This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Forensics on deleted files on Endpoint

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Forensics on deleted files on Endpoint

Noe.ortega
L0 Member

‎01-24-2023 06:33 AM

need to know if XDR has the capability to perform forensics on Endpoint if user deleted any files on computer.  If so, how would you go about performing this task.

0 Likes Likes
4 REPLIES 4

eluis
L4 Transporter

‎01-24-2023 06:48 AM

Hi @Noe.ortega 

thanks for writing us in LiveCommunity. 

with xdr forensic add-on you can recover files that are in the recycle bin which is one of the artifacts covered. 

 

Take into account that forensic add-on wont cover:

Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.

 

Please you can find more information on: 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Forensic-Da...

 

I hope this helps, 

 

Luis 

0 Likes Likes

Noe.ortega
L0 Member

‎01-24-2023 06:56 AM

i am assuming that users can cover their tracks by clearing the Recycle Bin if they are deleting files on purpose. it would be nice to recover the files but i am really just looking for any logs that would indicate that user maliciously deleted files.  You mentioned an "add-on" that would need to be installed prior to someone doing malicious acts on Endpoint.  Where would i download this "add-on" and is there a cost to this?

0 Likes Likes

eluis
L4 Transporter

‎01-25-2023 03:14 AM

Hi @Noe.ortega 

in order to perform forensic analysis in CXDR you need to purchase forensic add-on licenses for your endpoints. 

In the AMcache artifact you have the details of deleted files and you can recover the deleted files that are still in the recycle bin

 

Please check:

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resour...

 

I hope this helps, please feel free to click on like or mark it as a solution

Luis 

0 Likes Likes

eumbach
L3 Networker

‎01-25-2023 07:57 AM

You may also use XQL without the need for additional licenses. 

File [ action type = delete ] AND Host [ host name = [ [WHATEVERHOST] ] AND Time [ [WHATEVERTIME] ]

This will show the hard deletes as well as soft deletes into the RB. 

0 Likes Likes
  • 2261 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks