Investigation Center

Investigation Center Overview

Investigation Center is an extension of the Aggregation Servers. Investigation users (once defined) can restore the data and results of selected historic dates and perform forensic investigation on them. Once those days are restored, the investigation users can define and view reports using the standard Guardium UI, limited to the scope of the investigated dates.

Each Guardium appliance maintains a Catalog of all the data and results archived. The Catalog records information about each archive: its location and the credentials needed to access it. The Catalog is exported from the collectors and merged into a complete Catalog on the Aggregation Server as part of the aggregation process. With the Catalog in place, investigation users can select the desired dates for restoration; these dates are automatically uploaded to the Investigation Center and merged into that investigation user's view. In addition to merging the collectors' Catalogs through the Aggregation Server, it is also possible to export and import Catalogs from the Admin Console UI (see the Guardium Administration Guide for additional information).

Users & Roles

In a Guardium aggregation server there is a special investigation role ('inv'). Users with the 'inv' role can perform forensic investigations on historic data.

An investigation user for the most part uses the same query and report definitions as any other user. The biggest difference is that the investigation user sees only the data selected for his or her investigation database (multiple investigators can be configured to share one INV database). Selected data can be restored from archive or, for data that has not yet been purged, viewed from the current database. An investigation user can also restore archived audit process results and view them.

Caution: Role "inv" is a special role that causes the user to be connected to a separate, investigation-only internal database. It should be combined with the role "user"; in general it is incompatible with all other roles.

Note: To correctly configure an investigation user, the user's Last Name must be set to the name of one of the three investigation databases: 'INV_1', 'INV_2', or 'INV_3' (case-sensitive).

When creating an investigation user, it is suggested that the user's name indicate which investigation database will be used. For instance, if a user will be using the INV_1 database, the user's name could be 'john1' or 'inv1'.

Investigation Context

Guardium's Investigation Center supports up to three concurrent investigation periods, dubbed INV_1, INV_2 and INV_3; each holds separate historic data and provides the means for forensic investigation of that period. When creating an investigation user, the user's last name must be INV_1, INV_2, or INV_3 to associate that user with one of the investigation databases. When logged into the Investigation Center (as one of the investigation users), a label at the top of the screen shows the selected investigation period.
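
The rules above (role 'inv' combined only with 'user', Last Name exactly one of the three database names, several investigators allowed to share one database) are easy to get wrong when users are created by hand, and a mis-cased last name silently leaves the user without an investigation database. The following is an added example, not Guardium code and not a Guardium API: it checks a list of user records against those rules. The record shape (username, last_name, roles) and the sample records are constructed assumptions for this example, such as one might build from an export of the appliance's user list.

```python
"""Check Guardium investigation-user definitions against the rules on this page.

Added example, not Guardium code. The user records are a constructed, assumed
shape (username, last_name, roles); only the rules stated in the text are checked.
"""
from collections import defaultdict

INV_DATABASES = ("INV_1", "INV_2", "INV_3")   # exact, case-sensitive names
ROLES_ALLOWED_WITH_INV = {"inv", "user"}      # 'inv' should be combined with 'user' only


def check_investigation_user(user):
    """Return a list of problems for one user record; an empty list means valid.

    Only users carrying the 'inv' role are checked; any other user returns [].
    """
    roles = set(user.get("roles", []))
    if "inv" not in roles:
        return []
    problems = []
    if "user" not in roles:
        problems.append("role 'inv' must be combined with role 'user'")
    extra = roles - ROLES_ALLOWED_WITH_INV
    if extra:
        problems.append("role 'inv' is incompatible with: " + ", ".join(sorted(extra)))
    last_name = user.get("last_name", "")
    if last_name not in INV_DATABASES:
        hint = ""
        if last_name.upper() in INV_DATABASES:      # right name, wrong case
            hint = " (names are case-sensitive)"
        problems.append(f"last name {last_name!r} is not one of {INV_DATABASES}{hint}")
    return problems


def investigators_by_database(users):
    """Map each investigation database to the valid 'inv' users attached to it.

    Several investigators may share one INV database, so each value is a list.
    """
    by_db = defaultdict(list)
    for user in users:
        if "inv" in user.get("roles", []) and not check_investigation_user(user):
            by_db[user["last_name"]].append(user["username"])
    return dict(by_db)


# Constructed sample records; the field names are an assumption for this example.
SAMPLE_USERS = [
    {"username": "inv1", "last_name": "INV_1", "roles": ["inv", "user"]},
    {"username": "john1", "last_name": "INV_1", "roles": ["inv", "user"]},           # shares INV_1
    {"username": "inv2", "last_name": "inv_2", "roles": ["inv", "user"]},            # wrong case
    {"username": "inv3", "last_name": "INV_3", "roles": ["inv", "user", "admin"]},   # extra role
    {"username": "inv4", "last_name": "INV_3", "roles": ["inv"]},                    # missing 'user'
    {"username": "alice", "last_name": "Smith", "roles": ["user"]},                   # not an investigator
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        for p in check_investigation_user(u):
            print(f"{u['username']}: {p}")
    print(investigators_by_database(SAMPLE_USERS))
```

Running the block reports the three misconfigured users and shows that only inv1 and john1 are correctly attached to INV_1; inv3 and inv4 drop out of the per-database map until their roles are corrected.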

GUI

A user with the investigation role will see two additional tabs that are particular to the Investigation Center.

Working with Investigation Center

Restore an Investigation Period

After logging into the Guardium interface as a user with the 'inv' role:

  1. Click on the Volume Management tab.

  2. Click on the Data Restore link in the left-hand column menu to bring up the Restored Data panel. If a prior restore was performed, this panel displays the currently mounted data periods. At this point, you may click on the Discard Data button to unmount all previously mounted data periods.

  3. Click on the Re-Select Investigation Period button to bring up the Data Restore Search Criteria panel.

  4. Enter the start date in the From: box for the beginning of the time period you wish to search.

  5. Enter the end date in the To: box for the end of the time period you wish to search.

  6. Optionally, enter a Host name to filter the result set by host name.

  7. Click the Search button to view the result set; this searches the catalog for all archives matching the search criteria.

  8. From the result set produced, check the Select box(es) of the periods you wish to restore. You may also click on the Select All and Unselect All buttons to speed up the selection process.

  9. Click the Restore button to restore the selected periods. Depending on the number of periods to restore, and on whether the datasets are local to the system, the restore process can take a long time.

  10. You can monitor the progress of the restore process in the View Restore Log panel.

Restore Audit Results

A checkbox in the Audit Process builder allows you to specify whether the results of a process should be archived. Only results of processes marked for archive, and for which all signers have signed, are archived. The results of a specific run are packed, zipped and stored; the location is recorded in the catalog and used by Restore Audit Results for selection and restore. Archived results from the Guardium Audit process can be restored to an Investigation Center and contain the results, the view and sign-off trails, and the comments associated with these results.

After logging into the Guardium interface as a user with the 'inv' role:

  1. Click on the Volume Management tab.

  2. Click on the Audit Results Restore link in the left-hand column menu to bring up the Restored Results panel. If a prior restore was performed, this panel displays the currently restored results. At this point, you may click on the Discard Data button to unmount all previously mounted results.

  3. Click on the Audit Results Restore button to bring up the Results Restore Search Criteria panel.

  4. Enter the start date in the From: box for the beginning of the time period you wish to search.

  5. Enter the end date in the To: box for the end of the time period you wish to search.

  6. Optionally, enter a Host name, Audit Process, or Run No to filter the result set.

  7. Click the Search button to view the result set.

  8. From the result set produced, check the Select box(es) of the results you wish to restore. You may also click on the Select All and Unselect All buttons to speed up the selection process.

  9. Click the Restore button to restore the selected results. Depending on the number of results to restore, and on whether the datasets are local to the system, the restore process can take a long time.

  10. You can monitor the progress of the restore process in the View Restore Log panel.

View Restore Log

The restore log provides a view of past and current archive/restore attempts, filtered for the user currently logged in. This log enables the user to validate that a restore of data or audit results completed successfully.

After logging into the Guardium interface as a user with the 'inv' role:

  1. Click on the Volume Management tab.

  2. Click on the Restore Log link in the left-hand column menu to bring up the My Restore Log panel. From this panel you can see the status of all restore attempts.
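
The restore procedure above searches the catalog for archives between a From and a To date, optionally narrowed by host name, and then relies on the restore log to confirm which of the selected periods actually came back. The following added example (not Guardium code; the appliance's real catalog and log formats are not documented on this page) models that flow: an inclusive date-range search with an optional host filter, followed by a reconciliation that flags every selected period lacking a successful restore-log entry. The catalog and log records, their field names, and the status values are constructed assumptions for this example.

```python
"""Model the catalog search and restore-log check described on this page.

Added example, not Guardium code. Catalog and restore-log records are constructed
here in an assumed shape (host, day, location / host, day, status).
"""
from datetime import date

# Constructed catalog: one archive per collector host per day (assumed shape).
CATALOG = [
    {"host": "collector-a", "day": date(2023, 3, 10), "location": "/archive/a/20230310.tgz"},
    {"host": "collector-a", "day": date(2023, 3, 11), "location": "/archive/a/20230311.tgz"},
    {"host": "collector-a", "day": date(2023, 3, 12), "location": "/archive/a/20230312.tgz"},
    {"host": "collector-b", "day": date(2023, 3, 11), "location": "/archive/b/20230311.tgz"},
    {"host": "collector-b", "day": date(2023, 3, 13), "location": "/archive/b/20230313.tgz"},
]

# Constructed restore log (assumed shape and status values): one record per attempt.
RESTORE_LOG = [
    {"host": "collector-a", "day": date(2023, 3, 11), "status": "SUCCESS"},
    {"host": "collector-a", "day": date(2023, 3, 12), "status": "FAILED"},
    {"host": "collector-b", "day": date(2023, 3, 11), "status": "SUCCESS"},
]


def search_catalog(catalog, date_from, date_to, host=None):
    """Return catalog entries whose day lies in [date_from, date_to], inclusive.

    `host` is an optional case-insensitive substring filter, mirroring the UI's
    optional Host name field. An inverted range is rejected rather than
    silently returning nothing.
    """
    if date_from > date_to:
        raise ValueError("From date must not be after To date")
    needle = host.lower() if host else None
    return [
        entry for entry in catalog
        if date_from <= entry["day"] <= date_to
        and (needle is None or needle in entry["host"].lower())
    ]


def unrestored_periods(selected, restore_log):
    """Return the selected catalog entries that have no SUCCESS restore record.

    A period that never appears in the log, or whose most recent attempt did
    not succeed, is reported so reports are not run over missing days.
    """
    status_by_key = {}
    for rec in restore_log:                      # later records override earlier ones
        status_by_key[(rec["host"], rec["day"])] = rec["status"]
    return [
        entry for entry in selected
        if status_by_key.get((entry["host"], entry["day"])) != "SUCCESS"
    ]


if __name__ == "__main__":
    chosen = search_catalog(CATALOG, date(2023, 3, 11), date(2023, 3, 12))
    print(f"{len(chosen)} archive(s) selected")
    for missing in unrestored_periods(chosen, RESTORE_LOG):
        print(f"not restored: {missing['host']} {missing['day']} ({missing['location']})")
```

With the constructed data, a search for 11 to 12 March selects three archives, and the reconciliation reports the 12 March archive of collector-a, whose restore attempt failed, as still missing.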

Viewing Restored Audit Results

After logging into the Guardium interface as a user with the 'inv' role:

  1. Click on the Audit Results tab.

  2. Click on the Results Navigation link in the left-hand column menu to bring up the Audit Process Finder panel.

  3. From the Select Process For Results drop-down list, choose the audit process whose results you want to view.

  4. Click the View button to open another window and view the available reports for the audit results.