Forensic snapshots
Forensic snapshots capture recent activity on a device.
When we detect a threat, a snapshot is created automatically on the device and used to create a threat graph, which shows how an attack developed.
You can also create forensic snapshots on demand and do your own analysis.
This page tells you how to do the following:
- Create forensic snapshots.
- Access forensic snapshots.
- Set the time period for forensic snapshots.
You can also do the following:
- Convert snapshots so you can analyze them. See Convert forensic snapshots
- Upload snapshots to an AWS S3 bucket. See Upload forensic snapshots to an AWS S3 bucket
You can upload snapshots only from Windows devices. You must also have an XDR or MDR license.
Create a forensic snapshot
You can create a forensic snapshot from the device details in Sophos Central or from a threat graph.
Create a snapshot from device details
To create a snapshot from the device details, do as follows:
- In Sophos Central, go to My Products > Computers and servers.
- Click the name of the device for which you want to generate a snapshot.
- On the Summary tab in the device's details page, click More actions and select Create forensic snapshot.
- In Create forensic snapshot, click Create now.
By default, a snapshot is created in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.
Alternatively, you can upload snapshots to an S3 bucket. See Upload forensic snapshots to an AWS S3 bucket.
You must convert your snapshot to a format that lets you analyze it. See Convert forensic snapshots.
Create a snapshot from a threat graph
To create a snapshot from a threat graph, do as follows:
- In Sophos Central, go to Threat Analysis Center > Threat Graphs.
- Select a detected threat associated with the device for which you want to generate a snapshot.
- In the Threat Graph, click Create forensic snapshot below the artifact table.
By default, a snapshot is created in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.
Alternatively, you can upload snapshots to an S3 bucket. See Upload forensic snapshots to an AWS S3 bucket.
You must convert your snapshot to a format that lets you analyze it. See Convert forensic snapshots.
Access forensic snapshots
You can access forensic snapshots on the device.
Note
With tamper protection turned on, you must run from an elevated command prompt to access saved snapshots.
By default, snapshots you create are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\.
Snapshots we create automatically based on detections are in %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\.
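The following PowerShell script is an added example for collecting snapshots from a device; it is not Sophos code and is not part of the original page. It uses the two default folders named above, checks that the session is elevated before touching them (tamper protection denies access otherwise), records a SHA-256 hash of every file so the evidence can be verified later, and optionally copies the files to a destination folder with a manifest. The -Destination parameter, the manifest file name and the per-kind subfolders are this example's own choices; the page says nothing about the snapshot file format, so the script treats each file as an opaque blob.

```powershell
# Added example, not Sophos-provided: enumerate and collect forensic snapshots on a Windows endpoint.
# Assumes the default folders documented above. -Destination and the manifest layout are hypothetical.
param(
    [string]$Destination = $null   # optional: copy snapshots here (e.g. an evidence drive)
)

$base  = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data'
$paths = @{
    'OnDemand'  = Join-Path $base 'Forensic Snapshots'   # snapshots you create
    'Automatic' = Join-Path $base 'Saved Data'           # snapshots created on detection
}

# With tamper protection on, a non-elevated prompt cannot read these folders.
# Fail early rather than silently reporting an empty folder.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Administrator) prompt; tamper protection denies access otherwise.'
}

$results = foreach ($kind in $paths.Keys) {
    $dir = $paths[$kind]
    if (-not (Test-Path -LiteralPath $dir)) {
        Write-Warning "$kind snapshot folder not found: $dir"
        continue
    }
    # Hash at collection time so later tampering or transfer corruption is detectable.
    Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction Stop | ForEach-Object {
        [pscustomobject]@{
            Kind      = $kind
            Path      = $_.FullName
            SizeBytes = $_.Length
            Modified  = $_.LastWriteTimeUtc
            SHA256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$results | Sort-Object Modified -Descending | Format-Table -AutoSize

if ($Destination) {
    foreach ($r in $results) {
        # Keep on-demand and automatic snapshots apart so same-named files do not collide.
        $target = Join-Path $Destination $r.Kind
        New-Item -ItemType Directory -Path $target -Force | Out-Null
        Copy-Item -LiteralPath $r.Path -Destination $target
    }
    # The manifest carries the hashes recorded at collection time alongside the copies.
    $results | Export-Csv -LiteralPath (Join-Path $Destination 'snapshot-manifest.csv') -NoTypeInformation
}
```

Run it as `.\Collect-Snapshots.ps1` to list what is on the device, or `.\Collect-Snapshots.ps1 -Destination E:\Evidence\HOST01` to copy the files and write the manifest. Re-running `Get-FileHash` against the copies and comparing with the manifest confirms the evidence is intact before you convert or upload it.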
Set time period for snapshots
By default, a snapshot includes data for the previous two weeks.
You can change the time period or choose to include all the available data, as follows:
- In Sophos Central, go to General Settings > Forensic Snapshots.
- In Set time period for forensic snapshot, select a time period or All log data.
Upload snapshots to an S3 bucket
You can upload forensic snapshots to an AWS S3 bucket. This lets you access your snapshots easily in a single location, rather than going to each device.
For details of how to set up an AWS S3 bucket so you can upload snapshots, see Upload forensic snapshots to an AWS S3 bucket.
Forensic Log Collection
If you set up uploads to an AWS S3 bucket here, our new Forensic Log Collection feature uses the same settings to upload logs.
Forensic Log Collection is currently only available via our Sophos Central API. See https://developer.sophos.com/api.