FortiGuard Forensics service 7.0.6
FortiClient Cloud 22.1, which runs EMS 7.0.6, introduces the FortiGuard Endpoint Forensic Analysis service, which provides remote endpoint analysis to help you respond to and recover from cyber incidents. An EMS administrator can request detailed analysis of an endpoint from the forensics team if they observe high-risk applications, malware, intrusion attempts, malicious emails, high-risk traffic, lateral movement, and so on, on that endpoint. For each engagement, forensic analysts from Fortinet's FortiGuard Labs remotely assist in collecting, examining, and presenting digital evidence, including a final detailed report.
This feature requires the FortiGuard Endpoint Forensic Analysis license. The following instructions assume that you have purchased the license and registered it to your FortiCloud account. You can have a maximum of five forensic analysis requests in progress at a given time.
The following instructions give an example of requesting analysis on a Windows endpoint.
To request forensic analysis on an endpoint:
- Enable FortiGuard Forensics Analysis:
  - In FortiClient Cloud, go to System Settings > Feature Select.
  - Enable FortiGuard Forensics Analysis. Click Save.
  - Go to Endpoint Profiles > System Settings.
  - On the desired profile, enable Forensics License. Click Save.
- Request analysis:
  - Go to Endpoints > All Endpoints.
  - Select the desired endpoint.
  - On the Summary tab, under Forensic Analysis, click Request Analysis.
  - FortiClient Cloud displays a questionnaire. Enter details as necessary, then click Next.
  - Click Click to Download to download the forensic installer, then click Finish.
  - Run the downloaded installer on the endpoint to install the forensic analysis application. The installer package includes a readme document with instructions to install, verify, and uninstall the forensics agent. To install the agent, open Command Prompt, go to the desired directory, and enter:
    enwindows.exe -c
  - Verify that the agent is running by entering:
    netstat -aon | findstr :4445
    [Figure: expected output of this command]
  - Keep the endpoint connected to the Internet and online for the next three days. The forensics team remotely connects to the endpoint and obtains the required logs and event information from the endpoint during these three days.
  - You can uninstall the application after the analysis completes by entering:
    enwindows.exe -r
- When a request is successfully created in EMS, a new task is created in FortiSOAR. After the forensics team completes the analysis, the task is updated in the FortiSOAR portal with the updated status and verdict. The team uploads the analysis report as an attachment. The following shows the status mapping between FortiSOAR and FortiClient Cloud:
FortiSOAR    FortiClient Cloud
Assign       Inprogress
Accepted     Inprogress
Onhold       Pending
Skipped      Inprogress
Failed       Failed
Cancelled    Cancelled
Completed    Completed
In FortiClient Cloud, you can download the report by going to Endpoints > All Endpoints, selecting the desired endpoint, then clicking Download Report.
You can also view the forensic analysis status and report on the Forensics Analysis tab in the portal.
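As an added check (example code, not from the Fortinet guide), the following PowerShell function performs the same verification as the netstat step in the procedure above: it confirms that something is listening on TCP 4445 and reports the owning process. It assumes the agent listens on TCP 4445 on the local host, as the guide's netstat check implies; the agent's process name is not stated in the guide, so the function only reports whichever process owns the port.

```powershell
# Added example, not part of the Fortinet documentation.
# Assumption: the forensics agent listens on local TCP port 4445 (the port the
# guide's "netstat -aon | findstr :4445" check looks for). The agent's process
# name is not documented here, so only the owning process is reported.
function Test-ForensicsAgentListener {
    param([int]$Port = 4445)

    # Get-NetTCPConnection is the PowerShell equivalent of "netstat -aon" for TCP.
    # With no matching connection it would raise an error, so suppress it and
    # treat an empty result as "not listening".
    $conns = Get-NetTCPConnection -LocalPort $Port -ErrorAction SilentlyContinue

    if (-not $conns) {
        return [pscustomobject]@{
            Port          = $Port
            Listening     = $false
            Connections   = 0
            OwningProcess = $null
        }
    }

    # A healthy agent shows a LISTEN socket; established sessions appear once
    # the forensics team connects during the three-day collection window.
    $listener = $conns | Where-Object { $_.State -eq 'Listen' } | Select-Object -First 1
    $owner = $null
    if ($listener) {
        $proc = Get-Process -Id $listener.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) { $owner = "$($proc.ProcessName) (PID $($proc.Id))" }
    }

    [pscustomobject]@{
        Port          = $Port
        Listening     = [bool]$listener
        Connections   = @($conns | Where-Object { $_.State -eq 'Established' }).Count
        OwningProcess = $owner
    }
}

$result = Test-ForensicsAgentListener
$result | Format-List
if (-not $result.Listening) {
    Write-Warning "No listener on TCP $($result.Port); the forensics agent does not appear to be running."
}
```

Run it from an elevated PowerShell session so that Get-Process can resolve the owning process for a service running under another account.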