Collecting forensic data

You can collect forensic data about an endpoint during an incident investigation without remotely logging in to the endpoint or using third-party tools. You can run the forensic capture from the Incidents and Device details pages.
The collected forensic data includes the following:
  • Process Information - device time, OS type, endpoint IP address, process name, etc.
  • Process Memory Analysis
  • Startup Folder Autoruns
  • Local Services
  • WMI Subscriptions
  • Registry Autoruns
  • Scheduled Tasks
  • Active Named Pipes
  • Last Changed System Files
  • Last Changed Temporary Files
  • Local User Accounts
  • Connected USB Devices
  • Active Network Adapters
  • RunKey History
  • Microsoft Office History
  • Hosts Files
  • USB Devices History
  • PowerShell 5 Command Line History
  • Browsing History
  • Download History
  • Advanced Network Statistics
  • Windows events - drivers, scheduled services, Sysclear, software install, etc.
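As an added example, not the product's own capture code, the following read-only PowerShell 5.1 triage script collects a subset of the categories above (process information, startup folder and registry autoruns, scheduled tasks, local services, WMI subscriptions, named pipes, local users, hosts file, PowerShell history and recently changed temporary files) into per-artifact JSON files. The output directory, the seven-day window for temporary files and the choice of artifacts are assumptions; run it from an elevated session so service and WMI queries succeed.

```powershell
# Added example: minimal read-only triage collector. Output location is an assumption.
param(
    [string]$OutDir = (Join-Path $env:TEMP ("triage-" + (Get-Date -Format 'yyyyMMdd-HHmmss')))
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Each collector runs in its own try block so one failure (missing module, access denied)
# does not abort the rest of the capture.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | ConvertTo-Json -Depth 4 |
            Set-Content -Path (Join-Path $OutDir "$Name.json") -Encoding UTF8
        Write-Host "[+] $Name"
    } catch {
        Write-Warning "[-] $Name failed: $($_.Exception.Message)"
    }
}

# Process information: device time, OS, IPv4 addresses and the process list with command lines.
Save-Artifact 'process_information' {
    [pscustomobject]@{
        DeviceTime = (Get-Date).ToString('o')
        OS         = (Get-CimInstance Win32_OperatingSystem).Caption
        IPv4       = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object PrefixOrigin -ne 'WellKnown').IPAddress
        Processes  = Get-CimInstance Win32_Process |
                     Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
    }
}

# Startup folder autoruns (current user and all users).
Save-Artifact 'startup_folder_autoruns' {
    $paths = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
    Get-ChildItem -Path $paths -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

# Registry autoruns: Run and RunOnce keys under HKLM and HKCU.
Save-Artifact 'registry_autoruns' {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        if (Test-Path $k) {
            (Get-ItemProperty -Path $k).PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
        }
    }
}

# Scheduled tasks with the commands their actions launch.
Save-Artifact 'scheduled_tasks' {
    Get-ScheduledTask | ForEach-Object {
        [pscustomobject]@{
            Path    = $_.TaskPath; Name = $_.TaskName; State = [string]$_.State
            Actions = @($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" })
        }
    }
}

# Local services and the binaries they run as.
Save-Artifact 'local_services' {
    Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, StartName, PathName
}

# WMI event subscriptions: filters, command-line consumers and the bindings that join them.
Save-Artifact 'wmi_subscriptions' {
    $ns = 'root\subscription'
    [pscustomobject]@{
        Filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter | Select-Object Name, Query
        Consumers = Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer |
                    Select-Object Name, CommandLineTemplate
        Bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding |
                    Select-Object Filter, Consumer
    }
}

# Active named pipes (strip the leading "\\.\pipe\" prefix, 9 characters).
Save-Artifact 'active_named_pipes' {
    [System.IO.Directory]::GetFiles('\\.\pipe\') | ForEach-Object { $_.Substring(9) }
}

# Local user accounts.
Save-Artifact 'local_user_accounts' {
    Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, SID
}

# Hosts file and the current user's PowerShell 5 (PSReadLine) command history.
Save-Artifact 'hosts_file' { Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" }
Save-Artifact 'powershell_history' {
    Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -ErrorAction SilentlyContinue
}

# Temporary files changed in the last 7 days (the window is an assumption).
Save-Artifact 'last_changed_temp_files' {
    Get-ChildItem -Path $env:TEMP -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object LastWriteTime -gt (Get-Date).AddDays(-7) |
        Sort-Object LastWriteTime -Descending | Select-Object FullName, Length, LastWriteTime
}

Write-Host "Collection written to $OutDir"
```

Every collector only reads system state; nothing is modified on the endpoint beyond the output directory. Per-artifact files make it easy to hash the bundle for chain of custody and to diff two captures of the same host, for example before and after a suspected persistence change in the Run keys, scheduled tasks or WMI bindings.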