Administration Guide

FortiGuard Forensics Analysis

The FortiGuard Endpoint Forensics Analysis service provides remote endpoint analysis to help you respond to and recover from cyber incidents. You can request detailed analysis of the endpoint from the Forensics team if you observe high-risk applications or traffic, malware, intrusion attempts, malicious emails, lateral movement, and so on, on that endpoint. For each engagement, forensics analysts from Fortinet’s FortiGuard Labs remotely assist in collecting, examining, and presenting digital evidence, including a final detailed report. See the FortiClient Forensic Service datasheet.

FortiSASE supports requesting a new FortiGuard Forensics Analysis for a suspicious endpoint and viewing a summary of analysis requests from Network > Managed Endpoints. You must complete a request form, download the Forensics Analysis agent onto the endpoint, and run the agent.

The verdict, along with a downloadable report, is updated in FortiSASE within five business days. You can have a maximum of five forensic analysis requests in progress at any given time.

Note

To be configurable, the FortiGuard Forensics Analysis feature requires an Advanced remote users FortiSASE license or a Comprehensive remote users FortiSASE license. Otherwise, FortiSASE grays out this option. See the FortiSASE Ordering Guide.

Note

Currently, the FortiGuard Forensics Analysis feature only supports Windows endpoints.

Note

The endpoint must be connected to FortiSASE Endpoint Management Service and must be online at the time that you submit a forensics analysis request.

To request a FortiGuard Forensics Analysis on a Windows endpoint:
  1. Go to Network > Managed Endpoints.
  2. In the Endpoint tab, select the desired endpoint and click View Endpoint Details.
  3. In the FortiGuard Forensics Analysis tab, click Request analysis.
  4. FortiSASE displays a request form. Enter request details as necessary.
  5. Click Download Forensics Agent to download the Forensics Analysis Agent onto the affected endpoint.
  6. Click OK to submit the request.
  7. Install the Forensics Analysis Agent using these steps:
    1. Create a new folder and copy the agent into it.
    2. Right-click the agent and select Run as administrator.
    3. A Command window opens and shows the progress. If progress hangs, press any key after a brief pause to resume. Once completed, the agent produces one file with the extension .enc.
    4. Fortinet provides an upload link via a Forensic Service Request to upload the .enc file. Upload the file.
  8. At this point, a forensics analysis service request is initiated for the endpoint and is forwarded to a Forensics analyst. The request form slide-in closes and returns to the FortiGuard Forensics Analysis tab, which offers the Download Forensics Agent option if you have not already downloaded and installed the agent, along with the installation instructions that step 7 describes. In the app header, you see a FortiGuard Forensic Analysis notification indicating that a service request has been initiated for the endpoint. Click View to open the Forensic Service portal, which allows further communication between the administrator and the Forensics team.
  9. Once the Forensics team completes the analysis, in the app header, you see a FortiGuard Forensic Analysis notification indicating that the report is ready. Click Download to download the report.
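
Steps 7.1 to 7.3 as a PowerShell script, added here as an example and not part of Fortinet's tooling. The agent file name and staging folder are placeholders, and the script assumes the agent writes its .enc file into the folder it runs from; it also records the file's SHA-256 so the uploaded evidence can be matched to what was collected.

```powershell
# Added example (not Fortinet's own tooling): stage the Forensics Analysis Agent
# in a fresh folder, run it elevated, wait for the .enc output and record its
# SHA-256 so the upload can later be verified against the collected file.
# Assumptions: the agent path and staging folder below are placeholders, and the
# agent writes its single .enc file into its working directory.
$AgentSource = "$env:USERPROFILE\Downloads\FORENSICS_AGENT_PLACEHOLDER.exe"  # replace with the downloaded file name
$StageDir    = "C:\ForensicsCollection"

# Step 7.1: create a new folder and copy the agent into it
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$Agent = Join-Path $StageDir (Split-Path $AgentSource -Leaf)
Copy-Item -Path $AgentSource -Destination $Agent -Force

# Step 7.2: run as administrator; -Wait blocks until the agent's console window closes
$proc = Start-Process -FilePath $Agent -WorkingDirectory $StageDir -Verb RunAs -Wait -PassThru
Write-Host "Agent exited with code $($proc.ExitCode)"

# Step 7.3: the agent produces exactly one .enc file; stop if none or several are present
$enc = @(Get-ChildItem -Path $StageDir -Filter '*.enc' -File)
if ($enc.Count -ne 1) {
    throw "Expected exactly one .enc file in $StageDir, found $($enc.Count)"
}

# Chain-of-custody record to keep alongside the service request (hash, size, time, host)
$hash = Get-FileHash -Path $enc[0].FullName -Algorithm SHA256
$record = [pscustomobject]@{
    File      = $enc[0].Name
    SizeBytes = $enc[0].Length
    SHA256    = $hash.Hash
    Collected = (Get-Date).ToString('o')
    Host      = $env:COMPUTERNAME
}
$record | Export-Csv -Path (Join-Path $StageDir 'collection-record.csv') -NoTypeInformation
$record | Format-List

# Step 7.4: upload $($enc[0].FullName) via the link provided in the Forensic Service Request.
```

Keep the generated collection-record.csv with the service request so the Forensics team's receipt of the .enc file can be checked against the hash taken at collection time.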

To view a list of FortiGuard Forensics Analysis service requests:
  1. Go to Network > Managed Endpoints.
  2. In the FortiGuard Forensics Analysis tab, you can view a list of analysis requests initiated from FortiSASE. Under Report, click Download to download a completed report.
  3. Under Service Request, click View to open the request in the Forensic Service portal.