
CXI - Cyber Exploit IdentiKit Frequently Asked Questions

Note: This document will be updated as user feedback is received. Please check back from time to time for the latest revision.

Q.   What are the major features of CXI?

    A.  There are five features of CXI:

    1. Identify Cyber Attacks
      Install on all host systems in your production network to identify and record both suspicious activity and malicious cyber attacks

    2. Pre-Deployment Analysis
      Evaluate a new security patch, a new application, or an application update to pinpoint what critical changes are being made to the system

    3. Real-Time Execution Analysis
      Analyze the behavior of an application in real-time to identify changes it makes to the system

    4. Step Through Attack Actions
      Following a zero-day cyber attack, go backwards to any point in time, then step through each action the attack took in your system

    5. Simplify Support Incidents
      When asking for support from a software vendor whose product caused a problem, send a digital "tape" of the actual actions recorded by CXI

Q.   What are the major components of CXI?

    A.  CXI has two main components, each corresponding to one mode of operation:

    1. Process Activity Recorder
      CXI is an always-on Process Activity Recorder that records the system change events of all live processes. It can operate in forensic mode through the CXI Console window to view, filter, and play back all recorded process events chronologically for cyber forensic investigation.

    2. Real-time Exploit Discovery
      CXI can also operate in discovery mode through the System Discovery window to correlate tagged process events and report exploit behaviors of application process families. The discovery mode is preconfigured to detect any activities relevant to software installations. An unintended software installation could be a cyber exploit which would indicate the first step of a malware intrusion process.

System Requirements

Q.   What Operating Systems are supported by CXI?

    A.   Microsoft Windows XP (32-bit and 64-bit) with Service Pack 2 or later, and Microsoft Windows Vista (32-bit and 64-bit). Administrator privileges are required.

    Your system should also have the latest Java Virtual Machine installed. If you cannot launch the CXI Console window after the installation, please verify your Java Virtual Machine installation and version.

    The setup package should come with all other Windows system dependencies needed to run CXI and will install the appropriate CXI component software for your OS automatically. To install CXI, please run CXI_Install.EXE and follow the on-screen instructions.

The Two Modes of CXI

     CXI Console Mode (Forensic Mode)

     CXI System Discovery Mode (Discovery Mode)

Q.   How does CXI operate in Forensic Mode?

    A.  CXI Engine and CXI Console Window

    Cyber forensics involves the preservation, identification, extraction, and documentation of computer evidence. The CXI Engine Service assists cyber forensic experts by intercepting digital data and archiving forensic information for evidentiary preservation, in real time and automatically. Additionally, the CXI Engine Service provides filtering mechanisms to highlight "process behaviors" of interest, so that cyber forensic experts can use their time more efficiently when sorting through the myriad recorded forensic data.

    The CXI Forensic Engine Service works as a "Process Activity Recorder" by recording crucial change events of all live processes that affect system state, including file creation/modification/deletion, folder creation/deletion, and changes to the system Registry. For each change event, the CXI Engine Service records the following context:

    WHO: Name and Process ID of the process that made the change
    WHAT: The kind of change that was made
    WHERE: Path of the file, folder, or registry key that was changed
    WHEN: Timestamp, giving the chronology of all changes

    After the installation has completed, the CXI Service is started by default. Clicking on the CXI shield tray icon will display a pop-up window which provides access to program controls. From here, you can manually start or stop the CXI Service as well as alter the way CXI Service behaves after system reboots. You can also access the CXI Console from this window or alternately, by clicking on the CXI Console desktop shortcut.

    The CXI Service records process activity in 24-hour log sessions, assuming it runs uninterrupted. The current log session is concluded at 12:00 midnight every day and a new log session is created for the next 24-hour period. Manually stopping the CXI Service, or powering down your system, also concludes the current session. Once the CXI Service is manually started again or the system is powered back on, a new log session is created.

    For more detailed description of the CXI Console Window, please see the CXI Console Help page.

Q.   How does CXI operate in Discovery Mode?

    A.  Event Data Mining and System Discovery Windows

    Real-time Exploit Discovery data-mines CXI events to identify and report application processes with recognized behaviors. System Discovery is pre-configured to detect reboot-surviving behavior and displays activities relevant to both intended and unintended software installations. An unintended software installation could be a cyber exploit, which would indicate the first step of a malware intrusion process.

    The System Discovery Window displays the result of data mining over the CXI event database. The data collection process starts with CXI acting as a process activity recorder, capturing and recording system change events to files, folders, and registry hives, and attributing each event to the process and process tree that triggered it. Real-time Exploit Discovery goes beyond the process activity recording function by performing data mining against CXI events and tagging certain events as crucial for further analysis. System Discovery then identifies application processes with multiple tagged crucial events, and finally reports the application processes with recognized behaviors.

    For more detailed description of the System Discovery Window, please see the CXI System Discovery Help page.

CXI Windows

Q.   What information is depicted in the CXI Console Window?

    A.   CXI Console Window displays the captured and recorded system change events. In the left window, CXI organizes information on processes and process families. In the right window, CXI presents all recently monitored events.

    1. Process Window:
      The Processes Window contains a list of all of the system's processes that are currently monitored by CXI. These processes can be displayed in two different forms: Tree Hierarchy Form and List Form. To obtain the Tree Hierarchy Form, click on the "Process Tree" button under the "Processes" tab. This view organizes the processes into a tree representing their parent/child order. To obtain the List Form, click on the "Process List" button under the "Processes" tab. This view organizes the processes into a regular list that can be sorted alphabetically or chronologically. To sort alphabetically, simply click on the "A-Z" button; to sort chronologically, click on the "Clock" button. You may also reverse the sort order by clicking on the arrow button.

      The blue window icons next to the process entries indicate that those processes are currently active. When a process finishes and goes inactive, the blue icon changes to a faded white icon. If that process is restarted and becomes active again, the previous entry remains unchanged and a new entry is created for the new process instance.

    2. Details Window:
      The Details Window displays all of the recent events monitored. Each event in the main window is color coded to represent what type of event it is. The event types include: Process Events, File Events, Folder Events and Registry Events. These events can be filtered according to which types of events you would like to view simply by selecting or deselecting the corresponding Event Buttons above the Details Window. Additionally, when you click on an individual event, the corresponding process that is responsible for creating the selected event is then highlighted in the Process Window to the left. Clicking on an individual process in the Process Window will reveal all of the CXI events that correspond to this process.

      The Details Window displays all events in chronological order, most recent first. Events are shown in blocks of time; the block size can be set to 10 minutes, 30 minutes, or 1 hour. Additionally, you can "rewind" or "fast forward" the display by the same block increments to view past events, all the way back to the start of the current CXI Service session.

      All CXI Service logging is performed within 24 hour sessions. In the event that your PC is left continually running, new database sessions will be created every 24 hours and will roll over to the new session at 12:00 midnight. You can view past sessions by accessing the "Session" Menu at the top and clicking on "Change Session". The session you are viewing through CXI Console is displayed together with the host computer name on the upper left corner immediately below the menu bar.

Q.   What information is depicted in the CXI System Discovery Window?

    A.   The System Discovery Window consists of the Upper Pane (Discovery Pane) and the Lower Pane (Details Pane). In the Details Pane, the left window is for displaying the "involved Processes" of CXI events. The right window in the Details Pane displays the Event View for Tagged CXI Events.

    Tagging CXI Events:
    CXI's data mining includes built-in algorithms that label or tag CXI events that merit further analysis. Examples of the conditions such analysis reveals include whether a Portable Executable (PE) file was created in a system folder, whether a load point was set that lets a program survive a reboot, or whether an Alternate Data Stream file was created. Events that meet these conditions are passed to the next level for identification. These tagged CXI events are reported in the right window of the Details Pane.

    Identify Application Processes with Tagged Events:
    When multiple related tagged events are observed, they are correlated with their originating parent process. The actions may come from a single process or from several processes, but ultimately they share a common application, such as a particular instance of Internet Explorer, File Explorer, or some other identifiable application. The result is displayed in the Discovery Pane.

    Report Detected Behavior:
    When CXI's data mining and analysis conclude that the behavior represents a serious risk to the system, such as Reboot Surviving behavior, it is reported to the user in the Discovery Pane, or by clicking the "Red Flag" tool button.
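    The pipeline described above (record WHO/WHAT/WHERE/WHEN events, tag the crucial ones, correlate them to a common application process, report Reboot Surviving behavior) is easy to reason about in code. The following Python is an added example written for this FAQ, not CXI's own code or algorithms: the tagging rules (system-folder and PE-extension lists, the registry load-point keys, the colon-in-filename test for an alternate data stream, the set of "launcher" processes where the parent walk stops, and the two-tag threshold) are assumptions modelled on the three examples the text gives, and the process table and event log are constructed sample data.

```python
"""Toy discovery pipeline: record -> tag crucial events -> correlate to an
application root -> report reboot-surviving behavior.  Added example; the
heuristics below are assumptions modelled on the FAQ text, not CXI's own."""
from collections import defaultdict
from dataclasses import dataclass, field

SYSTEM_FOLDERS = ("c:\\windows\\",)         # assumption: what counts as a system folder
PE_EXTENSIONS = (".exe", ".dll", ".sys")    # assumption: PE judged by extension, not MZ header
LOAD_POINTS = ("\\currentversion\\run\\",   # assumption: a few well-known autostart keys
               "\\currentversion\\runonce\\", "\\services\\")
LAUNCHERS = {"explorer.exe", "services.exe"}  # assumption: parent walk stops below these


@dataclass
class Process:
    pid: int
    ppid: int
    name: str


@dataclass
class Event:
    ts: str            # WHEN
    pid: int           # WHO
    kind: str          # "file" | "folder" | "registry"
    action: str        # WHAT: create / modify / delete / set
    path: str          # WHERE
    tags: list = field(default_factory=list)


def tag_event(ev):
    """Label an event with the 'crucial' conditions the FAQ lists."""
    p = ev.path.lower()
    tags = []
    if ev.kind == "file" and ev.action == "create":
        if p.startswith(SYSTEM_FOLDERS) and p.endswith(PE_EXTENSIONS):
            tags.append("pe_in_system_folder")
        # an alternate data stream appears as  file.ext:streamname  in the last path component
        if "\\" in p and ":" in p.rsplit("\\", 1)[-1]:
            tags.append("alternate_data_stream")
    if ev.kind == "registry" and ev.action == "set" and any(k in p for k in LOAD_POINTS):
        tags.append("load_point")
    return tags


def application_root(pid, procs):
    """Walk up the parent chain to the process that stands for the application
    (e.g. the iexplore.exe instance that spawned a dropper), stopping at a launcher."""
    cur = pid
    while cur in procs:
        parent = procs.get(procs[cur].ppid)
        if parent is None or parent.name.lower() in LAUNCHERS:
            break
        cur = parent.pid
    return cur


def discover(events, procs, min_tags=2):
    """Group tagged events into application families and flag reboot-surviving ones."""
    families = defaultdict(lambda: {"events": [], "tags": set()})
    for ev in sorted(events, key=lambda e: e.ts):
        ev.tags = tag_event(ev)
        if not ev.tags:                      # untagged events stay in the recorder only
            continue
        fam = families[application_root(ev.pid, procs)]
        fam["events"].append(ev)
        fam["tags"].update(ev.tags)
    report = {}
    for root, fam in families.items():
        name = procs[root].name if root in procs else f"pid {root}"
        # a load point alone is an ordinary install; load point plus another crucial
        # event (dropped PE, ADS) is what we call Reboot Surviving behavior here
        surviving = "load_point" in fam["tags"] and len(fam["tags"]) >= min_tags
        report[root] = {"application": name, "tags": sorted(fam["tags"]),
                        "event_count": len(fam["events"]), "reboot_surviving": surviving}
    return report


# Constructed sample data (not a real capture): a browser drops an updater that
# installs itself, alongside a legitimate MSI install and ordinary notepad use.
PROCS = {p.pid: p for p in [
    Process(1000, 600, "explorer.exe"), Process(800, 600, "services.exe"),
    Process(2100, 1000, "iexplore.exe"), Process(2300, 2100, "update.exe"),
    Process(2500, 1000, "notepad.exe"), Process(2600, 800, "msiexec.exe"),
]}
EVENTS = [
    Event("09:14:02", 2100, "file", "create", r"C:\Documents and Settings\user\Local Settings\Temp\update.exe"),
    Event("09:14:05", 2300, "file", "create", r"C:\WINDOWS\system32\svchosts.dll"),
    Event("09:14:05", 2300, "file", "create", r"C:\WINDOWS\system32\svchosts.dll:cfg"),
    Event("09:14:06", 2300, "registry", "set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event("09:20:40", 2500, "file", "modify", r"C:\Documents and Settings\user\notes.txt"),
    Event("10:02:11", 2600, "file", "create", r"C:\Program Files\Vendor\app.exe"),
    Event("10:02:12", 2600, "registry", "set", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorApp"),
]

if __name__ == "__main__":
    for root, r in discover(EVENTS, PROCS).items():
        flag = "RED FLAG" if r["reboot_surviving"] else "tagged  "
        print(f"{flag}  {r['application']} (pid {root}): {r['event_count']} event(s), {r['tags']}")
```

    Running it reports the iexplore.exe family (the dropper's events are attributed to the browser that spawned it) as Reboot Surviving, shows the msiexec.exe install as tagged but not flagged because it set only a load point, and leaves notepad.exe out of the discovery view entirely since none of its events were crucial. A real recorder would of course get the MZ header and the process tree from the kernel rather than from a table, but the correlation logic is the same.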

Feedback and Problem Report

Q.   What should I do if I have more questions?