Sophos EDR-enabled devices continually capture data related to process, file, network and other system activity. EDR-licensed customers can generate a forensic snapshot on demand, in which all of the monitored activity is packaged up and made available for detailed analysis. In the past, after a forensic snapshot was generated, admins needed to retrieve the snapshot file from the device where the snapshot was taken. With our latest endpoint release, customers can now automatically upload snapshots to an Amazon S3 bucket that they own (requires Core Agent 2.5.0 or above). A new Forensic Snapshots -> Global Settings page has been added where this new setting can be enabled.


For more detail on how to enable this new functionality and how to configure your Amazon S3 bucket to allow snapshots to be uploaded, see the 'Upload forensic snapshot to an AWS S3 bucket' section in this Help with Forensic Snapshots KBA.


This functionality is currently available for EDR-enabled Windows Endpoints; it will be available in an upcoming release for EDR-enabled Servers.

The KBA also contains details on converting snapshots into the format you want, so that advanced queries can be run against the data. Also see this video for a refresher on converting a forensic snapshot to a SQLite DB and performing analysis on that data.