Investigation Feature - Endpoint Jobs - Directory Entry

Hi,

I’ve tried to retrieve files from an endpoint using the endpoint job > directory entry feature inside an investigation. I used the “Raw” as well as the “ZIP On” option, and after a while the job is classified as complete, but I can’t see the corresponding files. Where are these files being uploaded to?

Hi @Ge72w108

What directories are you looking for exactly?

I’ll admit it’s been a while since I looked at this feature, so I had to test it out to get it working for me.

As an example I passed this path into the Directory Entries

Screen Shot 2022-04-27 at 11.23.54 AM

Which looked like this after the job completes

Screen Shot 2022-04-27 at 11.24.34 AM

You can drill in on files by clicking on the Eye Icon
Screen Shot 2022-04-27 at 11.25.54 AM

If the job does not complete successfully it might look like this (note the Errors)

Screen Shot 2022-04-27 at 11.27.18 AM

David

Hi David, thank you. I was looking for files in a user’s desktop folder, so basically C:\Users\xxxx\Desktop, and the listing itself was working fine. I can see all the files of the directory, but if I select the “ZIP On” or the “Raw” checkbox I’m supposed to retrieve the actual files, right?

However, the files aren’t there; it’s just the directory listing (metadata like path, file name, file size), and I was wondering if the actual files are stored somewhere else.

Hello all, I’m wondering if it is possible to collect files with the Directory Entry function, since there are also checkboxes for ZIP and Raw. I had a support case recently and I was told that it is not possible to collect files via this option. If so, the checkboxes are very misleading. Moreover, the documentation doesn’t even show the ZIP On or Raw option on the screenshot: Scheduled Forensics | InsightIDR Documentation