Collecting forensic data

Forensic data is collected to help you investigate a device when an incident is generated. You can collect forensic data from both Windows and Linux devices during an incident investigation without remotely logging in to the device or using any third-party tools.
You can run the forensic data capture operation from the following pages of the console:
  • Investigate page
    The security events generated for a device are displayed under Search (tab) > Cloud Database. You can capture forensic data for a device listed there through the Capture Forensics Data menu, which opens when you click the vertical dots of the row. The status of the forensic data collection operation is displayed in the Status tab of this page.
  • Devices page
    The Capture Forensics Data menu opens when you click the vertical dots of the row for a device. The status of the forensic data collection operation is displayed on the Investigate > Status (tab) page.
To collect forensic data from the Devices page
  1. From the main console window, select Devices.
  2. For a given device, click the three vertical dots at the end of the row.
  3. On the menu, click Collect Forensic Data.
     A success message displays indicating that forensic data collection has been triggered.
  4. Navigate to the Investigate > Status page to open the collected forensic data.
     The results pane displays all of the events collected from the specified device.
  5. Click ">" for a given event to expand it and display additional information.
  6. Select the event row to view the event information in a flyout. Forensics captured for the various entities are displayed in the flyout.
Forensic collection entities
Following are the entities for which forensic data is collected, with the modules and fields captured for each. Module coverage differs between Windows clients ("Windows Modules with Fields") and Linux clients ("Linux Module with Fields").
Process Information
  • Process Information: Device time, OS type, Endpoint IP address, Process name, etc.
  • Process Information: Running processes and services: Process name, User name, Parent command line, Process SHA2, etc.
  • Process Memory Analysis:
    • Potential Privileges Escalated (true/false; indicates a potential attack technique using escalated privileges).
    • Malicious Ranking Score (a score from least to most potentially malicious, as determined by the analysis engine).
    • AI Suspicious (true/false; indicates potentially malicious activity as determined by the artificial-intelligence component of the analysis engine).
  • Module Information: Modules loaded in system memory: Module path, Module name, Module size, Module SHA2, etc.
Advanced Network Statistics
  Note: To collect network forensic data, the netstat package (provided by net-tools on most distributions) is required on the Linux client.
  • Windows event drivers
  • Schedule services
  • Sysclear software install
  • Network Information: Active network connections: Source IP, Source port, Destination IP, Destination port, Connection protocol, etc.
Local User Accounts
  • User Information: Local users: User name, User full name, User SID, User exists, etc.
Local Services
  • User Group Information: Local groups: Group name, Group exists, User names in group, etc.
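The entities in the table map to data a responder can also pull by hand when the console cannot reach a device. The script below is an added example, not the product's own collector: a POSIX shell snapshot of the same entities on a Linux host (running processes with the SHA-256 of their executable and the parent command line, file-backed modules mapped in memory, active network connections, local users and groups). It checks for the netstat dependency the note above mentions and, when netstat is missing, falls back to ss or to decoding /proc/net/tcp directly, then writes every entity as a TSV into a hashed bundle. All function names, the output layout and the constructed /proc/net/tcp sample are the example's own assumptions; it assumes /proc, coreutils and awk are available.

```shell
#!/bin/sh
# Added example, not the console's collector: snapshot the forensic entities the
# page lists on a Linux host. Assumes /proc, coreutils and awk; netstat (net-tools)
# and ss are optional, with a /proc/net/tcp fallback when neither is installed.
set -u

# Running processes: pid, uid, process name, SHA-256 of the executable, parent command line.
collect_processes() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/status" ] || continue
        pid=${dir#/proc/}
        name=$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null || true)
        uid=$(awk '/^Uid:/ {print $2; exit}' "$dir/status" 2>/dev/null || true)
        ppid=$(awk '/^PPid:/ {print $2; exit}' "$dir/status" 2>/dev/null || true)
        # Parent command line; kernel threads and exited parents yield an empty string.
        pcmd=$(tr '\0' ' ' 2>/dev/null < "/proc/${ppid:-0}/cmdline" || true)
        # /proc/<pid>/exe is unreadable for other users' processes and kernel threads.
        sha=$(sha256sum "$dir/exe" 2>/dev/null | cut -d' ' -f1 || true)
        printf '%s\t%s\t%s\t%s\t%s\n' "$pid" "${uid:-?}" "${name:-?}" "${sha:-n/a}" "${pcmd:-n/a}"
    done
}

# Modules loaded in memory: every file-backed mapping of any readable process, reported
# once with path, name, size and SHA-256 (the Module Information fields in the table).
collect_modules() {
    cat /proc/[0-9]*/maps 2>/dev/null | awk '$6 ~ /^\// {print $6}' | sort -u |
    while read -r path; do
        [ -f "$path" ] || continue        # skip deleted files and device nodes
        size=$(stat -c %s "$path" 2>/dev/null || echo 0)
        sha=$(sha256sum "$path" 2>/dev/null | cut -d' ' -f1 || true)
        printf '%s\t%s\t%s\t%s\n' "$path" "$(basename "$path")" "$size" "${sha:-n/a}"
    done
}

# /proc/net/tcp stores IPv4 addresses as little-endian hex and ports as big-endian hex.
hex_to_ip() {   # "0100007F" -> 127.0.0.1
    printf '%d.%d.%d.%d' \
        "0x$(printf %s "$1" | cut -c7-8)" "0x$(printf %s "$1" | cut -c5-6)" \
        "0x$(printf %s "$1" | cut -c3-4)" "0x$(printf %s "$1" | cut -c1-2)"
}
hex_to_port() { printf '%d' "0x$1"; }   # "0016" -> 22

# Parse a /proc/net/tcp-formatted stream on stdin into proto, local, remote, state.
parse_proc_net_tcp() {
    tail -n +2 | while read -r sl local_addr rem_addr st rest; do
        [ -n "$local_addr" ] || continue
        printf 'tcp\t%s:%s\t%s:%s\tstate=%s\n' \
            "$(hex_to_ip "${local_addr%%:*}")" "$(hex_to_port "${local_addr##*:}")" \
            "$(hex_to_ip "${rem_addr%%:*}")" "$(hex_to_port "${rem_addr##*:}")" "$st"
    done
}

# Active network connections. The console requires netstat on the Linux client; this
# example checks for it, tries ss next, and otherwise decodes /proc/net/tcp itself.
collect_network() {
    if command -v netstat >/dev/null 2>&1; then
        netstat -tunap 2>/dev/null || true
    elif command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null || true
    else
        echo "netstat not found (install net-tools); decoding /proc/net/tcp instead" >&2
        parse_proc_net_tcp 2>/dev/null < /proc/net/tcp || true
    fi
}

# Local users and groups from the local account databases only (no NSS/LDAP lookups),
# plus the "User exists" style check the table lists.
collect_local_users() {   # name, uid, full name (GECOS), shell
    awk -F: '{ printf "%s\t%s\t%s\t%s\n", $1, $3, $5, $7 }' /etc/passwd 2>/dev/null || true
}
collect_local_groups() {  # name, gid, members
    awk -F: '{ printf "%s\t%s\t%s\n", $1, $3, ($4 == "" ? "-" : $4) }' /etc/group 2>/dev/null || true
}
user_exists() {           # exit 0 if the account is in /etc/passwd
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' /etc/passwd 2>/dev/null
}

# Write one TSV per entity into a directory and hash the bundle so the snapshot
# can be verified later; prints the directory name.
snapshot() {
    out=${1:-"forensics-$(hostname 2>/dev/null || echo host)-$(date -u +%Y%m%dT%H%M%SZ)"}
    mkdir -p "$out"
    { echo "device_time=$(date -u +%Y-%m-%dT%H:%M:%SZ)"; echo "os_type=$(uname -sr)"; } > "$out/device.txt"
    collect_processes    > "$out/processes.tsv"
    collect_modules      > "$out/modules.tsv"
    collect_network      > "$out/network.tsv"
    collect_local_users  > "$out/users.tsv"
    collect_local_groups > "$out/groups.tsv"
    (cd "$out" && sha256sum ./*.tsv device.txt > SHA256SUMS)
    echo "$out"
}

# Usage: sh collect.sh --run [output-dir]
case "${1:-}" in --run) snapshot "${2:-}" ;; esac
```

Run it as root with `sh collect.sh --run /mnt/evidence/host1` so that every process's exe link and memory map is readable; as an unprivileged user the SHA-256 column will read n/a for processes you do not own, which the collector reports rather than silently dropping the row. The SHA256SUMS file is computed last so a later sha256sum -c can show whether the bundle was altered after capture.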