Collect a Memory Image

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-10-10
Category: Administrator Guide
Status: Retiring; replacement documentation at /r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Collect a memory image from a Windows endpoint.

Certain forensic artifacts exist only in the computer’s memory, such as volatile data created by running processes. The Memory Collection option in the Define an Action procedure enables Cortex XDR to capture the memory of a Windows endpoint. After the memory image has been captured from the endpoint, it is available for download from Cortex XDR. Use the image to perform a full analysis with industry-standard memory forensics tools.

Note

  • Memory collection requires a Forensics add-on license.

  • This feature is not currently supported on Windows 11.

  1. From the Action Center, select +New Action and then Memory Collection.

  2. Select the target endpoint (only one endpoint at a time).

    Select the target Windows endpoint from which you want to collect the memory image. When you’re done, click Next.

  3. Review the summary and initiate the action.

    Cortex XDR displays a summary of the memory collection action. If you need to change your settings, click Back. If all the details are correct, click Done. The Memory Collection action is added to the Action Center.

  4. Review the collection results.

    In the Action Center, you can monitor the progress of the action in real time and view its status for the target endpoint. For a detailed view of the results, right-click the action and select Additional data. Cortex XDR displays the action, its timestamp, and its real-time status on the target endpoint.

  5. Download the image file.

    In the Detailed Results - Memory Collection screen, right-click the action and select Download files.

    The file is downloaded to the local computer.