Best Practices for Managing Forensic Data

• Configure the Forensic Folder to Communicate Over SSL—To encrypt forensic data, we strongly recommend that you use SSL to communicate with the forensic folder. To use SSL, specify the HTTPS prefix and use port 443 when configuring the Forensic Folder URL (for example, HTTPS://ESMserver.Domain.local:443/BitsUploads).
• Collect full memory dumps for all processes—When a security event occurs on the endpoint, Traps can capture the contents of memory related to the protected process and automatically send the data to the ESM Server. This information enables you to further analyze security events when they occur. By sending the full memory dump, Traps captures the most complete amount of data.
• Create a script to monitor the disk quota—Due to the lack of an automated deletion mechanism, data related to a large number of prevention events can fill the disk quota on the server that hosts the quarantine folder. As a result, new prevention information will not be written once the quota is full. After the disk quota is full, you cannot erase the prevention data. By creating a script to monitor the disk quota, you can ensure that you are able to monitor and then delete older data, as needed.
• Enable forensics collection—When a security event occurs on the endpoint, Traps can collect additional forensic data including which files were accessed, modules that were loaded into memory, URIs that were accessed, and ancestor processes of the process that triggered the security event. You can use the data collected by Traps when troubleshooting a security event. For more information, see Define Forensics Collection Preferences.