Sophos EDR enabled devices are continually capturing data related to process, file, network and other system activity. When a threat detection occurs, a snapshot file of current activity is created on the disk of the device. This snapshot helps generate the Threat Case in Sophos Central, which attempts to piece together the threat chain of an attack and identify related activities.
EDR enabled customers have the ability to create Forensic Snapshots and perform detailed analysis on demand. Note: To analyse the snapshot you'll first need to convert it into a usable format using a tool that Sophos provides.
Admins can generate a forensic snapshot from two areas in the Sophos Central Console (the Computers and Servers lists) or from within Threat Cases.
For Endpoints: From Sophos Central Admin > Endpoint Protection > Computers, select the endpoint that you want to generate a snapshot for. In the Status tab select the link to Create forensic snapshot.
For Servers: From Sophos Central Admin > Server Protection > Servers, select the server that you want to generate a snapshot for. In the Status tab select the link to Create forensic snapshot.
From Sophos Central Admin > Threat Analysis Center > Threat Cases, select a Threat Case associated with the device you want to generate a snapshot for. Once in the Threat Case, click the Create forensic snapshot link at the top of the artifact table.
Customer generated forensic snapshots can be located in the %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Forensic Snapshots\ directory.
Snapshots based on detections can be located in the %PROGRAMDATA%\Sophos\Endpoint Defense\Data\Saved Data\ directory.
Note: With tamper protection enabled, admins must run from an elevated command prompt to get access to saved snapshots.
The SDR Exporter utility is the tool used to convert snapshots on a device into a format where advanced queries can be run. The snapshots can then be converted to a SQLite database or a JSON formatted file.
The tool is available from the Sophos downloads. There is a 64 bit version and 32 bit version of the tool available and due to changes in functionality an updated version has been provided as detailed below:
The minimal usage for the tool would be to specify the path and filename of the snapshot to be converted with path and filename of the output file and the requested format as seen below:
64 bit: SDRExporterx64.exe -i <path to snapshot tgz> -o <path to output file> -f <format to output sqlite or json>
32 bit: SDRExporterx86.exe -i <path to snapshot tgz> -o <path to output file> -f <format to output sqlite or json>
Help for the tool can be seen by running the command SDRExporter.exe -h:
-h [ --help ]
-i [ --input-path ]
-o [ --output-path ]
-f [ --output-format ]
-v [ --output-version ]
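The script below is an added example, not Sophos code. It batch-converts every snapshot in the two directories named above using the -i, -o and -f options from this article, and records a SHA-256 of each original snapshot so the converted copy can be tied back to it. The exporter folder, output folder and the *.tgz file extension are assumptions. Because the article does not document the tool's exit codes, success is judged by whether the output file exists.

```powershell
# Added example: batch-convert Sophos forensic snapshots with SDR Exporter.
# Assumptions (not from the article): exporter folder, output folder, *.tgz extension.
param(
    [string]$ExporterDir = 'C:\Tools\SDRExporter',   # hypothetical location of the downloaded tool
    [string]$OutputDir   = 'C:\IR\snapshots',        # hypothetical output folder
    [ValidateSet('sqlite', 'json')]
    [string]$Format      = 'sqlite'
)

# Tamper protection: the snapshot folders need an elevated session.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell prompt.'
}

# Pick the exporter build that matches the OS bitness.
$exeName  = if ([Environment]::Is64BitOperatingSystem) { 'SDRExporterx64.exe' } else { 'SDRExporterx86.exe' }
$exporter = Join-Path $ExporterDir $exeName
if (-not (Test-Path -LiteralPath $exporter)) { throw "Exporter not found: $exporter" }

# Snapshot locations given in the article.
$dataRoot = Join-Path $env:ProgramData 'Sophos\Endpoint Defense\Data'
$sources  = 'Forensic Snapshots', 'Saved Data' | ForEach-Object { Join-Path $dataRoot $_ }

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMddHHmmss'   # keeps each run's output files distinct

$results = foreach ($dir in $sources) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($snap in Get-ChildItem -LiteralPath $dir -Filter '*.tgz' -File) {
        $out  = Join-Path $OutputDir ('{0}_{1}.{2}' -f $snap.BaseName, $stamp, $Format)
        # Hash the original first so the converted copy can be tied back to it.
        $hash = (Get-FileHash -LiteralPath $snap.FullName -Algorithm SHA256).Hash
        # Out-Host keeps the tool's console output out of $results.
        & $exporter -i $snap.FullName -o $out -f $Format | Out-Host
        [pscustomobject]@{
            Snapshot  = $snap.FullName
            SHA256    = $hash
            Output    = $out
            Converted = Test-Path -LiteralPath $out   # judged by output file, not exit code
        }
    }
}
$results | Export-Csv -Path (Join-Path $OutputDir 'conversion-log.csv') -NoTypeInformation
$results | Format-Table -AutoSize
```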
Note: This functionality is currently available for Central Windows Endpoint protection only and requires Core Agent 2.5.0 and above. It will be available in an upcoming release for Sophos Central Server protection.
By default, snapshots are saved on the local computer. You can upload snapshots to an AWS S3 bucket instead. This lets you access your snapshots easily in a central location, rather than going to each computer.
This requires you to have an available AWS S3 bucket and to create a new Policy and IAM Role that allow snapshots to be uploaded to the S3 bucket.
Create a managed policy:
Add the AWS Account to Sophos Central:
Creating a bucket policy
While it is not a Sophos requirement for the upload of forensic data, we do recommend you create a bucket policy to apply restrictions on a bucket. The following is an example policy to restrict access to the bucket contents:
Are there any issues that I should be aware of?