Sophos EDR-enabled devices continually capture data about process, file, network and other system activity. When a threat detection occurs, a snapshot file of the current activity is written to the disk of the device. This snapshot is used to generate the Threat Case in Sophos Central, which attempts to piece together the threat chain of an attack and identify related activities.
EDR-enabled customers can also create Forensic Snapshots on demand and perform detailed analysis on them. Note: To analyse a snapshot you'll first need to convert it into a usable format using a tool that Sophos provides.
Admins can generate a forensic snapshot from two places in the Sophos Central console: the device pages (Computers or Servers) or from within a Threat Case.
For Endpoints: From Sophos Central Admin > Endpoint Protection > Computers, select the endpoint that you want to generate a snapshot for. In the Status tab select the link to Create forensic snapshot.
For Servers: From Sophos Central Admin > Server Protection > Servers, select the server that you want to generate a snapshot for. In the Status tab select the link to Create forensic snapshot.
From Sophos Central Admin > Threat Analysis Center > Threat Cases, select a Threat Case associated to the device you want to generate a snapshot for. Once in the Threat Case at the top of the artifact table, click the link to Create forensic snapshot.
Customer generated forensic snapshots can be located in the %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\ directory.
Snapshots based on detections can be located in the %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\ directory.
Note: With tamper protection enabled admins must be running from an elevated command prompt to get access to saved snapshots.
The SDR Exporter utility converts snapshots on a device into a format that advanced queries can be run against: either a SQLite database or a JSON-formatted file.
The tool is available from Sophos Downloads in a 64-bit version and a 32-bit version.
The minimal usage of the tool is to specify the path and filename of the snapshot to be converted, the path and filename of the output file, and the requested output format, as seen below:
SDRExporter.exe -i <path to snapshot tgz> -o <path to output file> -f <format to output: sqlite or json>
Help for the tool can be seen by running the command SDRExporter.exe -h:
-h [ --help ]
-i [ --input-path ]
-o [ --output-path ]
-f [ --output-format ]
-v [ --output-version ]
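The following script is an added example (not Sophos code and not part of this article) that ties together the two parts above: it looks for snapshot files in the two documented %PROGRAMDATA% directories, warns when the prompt is not elevated (the tamper-protection note), builds and runs the minimal SDRExporter.exe command line, and then enumerates the tables in the resulting SQLite file so an analyst can see what the export contains before writing queries. It assumes SDRExporter.exe is on the PATH and that snapshot files end in .tgz (as the exporter's usage line suggests). Because the article does not document the export schema, the script only reads SQLite's own sqlite_master catalogue; the small demo database it can write for offline use has a constructed schema that is not the real SDRExporter output.

```python
"""Locate Sophos forensic snapshots, convert them with SDRExporter.exe and
inspect the resulting SQLite file.  Added example, not Sophos code.
Assumptions: SDRExporter.exe is on PATH; snapshots are *.tgz files."""
import glob
import os
import platform
import sqlite3
import subprocess
import tempfile

# Directories documented in the article (relative to %PROGRAMDATA%).
CUSTOMER_SNAPSHOT_SUBDIR = r"Sophos\Endpoint Defense\Data\Forensic Snapshots"
DETECTION_SNAPSHOT_SUBDIR = r"Sophos\Endpoint Defense\Data\Saved Data"
SUPPORTED_FORMATS = ("sqlite", "json")  # the two formats the exporter offers


def snapshot_dirs(program_data):
    """Return the two snapshot directories for the given %PROGRAMDATA% root."""
    return [os.path.join(program_data, CUSTOMER_SNAPSHOT_SUBDIR),
            os.path.join(program_data, DETECTION_SNAPSHOT_SUBDIR)]


def find_snapshots(program_data):
    """List every *.tgz snapshot under both directories, newest first."""
    found = []
    for d in snapshot_dirs(program_data):
        found.extend(glob.glob(os.path.join(d, "*.tgz")))
    return sorted(found, key=os.path.getmtime, reverse=True)


def running_elevated():
    """Tamper protection requires an elevated prompt to read saved snapshots.
    Only meaningful on Windows; returns None elsewhere."""
    if platform.system() != "Windows":
        return None
    import ctypes
    return bool(ctypes.windll.shell32.IsUserAnAdmin())


def build_export_command(snapshot, output, fmt, exporter="SDRExporter.exe"):
    """argv for the minimal invocation from the article:
    SDRExporter.exe -i <snapshot tgz> -o <output file> -f <sqlite|json>."""
    if fmt not in SUPPORTED_FORMATS:
        raise ValueError("output format must be one of %s" % (SUPPORTED_FORMATS,))
    return [exporter, "-i", snapshot, "-o", output, "-f", fmt]


def convert_snapshot(snapshot, output, fmt="sqlite", exporter="SDRExporter.exe"):
    """Run the exporter; raises CalledProcessError on a non-zero exit."""
    subprocess.run(build_export_command(snapshot, output, fmt, exporter), check=True)
    return output


def list_tables(db_path):
    """Enumerate tables via SQLite's own catalogue (no schema assumed)."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def row_counts(db_path):
    """Rows per table: a quick check that the conversion was not empty."""
    con = sqlite3.connect(db_path)
    try:
        counts = {}
        for name in list_tables(db_path):
            quoted = '"%s"' % name.replace('"', '""')  # safe identifier quoting
            counts[name] = con.execute("SELECT COUNT(*) FROM %s" % quoted).fetchone()[0]
    finally:
        con.close()
    return counts


def write_constructed_demo_db(path=None):
    """Write a tiny CONSTRUCTED SQLite file so the inspection helpers can be
    exercised offline.  Its schema is invented for this example and is NOT
    the real SDRExporter output schema."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "demo_snapshot.sqlite")
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE demo_events (ts TEXT, detail TEXT)")
        con.executemany("INSERT INTO demo_events VALUES (?, ?)",
                        [("2024-01-01T00:00:00Z", "constructed row 1"),
                         ("2024-01-01T00:00:01Z", "constructed row 2")])
    con.close()
    return path


if __name__ == "__main__":
    program_data = os.environ.get("PROGRAMDATA", r"C:\ProgramData")
    if running_elevated() is False:
        print("not elevated: tamper protection may block access to snapshots")
    snapshots = find_snapshots(program_data)
    print("snapshots found:", snapshots)
    if snapshots:
        out = snapshots[0] + ".sqlite"
        convert_snapshot(snapshots[0], out)  # assumes SDRExporter.exe on PATH
        print(list_tables(out), row_counts(out))
    else:
        demo = write_constructed_demo_db()
        print("no snapshots; constructed demo:", list_tables(demo), row_counts(demo))
```

Run it from an elevated prompt on the device; with no snapshots present it falls back to the constructed demo database so the table-listing and row-count helpers can still be exercised. Table names are quoted as identifiers before being interpolated into the COUNT query, since names come from the file being inspected rather than from trusted input.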