Collect and manage digital evidence to support threat investigation and incident response.

Forensics Evidence Archive allows you to collect and manage evidence packages from the endpoints in your environment.
The following table outlines the actions available for Evidence Archive.
Action: Collect evidence
Description: Click Collect Evidence to gather evidence from the endpoints in your environment.

Action: Filter endpoints
Description: Use the search box and filters to locate specific endpoints.

Action: View evidence packages collected from an endpoint
Description: Identify an endpoint and click the right arrow icon to display all packages collected from that endpoint.
Evidence Archive displays the following information about evidence packages:
  • Package: Name of the collected evidence package
  • File size: Size of the package
  • Collection: Collection status of the evidence
    Collection statuses include:
    • In progress...: Forensics is processing the evidence.
    • Successful: Forensics processed the evidence.
    • Partially Successful: Forensics could not process some of the evidence types in the package.
    • Unsuccessful: An error or time-out occurred while processing the evidence package.
  • Source: The product or method that uploaded the evidence package to Forensics
  • Collected: The date and time Forensics received the uploaded evidence package
  • Deletion: The date and time that Forensics will delete the package
    WARNING
    Forensics automatically deletes evidence packages one year after upload.
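Because packages are deleted one year after upload and only Successful packages are fully processed, an analyst tracking a case needs to know which packages must be re-collected and which are about to age out. The following Python script is an added example, not code from Forensics or its vendor: it takes package records with the fields listed above (a constructed sample is embedded inline), derives the Deletion date from the Collected date, and triages the packages. The one-year rule comes from the warning above; the 30-day warning window, the fallback of a 29 February upload to 28 February the next year, and the record layout are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Collection statuses shown in Evidence Archive (taken from the page).
IN_PROGRESS = "In progress..."
NEEDS_RECOLLECTION = {"Partially Successful", "Unsuccessful"}


@dataclass
class EvidencePackage:
    """One row of the Evidence Archive package list (field names follow the page)."""
    package: str
    file_size_mb: float
    collection: str
    source: str
    collected: datetime  # date and time Forensics received the upload


def deletion_date(collected: datetime) -> datetime:
    """Forensics deletes a package one year after upload.

    Assumption for the example: an upload on 29 February is deleted on
    28 February of the following year, since that year has no 29 February.
    """
    try:
        return collected.replace(year=collected.year + 1)
    except ValueError:
        return collected.replace(year=collected.year + 1, day=28)


def triage(packages, now: datetime, warn_days: int = 30) -> dict:
    """Sort packages into buckets an analyst should act on.

    recollect:   processing failed partly or fully, so evidence is missing
    in_progress: still being processed, check back later
    expired:     the deletion date has already passed
    expiring:    will be deleted within warn_days (download before it is gone)
    """
    buckets = {"recollect": [], "in_progress": [], "expired": [], "expiring": []}
    for p in packages:
        if p.collection in NEEDS_RECOLLECTION:
            buckets["recollect"].append(p.package)
        elif p.collection == IN_PROGRESS:
            buckets["in_progress"].append(p.package)

        remaining = deletion_date(p.collected) - now
        if remaining <= timedelta(0):
            buckets["expired"].append(p.package)
        elif remaining <= timedelta(days=warn_days):
            buckets["expiring"].append(p.package)
    return buckets


# Constructed sample data for the example; not real packages or endpoints.
NOW = datetime(2024, 6, 15, 9, 0)
SAMPLE_PACKAGES = [
    EvidencePackage("pkg-A", 120.5, "Successful", "Manual collection", datetime(2023, 7, 1, 9, 0)),
    EvidencePackage("pkg-B", 48.0, "Partially Successful", "Manual collection", datetime(2024, 2, 29, 9, 0)),
    EvidencePackage("pkg-C", 0.0, IN_PROGRESS, "Manual collection", datetime(2024, 6, 10, 9, 0)),
    EvidencePackage("pkg-D", 75.3, "Unsuccessful", "Manual collection", datetime(2023, 5, 1, 9, 0)),
]


if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_PACKAGES, NOW).items():
        print(f"{bucket:12s} {', '.join(names) or '-'}")
```

Run it to see which packages need attention; in practice the sample list would be replaced by the package details read from Evidence Archive for the endpoints under investigation.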
Action: Take additional actions
Description: Click the options icon and select an additional action:
  • Download Package