Digital Forensics
Warning: The Digital Forensics module is currently in development and is not yet available.
What's Coming
The Digital Forensics module is planned to include:
| Feature | Description |
|---|---|
| Disk Imaging | Forensic disk capture and analysis |
| Memory Analysis | RAM dump investigation and artifact extraction |
| Timeline Builder | Reconstruct the sequence of events from collected artifacts |
| Evidence Chain-of-Custody | Immutable logging of all evidence handling actions |
| Automated Artifact Collection | One-click collection of key forensic data from enrolled endpoints |
Integration Plan
When released, the Forensics module will integrate with:
- Incidents — Forensic collections will be linkable to open incidents
- Defend — The Defend EDR agent will support remote artifact collection
- CMDB — Asset data will pre-populate collection targets
Current Alternatives
While the Forensics module is in development, use the following for incident investigation:
- Threat Investigation in The One Defend — Process tree, device timeline, lateral movement graph for EDR-enrolled endpoints
- Incident Detail — Full timeline and notes capture for manual forensic documentation
- Evidence in GRC — Can be used to attach forensic artifacts to compliance controls
Check back for updates when this module moves out of development.