1. Objects, Activities and Events

In this section we discuss the basic objects that are at the root of all information provided by NEXThink. Understanding and manipulating these objects is essential for creating investigations and obtaining good results with NEXThink V4. When we create or edit an investigation, the top of the page lists 19 elements categorized into 9 Objects, 6 Activities and 4 Events, as shown in the screenshots below.

[Screenshots: Object List, Activity List and Event List in NEXThink V4]

These elements are associated with a physical object on your network (e.g., a source) or a concrete activity (e.g., a connection). The following tables give an overview of the elements and their definitions:

| Objects | Description |
|---|---|
| Users | A Windows user account |
| Sources | A Windows machine on which the NEXThink Collector is installed |
| Packages | A software package (program or update) that is installed on a source |
| Applications | A set of executables grouped by a logic, normally the same product name (e.g. Microsoft Office) |
| Executables | A group of binaries with the same attributes such as name, product, company, etc. (e.g. all files named word.exe) |
| Binaries | A specific executable file (e.g. file c:/windows/word.exe with MD5 hash 0x123456789ABCDEF) |
| Ports | A port number associated with a UDP or TCP connection |
| Destinations | The destination machine of a connection |
| Printers | A local or network-connected printer |

Table 1 Objects

| Activities | Description |
|---|---|
| Installations | An installation (or uninstallation) of a package |
| Executions | One or more instances of binary executions |
| Connections | One or a set of UDP or TCP connections |
| Print jobs | A print job refers to a printer, a source and a user |
| System boots | A computer booting up to the Windows logon screen |
| User logons | A user logging into a Windows account on a computer |

Table 2 Activities

| Events | Description |
|---|---|
| Source warnings | Issues related to the computer as a whole, such as high CPU, I/O, memory or page faults |
| Execution warnings | A warning reported by a computer running a Windows executable |
| Source errors | An operational error from a computer running Windows |
| Execution errors | An error reported by a computer running a Windows executable |

Table 3 Events

1.1. Objects

1.1.1. Users

A NEXThink user is a Windows user. A User is identified by a security identifier (SID). In Windows environments there are three types of users:

  • System users, which have well-known SIDs, e.g., S-1-5-18.
  • Local users, whose SID is composed of the machine SID followed by a locally unique id.
  • Network users, whose SID is composed of a Windows domain SID followed by a domain-unique id.

The "Name" field of a User contains the following information:

  • "Local administrator", "NT Authority" or "Local system" for system users
  • the username of the User as defined in Active Directory, if AD is configured in the Engine and the SID can be found there
  • the local username otherwise; it appears in the format "username@source_name"

Note: To comply with privacy rules, the collected AD information and names of Users cannot be accessed by a NEXThink user unless explicit rights have been granted to their NEXThink user account.
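As an added example (not NEXThink code), the following Python classifies a SID into the three user types above and derives the Name field as described; the machine SID, domain SID, AD lookup table and local account table are constructed values, and the label assigned to each well-known SID is an assumption.

```python
import re

# Constructed context (not real environment values): the source's own
# machine SID, the domain SID(s) the Engine knows, the AD lookup table and
# the local account table of that source.
CTX = {
    "machine_sid": "S-1-5-21-1111111111-2222222222-3333333333",
    "domain_sids": {"S-1-5-21-4444444444-5555555555-6666666666"},
    "source_name": "WS-0042",
    "ad_configured": True,
    "ad_names": {"S-1-5-21-4444444444-5555555555-6666666666-1105": "jdoe"},
    "local_names": {"S-1-5-21-1111111111-2222222222-3333333333-1001": "labadmin"},
}
# Well-known SIDs treated as system users; which label NEXThink shows for
# each of them is an assumption of this example.
SYSTEM_SIDS = {"S-1-5-18": "Local system",   # LocalSystem
               "S-1-5-19": "NT Authority",   # LOCAL SERVICE
               "S-1-5-20": "NT Authority"}   # NETWORK SERVICE
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_sid(sid, ctx=CTX):
    """Return 'system', 'local', 'domain' or 'unknown'. Local and domain
    users share one shape (authority SID + relative id), so telling them
    apart needs the machine SID and the known domain SIDs."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid}")
    if sid in SYSTEM_SIDS:
        return "system"
    authority = sid.rpartition("-")[0]   # strip the trailing RID
    if authority == ctx["machine_sid"]:
        return "local"
    if authority in ctx["domain_sids"]:
        return "domain"
    return "unknown"


def user_name(sid, ctx=CTX):
    """Derive the Name field: a fixed label for system users, the AD
    username when AD is configured and knows the SID, otherwise the local
    username as username@source_name."""
    if classify_sid(sid, ctx) == "system":
        return SYSTEM_SIDS[sid]
    if ctx["ad_configured"] and sid in ctx["ad_names"]:
        return ctx["ad_names"][sid]
    local = ctx["local_names"].get(sid, "unknown")  # fallback label assumed
    return f"{local}@{ctx['source_name']}"
```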

1.1.2. Sources

A NEXThink source is a Windows machine on which the NEXThink Collector is installed. In a Windows workstation network, each host can be uniquely identified by its security identifier (SID). Unfortunately, networked workstations are most often deployed by cloning a master installation. If this is not done correctly, the security identifier is sometimes cloned as well.

This is why NEXThink identifies a machine not only by its SID but also by the MAC addresses of its network interfaces. Again, the uniqueness of the MAC addresses is the key factor in uniquely identifying a machine. However, identifying a unique source from MAC addresses that are not always unique is a complex task, for the following reasons:

  • Physical and logical network interfaces are difficult to tell apart on a Windows workstation. For example, a logical network interface used by a VPN connection gets a new MAC address on each new connection.
  • Some virtual machines assign a random MAC address to their network interface, and it may change at boot time if a conflict is detected.
  • Mobile network interfaces, e.g. Wi-Fi or GSM interfaces, can be moved from one machine to another.
  • Some network interface manufacturers do not even comply with the IEEE 802 standard regarding MAC address uniqueness.

The NEXThink V4 Engine uses black, grey and white lists based on the IEEE OUI and on known non-unique MAC address ranges as a heuristic to determine MAC address uniqueness. While this method has proved very robust, it has failed on some rare occasions. This is why, starting from version 3.2.1, when MAC addresses cannot be trusted to be unique, the NEXThink Engine also uses hardware-based information to ensure a proper and unique identification.

1.1.3. Packages

A package represents a software package installed on a machine and can be of two different types: "program" or "update". An "update" is always linked to the "program" it has patched. Packages are the items that can be observed in the "Add / Remove Programs" dialog of the Windows operating system.

1.1.4. Applications

An application is a set of executables bundled together by a software manufacturer to make a software product. For instance, the Firefox product is composed of the firefox.exe executable together with the updater.exe and crashreporter.exe executables. Some products, such as the Microsoft Windows operating system, are composed of a large number of executables; others consist of only one.

1.1.5. Executables

An executable is an executable program, which may correspond to a group of similar binaries. For instance, if three minor versions of winword.exe coexist on the same network, winword.exe is the executable program grouping the binaries with versions 10.0.6843, 10.0.2384 and 10.1.7853.

To map a new binary to the right application, the NEXThink Engine compares the executable, product and company names, as well as the path, of the new binary with those of the known binaries. If no known binary matches, a new product and application are created in the database.

Binaries whose resources do not contain any information about the software manufacturer are mapped into a special unknown group. While this is rarely the case for well-known manufacturers, it is quite often the case for free software compiled with the gcc compiler.

1.1.6. Binaries

A binary is a specific executable which can be identified by its MD5 checksum.

A binary is tagged with a version and may be installed in more than one directory. Standard controlled binaries are usually installed in a dedicated directory, but some executables, especially those deployed without any controlled install process, may be found in different directories. In a Windows environment, the product, software manufacturer and binary information may be extracted from the executable resources and are used to automatically sort binaries into applications and products. To avoid the NEXThink Collector reporting inconsistent paths, well-known directories are mapped into logical paths.

For instance, the NEXThink Collector maps C:\Program Files to %ProgramFiles% so that this well-known directory, which is subject to localization, is not reported as both C:\Program Files and C:\Programmes.

The NEXThink collector uses the following mapping:

  • System-wide aliases:
    • %Windows%: Windows installation directory, e.g. C:\WINDOWS\
    • %System%: Windows system directory, e.g. C:\WINDOWS\SYSTEM32\
    • %ProgramFiles%: directory where software is usually installed, e.g. C:\Program Files\
    • %NetDrive%: all network shares, e.g. \\SERVER1\
    • %RemovableDrive%: non-permanent storage devices, e.g. USB sticks or CD-ROM drives
    • %AllProfile%: directory containing data accessible by all users, e.g. C:\Documents and Settings\All Users\
  • User-specific aliases:
    • %UserProfile%: directory containing user-specific data, e.g. C:\Documents and Settings\johndoe\
    • %ProfileTemp%: directory where temporary files are usually stored, e.g. C:\Documents and Settings\johndoe\Local Settings\Temp\

Notes:

  • The Engine keeps a maximum of 20 paths per binary. If more than 20 paths are reported, the newest one replaces the oldest one.
  • Drive letters (C:\, D:\, etc.) of non-aliased paths are not kept in the internal database.
  • %ProfileTemp% is sometimes used as an alias for paths that look like a temporary location, e.g. C:\a213ebf232211208abde421\
  • It is not possible to bind a specific path to another object (e.g. a source or a user).
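The following Python, an added example rather than the Collector's own code, applies the alias mapping and the notes above to reported paths and keeps the 20-path bound per binary; the localized Programmes folder name and the hex-directory test for temporary locations are assumptions.

```python
import re
from collections import deque

MAX_PATHS = 20   # per-binary bound stated in the notes above

# Regexes tried in order against the start of a path (case-insensitive);
# longer prefixes come first so %System% wins over %Windows%. The localized
# "Programmes" folder and the hex temp-directory test are assumptions.
RULES = [
    (r"\\\\[^\\]+\\", "%NetDrive%"),
    (r"[a-z]:\\windows\\system32\\", "%System%"),
    (r"[a-z]:\\windows\\", "%Windows%"),
    (r"[a-z]:\\(?:program files|programmes)\\", "%ProgramFiles%"),
    (r"[a-z]:\\documents and settings\\all users\\", "%AllProfile%"),
    (r"[a-z]:\\documents and settings\\[^\\]+\\local settings\\temp\\",
     "%ProfileTemp%"),
    (r"[a-z]:\\documents and settings\\[^\\]+\\", "%UserProfile%"),
    (r"[a-z]:\\[0-9a-f]{16,}\\", "%ProfileTemp%"),   # looks like a temp dir
]
COMPILED = [(re.compile(p, re.IGNORECASE), alias) for p, alias in RULES]


def logical_path(path, removable_drives=()):
    """Replace a well-known prefix with its alias. Paths on a removable
    drive become %RemovableDrive%; the drive letter of any other
    non-aliased path is dropped, as the notes above describe."""
    if path[:1].upper() in {d.upper() for d in removable_drives} and path[1:3] == ":\\":
        return "%RemovableDrive%\\" + path[3:]
    for rx, alias in COMPILED:
        m = rx.match(path)
        if m:
            return alias + "\\" + path[m.end():]
    m = re.match(r"[a-z]:\\", path, re.IGNORECASE)
    return path[2:] if m else path


class BinaryPaths:
    """Paths reported for one binary, bounded to MAX_PATHS: once full, the
    newest reported path replaces the oldest one."""

    def __init__(self):
        self.paths = deque(maxlen=MAX_PATHS)

    def report(self, path, removable_drives=()):
        p = logical_path(path, removable_drives)
        if p not in self.paths:
            self.paths.append(p)   # deque evicts the oldest entry when full
        return p
```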

1.1.7. Ports

A port is identified by its port number and the associated connection type, i.e. UDP or TCP. There are two special NEXThink port group names:

  • multiple_tcp, which represents a detected TCP port scan. The first and last scanned ports can be found in the associated event. Note that events associated with a TCP port scan are always unsuccessful connection events.

  • multiple_udp, which represents a UDP port scan. The first and last scanned ports can be found in the associated event.

1.1.8. Destinations

A destination is identified by its IP address. There are two special destinations:

  • external, which represents the Internet or, more generally, networks that are not under NEXThink Engine supervision.

  • multiple, which represents a network scan.

The network mask on which the network scan took place can be found in the associated event. Events associated with a TCP network scan are always unsuccessful events.

Note on the NEXThink definition of external: the logical definition of the external network is deduced from the list of IP address ranges defined in the Engine configuration by the Engine administrator.

1.1.9. Printers

A printer is defined by its name, model, location and type.

1.2. Activities

1.2.1. Installations

An installation activity is generated each time a package is installed or uninstalled on a source. As the Windows operating system cannot signal installations and uninstallations, the NEXThink Collector polls the list of installed packages at regular intervals. If a change is detected, it creates the corresponding installation event. This is why the installation time reported by NEXThink is not the exact time of installation but the time at which the Collector detected that something had changed.

1.2.2. Executions

An execution represents the actual execution of a binary, i.e. a process running on the machine.

Executions have two possible status values:

  • stopped: the process has stopped

  • started: the process is currently running

Note that an Execution can also represent a binary executed by the Windows operating system itself. Reported activities of Windows kernel services are mapped to a special System binary group.

The lifespan attribute of executions indicates the duration of the process in relation to the investigated time frame:

  • Starts before the time frame and ends within it
  • Starts before the time frame and ends after it
  • Starts within the time frame and ends after it
  • Starts and ends within the time frame
  • Starts before the time frame
  • Starts during the time frame

1.2.3. Connections

The NEXThink Collector handles two connection types:

  • tcp, which represents a TCP connection
  • udp, which represents a UDP connection

In addition, there are four special NEXThink connection types reflecting TCP and UDP network and port scanning:

  • If a process makes unsuccessful TCP connections to more than 50 ports on the same destination within a 30-second period, those connections are automatically grouped into a TCP port scanning connection type (multiple_tcp).

  • If a process makes UDP connections to more than 50 ports on the same destination within a 30-second period, those connections are automatically grouped into a UDP port scanning connection type (multiple_udp).

  • If a process makes unsuccessful TCP connections to the same port on more than 50 different destinations within a 30-second period, those connections are automatically grouped into a TCP network scanning destination (multiple).

  • If a process makes UDP connections to the same port on more than 50 different destinations within a 30-second period, those connections are grouped into a UDP network scanning destination (multiple).
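As an added example (not Engine code), the following Python applies the four grouping rules above to a batch of connection records, honouring the 30-second window, the more-than-50 threshold and the rule that only unsuccessful TCP connections count; the record layout and the sample connections are constructed.

```python
from collections import defaultdict

WINDOW_S, THRESHOLD = 30, 50   # "more than 50 ... within a 30-second period"
# TCP statuses counted as unsuccessful (assumed from the status list below).
TCP_FAILED = {"no service", "no host", "rejected"}   # every UDP record counts


def detect_scans(conns):
    """conns: dicts with pid, proto ('tcp'/'udp'), dst, port, status, t (s).
    Returns (pid, proto, kind, key, first, last): port scans (multiple_tcp /
    multiple_udp) keyed by dst with first/last port; network scans
    ('multiple') keyed by port with first/last dst."""
    by_proc = defaultdict(list)
    for c in conns:
        if c["proto"] == "tcp" and c["status"] not in TCP_FAILED:
            continue   # successful TCP connections never contribute to a scan
        by_proc[(c["pid"], c["proto"])].append(c)
    found = []
    for (pid, proto), recs in by_proc.items():
        recs.sort(key=lambda c: c["t"])
        kind = "multiple_tcp" if proto == "tcp" else "multiple_udp"
        found += _scan_groups(pid, proto, recs, "dst", "port", kind)
        found += _scan_groups(pid, proto, recs, "port", "dst", "multiple")
    return found


def _scan_groups(pid, proto, recs, group_key, vary_key, kind):
    """Per group, slide a WINDOW_S window over time-sorted records; report the
    first window whose distinct vary_key values exceed THRESHOLD."""
    groups = defaultdict(list)
    for c in recs:
        groups[c[group_key]].append(c)
    out = []
    for key, g in groups.items():
        start = 0
        for end in range(len(g)):
            while g[end]["t"] - g[start]["t"] > WINDOW_S:
                start += 1
            if len({c[vary_key] for c in g[start:end + 1]}) > THRESHOLD:
                stop = end   # extend to the window's end so 'last' is the final port/dst
                while stop + 1 < len(g) and g[stop + 1]["t"] - g[start]["t"] <= WINDOW_S:
                    stop += 1
                out.append((pid, proto, kind, key, g[start][vary_key], g[stop][vary_key]))
                break   # one scan event per group
    return out


def sample_connections():
    """Constructed: pid 4242 hits ports 1..60 on 10.0.0.5 within 12 s, each
    answered 'no service', plus one normal established session elsewhere."""
    conns = [{"pid": 4242, "proto": "tcp", "dst": "10.0.0.5", "port": i,
              "status": "no service", "t": 100 + i * 0.2} for i in range(1, 61)]
    conns.append({"pid": 4242, "proto": "tcp", "dst": "10.0.0.9", "port": 443, "status": "established", "t": 101})
    return conns
```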

A TCP connection may have five different statuses:

  • established: The TCP connection has been accepted by the remote party and is still active.

  • closed: The TCP connection has been closed after being successfully established.

  • no service: The remote party acknowledged the initial SYN message with a RST message, i.e. the remote party exists but no service is bound to the requested port. Note: most personal computers are protected by a firewall that discards RST messages to prevent effective port scanning.

  • no host: The remote party does not acknowledge the SYN message, i.e. the remote party does not exist or is protected by a firewall.

  • rejected: The TCP connection was rejected by the remote server.

The lifespan attribute of connections indicates the duration of the connection in relation to the investigated time frame:

  • Starts before the time frame and ends within it
  • Starts before the time frame and ends after it
  • Starts within the time frame and ends after it
  • Starts and ends within the time frame
  • Starts before the time frame
  • Starts during the time frame

1.2.4. Print jobs

A print job is a unit of work to be run on a printer and can consist of printing one or more files. The system assigns a unique print job number to each job as it is generated.

A print job can have four different statuses:

  • printing: The print job is being processed by the printer

  • printed: The print job has been completed

  • timed out: The print job was not completed within a predefined period

  • error: There was an error in the print job

The start and end time, status, source name, number of pages, document type, printer name, printer model, document size, duplex print, color print and print quality are recorded.

1.2.5. System boot

A System boot is recorded when a computer completes the cycle from POST (Power-On Self-Test) until the Windows user logon screen is displayed. The source, the time and the period from the completion of POST to the display of the Windows user logon are recorded.

1.2.6. User logons

A User logon is recorded when a user logs into the Windows OS from the Windows logon screen.

The source, time, user name and the period from the entry of the Windows user logon credentials until the Windows OS accepts input from the user are recorded.

1.3. Events

1.3.1. Source Warnings

Source warnings are raised for high CPU, I/O, memory and page-fault usage and for other issues related to the source as a whole. Examples include:

  • More than 80% of CPU used during at least 5 minutes
  • More than 20Mb/s of disk read/write operation during at least 30 seconds
  • More than 80% of memory used during at least 5 minutes
  • More than 5000 page faults per second

Name, last IP address and time last seen are recorded.

1.3.2. Execution warnings

Execution warnings relate to the execution of a specific process. Examples:

  • More than 50% of CPU used during at least 30 seconds
  • More than 80% of memory used during at least 5 minutes

Start and end time, warning type, application name and binary version are recorded per source.

1.3.3. Source errors

The following source errors are recorded:

  • Blue screens
  • Hard resets (or abrupt system halt as a result of a crash or power failure)
  • SMART disk failure (Increase in disk writing errors or reallocated sectors)

Source name and last IP address are recorded.

1.3.4. Execution errors

An Execution error is recorded in the following cases:

  • An application is detected as 'not responding' by the system
  • The application crashes, i.e. it is terminated as a result of an error

Start time, execution error type, application name, executable name and binary version are recorded.

2. Editing object properties

Most NEXThink objects are defined by their collected properties, such as their name or, for an application, the company name. These properties can be altered using the object Edit capabilities. To edit an object property, select an object in a Finder result list, then right-click and select Edit (see Tagging Objects for more information).