
Administration Guide

Retrieving memory

The Retrieve Memory function enables you to retrieve the stack memory of a specific Collector for deeper analysis of the actual memory on the device. The Collector fetches the memory in binary (*.bin) format, compresses and encrypts it, and then sends it to the user’s local machine. The returned file is password-protected with the password enCrypted. If the file cannot be sent, the Collector saves it locally on the host.

This function is accessible from the Investigation View (detailed in the procedure below) or by connecting to the device directly using the EDR Connect functionality.

To retrieve memory for a Collector from the investigation view:
  1. Right-click the node of the relevant activity event and select Retrieve.

    Alternatively, select the node of the relevant activity event and click the Retrieve button in the Details Pane that appears on the right.

    Note

    The Retrieve button is also available from the Stacks view, which is available when an edge is selected.

  2. The memory retrieval window displays.

  3. Select one of the following options:
    1. Retrieve memory of selected stack entries: Select this radio button to retrieve memory for one or more specific stack entries. Then, select the stack entries you want to analyze by checking their checkboxes.

      You must also specify whether to retrieve the data from memory, from disk, or from both by selecting the respective checkbox. Memory is the default; you can select either option or both. Keep in mind that the retrievable data may differ between memory and disk. In addition, the stack entry may no longer reside in memory, for example if the system was rebooted. After you make your selection, the window indicates how many stack entries were selected.

    2. Retrieve memory region from address: Select this option to retrieve memory from a specific memory region. Specify the From and To addresses of the region in the adjacent fields.
    3. Retrieve the entire process memory: Select this option to retrieve memory for an entire process. This option retrieves all the stack entries comprising the process.
  4. Click Retrieve.
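As an added example (this is not Fortinet's code and is not part of the guide), the following Python script illustrates the kind of deeper analysis an analyst might run on a retrieved dump once it has been decompressed and decrypted to raw bytes. The guide does not specify the archive format, so that unpacking step is assumed to have been done already, and the sample dump below is constructed inline. The script scans the raw bytes for PE image headers and compares a memory-resident region page by page against its on-disk copy, which is the reason the procedure lets you retrieve both: relocations, import resolution and in-memory patching routinely make the two differ.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

PAGE = 0x1000  # page granularity used for the memory-vs-disk comparison


@dataclass
class PeHit:
    offset: int        # byte offset of the 'MZ' header inside the dump
    e_lfanew: int      # distance from the MZ header to the 'PE\0\0' signature
    machine: int       # IMAGE_FILE_HEADER.Machine (0x8664 = x64, 0x14c = x86)
    num_sections: int  # IMAGE_FILE_HEADER.NumberOfSections
    timestamp: int     # IMAGE_FILE_HEADER.TimeDateStamp


def find_pe_headers(dump: bytes) -> List[PeHit]:
    """Locate plausible PE images in a raw memory dump.

    Every 'MZ' occurrence is a candidate; it is accepted only if the
    e_lfanew field (DOS header offset 0x3C) points at a 'PE\\0\\0'
    signature within a sane distance, which filters out stray 'MZ' bytes.
    """
    hits: List[PeHit] = []
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(dump):
            e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if (0x40 <= e_lfanew < 0x1000 and pe + 24 <= len(dump)
                    and dump[pe:pe + 4] == b"PE\0\0"):
                machine, nsec, ts = struct.unpack_from("<HHI", dump, pe + 4)
                hits.append(PeHit(pos, e_lfanew, machine, nsec, ts))
        pos = dump.find(b"MZ", pos + 1)
    return hits


def diff_regions(mem: bytes, disk: bytes, page: int = PAGE) -> List[int]:
    """Return page-aligned offsets at which the memory-resident copy of an
    image differs from the on-disk copy (length differences count too)."""
    total = max(len(mem), len(disk))
    return [off for off in range(0, total, page)
            if mem[off:off + page] != disk[off:off + page]]


def build_sample_pair() -> Tuple[bytes, bytes]:
    """Constructed sample data: a 12 KiB 'dump' holding a stray 'MZ' at
    0x100 (no valid PE behind it) and one minimal PE header at 0x1000,
    plus an 'on-disk' copy that differs by a single byte in the third page."""
    mem = bytearray(0x3000)
    mem[0x100:0x102] = b"MZ"                             # decoy, e_lfanew stays 0
    base = 0x1000
    mem[base:base + 2] = b"MZ"
    struct.pack_into("<I", mem, base + 0x3C, 0x80)       # e_lfanew = 0x80
    pe = base + 0x80
    mem[pe:pe + 4] = b"PE\0\0"
    # Machine=x64, NumberOfSections=3, TimeDateStamp=0x5F000000 (arbitrary)
    struct.pack_into("<HHI", mem, pe + 4, 0x8664, 3, 0x5F000000)
    disk = bytearray(mem)
    mem[0x2010] ^= 0xFF                                  # simulate an in-memory patch
    return bytes(mem), bytes(disk)


def analyze(mem: bytes, disk: bytes) -> dict:
    """Summary an analyst would record alongside the retrieved file."""
    return {
        "pe_images": find_pe_headers(mem),
        "pages_differing_from_disk": diff_regions(mem, disk),
    }


if __name__ == "__main__":
    m, d = build_sample_pair()
    for k, v in analyze(m, d).items():
        print(k, v)
```

On a real retrieval, `mem` would be the raw bytes obtained from the dump and `disk` the corresponding bytes of the file on the host; a non-empty `pages_differing_from_disk` list is the cue to look at those pages rather than trusting the on-disk image alone.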
