activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
https://www.activecountermeasures.com/free-tools/rita/
GNU General Public License v3.0

Feature Request: "First Seen" status to include triggering date/timestamp #32

Open praemunio opened 1 week ago

praemunio commented 1 week ago

ISSUE/CHALLENGE: The minor challenge with this status is when reading from an archived PCAP. As you know, RITA displays "XX hours ago" as the output.

Though this is very useful in rolling/dynamic PCAPs, it is only semi-useful in static PCAPs when correlating the displayed time to established investigatory timelines.

PROPOSED SOLUTION: Include the triggering time/date stamp with the XX hours metric within the "First Seen" display area.

That additional information would add value for the analyst regardless of the type of analysis - static vs dynamic. Additionally, the analyst does not need to perform math to understand when it was "First Seen" unless they want to do day/date/time math while conducting their analysis ;)

Additionally, it can be leveraged as an additional check for the analyst to ensure they are reviewing and correlating evidence correctly.
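The display the request asks for, as an added example in Go (not RITA's own code): a `FirstSeen` record is rendered with its absolute RFC 3339 timestamp next to the relative "hours ago" figure. The `FirstSeen` type, the `Describe` function and the sample timestamps are all constructed for this illustration; the one design point worth noting is that the relative figure is computed against a caller-supplied reference time, so an archived PCAP can use its last packet time instead of the wall clock.

```go
package main

import (
	"fmt"
	"time"
)

// FirstSeen holds the absolute time of the first observed connection for a
// host pair. Hypothetical type for this example, not a RITA structure.
type FirstSeen struct {
	Time time.Time
}

// Describe renders the first-seen value as an absolute RFC 3339 timestamp
// followed by the relative "X hours ago" figure. The relative part is
// computed against ref: the wall clock for a live/rolling dataset, or the
// capture's last packet time for an archived PCAP, so the hours figure
// still lines up with an investigatory timeline built from a static file.
func Describe(fs FirstSeen, ref time.Time) string {
	hours := ref.Sub(fs.Time).Hours()
	if hours < 0 {
		// Clock skew or a reference earlier than the event; do not show a negative age.
		hours = 0
	}
	return fmt.Sprintf("%s (%.0f hours ago)", fs.Time.UTC().Format(time.RFC3339), hours)
}

func main() {
	// Constructed sample values, not real capture data.
	first := FirstSeen{Time: time.Date(2024, 3, 10, 8, 15, 0, 0, time.UTC)}
	captureEnd := time.Date(2024, 3, 11, 20, 15, 0, 0, time.UTC)

	fmt.Println("archived PCAP:", Describe(first, captureEnd)) // relative to last packet
	fmt.Println("live dataset: ", Describe(first, time.Now()))  // relative to now
}
```

With the archived-PCAP reference the output reads `2024-03-10T08:15:00Z (36 hours ago)`, which gives the analyst both the exact moment to place on a timeline and the familiar relative figure, without any date arithmetic.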