Requesting forensic analysis on an endpoint
You can request forensic analysis on a suspected device from EMS. The Fortinet forensics team investigates the logs and provides a detailed report with their verdict. You can download the report from EMS.
You can only request forensic analysis for Windows or macOS endpoints. FortiClient (macOS) 7.4.1 and later versions support forensic analysis.
You must apply the Forensics license to EMS to access this feature. The following assumes that you have acquired and applied the license as necessary.
To request forensic analysis for an endpoint:
- Enable the forensic analysis feature:
  - In EMS, go to System Settings > Feature Select.
  - Enable FortiGuard Forensics Analysis.
  - Click Save.
- Configure forensic analysis in a profile:
  - Go to Endpoint Profiles > System Settings.
  - Create a new profile or edit an existing one.
  - Under Endpoint Control, toggle Enable Forensics Feature on.
  - Click Save.
  - Include this profile in a policy, and apply the policy to the desired endpoint.
- Request analysis:
  - Go to Endpoints > All Endpoints.
  - Select the desired endpoint.
  - Under Forensics Analysis, click Request Analysis.
  - Complete the questionnaire:
    - In the Summary of the Issue field, enter a description of the issue that you are observing on the endpoint.
    - In the Reason of Escalation field, select the reason that you are escalating this issue to the forensics team. If you are submitting a request to test that the forensics feature is functioning correctly on your EMS or FortiClient Cloud instance, select Test Request.
    - In the First Identified Activity field, enter the date that you first observed the issue.
    - In the Actions Taken to Date field, select any actions you took to resolve this issue.
    - In the Supplementary Logs field, enter the path to logs that you would like the analyst to review.
    - If desired, provide details in the Comment field.
  - Click Finish. Once you submit the request, EMS notifies FortiClient and the forensics agent on the endpoint starts collecting forensics logs. FortiClient uploads the logs to the cloud and shares a link with the analyst. In EMS, you can see the status of the analysis request in the endpoint summary:
Status | Description
Ticket Status | Status of the ticket. Possible statuses are:
  - Request Submitted: EMS is creating the forensics analysis request and sending the information to the team.
  - Pending: The forensic analysis request has been initiated. The Forensics team has not yet assigned it to an analyst.
  - In Progress: The Forensics team has assigned the request to an analyst, who has begun working on it.
  - Failed: The request is in a failed state. This can be due to a variety of reasons; for example, the analyst may not be able to connect to the endpoint. The analyst may contact you regarding the reason for the failure. See the remaining steps in this procedure for how to contact the analyst.
  - Cancelled: Indicates one of the following:
    - The analyst needed more information about the endpoint to perform the analysis.
    - The EMS administrator canceled the request.
  - Completed: The analyst has completed analysis on the endpoint and shared the result in a PDF document. You can download the report from the endpoint summary's Forensic Analysis section.
Agent Status | Status of the forensic agent collecting logs on the endpoint. Possible statuses are:
  - Pending: EMS has notified FortiClient that a forensic analysis request is submitted, but the forensic agent is not running yet.
  - Running: The forensics agent is collecting forensics logs.
  - Collection Completed: The forensics agent has completed collecting forensics logs.
  - Upload Started: FortiClient has started to upload the logs to the cloud.
  - Upload Completed: FortiClient has completed uploading the logs to the cloud.
  - Upload Failed: FortiClient failed to upload the logs to the cloud.
Task ID | Request ID in the FortiGuard forensics system.
[Screenshot] Ticket Status is Request Submitted (EMS is creating the forensics analysis request and sending the information to the team) and Agent Status is Pending (EMS has notified FortiClient that a forensic analysis request is submitted, but the forensic agent is not running yet).
[Screenshot] Agent Status has updated to Upload Completed: FortiClient has completed uploading the logs to the cloud.
- Do one of the following:
  - Log in to the Forensic Service portal using your FortiCloud credentials.
  - If using FortiClient Cloud, go to the Forensics Analysis tab on the left, then click the link to the Forensics Service portal. The link may not be available if the analyst has not created a service request for your analysis request.
- The Service Requests dashboard shows your service requests. Select the current request, in this example, Antivirus Event.
- The service request page displays information about your request. Click Comments in the upper right corner.
- The Comments pane displays messages from the Fortinet forensics team. You can also send the team messages to clarify details of your request. While your forensics analysis request is in progress, monitor this pane so that you can provide the team with details of your request as needed. You will also receive an email when the forensics team sends a message via this Comments pane.
- Once the analysis is complete, click Download Report in the endpoint summary to view the details. You can also view the verdict that the analyst arrived at, and filter the endpoint list by whether the forensics service is enabled, the status, and the verdict.
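As an added example (not part of Fortinet's documentation and not EMS code), the following Python checks that the Agent Status values recorded for each Task ID follow the progression documented in the status table above, and flags a request that ends in Upload Failed or has stalled in a non-terminal status, so an administrator knows when to re-check the endpoint or contact the analyst through the Comments pane. The `timestamp|task_id|agent_status` log format and the sample lines are constructed for this example; EMS does not export status in this form.

```python
from datetime import datetime, timedelta

# Documented Agent Status progression, in order (from the EMS status table).
AGENT_ORDER = ["Pending", "Running", "Collection Completed",
               "Upload Started", "Upload Completed"]
TERMINAL = {"Upload Completed", "Upload Failed"}

# Constructed sample lines in a hypothetical "timestamp|task_id|agent_status" format.
SAMPLE_LOG = """\
2024-05-01T10:00:00|T-1001|Pending
2024-05-01T10:02:00|T-1001|Running
2024-05-01T10:20:00|T-1001|Collection Completed
2024-05-01T10:21:00|T-1001|Upload Started
2024-05-01T10:25:00|T-1001|Upload Completed
2024-05-01T11:00:00|T-1002|Pending
2024-05-01T11:01:00|T-1002|Running
2024-05-01T11:30:00|T-1002|Upload Started
2024-05-01T11:31:00|T-1002|Upload Failed
2024-05-01T12:00:00|T-1003|Pending
"""

def parse(log):
    """Group (timestamp, status) events per Task ID, preserving order."""
    events = {}
    for line in log.splitlines():
        ts, task, status = line.strip().split("|")
        events.setdefault(task, []).append((datetime.fromisoformat(ts), status))
    return events

def assess(history, now, stall=timedelta(minutes=30)):
    """Return findings for one request's Agent Status history (empty list = healthy)."""
    findings, expected = [], 0          # expected = index of the next documented step
    for _, status in history:
        if status == "Upload Failed":
            findings.append("upload failed: check endpoint connectivity, then contact the analyst")
            continue
        if status not in AGENT_ORDER:
            findings.append(f"unknown status: {status}")
            continue
        idx = AGENT_ORDER.index(status)
        if idx == expected:             # the next documented step
            expected += 1
        elif idx > expected:            # a documented step never appeared
            findings.append(f"skipped step(s) before {status}")
            expected = idx + 1
        elif idx < expected - 1:        # went backwards; an exact repeat is tolerated
            findings.append(f"out-of-order status: {status}")
    last_ts, last_status = history[-1]
    if last_status not in TERMINAL and now - last_ts > stall:
        findings.append(f"stalled at {last_status} for {now - last_ts}")
    return findings

def assess_log(log, now_iso):
    """Assess every Task ID in the log as of the given ISO-8601 time."""
    now = datetime.fromisoformat(now_iso)
    return {task: assess(hist, now) for task, hist in parse(log).items()}
```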