When Traps encounters a security-related event, such as a file execution or an exploit attack, it logs real-time forensic details about the event on the endpoint. The forensic data includes the memory dump and other information associated with the event. You can retrieve the forensic data by creating an action rule to collect the data from the endpoint. After the endpoint receives the security policy that includes the action rule, the Traps agent sends all the forensic information to the forensic folder, which is sometimes referred to as the quarantine folder.
During the initial installation, you specify the path of the forensic folder that the Endpoint Security Manager uses to store forensic information it retrieves from endpoints. The Endpoint Security Manager supports multiple forensic folders and enables the Background Intelligent Transfer Service (BITS) on the folder during installation. If the forensic folder specified during installation cannot be reached, Traps defaults to the forensic folder specified in the ESM Console. You can change the default folder at any time using the ESM Console.
For more information, see Forensics Flow .