
Administration Guide

Retrieving memory

The Retrieve Memory function enables you to retrieve the stack memory of a specific Collector. It fetches the actual memory from a specific communicating device so that you can perform deeper analysis on it. This function is only accessible from the Stack view.

Memory is fetched by the Collector in binary (*.bin) format, compressed, encrypted, and then sent to the user's local machine. The returned file is password-protected. The password is enCrypted.

If the file cannot be sent, it is saved locally on the host by the Collector.

To retrieve memory for a Collector:
  1. In the Stack view, select the stack(s) that you want to analyze by selecting their checkbox(es).

  2. Click Retrieve. The following window displays:

  3. Select one of the following options:
    1. Retrieve memory of selected stack entries: Select this radio button to retrieve memory for one or more specific stack entries. Then, select the stack entries you want to analyze by checking their checkboxes, as shown below:

      You must also specify whether to retrieve the data from memory, from disk, or from both by selecting the respective checkbox. The Memory option is the default; you can select either option or both. Keep in mind that the retrievable data may differ between memory and disk. In addition, the stack entry may no longer reside in memory, for example if the system was rebooted.

      After you make your selection, the window indicates how many stack entries were selected, as shown below. For example, the figure below shows that three stack entries were selected for analysis.

    2. Retrieve memory region from address: Select this option to retrieve memory from a specific memory region. Specify the From and To addresses of the region in the adjacent fields.

    3. Retrieve the entire process memory: Select this option to retrieve memory for an entire process. This option retrieves all the stack entries comprising the process.
  4. Click Retrieve.
