Integrate Windows IR collector
The IR Collector integration allows admins with local and domain permissions to connect to Windows endpoints remotely, copy IR tools, run commands on the endpoint and collect digital artifacts for future analysis. After the IR Collector is configured, it will collect incident related forensic data by accessing the attacker's unit via the deployment network where the attack originated from.
To configure the IR Collector:
- Go to Fabric > Quarantine Integration and click Quarantine integration with new device. The Integrate With New Device pane opens.
- From the Integrate method dropdown, select IR collector and configure the integration settings as required.
The Username should be a user who is either a local admin or a domain user with administrative privileges to access the endpoints.
- Click Save.
- Configure the Windows endpoint. Both IR and Windows network isolation in the Fabric require the same setting for the endpoints. For information, see Mitigation using windows Remote Command.
- After you configuring FortiDeceptor and the Windows endpoint, perform a connection check.
- Go to Fabric > Quarantine Integration
- Select the IR Collector integration and click Credential Test.
To download the artifacts:
- Go to Incident > Analysis.
- Click an incident in the table.
- Click Download Forensic Data. The artifacts are saved as a Zip file.
Artifacts list
Extracted from the file system:
- IE/Firefox/Chrome History
- Named Pipes
- Prefetch Startup
- Directories
- etc.
Extracted from the registry:
- Installer Folders
- Recent Docs
- Services
- UserAssists
- Networks List
Extracted from in-memory processes:
- Opened Files
Other information:
- Drives List Network
- Drives Network Cards
- Processes
- Routing Table
- Sessions
- Sockets
Artifacts labeled etc are files that contain more information. |