Browse Disk

When you select a piece of disk evidence in the Project Overview tab, a Browse Disk Tab will appear.

Browse Disk shows a hierarchical view of the file system. Cado marks directory structures where Cado has found Alarms or Suspicions with red or yellow dots respectively. Clicking on a folder allows you to drill down into that structure.

Clicking on a file takes you to the details for that file, including links to search Open Threat Exchange (OTX) and VirusTotal if you have those set up. Cado will index and show a preview of the text in a file, up to the first 1000 lines. You can download the full contents of the file, optionally as an encrypted zip file. Files are hashed with SHA256, and the hash is viewable and searchable.

This tab also shows any key events (alarms, suspicions) associated with this file.

For running processes collected by Cado Host this tab also shows a diagram of information about running processes.