
Forensic Analysis

This feature may not be available on all platforms. Check the actual page for your system to see whether your device provides this feature.

This example shows how to view the threats across the whole network in depth and how to analyze the threat evidence.

Forensic Analysis collects an evidence chain for network threats, analyzes it from multiple perspectives and presents it in an integrated view.

  • Evidence Collection: With the Forensic Analysis function (packet capture) configured, evidence is collected at the same time an attack is detected.
  • Evidence Analysis: The collected evidence is analyzed.
  • Evidence Presentation: The threat details, logs and evidence pcap are displayed in iCenter, so that the threat is visualized.

Configuration Steps

At present, the system supports the Forensic Analysis function for three threat detection engines only (Advanced Threat Detection, Intrusion Prevention System, Anti Virus).

Advanced Threat Detection

Enable packet capture for Advanced Threat Detection; the system then captures packets whenever it generates a log.

Select Network > Zone, select the "trust" zone, click Edit, and select the <Threat Protection> tab. Select the Capture Packets check box.

Intrusion Prevention System

1. Enable packet capture for IPS rules; this enables capture for all protocols in the profile.

Select Object > Intrusion Prevention System, click New, and select the Enable check box to enable packet capture.

2. If required, configure packet capture for a specific protocol.

Select Object > Intrusion Prevention System, click the protocol type in the IPS rules list (for example 'DHCP'), and select the Enable check box to enable packet capture for the different attack levels.

Anti Virus

Enable packet capture for Anti Virus rules.

Select Object > Antivirus, click New, and select the Enable check box next to Capture Packet to enable the capture function.

Forensic Analysis Configuration Example

The following walks through the Forensic Analysis process, taking Advanced Threat Detection (ATD) as the example.

Step 1: Threat Detection

Enable Advanced Threat Detection and packet capture.

Select Network > Zone. Select the "trust" zone, click Edit, and select the <Threat Protection> tab.

  • Advanced Threat Detection: Select the Enable check box.
  • Capture Packets: Select the check box; the system then saves the evidence packets and allows them to be downloaded.

Step 2: Evidence Collection

When an ATD attack occurs, the system generates the relevant threat log and captures evidence, which is sent to the system database.

At the same time, the Advanced Threat Detection engine captures a relational pcap keyed on the source IP: the HTTP traffic (including the TCP interaction) for up to 5 minutes or up to 64K in size. This capture is used to assist the analysis.

Step 3: Evidence Analysis

1. Analyze the evidence and obtain the threat detail information.
2. Collect the results of the evidence analysis.

Step 4: Evidence Presentation

1. Display the threat information, including the threat name, type, severity, victim host, attack host, etc.

Click iCenter and select the Threat tab.

Click the threat name link in the list, to view the threat details.

2. View the evidence details.

Select the <Details> tab and click View PCAP.

3. View the relational pcap details.

Select the <Details> tab and click Relational Pcap.

4. Download the evidence.

Select the <Details> tab and click Download Pcap; the evidence is downloaded to the local machine.
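Once the evidence pcap has been downloaded, the analysis step usually starts with a quick triage of what the capture contains: the capture window, its size against the 5-minute / 64K relational-pcap limits described in Step 2, the TCP flows involved, and the HTTP request lines that show which hosts the victim contacted. The following is an added example, not code from the cookbook or from the product; it parses a classic libpcap file with the Python standard library only (Ethernet/IPv4/TCP) and summarizes it. The sample capture it builds (`build_sample_pcap`, addresses from the RFC 5737 documentation ranges, hostnames under `example.test`) is constructed here for illustration and is not real evidence.

```python
import re
import socket
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")


def pcap_records(data):
    """Yield (timestamp, frame_bytes) from a classic libpcap file, either byte order."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC_LE:
        order = "<"
    elif magic == 0xD4C3B2A1:
        order = ">"
    else:
        raise ValueError("not a libpcap file")
    linktype, = struct.unpack(order + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24  # global header is 24 bytes, each record header 16 bytes
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != 6 or len(ip) < ihl + 20:
        return None
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    return socket.inet_ntoa(src), sport, socket.inet_ntoa(dst), dport, off_flags & 0x1FF, tcp[data_off:]


def summarize_evidence(pcap_bytes, window_s=300, size_limit=64 * 1024):
    """Summarize an evidence pcap: capture window, file size, per-flow counts and HTTP request lines."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    requests = []
    first = last = None
    size = 0
    for ts, frame in pcap_records(pcap_bytes):
        first = ts if first is None else first
        last = ts
        size += 16 + len(frame)
        pkt = decode_tcp(frame)
        if pkt is None:
            continue  # non-TCP frames are counted in size only
        src, sport, dst, dport, _flags, payload = pkt
        key = (src, sport, dst, dport)
        flows[key]["packets"] += 1
        flows[key]["bytes"] += len(payload)
        m = HTTP_REQ.match(payload)
        if m:  # request line at the start of a segment: method, target and Host header
            host = re.search(rb"\r\nHost: ([^\r\n]+)", payload)
            requests.append({"src": src, "dst": dst, "method": m.group(1).decode(),
                             "host": host.group(1).decode() if host else "", "target": m.group(2).decode()})
    window = 0.0 if first is None else last - first
    return {"window_s": window, "bytes": 24 + size,
            "within_limits": window <= window_s and 24 + size <= size_limit,
            "flows": {k: dict(v) for k, v in flows.items()}, "requests": requests}


def _frame(src, sport, dst, dport, payload=b"", flags=0x018):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero because the parser ignores them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst)) + tcp
    return b"\x00" * 6 + b"\x02" * 6 + b"\x08\x00" + ip


def build_sample_pcap():
    """Constructed evidence capture (not a real one): a victim host fetching a file, then posting a beacon."""
    t0 = 1_700_000_000
    pkts = [
        (t0, 0, _frame("10.1.1.20", 40001, "203.0.113.5", 80,
                       b"GET /update.bin HTTP/1.1\r\nHost: files.example.test\r\n\r\n")),
        (t0, 120_000, _frame("203.0.113.5", 80, "10.1.1.20", 40001,
                             b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\nMZ...")),
        (t0 + 2, 500_000, _frame("10.1.1.20", 40002, "198.51.100.9", 8080,
                                 b"POST /beacon HTTP/1.1\r\nHost: c2.example.test\r\nContent-Length: 2\r\n\r\nok")),
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in pkts:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    summary = summarize_evidence(build_sample_pcap())
    print(f"window {summary['window_s']:.3f}s, {summary['bytes']} bytes, within limits: {summary['within_limits']}")
    for r in summary["requests"]:
        print(f"{r['src']} -> {r['dst']} {r['method']} {r['host']}{r['target']}")
```

To run it against a capture downloaded from iCenter, replace `build_sample_pcap()` with the file's bytes (`open(path, "rb").read()`). The summary is deliberately limited to what the relational pcap is documented to contain (HTTP over TCP): a request to a host that the victim has no business contacting, or a capture that already fills the 64K limit, is the cue to pivot to the threat details and the full capture in a packet analyzer rather than to rely on this triage alone.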