the data from a computer. To perform a targeted collection, the Include/Exclude filters must contain at least one of the Extension, Size, Date, Path, Luhn, Keyword, or MD5 Hash filter properties.

Batching Options

Although multiple collections can run simultaneously, Batching Options let jobs run in groups. For example, setting Maximum Concurrent Agents to 3 allows only 3 jobs to run at once; when they finish, the next batch of jobs starts.

Advanced Filter Options

You can configure the Advanced Filters section in the right pane to collect only the required information, based on the type of collection. The applicable filters for each collection type are listed below.

For Filtered Collection:

Source Type
  • File System – Collects the drives from the target’s file system.
  • Logical Disk – Collects only the target’s logical drive space.
  • Physical Disk – Collects the target’s entire physical drive.

Search Type
  • Siteserver – Searches using the Site Server.
  • Agent & Siteserver – Searches first with the agent and then with the Site Server.
  • Agent – Searches files using the agent.

Other options
  • Collect System Files – Searches system files that are normally hidden from view. Files whose names begin with “$” hold system metadata; on NTFS, the $MFT holds the file system records for all files.
  • Scan Deleted Files – Scans the free space of a partition for files matching the filter criteria.
  • Scan Unused Disk Area – Scans unallocated disk space for files matching the filter criteria.
  • Archive Drill Down – If any of the data sources contain archive files with compressed files of interest, this option opens the archives as part of the job and checks their contents against the keywords supplied in the keyword filter.
  • Collect Responsive Archives – Collects any archive that contains files matching the filter criteria.
  • Custom Drill Down Extensions – Lets you specify the extensions for the archive drill down. If you do not specify any, the default extensions are used.
  • Include Deleted Files – Scans the free space of a partition for files matching the filter criteria.
  • Use Internal File Identification – Uses the software’s internal file identification when checking file extensions.
  • Collect Non-Extension Files – Collects all files that do not have an extension.
  • Collect Unsearchable Encrypted Files – Collects encrypted files that cannot be opened to search for the keyword filter criteria.
  • Enable PreScan – Scans the collection target before collecting. Enables accurate completion percentages, file counts, and size predictions on the Real Time Status screen.
  • Parse $I30 INDX Records – Gets additional information about deleted files from the NTFS directory index ($I30) records.
  • Exclude Removable Drives/Media – Excludes removable drives recognized by Site Server from the collection. This option is available only for collection jobs. Not all removable drives are recognized as such, so this option may not exclude all removable drives.

For Full Disk Acquisition:

A Full Disk Acquisition job collects the entire contents of a computer’s hard drive, so the advanced options include fewer choices:

  • Collect from Target Options
    1. Logical Disk – Collects only the target’s logical drive space.
    2. Physical Disk – Collects the target’s entire physical drive. You can choose the sectors required.
  • Use Redirected Acquisition – Uses the agent to push the collected data directly to the Job Data path given on the Job Options screen, instead of moving it to the temporary storage location first and then to the Job Data path.

Include/Exclude Filter Options

When creating a filtered collection, Include/Exclude filters are available. The list below covers all options available when creating a File Scan or Report Only collection.


  • Filter Name – Lets you name a filter so that it can be saved as a template.
  • Extensions – Filters files by extension. List multiple extensions in a comma-separated list, with or without a leading full stop. You can match extensions with either an equal or a not-equal operator, and you can use a star (*) as a wildcard. Examples:
    • Extension with a full stop: .pdf
    • Multiple extensions with spaces: .pdf, .jpg
    • Multiple extensions without spaces: pdf,jpg
    • Combination of extensions with and without full stops: .pdf, jpg
  • Path – Filters files whose path contains the given value. You can enter a partial path or a fully qualified path. For example, adding “confidential” includes all folders with “confidential” in the path. Examples:
    • Forward slashes: //data/49ers
    • Multiple folders: D:\Files\New test\Credit Card
    • Parent folder as a filter, matching all of its child folders: D:\Files\New test\
  • File Size (bytes) – Filters files by size using one of the operators any, equal, greater than, or less than. Specify the size in bytes, kilobytes, or megabytes.
  • File Creation Date – Filters files by creation date using one of the operators any, range, or single. For range, you can match either between the range or outside of it.
  • File Modified Date – Filters files by modification date using the same operators: any, range, or single. For range, you can match either between the range or outside of it.
  • File Last Accessed – Filters files by last-accessed date using the same operators: any, range, or single. For range, you can match either between the range or outside of it.

  • Keywords – Includes files that match any or all of the keywords or regular expressions entered in the text field. When writing queries for the Keyword(s) field, use the terms AND and OR to refine your search. For example:
    • Apple AND orange returns files containing both the terms apple and orange.
    • Apple OR orange returns files containing either the term apple or the term orange.
    • (Apple AND orange) OR (banana) returns files containing both apple and orange, or files containing banana.
    • ‘Apple and orange’ OR banana returns files containing the phrase “apple and orange”, or files containing banana.

  • Credit Card Numbers – Used in conjunction with the Keyword option; includes files containing credit card numbers, identified with a Luhn test. The Luhn test distinguishes valid credit card numbers from what could be a random sequence of digits.
  • Search File Name Only – Used in conjunction with the Keyword option; restricts the keyword search to file names.
  • Custom – Lets you include a custom regular expression, entered in regular-expression syntax, for example \d\d\d\d. Dashes cannot be used in a custom regex expression; for example, \d\d\d\-\d\d\-\d\d\d\d is not supported.
  • MD5 Hash – Lets you add specific MD5 hash values to be included in the job. MD5 is adequate for matching known files by hash, but it is not collision resistant, so an MD5 match on its own should not be treated as proof that a file is the expected one.
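The Keyword and Credit Card Numbers options above combine a boolean keyword query with a Luhn check. The following Python is an added example, not code from FTK Central or its documentation, that implements both over a constructed text sample: a small parser for AND/OR queries with parentheses and quoted phrases (treating terms as case-insensitive substrings, and lowercase and/or outside quotes as operators, are assumptions made here), plus a scanner that finds 13- to 19-digit runs and keeps only those that pass the Luhn checksum. A Luhn-valid run is not proof of a real card number; the test only rejects random digit sequences, so expect false positives in documents full of numeric identifiers.

```python
import re
from typing import List

# Curly quotes (as in the ‘Apple and orange’ example) are read as straight quotes.
_QUOTES = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})
_TOKEN = re.compile(r'''"([^"]*)"|'([^']*)'|(\()|(\))|([^\s()"']+)''')

def tokenize(query: str) -> List[tuple]:
    """Split a query into (kind, text) tokens: TERM, AND, OR, LPAREN, RPAREN."""
    tokens = []
    for m in _TOKEN.finditer(query.translate(_QUOTES)):
        dq, sq, lp, rp, word = m.groups()
        if dq is not None or sq is not None:          # quoted phrase
            tokens.append(("TERM", (dq if dq is not None else sq).lower()))
        elif lp or rp:
            tokens.append(("LPAREN" if lp else "RPAREN", ""))
        elif word.upper() in ("AND", "OR"):
            tokens.append((word.upper(), ""))
        else:
            tokens.append(("TERM", word.lower()))
    return tokens

class _Parser:
    """Recursive descent: OR binds loosest, AND tighter, parentheses group."""
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0
    def _peek(self):
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def _take(self):
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of query")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("unbalanced parentheses")
        return node
    def _or(self):
        node = self._and()
        while self._peek() == "OR":
            self._take()
            node = ("OR", node, self._and())
        return node
    def _and(self):
        node = self._atom()
        while self._peek() == "AND":
            self._take()
            node = ("AND", node, self._atom())
        return node
    def _atom(self):
        kind, text = self._take()
        if kind == "LPAREN":
            node = self._or()
            if self._take()[0] != "RPAREN":
                raise ValueError("missing )")
            return node
        if kind == "TERM":
            return ("TERM", text)
        raise ValueError(f"unexpected {kind}")

def keyword_match(query: str, content: str) -> bool:
    """True when content satisfies the query; terms and phrases are
    case-insensitive substring matches (an assumption of this example)."""
    text = content.lower()
    def ev(node):
        if node[0] == "TERM":
            return node[1] in text
        left, right = ev(node[1]), ev(node[2])
        return (left and right) if node[0] == "AND" else (left or right)
    return ev(_Parser(tokenize(query)).parse())

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right (minus 9 if
    over 9); the digit sum must be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

# 13 to 19 digits, optionally separated by spaces or dashes, not inside a longer digit run.
_CARD = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(content: str) -> List[str]:
    """Return the Luhn-valid candidates. Luhn only rejects random digit runs;
    it does not prove a number belongs to a real card, so expect false positives."""
    found = []
    for m in _CARD.finditer(content):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample content, not real custodian data. The second number fails Luhn.
SAMPLE = "Apple and orange pie. Card on file: 4111 1111 1111 1111; ref 1234-5678-9012-3456."

if __name__ == "__main__":
    print(keyword_match("(Apple AND orange) OR (banana)", SAMPLE), find_card_numbers(SAMPLE))
```

Run it and the query matches while only the first number survives the Luhn test; swap in a quoted phrase such as ‘Apple and orange’ to see phrase matching, and note that 1234-5678-9012-3456 is rejected even though it looks like a card number.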


 

 

Network Shares

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Network Shares section.

  1. Select the required network share locations from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Advanced Filter Options

You can configure the Advanced Filters section in the right pane to collect only the required information, using any of the filters below:

  • Collect System Files – Searches system files that are normally hidden from view. Files whose names begin with “$” hold system metadata; on NTFS, the $MFT holds the file system records for all files.
  • Archive Drill Down – If any of the data sources contain archive files with compressed files of interest, this option opens the archives as part of the job and checks their contents against the keywords supplied in the keyword filter.
  • Collect Responsive Archives – Collects the archive/container files (ZIP, RAR, and so forth) of any responsive file when using the drill-down option.
  • Custom Drill Down Extensions – Lets you specify the extensions for the archive drill down. If you do not specify any, the default extensions are used.
  • Collect Non-Extension Files – Collects all files that do not have an extension.
  • Use Internal File Identification – Uses the software’s internal file identification when checking file extensions.
  • Collect Unsearchable Encrypted Files – Collects encrypted files that cannot be opened to search for the keyword filter criteria.
  • Enable PreScan – Scans the collection target before collecting. Enables accurate completion percentages, file counts, and size predictions on the Real Time Status screen.

Exchange

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Exchange section.

  1. Select the required Exchange mailbox connectors from the list, and ensure the Connector Type is set appropriately. The Exchange Admin Center (EAC), Exchange Web Services (EWS), Export API, and Graph API options appear in the drop-down list if they are configured.
  2. Select additional collection options if required (applicable to EWS and Graph API collections only):
    • Include Recoverable Deletes – Collects deleted items. Deletions are enabled by default in Exchange. No folder path is needed, because no folder structure is retained for these items.
    • Include Recoverable Purges – Collects purged (hard-deleted) items. To collect purges from an Exchange server, purges must be enabled on the server. No folder path is needed, because no folder structure is retained for these items.
    • Include Recoverable Versions – Collects saved versions of items. To collect versions from an Exchange server, versions must be enabled on the server. No folder path is needed, because no folder structure is retained for these items.
    • Include Archive Mailbox – Collects from the custodian’s archive mailbox.
  3. In the Mailbox Folder Path(s) field, enter the name of the folder whose data you want to collect. You can enter multiple folder names separated by commas (,) to collect the data in all of the specified folders.
  4. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Gmail

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Gmail section.

  1. Select the required Gmail mailbox connectors from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

OneDrive

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the OneDrive section.

  1. Select the required OneDrive connectors from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Google Drive

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Google Drive section.

  1. Select the required Google Drive connectors from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Box

After you select the required custodians and click Save and Next in the Custodians section, you are taken to the Box section.

  1. Select the required Box connectors from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Data Sources 

To configure data sources for collection, select the required options under Data Sources; any or all of the following data sources must then be configured.

Note:  Review the Creating Collections section before attempting a data source collection. Additionally, if you are collecting from a GCC environment, refer to the Office 365 Credentials section.

Computers

Auto Deploy Agents

The Auto Deploy Agents option applies only when Computers is selected under Target Options, either for Custodians or for Data Sources.

After you enable the Auto Deploy Agents checkbox and click Save and Next, the Agent Operations section is displayed. Select from the following options:
  • Uninstall – Removes the agent from the machine.
  • Install – Pushes the agent to the machine. Note that the agent install may cause the machine to restart without warning.
  • Make Public Instance – Configures the agent to check a public instance after it is installed.
  • Configure Periodic Check-In – Configures the agent to check in with the server periodically.
  • Agent Type (Local Storage) – The agent uses local files for configuration and data, and is installed so that it persists after a reboot.
  • Use Site Server Default Port – Forces the agent to use port 54545.
  • Use Custom Port – Enter the port designated for communication with the agent.
  • Service Name – Enter the name under which the agent service is displayed.
  • Executable Name – Enter the name of the agent executable file.

After you select the required agent operations and click Save and Next, you are taken to the Computers section. If Auto Deploy Agents is not selected in the Collection Options section, the Agent Operations section is skipped and you go directly from the Collection Options section to the Computers section.

  1. Select the required computers from the list.
  2. Click Save and Next.

Warning:     You cannot collect all of the data from a computer. To perform a targeted collection, the Include/Exclude filters must contain at least one of the Extension, Size, Date, Path, Luhn, Keyword, or MD5 Hash filter properties.

Advanced Filter Options

You can configure the Advanced Filters section in the right pane to collect only the required information, based on the type of collection. The applicable filters for each collection type are listed below.

For Filtered Collection:

Source Type
  • File System – Collects the drives from the target’s file system.
  • Logical Disk – Collects only the target’s logical drive space.
  • Physical Disk – Collects the target’s entire physical drive.

Search Type
  • Siteserver – Searches using the Site Server.
  • Agent & Siteserver – Searches first with the agent and then with the Site Server.
  • Agent – Searches files using the agent.

Other options
  • Collect System Files – Searches system files that are normally hidden from view. Files whose names begin with “$” hold system metadata; on NTFS, the $MFT holds the file system records for all files.
  • Scan Deleted Files – Scans the free space of a partition for files matching the filter criteria.
  • Scan Unused Disk Area – Scans unallocated disk space for files matching the filter criteria.
  • Archive Drill Down – If any of the data sources contain archive files with compressed files of interest, this option opens the archives as part of the job and checks their contents against the keywords supplied in the keyword filter.
  • Collect Responsive Archives – Collects any archive that contains files matching the filter criteria.
  • Custom Drill Down Extensions – Lets you specify the extensions for the archive drill down. If you do not specify any, the default extensions are used.
  • Include Deleted Files – Scans the free space of a partition for files matching the filter criteria.
  • Use Internal File Identification – Uses the software’s internal file identification when checking file extensions.
  • Collect Non-Extension Files – Collects all files that do not have an extension.
  • Collect Unsearchable Encrypted Files – Collects encrypted files that cannot be opened to search for the keyword filter criteria.
  • Enable PreScan – Scans the collection target before collecting. Enables accurate completion percentages, file counts, and size predictions on the Real Time Status screen.
  • Parse $I30 INDX Records – Parses $I30 INDX records to get additional information about deleted files.
  • Exclude Removable Drives/Media – Excludes removable drives recognized by Site Server from the collection. This option is available only for collection jobs. Not all removable drives are recognized as such, so this option may not exclude all removable drives.

Note: $I30 INDX records are the NTFS MFT attributes that hold the file name index of a directory.

For Full Disk Acquisition:

A Full Disk Acquisition job collects the entire contents of a computer’s hard drive, so the advanced options include fewer choices:

  • Collect from Target Options
    1. Logical Disk – Collects only the target’s logical drive space.
    2. Physical Disk – Collects the target’s entire physical drive. You can choose the sectors required.
  • Use Redirected Acquisition – Uses the agent to push the collected data directly to the Job Data path given on the Job Options screen, instead of moving it to the temporary storage location first and then to the Job Data path.

Batching Options

Although multiple collections can run simultaneously, Batching Options let jobs run in groups. For example, setting Maximum Concurrent Agents to 3 allows only 3 jobs to run at once; when they finish, the next batch of jobs starts.

Network Shares

After you select the required options under Data Sources and click Save and Next in the Collection Options section, you are taken to the Network Shares section.

  1. Select the required network share locations from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Advanced Filter Options

You can configure the Advanced Filters section in the right pane to collect only the required information, using any of the filters below:

  • Collect System Files – Searches system files that are normally hidden from view. Files whose names begin with “$” hold system metadata; on NTFS, the $MFT holds the file system records for all files.
  • Archive Drill Down – If any of the data sources contain archive files with compressed files of interest, this option opens the archives as part of the job and checks their contents against the keywords supplied in the keyword filter.
  • Collect Responsive Archives – Collects the archive/container files (ZIP, RAR, and so forth) of any responsive file when using the drill-down option.
  • Custom Drill Down Extensions – Lets you specify the extensions for the archive drill down. If you do not specify any, the default extensions are used.
  • Collect Non-Extension Files – Collects all files that do not have an extension.
  • Use Internal File Identification – Uses the software’s internal file identification when checking file extensions.
  • Collect Unsearchable Encrypted Files – Collects encrypted files that cannot be opened to search for the keyword filter criteria.
  • Enable PreScan – Scans the collection target before collecting. Enables accurate completion percentages, file counts, and size predictions on the Real Time Status screen.

SharePoint

After you select the required options under Data Sources and click Save and Next in the Collection Options section, you are taken to the SharePoint section.

  1. Select the required SharePoint locations from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Microsoft Teams

After you select the required options under Data Sources and click Save and Next in the Collection Options section, you are taken to the Microsoft Teams section.

  1. Select the required Microsoft Teams accounts from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Slack

After you select the required options under Data Sources and click Save and Next in the Collection Options section, you are taken to the Slack section.

  1. Select the required Slack accounts from the list.
  2. Click Save and Next.

Note:  You can filter the files from the data source by using the Include/Exclude filters.

Collection Filters for Data Sources

Before configuring collection filters for a data source, review the filter behaviors below; the configuration steps follow them.

Filter behaviors

The following are the fundamentals of using filters:

  • Keyword queries use AND and OR: When writing queries for the Keyword(s) field, use the terms AND or OR to refine your search. For example, “Apple AND Oranges” returns only files containing both the terms “apple” and “oranges”.
  • Extensions accept wildcards: In the Extension field, you can use an asterisk (*) as a wildcard. For example, doc* includes both .DOC and .DOCX. You can specify multiple extensions by separating them with commas.
  • Paths match folders and sub-folders: In the Path field, you can include or exclude files based on folders or sub-folders on the share or computer. You can specify folders in the following ways:
    1. Include or exclude a complete folder name, for example \\documents\my_Work_files\
    2. Include or exclude a folder name using wildcards, for example *work*
    3. Spaces within a folder name are allowed, for example shared files
    You can specify multiple paths by separating them with commas.
  • Multiple properties in one filter are combined with AND: When you add a filter, you can configure one or more properties within it, and the properties are combined with AND. For example, if you add an inclusion filter that specifies an extension of PDF and a file size greater than 2 MB, the logic is “PDF” AND “>2 MB”: the results include only PDF files larger than 2 MB.
  • Multiple values in the same property are combined with OR: When you provide more than one value for the same property, the values are combined with OR. For example, an inclusion filter with the two extensions “DOCX, XLSX” includes both DOCX and XLSX files.
  • Path always takes precedence: If you include a path as a property in a filter, any other properties in the same filter apply only within that path. Suppose you target the network share \\documents, create an inclusion filter for the folder my_Work_files, and in the same filter specify the extension PDF. Only the PDF files in the my_Work_files folder are included.
  • Inclusion and Exclusion filters are combined with AND: You can add both an Inclusion filter and an Exclusion filter to get the required data. For example, specify an Inclusion filter with the extension PDF and an Exclusion filter with file size greater than 3 MB. The result includes only PDF files that are 3 MB or smaller.
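The rules above are easy to get wrong in combination, so here is an added Python example (not FTK Central’s own code) that implements them over constructed file metadata: comma-separated values within a property are ORed, properties within one filter are ANDed (which is what makes path take precedence), and inclusion and exclusion are ANDed. The FileInfo and Filter types, the operator names, and the rule that any one of several inclusion filters may match are assumptions made for the example.

```python
import fnmatch
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

KB, MB = 1024, 1024 * 1024

@dataclass
class FileInfo:
    path: str
    size: int        # bytes
    created: date

@dataclass
class Filter:
    """One Include or Exclude filter; every property set on it is ANDed."""
    name: str
    extensions: str = ""               # "pdf, .docx, doc*"; wildcards allowed
    extension_not_equal: bool = False  # the "not equal" extension operator
    paths: str = ""                    # "D:\\Files\\New test\\, *work*"
    size_op: str = "any"               # any | equal | greater | less
    size_value: int = 0                # bytes
    created_op: str = "any"            # any | single | between | outside
    created_range: Tuple[Optional[date], Optional[date]] = (None, None)

def _values(raw: str) -> List[str]:
    """Comma-separated values of one property; they are ORed together."""
    return [v.strip() for v in raw.split(",") if v.strip()]

def _norm(path: str) -> str:
    """Compare paths case-insensitively and regardless of slash direction."""
    return path.replace("\\", "/").lower()

def _extension_ok(f: FileInfo, flt: Filter) -> bool:
    values = _values(flt.extensions)
    if not values:
        return True
    name = _norm(f.path).rsplit("/", 1)[-1]
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    # A leading full stop is optional; "doc*" matches both doc and docx.
    hit = any(fnmatch.fnmatchcase(ext, v.lstrip(".").lower()) for v in values)
    return not hit if flt.extension_not_equal else hit

def _path_ok(f: FileInfo, flt: Filter) -> bool:
    values = _values(flt.paths)
    if not values:
        return True
    p = _norm(f.path)
    # Path is a "contains" test: a partial path or a *wildcard* pattern both work.
    return any(fnmatch.fnmatchcase(p, "*" + _norm(v).strip("*") + "*") if "*" in v
               else _norm(v) in p for v in values)

def _size_ok(f: FileInfo, flt: Filter) -> bool:
    return {"any": True, "equal": f.size == flt.size_value,
            "greater": f.size > flt.size_value,
            "less": f.size < flt.size_value}[flt.size_op]

def _created_ok(f: FileInfo, flt: Filter) -> bool:
    lo, hi = flt.created_range
    if flt.created_op == "any":
        return True
    if flt.created_op == "single":
        return f.created == lo
    inside = lo <= f.created <= hi
    return inside if flt.created_op == "between" else not inside

def matches(f: FileInfo, flt: Filter) -> bool:
    """All configured properties must hold (AND). Since the path test is part of
    that conjunction, the other properties only apply inside the given path,
    which is the "path always takes precedence" rule."""
    return (_extension_ok(f, flt) and _path_ok(f, flt)
            and _size_ok(f, flt) and _created_ok(f, flt))

def responsive(files: List[FileInfo], includes: List[Filter],
               excludes: List[Filter]) -> List[str]:
    """Inclusion and exclusion are ANDed: a file is responsive when it satisfies
    an inclusion filter and no exclusion filter. Assumption not stated on the
    page: with several inclusion filters, matching any one of them suffices."""
    out = []
    for f in files:
        included = not includes or any(matches(f, i) for i in includes)
        if included and not any(matches(f, e) for e in excludes):
            out.append(f.path)
    return out

# Constructed sample metadata, not data from a real collection.
SAMPLE_FILES = [
    FileInfo(r"D:\Files\New test\Credit Card\report.PDF", 1 * MB, date(2023, 5, 2)),
    FileInfo(r"D:\Files\New test\Credit Card\scans.pdf", 5 * MB, date(2022, 1, 9)),
    FileInfo("//data/49ers/roster.docx", 300 * KB, date(2023, 8, 30)),
    FileInfo(r"C:\Users\alice\work files\plan.doc", 80 * KB, date(2021, 11, 3)),
    FileInfo(r"C:\Windows\System32\kernel32.dll", 700 * KB, date(2020, 6, 1)),
]

if __name__ == "__main__":
    # Include PDFs and exclude anything larger than 3 MB: only the 1 MB PDF remains.
    print(responsive(SAMPLE_FILES, [Filter("pdf", extensions="PDF")],
                     [Filter("big", size_op="greater", size_value=3 * MB)]))
```

The path check is deliberately a substring or wildcard match after normalising slashes and case, which is why the //data/49ers and D:\Files\New test\ forms from the examples above both work; a real deployment would also need to decide whether a bare folder name may match in the middle of a longer folder name.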

 

To configure the collection filters for a data source:

  1. From the data source section, click Include/Exclude.
  • The Apply Filter prompt is displayed.
  2. Provide a name for the filter in Filter Name.
  3. Select whether to Include or Exclude the filtered files by enabling the required option in the top right corner of the prompt.
  4. Configure the required filters as described in Filter behaviors.
  5. Click Apply.

Note:  You can enable the Save Filter as Template checkbox to save the configured filter as a template.


Load Saved Filters

To load a saved filter:

  1. From the required data source section, click Load Saved Filter.
  • The Load Saved Filter prompt is displayed.

Note:  You can click Delete against the required filter template to delete it.