Forensics on deleted files on Endpoint



L0 Member

I need to know if XDR has the capability to perform forensics on an endpoint if a user deleted any files on the computer. If so, how would you go about performing this task?


L4 Transporter

Hi @Noe.ortega 

Thanks for writing to us in LiveCommunity.

With the XDR forensic add-on you can recover files that are in the Recycle Bin, which is one of the artifacts covered.

 

Take into account that the forensic add-on won't cover:

Information about files that existed on the endpoint and were deleted before the Cortex XDR agent was installed.

 

You can find more information here:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Forensic-Da...

 

I hope this helps, 

 

Luis 
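The Recycle Bin recovery mentioned in the reply above works because, on Windows Vista and later, every item sent to the bin is stored under C:\$Recycle.Bin\<user SID>\ as a pair of files: $R<id> holds the content and $I<id> holds the original path, size and deletion time. The parser below, written for this thread as an added example (it is not Palo Alto Networks code and is not what the forensic add-on runs), reads a $I record in both known layouts (version 1, Vista through 8.1, with a fixed 520-byte path field; version 2, Windows 10 and later, with a length-prefixed path). The sample record is constructed in the script itself; the path, size and timestamp are made up for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert a Windows FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (microsecond precision is enough here)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_recycle_bin_metadata(data):
    """Parse one $I<id> record from C:\\$Recycle.Bin\\<SID>\\.

    Layout (both known versions start the same way):
      0..7   version (1 = Vista..8.1, 2 = Windows 10 and later)
      8..15  original file size in bytes
      16..23 deletion time as FILETIME
    Version 1 then holds a fixed 520-byte UTF-16LE path; version 2 holds a
    4-byte character count (including the terminator) followed by the path.
    """
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I record version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {
        "version": version,
        "size": size,
        "deleted_at": filetime_to_datetime(ft),
        "original_path": path,
    }


def build_recycle_bin_metadata(original_path, size, deleted_at, version=2):
    """Build a $I record; used here only to construct sample input offline."""
    encoded = (original_path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + encoded


def data_file_name(metadata_name):
    """The $R<id> file that holds the content for a given $I<id> record."""
    if not metadata_name.startswith("$I"):
        raise ValueError("not a $I metadata file name")
    return "$R" + metadata_name[2:]


# Constructed sample (hypothetical path, size and time): a spreadsheet sent to
# the Recycle Bin on a Windows 10 host, plus the same record in the older layout.
SAMPLE_PATH = "C:\\Users\\alice\\Documents\\q3-report.xlsx"
SAMPLE_SIZE = 48213
SAMPLE_DELETED_AT = datetime(2024, 3, 14, 9, 26, 53, tzinfo=timezone.utc)
SAMPLE_I_FILE = build_recycle_bin_metadata(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED_AT)
SAMPLE_I_FILE_V1 = build_recycle_bin_metadata(SAMPLE_PATH, SAMPLE_SIZE, SAMPLE_DELETED_AT, version=1)

if __name__ == "__main__":
    record = parse_recycle_bin_metadata(SAMPLE_I_FILE)
    print(f"{record['original_path']} ({record['size']} bytes) "
          f"deleted at {record['deleted_at'].isoformat()}")
    print("content is in", data_file_name("$IK4J2PQ.xlsx"))
```

The practical caveat this shows: once the user empties the Recycle Bin, both the $R and the $I files are themselves deleted, so the original path and deletion time are gone from this artifact and you are back to file-system journal or carving techniques. That is why the reply below about collecting delete events as they happen matters more than after-the-fact recovery when the concern is a user covering their tracks.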

L0 Member

I am assuming that users can cover their tracks by clearing the Recycle Bin if they are deleting files on purpose. It would be nice to recover the files, but I am really just looking for any logs that would indicate that a user maliciously deleted files. You mentioned an "add-on" that would need to be installed prior to someone doing malicious acts on the endpoint. Where would I download this "add-on", and is there a cost to this?

L4 Transporter

Hi @Noe.ortega 

In order to perform forensic analysis in CXDR, you need to purchase forensic add-on licenses for your endpoints.

In the Amcache artifact you have the details of deleted files, and you can recover the deleted files that are still in the Recycle Bin.

 

Please check:

https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resour...

 

I hope this helps. Please feel free to click Like or mark it as a solution.

Luis 

L3 Networker

You may also use XQL without the need for additional licenses. 

File [ action type = delete ] AND Host [ host name = [ [WHATEVERHOST] ] AND Time [ [WHATEVERTIME] ]

This will show the hard deletes as well as soft deletes into the RB. 
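The query above is the Query Builder filter; it returns every delete event for the host and time window, and the analyst still has to tell apart a file moved into the Recycle Bin, the bin being emptied, and a delete that bypassed the bin (del from a shell, Shift+Delete, or a script). The script below is an added example for this thread, not Cortex XDR code: it applies that triage to a handful of constructed file events. The record layout (time, host, user, process, action, path, new_path) is this example's own and is an assumption; map it from the product's actual fields when adapting. The events model the sequence the original poster is worried about: a file moved to the bin, the bin emptied a few minutes later, and a second file deleted outright from cmd.exe.

```python
import re
from collections import Counter

# Recycle Bin layout on Vista and later: C:\$Recycle.Bin\<user SID>\$R<id>.<ext>
# holds the content, $I<id>.<ext> holds the original path and deletion time.
RECYCLE_BIN_RE = re.compile(
    r"^[A-Za-z]:\\\$Recycle\.Bin\\S-1-5-21-[0-9-]+\\\$([IR])([^\\]+)$", re.IGNORECASE
)

# Constructed sample telemetry (hypothetical host, user, SID and paths). The
# field names are this example's own, not the Cortex XDR schema.
SAMPLE_EVENTS = [
    {"time": "2024-03-14T09:26:53Z", "host": "WS-042", "user": "CORP\\alice",
     "process": "explorer.exe", "action": "rename",
     "path": "C:\\Users\\alice\\Documents\\q3-report.xlsx",
     "new_path": "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$RK4J2PQ.xlsx"},
    {"time": "2024-03-14T09:31:10Z", "host": "WS-042", "user": "CORP\\alice",
     "process": "explorer.exe", "action": "delete",
     "path": "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$RK4J2PQ.xlsx"},
    {"time": "2024-03-14T09:31:10Z", "host": "WS-042", "user": "CORP\\alice",
     "process": "explorer.exe", "action": "delete",
     "path": "C:\\$Recycle.Bin\\S-1-5-21-1111-2222-3333-1001\\$IK4J2PQ.xlsx"},
    # del / Shift+Delete: the file never enters the bin, so there is no $I record to recover.
    {"time": "2024-03-14T09:33:41Z", "host": "WS-042", "user": "CORP\\alice",
     "process": "cmd.exe", "action": "delete",
     "path": "C:\\Users\\alice\\Documents\\ledger.csv"},
    # Routine system housekeeping: same event type, not interesting.
    {"time": "2024-03-14T09:40:02Z", "host": "WS-042", "user": "NT AUTHORITY\\SYSTEM",
     "process": "svchost.exe", "action": "delete",
     "path": "C:\\Windows\\Temp\\wct1A2B.tmp"},
]


def classify(event):
    """Label a file event as soft delete, hard delete, Recycle Bin purge, or other."""
    if event["action"] == "rename" and RECYCLE_BIN_RE.match(event.get("new_path", "")):
        return "soft_delete"            # moved into the bin; recoverable until emptied
    if event["action"] == "delete":
        if RECYCLE_BIN_RE.match(event["path"]):
            return "recycle_bin_purge"  # bin emptied, or one item removed from it
        return "hard_delete"            # bypassed the bin entirely
    return "other"


def summarize_by_user(events):
    """Count delete classes per user; purges plus hard deletes is the track-covering pattern."""
    counts = {}
    for ev in events:
        counts.setdefault(ev["user"], Counter())[classify(ev)] += 1
    return counts


def purged_originals(events):
    """Join Recycle Bin purges back to the original path recorded by the earlier soft delete.

    The rename into the bin is the only event that carries both the original
    path and the $R<id> name, so it is the key for attributing later purges.
    """
    original_by_id = {}
    for ev in events:
        if classify(ev) == "soft_delete":
            _, ident = RECYCLE_BIN_RE.match(ev["new_path"]).groups()
            original_by_id[ident.lower()] = ev["path"]
    result = {}
    for ev in events:
        if classify(ev) == "recycle_bin_purge":
            kind, ident = RECYCLE_BIN_RE.match(ev["path"]).groups()
            if kind.upper() == "R" and ident.lower() in original_by_id:
                result[original_by_id[ident.lower()]] = {
                    "purged_at": ev["time"], "user": ev["user"], "process": ev["process"]}
    return result


if __name__ == "__main__":
    for user, counts in summarize_by_user(SAMPLE_EVENTS).items():
        print(user, dict(counts))
    for path, info in purged_originals(SAMPLE_EVENTS).items():
        print(f"{info['user']} purged {path} from the Recycle Bin at {info['purged_at']} via {info['process']}")
```

Two points the sample is built to make. First, the rename into $Recycle.Bin is the event worth keeping, because it is the last place the original file name appears once the bin has been emptied. Second, the hard delete from cmd.exe shows up as an ordinary delete event with no bin involvement, so a filter that only looks at $Recycle.Bin paths misses the user who knows about Shift+Delete; start from all delete events, as the reply above suggests, and narrow by user, process and path from there.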
