Phase 4: Collection of Forensic Data

After analyzing the files, Traps notifies the ESM about the security event and can send additional forensic data to the forensic folder.
If your security policy contains a forensic data collection rule, Traps collects one or more specified data types and uploads the file(s) to the forensic folder. Depending on the preferences, Traps can collect URI that were accessed, drivers, files, and relevant DLLs that are loaded in memory under the attacked process, and ancestor processes of the process that triggered the security event. For more information, see Define Forensics Collection Preferences.
By default, Traps uses a web-based Background Intelligent Transfer Service (BITS) folder that utilizes idle network bandwidth to upload data. For more information, see Change the Default Forensic Folder.
You can also manually retrieve forensic data for a specific security event by creating a one-time action rule to retrieve the data. For more information, see Retrieve Data About a Security Event. To view the status of the forensic upload select
Monitor
Data Retrieval
.

Recommended For You