Video

Cyber Triage 3.3.0 Release Updates Video

New Features

Austin- 00:07
Hi, my name is Austin Dyches.
I’m the product manager for cyber triage.
Thanks so much for tuning in today.
We’re very excited to bring you our 3.3.0 release of Cyber Triage, and we’ve got some cool new features we think you’re really going to like.
The first is Data Access, so that’s going to allow you to quickly view data that any user on any host machine within your incident accessed. Importing logical files, which is going to import logical files, or allow you to import those ones into this that you might get from a customer and run those through Cyber Triage’s analysis and scoring modules.

Austin- 00:39
Finally, we’ve got PDF and Office documents, so Cyber Triage is now able to score and analyze every single Office and PDF document that comes in with a collection; you don’t have to do anything extra.
You can obviously upload them individually using our importing logical files section, but with this feature we’re really looking to discover any potentially malicious PDF or Office docs, and that includes things that automatically open macros, that might be embedded JavaScript if we can see it up front, and a few other flags.
So we’ll talk about all that stuff.
But again, thanks so much for joining us.
We’re really excited for you to be here and to see the new release.
So without further ado, let’s jump right in.

Austin- 01:22
Alright, so the first thing I want to do is direct your attention to the new Data Access artifact category. If you come down here on the side of the navigation menu under the Users category, you’ll see the Data Access artifact category, so this new feature adds a brand new section to the navigation menu called Data Access, and examining the results in this panel will allow an incident responder to view what data was accessed by user on the host machine.
So to populate this section, we now parse new artifacts in Cyber Triage, such as Recent folder and link files, Most Recently Used (MRU) by extension, files opened by Internet Explorer and Edge, and Office MRU, and we have plans to add more of these artifacts as we go, and we’ll keep you posted on that as they come. So once you click on this link, you can come over here inside the explorer window.
This will be all the data that has been accessed by any particular user on a machine, so this is my work computer.

Austin- 02:20
I was actually sitting and selling a couple of new things.
So here you can see that on my desktop, if I go to that, Austin accessed, or the user Austin accessed, a couple different files.
Here’s one called admin.txt where I keep some info, my bookmarks from a previous machine, a PDF evaluation guide.
So any data that was sitting around that I actually clicked on, went to, or looked at will be shown here, and then down here in the info panel you can see a little bit about where we got some more details about this file.
So the item type is data accessed.

Austin- 02:54
Here’s the path where they found it, and here’s my user information.
And then here’s the source path.
So this is a link file; it came from Windows Recent.
Alright, and that should help you in your investigations, especially, you know, attacker activity on the host machine.
If an attacker opens a file, they’re looking for sensitive information, or you’ve detected potentially malicious activity on a host, and you can use this artifact category to really drill down into the data that a user has accessed, so we hope that brings a lot of efficiency into your workflow.
Alright, so for importing logical files: sometimes logical files or individual files are all that you have access to, and so in order to maximize the amount of information you collect, Cyber Triage now supports the importing of logical files or folders so that you can use the full suite of Cyber

Austin- 03:52
Triage analysis and reporting modules to explore those files.
So to do that you’re just going to click on the new Logical Files button here, right next to our newish KAPE button.
You can add a host name; call it Logical Files. And.
Alright, so now that our logical file ingest has processed, it’s going to come to our regular dashboard just like it would with any incident or any host, because that’s what this is.
And at first you don’t see much going on here because we just grabbed a couple of PDF files.

Austin- 04:23
So what you want to do is come down to Files.
And then with these PDFs in here, I’m just going to talk quickly about actually the last section as well.
So for PDF and Office doc scanning, these will now actually be marked if we think that they’re malicious, if they have JavaScript within them.
They have a couple automatic action flags that we think you might want to take a look at, so those will be scored for you automatically.
But if you want some more information about it, you come down to the item details panel.
You can even export the file if you choose, but it’ll have some information about the file itself, the path that we got it from, any processes it is associated with.

Austin- 05:04
And of course, strings that are embedded within the file.
So that’s it for, frankly, logical file ingest and PDF and Office doc scanning.
So this is how you would come and look at those Office docs if you wanted to, or a PDF that you ingested or that came as part of a larger collection.
You’d be able to see those details here.
And hopefully, if there’s anything that you’re specifically targeting that might come to light in them, this is a new method for you.
So thanks so much for using Cyber Triage.

Austin- 05:34
We really hope these tips have helped, and if you have any questions please feel free to reach out to us at support@cybertriage.com.
You can read the user manual at read the docs.cybertriage.com.
And that’s it.
So I’ll close out this video.
Thanks so much for watching.
All right, and that’ll do it for the 3.3.0 release of Cyber Triage.
We hope you really enjoy it.

Austin- 05:56
We’re very proud of it.
If you have any questions about it, please feel free to reach out at support@cybertriage.com.
In the meantime, good luck and happy hunting.