CrowdStrike Falcon Forensics

CrowdStrike Falcon® Forensics streamlines the collection of point-in-time and historic forensic data for robust analysis of cybersecurity incidents and periodic compromise assessments.

Benefits of Falcon Forensics

Simplify forensic data collection and analysis

Falcon Forensics offers comprehensive data collection while performing triage analysis during an investigation. Forensic security often entails lengthy searches with numerous tools. Simplify your collection and analysis to one solution to speed triage.

Accelerate triage analysis with preset dashboards.

With Falcon Forensics, incident responders can respond faster to investigations and conduct compromise assessments, threat hunting, and monitoring. Pre-built dashboards, easy search, and data-viewing capabilities let analysts quickly search vast amounts of data, including historical artifacts.

Speed response time and home in on attacker activity.

Falcon Forensics automates data collection and provides detailed information around an incident. Responders can tap into full threat context without lengthy queries or full disk image collections.
How Falcon Forensics Works

Extended visibility with preset dashboards

  • Provides incident responders with a single solution to analyze large quantities of data, both historical and real-time, to uncover the information needed to triage an incident.
  • Identify attacker activity quickly with several preset dashboards to serve up specific information around an incident.
  • See trends for the past 24 hours with the Deployment Status Dashboard.
  • Examine a high-level view of telemetry within a single system with the Host Info Dashboard.
  • Use the Windows Hunting Leads to quickly identify potential misconfigurations and hacker activity with preset panel groupings.
  • Gather and analyze multiple artifacts for a single system and timeframe in the Host Timeline Dashboard. Use this dashboard to get a visual representation of artifacts for a specific timeline of events.

Augment expertise with full threat context

  • Automate data collection and eliminate lengthy queries with a convenient console to view relevant artifacts pertaining to your research.
  • Enrich forensic data automatically by correlating collected artifacts with intelligence data streams.
  • Track attacker activity by analyzing the Master File Table (MFT), shim cache, shellbags, and other artifacts within your organization.
  • Utilize query capabilities within preset dashboards to zero in on specific attacker activity.
  • Uncover attacker activity that may have occurred before Falcon EDR monitoring.

Eliminate complex processes

  • Manage large scale deployments with ease. Deploy Falcon Forensics at any scale, from tens to hundreds of thousands of endpoints.
  • Falcon Fusion's integrated SOAR framework automates scans, accelerating MTTR and simplifying operations.
  • Leverage the CrowdStrike Cloud for processing.
  • Utilize CrowdStrike Real Time Response for fast deployment and decisive remediation.

Robust artifact collection types

  • Falcon Forensics collects a comprehensive set of artifact types to support incident response teams’ investigations. Data types include directory and file metadata, file hashes, network data, detailed process listings, services and driver enumeration, environment variables, scheduled tasks, and user and group information.
  • Web browser data collection
  • Event log information
  • Registry information
  • Process execution artifacts
  • Common persistence mechanisms

Additional solutions

Incident Response Services

The CrowdStrike IR team takes an intelligence-led, teamwork approach that blends real-world IR and remediation experience with cutting-edge technology, leveraging the unique CrowdStrike Falcon® cloud-native platform.

Incident Response for Remote Workers

Join CrowdStrike Director of Professional Services James Perry as he discusses the heightened security challenges organizations are facing as they adjust to a remote workforce model.

Endpoint Recovery Services

CrowdStrike Endpoint Recovery Services delivers the right combination of technology, intelligence and expertise to assist you with the detection, analysis and remediation of known security incidents and enable rapid recovery with zero business interruption.

Tested and proven leader

CrowdStrike is proud to be recognized as a leader by industry analysts and independent testing organizations.

Read the report to see why CrowdStrike was named a “Leader” in The Forrester Wave: Endpoint Detection and Response Providers, Q2 2022.

See why CrowdStrike was named a “Leader” in the IDC MarketScape: Worldwide Modern Endpoint Security for Enterprise 2021 Vendor Assessment report.