Skip to content

Forensic logs

The Sophos Diagnostic Utility (SDU) can generate forensic logs for Sophos incident response teams to use.

This feature is only available for Windows devices.

Run SDU in forensic mode

To use forensic mode, you must run SDU from the command line as follows:

  1. In your program files, go to Sophos/Sophos Diagnostic Utility.
  2. Run sducli.exe -forensics.

You can also use parameters to customize the forensic logging.

Forensics parameters

The available parameters are as follows.


Collects forensics details. The default is off.


Forensics mode

Specifies how much data is collected. Use this with the "fast" (least data), "standard", or "full" (most data) mode. "standard" is used if you don't specify a mode.

SDU Checks the configuration file to see which data your selected mode should collect.


Configuration file

Name of the configuration file that specifies which data is collected by "fast", "standard", or "full" mode. The default file supplied is sduconfig.xml.


Forensic and standard SDU logging

When you turn on forensic logging, standard SDU logging options such as collection of system information are turned off by default.

However, you can combine forensic logging with standard SDU logging if you want to. For example, enter this command:

sducli.exe -forensics=fast -sysinfo

This collects system information as well as forensics data. For details of the standard SDU options, see Troubleshoot.