
Taking Forensic Collections

TensorGuard Case Menu - Case Manager

  1. From the case menu, select the “New Enrollment” tool in the “Enrolled Devices” table.

TensorGuard Case Menu - New Enrollment Tool

  2. Copy the “Enrollment Key” and select close. This will only be shown once. The enrollment key is required on the device to register it to your case.

TensorGuard Case Menu - Copy Enrollment Key

  3. Click “Download Windows Collector” or “Download Linux Collector” based on the target device that you want to register. These same downloads are linked here: Downloads.

TensorGuard Case Menu - Download Collector

  4. Execute the collector program on your target device. Choose “Service Registration”. You must run it as administrator on Windows, or a sudo-user on Linux.

TensorGuard Collection Menu - Service Registration

  5. Paste in your enrollment key. Select “Install Service” to install the service agent on this device until it is uninstalled (this will launch the TensorGuardForensicCollector service on device startup). You will need to use this program again to uninstall the service. Alternatively, select “Run Integrated Service” to only run this service while the GUI program is running. Once you close this program, the device will no longer be accessible from the TensorGuard Console.

TensorGuard Collection Menu - Device Enrollment

Service Installation:

TensorGuard Collection Menu - Service Installation

Integrated Service:

TensorGuard Collection Menu - Integrated Service

  1. From the case menu, select the “New Enrollment” tool in the “Enrolled Devices” table.

TensorGuard Case Menu - New Enrollment Tool

  2. Copy the “Enrollment Key” and select close. This will only be shown once. The enrollment key is required on the device to register it to your case.

TensorGuard Case Menu - Copy Enrollment Key

  3. Click “Download Windows Collector” or “Download Linux Collector” based on the target device that you want to register. These same downloads are linked here: Downloads.

TensorGuard Case Menu - Download Collector

  4. Execute the collector program on your target device. You can run with --help to see the available commands.

```console
> ./TensorGuardForensicCollector
The TensorGuard Forensic Collector
Usage: TensorGuardForensicCollector.exe [COMMAND]
Commands:
collect Create a point-in-time forensic 'spade' collection package
service Run the collector in service mode
install Install the collector in service mode
uninstall Uninstall the collector service
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help
-V, --version Print version
```
  5. To install the service, in most cases run the following command with your enrollment key:

```console
> ./TensorGuardForensicCollector install --token <your_enrollment_key>
```

You can view additional options for the install command with --help:

```console
> ./TensorGuardForensicCollector install --help
Install the collector in service mode
Usage: TensorGuardForensicCollector.exe install --token <TOKEN>
Options:
-t, --token <TOKEN> Install in service mode
-h, --help Print help
-V, --version Print version
```

You can later uninstall the service via:

```console
> ./TensorGuardForensicCollector uninstall
```

You can view additional options for the uninstall command with --help:

```console
> ./TensorGuardForensicCollector uninstall --help
Uninstall the collector service
Usage: TensorGuardForensicCollector.exe uninstall
Options:
-h, --help Print help
-V, --version Print version
```

Alternatively, to run the integrated service, in most cases run the following command with your enrollment key:

```console
> ./TensorGuardForensicCollector service --token <your_enrollment_key>
```

You can view additional options for the service command with --help:

```console
> ./TensorGuardForensicCollector service --help
Run the collector in service mode
Usage: TensorGuardForensicCollector.exe service [OPTIONS] --token <TOKEN>
Options:
-t, --token <TOKEN> Run in service mode, by command line
-n, --non-interactive Exec via service manager [DO NOT USE]
-e, --endpoint <ENDPOINT> Change the backend endpoint [DO NOT USE]
-h, --help Print help
-V, --version Print version
```
  6. Back in the TensorGuard Console’s Case view, you should now see your device listed in the “Enrolled Devices” table. From here you can trigger a report for a single device, or for multiple devices at once.

TensorGuard Case Menu - Device Selection

  1. Click on a device hostname to be led to the device view. From here you can view system information, daemon logs for the system, and a reports table.

TensorGuard Device Menu

  2. Click the “Send Signals” tool to trigger a new collection for this device.

TensorGuard Device Menu - Send Signal Tool

  3. From this menu you can choose which TensorGuard Intelligence Engine option processes the collection, including None. None generates a report containing only the raw forensic evidence, while the other options generate a report with additional analysis and findings. After that, you can configure the alerts section to send push or email notifications based on the completion and results of the report.

TensorGuard Device Menu - Send Signal

  1. Select multiple devices from the “Enrolled Devices” table by clicking the rows or using the filter and select all/filtered tools. Once you have your range selected, click the “Send Signals” tool.

TensorGuard Case Menu - Send Signal Tool

  2. From this menu you can choose which TensorGuard Intelligence Engine option processes the collection, including None. None generates a report containing only the raw forensic evidence, while the other options generate a report with additional analysis and findings. After that, you can configure the alerts section to send push or email notifications based on the completion and results of the report.

TensorGuard Case Menu - Send Signal

  1. Click “Download Windows Collector” or “Download Linux Collector” based on the target device that you want to register. These same downloads are linked here: Downloads.

TensorGuard Case Menu - Download Collector

  2. Execute the collector program on your target device. Choose “Manual Collection”. You must run it as administrator on Windows, or a sudo-user on Linux.

TensorGuard Collector Menu - Manual Collection

  3. Select a Save Path, and click Start to begin the forensic collection. This process may take up to ~15 minutes for devices with heavy usage patterns.

TensorGuard Collector Menu - Manual Collection Options

  4. Wait for the forensic collection to complete.

TensorGuard Collector Menu - Manual Collection Progress

  5. Note the forensic package’s written location and save the key which was used to encrypt the package. You will need this key to generate a report later.

TensorGuard Collector Menu - Manual Collection Result

  1. Click “Download Windows Collector” or “Download Linux Collector” based on the target device that you want to register. These same downloads are linked here: Downloads.

TensorGuard Case Menu - Download Collector

  2. Execute the collector program on your target device. You can run with --help to see the available commands.

```console
> ./TensorGuardForensicCollector --help
The TensorGuard Forensic Collector
Usage: TensorGuardForensicCollector.exe [COMMAND]
Commands:
collect Create a point-in-time forensic 'spade' collection package
service Run the collector in service mode
install Install the collector in service mode
uninstall Uninstall the collector service
help Print this message or the help of the given subcommand(s)
Options:
-h, --help Print help
-V, --version Print version
```
  3. To take a manual collection, in most cases run the following command:

```console
> ./TensorGuardForensicCollector collect
```

You can view additional options for the collect command with --help:

```console
> ./TensorGuardForensicCollector collect --help
Create a point-in-time forensic 'spade' collection package
Usage: TensorGuardForensicCollector.exe collect [OPTIONS]
Options:
-s, --save-path <SAVE_PATH> Save path for the generated package [default: ./pkg.spade]
-r, --root-path <ROOT_PATH> Change the root input path for the collection (not recommended)
-f, --filter <FILTER> Limit the collection to a specific set of forensic artifacts (not recommended)
-k, --key <KEY> Override the generated key with your own (not recommended)
-h, --help Print help
-V, --version Print version
```
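As an added example (not part of the TensorGuard documentation or the collector itself), a POSIX shell wrapper for the manual CLI collection above: it gives each package a host- and time-stamped name instead of the default ./pkg.spade, runs the collector with the documented --save-path flag, and records a SHA-256 of the written package in a custody log so the evidence can later be checked for modification. It assumes the collector binary path (TG_COLLECTOR, defaulting to ./TensorGuardForensicCollector) and that sha256sum or shasum is installed; it does not capture the encryption key the collector shows, so save that separately.

```shell
#!/bin/sh
# Wrapper around "TensorGuardForensicCollector collect" (added example, not
# part of TensorGuard). Names each package <host>-<UTC stamp>.spade, runs the
# collector, and appends a SHA-256 of the written package to a custody log.
# Assumptions: collector binary at $TG_COLLECTOR (default
# ./TensorGuardForensicCollector); sha256sum or shasum is available. The
# encryption key the collector prints is not captured; save it from its output.
set -u

# SHA-256 hex digest of a file (GNU coreutils sha256sum or BSD/macOS shasum).
pkg_hash() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Unique, descriptive package path: <dir>/<host>-<UTC stamp>.spade
build_save_path() {
    printf '%s/%s-%s.spade\n' "$1" "$2" "$3"
}

# Append "<sha256>  <path>  <UTC time>" to the custody log.
# Fails if the package is missing (collector failed or wrote elsewhere).
record_custody() {
    pkg=$1; log=$2
    [ -f "$pkg" ] || return 1
    printf '%s  %s  %s\n' "$(pkg_hash "$pkg")" "$pkg" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "$log"
}

# Re-hash a package and compare it with the last hash recorded for it.
verify_custody() {
    pkg=$1; log=$2
    recorded=$(grep -F "  $pkg  " "$log" | tail -n 1 | cut -d' ' -f1)
    [ -n "$recorded" ] && [ "$(pkg_hash "$pkg")" = "$recorded" ]
}

# Run one collection into $2 using the documented "collect --save-path" flag
# and log the result. The collector itself needs root/admin rights.
run_collection() {
    collector=$1; outdir=$2
    [ "$(id -u)" -eq 0 ] || echo "warning: not running as root; collection may be incomplete" >&2
    mkdir -p "$outdir"
    pkg=$(build_save_path "$outdir" "$(uname -n)" "$(date -u +%Y%m%dT%H%M%SZ)")
    "$collector" collect --save-path "$pkg" || return 1
    record_custody "$pkg" "$outdir/custody.log"
}

if [ "${1:-}" = "run" ]; then
    run_collection "${TG_COLLECTOR:-./TensorGuardForensicCollector}" "${2:-./collections}"
fi
```

Run it as `sudo ./tg-collect.sh run /evidence`; each run adds one line to /evidence/custody.log, and `verify_custody <pkg> <log>` re-checks a package before it is handed over for reporting.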