Forensic logs
The Sophos Diagnostic Utility (SDU) can generate forensic logs for Sophos incident response teams to use.
This feature is only available for Windows devices.
Run SDU in forensic mode
To use forensic mode, you must run SDU from the command line as follows:
- In your Program Files folder, go to Sophos/Sophos Diagnostic Utility.
- Run sducli.exe -forensics.
You can also use parameters to customize the forensic logging.
Forensics parameters
The available parameters are as follows.
Forensics
-[no-]forensics
Collects forensics details. The default is off.

Forensics mode
-forensics="<mode>"
Specifies how much data is collected. <mode> is "fast" (least data), "standard", or "full" (most data). "standard" is used if you don't specify a mode. SDU checks the configuration file to see which data your selected mode should collect.

Configuration file
-config="<filename>"
Name of the configuration file that specifies which data is collected by "fast", "standard", or "full" mode. The default file supplied is sduconfig.xml.
Forensic and standard SDU logging
When you turn on forensic logging, standard SDU logging options such as collection of system information are turned off by default.
However, you can combine forensic logging with standard SDU logging if you want to. For example, enter this command:
sducli.exe -forensics=fast -sysinfo
This collects system information as well as forensics data. For details of the standard SDU options, see Troubleshoot.
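The following PowerShell wrapper is an added example, not Sophos' own code or part of the original page. It runs sducli.exe in forensic mode from the install location given above, validates the mode against the three values the page documents, optionally passes a configuration file and the -sysinfo option, and returns the exit code. The exact install path under Program Files, the -DryRun switch, and the assumption that a non-zero exit code means failure are all this example's own; the page documents neither exit codes nor how relative configuration paths are resolved, so a full path is passed.

```powershell
# Added example (not Sophos' code): run sducli.exe in forensic mode with validated
# parameters. Only the options documented on the page are used:
#   -forensics="<mode>"   mode is fast | standard | full
#   -config="<filename>"  configuration file (sduconfig.xml is the supplied default)
#   -sysinfo              also collect standard SDU system information
function Invoke-SduForensics {
    [CmdletBinding()]
    param(
        # Collection depth: "fast" (least data), "standard" (default), or "full" (most data).
        [ValidateSet('fast', 'standard', 'full')]
        [string]$Mode = 'standard',

        # Optional configuration file. Assumption: passing a full path avoids any
        # dependence on how sducli.exe resolves relative names.
        [string]$ConfigFile,

        # Combine forensic logging with standard SDU system-information collection.
        [switch]$SysInfo,

        # Print the command line instead of running it.
        [switch]$DryRun
    )

    # Install location as described on the page: <Program Files>\Sophos\Sophos Diagnostic Utility.
    $sduDir = Join-Path $env:ProgramFiles 'Sophos\Sophos Diagnostic Utility'
    $exe    = Join-Path $sduDir 'sducli.exe'
    if (-not (Test-Path -LiteralPath $exe)) {
        throw "sducli.exe not found at '$exe'. Forensic mode is only available on Windows devices with SDU installed."
    }

    $argList = @("-forensics=$Mode")

    if ($ConfigFile) {
        # Fail early if the configuration file does not exist rather than letting SDU fall back silently.
        $resolved = (Resolve-Path -LiteralPath $ConfigFile -ErrorAction Stop).Path
        $argList += "-config=`"$resolved`""
    }

    if ($SysInfo) {
        $argList += '-sysinfo'
    }

    if ($DryRun) {
        Write-Host "Would run: `"$exe`" $($argList -join ' ')"
        return 0
    }

    # Run from SDU's own directory and wait, so the caller can act on the result.
    $proc = Start-Process -FilePath $exe -ArgumentList $argList -WorkingDirectory $sduDir `
                          -NoNewWindow -Wait -PassThru

    # Assumption: a non-zero exit code indicates failure; the page does not document exit codes.
    if ($proc.ExitCode -ne 0) {
        throw "sducli.exe exited with code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

# Example calls:
# Invoke-SduForensics                                            # standard mode, forensics only
# Invoke-SduForensics -Mode fast -SysInfo                        # the page's combined command
# Invoke-SduForensics -Mode full -ConfigFile .\sduconfig.xml -DryRun
```

Run it from an elevated PowerShell prompt in the same way you would run sducli.exe directly. The -DryRun switch is useful for confirming the exact command line (for example, that a mode name is spelled as "fast", "standard", or "full") before a collection is started on a device under investigation.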