Skip to content

Forensic snapshots

Forensic snapshots get data from a Sophos log of a computer’s activity so that you can do your own analysis.

You can create a forensic snapshot from a threat graph or from the Status tab in a device’s details page.

Go to My Products > General Settings > Forensic Snapshots.

You can configure how much data you want in your snapshots and where you want to put them.


The configuration options may not be available for all customers yet.

Set the time period for the forensic snapshot

By default, a snapshot includes data for the previous two weeks.

Here you can set a different time period or choose to include all the available data.

Upload forensic snapshot to an AWS S3 bucket

By default, snapshots are saved on the local computer.

You can upload snapshots to an AWS S3 bucket instead. This lets you access your snapshots easily in a central location, rather than going to each computer.

  1. Enter the S3 bucket name and directory where you want to upload snapshots.
  2. Go to your AWS console and create a new IAM role. You need to include the details of the Sophos proxy account that will put the snapshot data in your S3 bucket. Use the AWS Account ID and AWS External ID we provide.

    For full details of how to set up an AWS S3 bucket so that you can upload snapshots, see Upload a forensic snapshot to an AWS S3 bucket.

  3. Go back to the Forensic Snapshots page and enter your ARN (Amazon Resource Name).

  4. Click Save.


If you use Sophos Firewall, it might block traffic to the S3 bucket. If this happens, update the firewall's policy to allow this traffic.


A limitation that is set by AWS means that uploads time out if they take longer than one hour. This is more likely if the data in the snapshot covers a long time period.