
Forensic Data Types

When a security event occurs on an endpoint, Traps can collect the following information:
Forensic Data Type
Description
Memory Dump
Contents of memory locations captured at the time of an event.
Accessed Files
Files that are loaded in memory under the attacked process, collected for in-depth event inspection, including:
  • Relevant DLLs, including their paths
  • Relevant files from the Temporary Internet Files folder
  • Open files (executables and non-executables)
Loaded Modules
PE image files that are loaded on the system at the time of a security event.
Accessed URI
Network resources that were accessed at the time of the security event and uniform resource identifier (URI) information.
The Traps agent can collect accessed URIs from Internet Explorer and Firefox browsers only. When an event occurs that is related to other browsers (for example, Microsoft Edge), you will not be able to access URI data for further analysis.
Collected information includes:
  • URIs including hidden links and frames of the relevant attacked threads.
  • Java applet source URIs, filenames and paths, including parents, grandparents, and child processes
  • Collection of URI calls from browser plug-ins, media players, and mail-client software
Ancestor Processes
Information about ancestor processes (from browsers, non-browsers, and Java applet child processes) at the time of a security event, including:
  • Separate sources and destinations for Thread Injection
  • Restricted child process parents and grandparents
To customize which types of files are collected, Create a Forensics Rule.