Run an on-demand forensic backup on a workload

As part of your investigation into an attack, EDR enables you to run an on-demand forensic backup for audit or further investigation purposes. Note that this feature is available only if the partner's workload has a subscription for Advanced Backup.

To run a forensic backup

1. In the cyber kill chain, click the workload node you want to run a forensic backup on.
2. In the displayed sidebar, click the Response Actions tab.
3. In the Investigate section, click Forensic backup.

   

4. [Optional] In the Backup name field, click the edit icon to edit the backup name.
5. In the Forensic options field, click the displayed link. In the displayed Forensic options dialog, select one of the following:
   • Collect raw memory dump
   • Collect kernel memory dump

   You can also select the Snapshot of running processes check box to add information about the processes running at the moment the backup starts. This information is stored in a backup image.

   Click Save to close the Forensic options dialog.

6. In the Where to back up field, click the displayed link to define a location for the backup.
7. [Optional] Click the Encryption option to enable encryption. In the displayed dialog, enter the password for the encrypted backup and select the relevant encryption algorithm.
8. [Optional] In the Comment field, add a comment. This comment is visible in the Activities tab (for a single node or the entire incident), and can help you (or your colleagues) recall why you took the action when you revisit the incident.
9. Click Run.

   The forensic backup is started. This action can also be viewed in the Activities tabs of both the individual node and the entire incident. For more information, see Understand the actions taken to mitigate an incident.