Configuring the forensics repository

The forensics repository contains complete information about transactions monitored by Forcepoint DLP. For SMTP transactions, for instance, the repository stores the original email message. For other channels, the system translates transactions into EML.

The forensics repository is different from the incident database, in that the former contains raw transactions, while the latter contains information about the rules that were violated, violation triggers, and more.

To configure the forensics repository, select it on the System Modules screen and complete the fields as follows:

  1. Enter the Name of the module (up to 128 characters).
  2. Enter a Description of the module (up to 4000 characters).
  3. Use the Forensics path field to enter the complete path to use for hosting the forensics repository. By default, it is stored in the \Forensics subdirectory under the Forcepoint DLP installation path.
  4. Under Log on as, specify how the system connects to the forensics path:
    • Select Local account to log on as a local user (primarily used when the path is local).
    • Select This account to log on with specific user credentials, then enter the user name and password to use. Domain is optional.
  5. Set the maximum disk space to use for Network forensics (100 MB minimum; 50000 MB by default). When the maximum is reached, the oldest records are moved to the archive folder to free space.
  6. Click OK to save your changes and return to the System Modules page.
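The constraints in the steps above (name and description length limits, the credential requirement for This account, the 100 MB floor on disk space) and the oldest-first archiving rule can be modelled in a few lines. The following is an added illustration, not Forcepoint code: the field names, the `local`/`account` values and the record tuples are assumptions made here, and the archiving loop assumes only what the page states, that the oldest records are moved out once the maximum is exceeded.

```python
from dataclasses import dataclass

MIN_DISK_MB = 100          # minimum allowed for Network forensics
DEFAULT_DISK_MB = 50000    # default maximum

@dataclass
class ForensicsConfig:
    """Hypothetical model of the System Modules fields for the repository."""
    name: str
    description: str = ""
    forensics_path: str = r"D:\DLP\Forensics"   # constructed sample path
    log_on_as: str = "local"                     # "local" or "account" (assumed values)
    user_name: str = ""
    password: str = ""
    domain: str = ""                             # optional, even for "account"
    max_disk_mb: int = DEFAULT_DISK_MB

def validate(cfg: ForensicsConfig) -> list[str]:
    """Return a list of problems; an empty list means the settings can be saved."""
    errors = []
    if not 1 <= len(cfg.name) <= 128:
        errors.append("Name must be 1-128 characters")
    if len(cfg.description) > 4000:
        errors.append("Description must be at most 4000 characters")
    if not cfg.forensics_path.strip():
        errors.append("Forensics path is required")
    if cfg.log_on_as not in ("local", "account"):
        errors.append("Log on as must be 'local' or 'account'")
    elif cfg.log_on_as == "account" and not (cfg.user_name and cfg.password):
        errors.append("This account requires a user name and password")
    if cfg.max_disk_mb < MIN_DISK_MB:
        errors.append(f"Maximum disk space must be at least {MIN_DISK_MB} MB")
    return errors

def archive_oldest(records, max_disk_mb):
    """records: iterable of (timestamp, size_mb). Returns (kept, archived),
    moving the oldest records to the archive until usage fits the maximum."""
    kept = sorted(records, key=lambda r: r[0])     # oldest first
    total = sum(size for _, size in kept)
    archived = []
    while total > max_disk_mb and kept:
        oldest = kept.pop(0)
        archived.append(oldest)
        total -= oldest[1]
    return kept, archived
```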

The page also displays the module type and FQDN, which cannot be changed, as well as the total disk space allocated for the forensics repository.