Collect and manage digital evidence to support threat investigation and incident response.

The Evidence Archive tab of Forensics allows you to collect and manage evidence packages from the endpoints in your environment.
The following table outlines the actions available on the Evidence Archive tab.
Collect evidence
Click Collect Evidence to collect evidence from the endpoints in your environment.
Filter endpoints
Use the search field and drop-down list to locate specific endpoints.
View evidence packages collected from an endpoint
Identify an endpoint and click the right arrow at the beginning of the row to display all packages collected from that endpoint.
The Evidence Archive tab displays the following information about evidence packages:
  • Package: Name of the collected evidence package
  • File size: Size of the package
  • Collection: Collection status of the evidence
    Collection statuses include:
    • In progress...: Evidence is being processed
    • Successful: The evidence was processed successfully
    • Partially Successful: Forensics was unable to process some of the evidence types in the package
    • Unsuccessful: An error or time-out occurred when processing the evidence package
  • Source: The product or method that uploaded the evidence package to Forensics
  • Collected: The date and time the evidence package was uploaded to Forensics
  • Deletion: The date and time the package will be deleted
    Evidence packages are automatically deleted one year after upload.
Take additional actions
Click the options button at the end of the row and choose to take additional actions on the evidence package:
  • Download Package