Forensic snapshots
Forensic snapshots get data from a Sophos log of a computer’s activity so that you can do your own analysis.
You can create a forensic snapshot from a threat case or from the Status tab in a device’s details page.
On the
page, you can configure how much data you want in your snapshots and where you want to put them.
Set the time period for the forensic snapshot
By default, a snapshot includes data for the previous two weeks.
Here you can set a different time period or choose to include all the available data.
Upload forensic snapshot to an AWS S3 bucket
By default, snapshots are saved on the local computer.
You can upload snapshots to an AWS S3 bucket instead. This lets you access your snapshots easily in a central location, rather than going to each computer.
- Enter the S3 bucket name and directory where you want to upload snapshots.
- Go to your AWS console and create a new IAM role. You need to include the details of the Sophos proxy account that will put the snapshot data in your S3 bucket. Use the AWS Account ID and AWS External ID we provide.
For full details of how to set up an AWS S3 bucket so that you can upload snapshots, see Upload a forensic snapshot to an AWS S3 bucket.
- Go back to the Forensic Snapshots page and enter your ARN (Amazon Resource Name).
- Click Save.
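The IAM role described in the steps above can be sketched as two policy documents plus a check that the trust policy is scoped to the Sophos account and external ID. This is an added example, not Sophos's own code. The account ID, external ID, bucket and directory are constructed placeholders, the function names are hypothetical, and limiting the role to `s3:PutObject` on one directory is an assumption; the linked Sophos page has the exact permissions required.

```python
# Constructed placeholders: use the AWS Account ID and AWS External ID that
# Sophos provides, and your own bucket name and directory.
ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "EXAMPLE-EXTERNAL-ID"
BUCKET, DIRECTORY = "example-forensics-bucket", "snapshots"


def build_trust_policy(account_id, external_id):
    """Only the given account may assume the role, and only with the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def build_upload_policy(bucket, directory):
    """Write-only access to one directory (assumed scope, see lead-in)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/{directory.strip('/')}/*",
        }],
    }


def audit_trust_policy(policy, account_id, external_id):
    """Return the problems found in a role trust policy (empty list = OK)."""
    findings = []
    expected = {account_id, f"arn:aws:iam::{account_id}:root"}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if not aws or any(p not in expected for p in aws):
            findings.append("principal not limited to the expected account")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if cond.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong")
    return findings
```

Running `audit_trust_policy` over the trust policy of an existing role (exported as JSON) shows whether the role can be assumed by any principal other than the Sophos account, or without the external ID.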