Request Forensic Data

The Request Forensic Data feature allows you to perform forensic analysis of an incident and perform the necessary response action.

Prerequisites

You can send at most 10 requests to generate forensic data at a time.

In this section, we have covered the following:

  - Request Forensic Data from Assets tab
  - Request Forensic Data from Forensics tab
  - Auditing Forensic Logs from the Administration Application
  - Agent Response Time Out Status

Request Forensic Data from Assets tab

To request Forensic Data for a specific asset, perform the following steps on the Assets tab:

  1. Hover the mouse over the required event and click the drop-down icon.

  2. From the Quick Actions menu, click Request Forensic Data. A notification message confirms the request has been submitted. 

    Request Forensic Data option in Quick Actions menu in Assets tab.

  3. Click the Forensics tab to monitor the asset's requested forensic data status.

    Once the request is complete, the Status column displays the result as Success. You can Download, View Asset Details, or Delete the instances from the Quick Actions menu of the Status column in the Forensics tab.

    The following screenshot is an example that shows the Quick Actions menu of a successful instance:

    Quick Actions menu in Forensics tab

For every successful request, the data is downloaded to your local system as a .7z archive. The downloaded archive contains the output files of each script that ran on the Agent. For more information about the scripts executed on the Agent, see Scripts Executed for Forensics.

Request Forensic Data from Forensics tab

To request Forensic Data for a specific asset, perform the following steps on the Forensics tab:

  1. Click Request Forensic Data.
  2. On the Request Forensic Data page, select the asset for which you want the forensic data.

    Once the request is complete, the Status column displays the result as Success. You can Download, View Asset Details, or Delete the instances from the Quick Actions menu of the Status column in the Forensics tab.

    The following screenshot is an example that shows the Quick Actions menu of a successful instance:

    Quick Actions menu in Forensics tab

Auditing Forensic Logs from the Administration Application

Any action performed on the Forensics tab can be monitored from the Administration application. The following screenshot is an example of the Activity Logs that list the actions performed on the Forensics tab:

    Activity Logs in the Administration application.

Agent Response Time Out Status

If a Forensic Request has been running (In Progress status) for more than 15 minutes, the Status column displays the instance as Failed, Agent Response Timed Out. In this case, you need to request the forensic data again. In the meantime, if a response for the earlier failed request does arrive, its status is updated.

The following screenshot is an example that shows the Failed instance:

    Failed instance in the Forensics tab.

Additional Resource