Forensics
The Forensics API triggers evidence collection from enrolled devices and manages the resulting artifacts — memory dumps, process snapshots, network captures, event logs, and more — all tied to a specific incident.
Artifact types
| Name | Type | Required | Description |
|---|---|---|---|
| memory_dump | string | No | Full RAM capture from the target device. |
| process_list | string | No | Snapshot of all running processes with full context. |
| network_connections | string | No | Active and recently-closed network connections. |
| file_listing | string | No | Directory listing with timestamps and hashes. |
| registry_export | string | No | Windows Registry export (Run keys, services, etc.). |
| event_logs | string | No | Windows Event Log or syslog export. |
| disk_image | string | No | Forensic disk image. Large — ensure adequate storage. |
| pcap | string | No | Network packet capture from the device. |
| custom | string | No | Custom collection via params.command. |
List artifacts for an incident

```bash
GET /v1/sentinel/forensics/:incidentId/artifacts
```

```json
{
  "data": [
    {
      "id": "art_01hxyz",
      "incident_id": "inc_01hxyz",
      "device_id": "dev_01hxyz",
      "type": "memory_dump",
      "status": "ready",
      "size_bytes": 8589934592,
      "hash_sha256": "e3b0c4...b855",
      "download_url": "https://forensics.hldgroup.org/artifacts/art_01hxyz?token=...",
      "download_expires_at": "2025-06-01T04:14:00Z",
      "requested_by": "usr_01hxyz",
      "created_at": "2025-06-01T03:14:00Z",
      "completed_at": "2025-06-01T03:18:32Z"
    }
  ]
}
```

Request an artifact
```bash
POST /v1/sentinel/forensics/:incidentId/artifacts
```

| Name | Type | Required | Description |
|---|---|---|---|
| type | string | Yes | Artifact type to collect. |
| device_id | string | Yes | Device to collect from. |
| params | object | No | Type-specific parameters. For `file_listing`: `path`. For `event_logs`: `log_name`, `hours`. For `custom`: `command`. |
```bash
curl -X POST https://api.hldgroup.org/v1/sentinel/forensics/inc_01hxyz/artifacts \
  -H "Authorization: Bearer hld_live_xxxx" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "process_list",
    "device_id": "dev_01hxyz"
  }'
```

Returns `201 Created` with an artifact object in `status: collecting`. Subscribe to the `forensics.artifact.ready` webhook event, or poll the list endpoint for completion. Download URLs are signed and expire after 15 minutes.
Warning: Memory dumps and disk images can be several gigabytes. Ensure your collection workflow handles large downloads and stores artifacts in secure, access-controlled storage. Artifacts are retained for 90 days by default — contact HLD to adjust retention for your compliance requirements.
Chain of custody
Every artifact is SHA-256 hashed at collection time. The hash is stored in the artifact record and can be used to verify integrity before and after transfer. Include the artifact ID and hash in your incident report for chain-of-custody documentation.
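The request-then-poll workflow above, together with the chain-of-custody check, as an added client example that is not part of HLD's own SDK or documentation. It assumes an `http(method, url, body)` callable that returns `(status_code, parsed_json)`; `fake_transport` is a constructed stand-in so the flow runs offline, and the sample bytes and hash it produces are constructed, not real artifact data.

```python
import hashlib
import time
from datetime import datetime, timezone

BASE = "https://api.hldgroup.org/v1/sentinel/forensics"  # host from the page's curl example

def parse_ts(ts):
    # API timestamps are ISO 8601 with a trailing Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def request_artifact(http, incident_id, device_id, artifact_type, params=None):
    # POST .../artifacts answers 201 with the artifact in status "collecting"
    body = {"type": artifact_type, "device_id": device_id, **({"params": params} if params else {})}
    status, art = http("POST", f"{BASE}/{incident_id}/artifacts", body)
    if status != 201:
        raise RuntimeError(f"artifact request failed: HTTP {status}")
    return art

def wait_until_ready(http, incident_id, artifact_id, poll_seconds=30, max_polls=20):
    # Poll the list endpoint (the alternative to the forensics.artifact.ready webhook)
    for _ in range(max_polls):
        _, page = http("GET", f"{BASE}/{incident_id}/artifacts", None)
        for art in page["data"]:
            if art["id"] == artifact_id and art["status"] == "ready":
                return art
        time.sleep(poll_seconds)
    raise TimeoutError(f"{artifact_id} not ready after {max_polls} polls")

def verify_artifact(art, data, now=None):
    # Signed URLs expire 15 minutes after issue; refuse stale ones, then check the custody hash
    if (now or datetime.now(timezone.utc)) >= parse_ts(art["download_expires_at"]):
        raise RuntimeError("download_url expired; re-list artifacts to get a fresh one")
    return hashlib.sha256(data).hexdigest() == art["hash_sha256"]

def fake_transport(payload, polls_until_ready=2):
    # Constructed offline stand-in for the API (a real http() would send the Bearer token)
    art = {"id": "art_01hxyz", "incident_id": "inc_01hxyz", "device_id": "dev_01hxyz",
           "type": "process_list", "status": "collecting",
           "hash_sha256": hashlib.sha256(payload).hexdigest(),
           "download_expires_at": "2025-06-01T04:14:00Z"}
    polls = [0]
    def http(method, url, body):
        if method == "POST":
            return 201, dict(art)
        polls[0] += 1
        if polls[0] >= polls_until_ready:
            art["status"] = "ready"
        return 200, {"data": [dict(art)]}
    return http
```

Record the artifact `id` and the verified `hash_sha256` in the incident report at the point `verify_artifact` returns `True`, since that is the moment the local copy is tied to the collection-time hash.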