Evidence Repositories

Where evidence gets saved to

AIR supports saving the collected evidence either locally or to a remote location such as a network share, or Cloud Storage providers such as Azure Blob Storage/AWS S3 Bucket (development in progress).

The term Evidence Repository describes a remote location whether it is a password-protected network share, an anonymous access NAS directory, or some cloud storage provider.


You can create Evidence Repositories in three different ways:

  • From the “Evidence Repositories” page
  • During Policy creation
  • During Acquisition task creation

Creating evidence repository from “Evidence Repositories”:

  1. Navigate to the Evidence Repositories section by clicking the button and then select “Evidence Repositories” from the drop-down list.
  2. Click the “New Repository” button in the top right corner.
  3. From the New Evidence Repository window, provide a name for the repository and then select the relevant repository type:

  4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:
    • SMB
      • Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1", and the folder name is "Share", the path will be “\\172.16.1.1\Share” without quotes.
      • Username (if required)
      • Password (if required)
    • SFTP
      • Host: Hostname or IP address of the SFTP server.
      • Port: The port on which the SFTP server is listening. The default port for SFTP is 22.
      • Path: The directory that is polled for evidence.
      • Username (if required)
      • Password (if required)
    • Amazon S3
      • Region: Name of the region in which the bucket was created.
      • Bucket: Name of the bucket
      • Access Key ID
      • Secret Access Key

Note: The IAM user must have proper rights and permissions to access the S3 bucket.

Creating evidence repository during Policy creation:

  1. From the “New Policy” window, select the “Evidence Repository” option by clicking the radio button next to it and then click the “New Repository” button:

  2. Provide a name for the repository and then select the relevant repository type:

  3. Select the relevant repository type by clicking on it.
  4. Click the “Save” button.
  5. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process:



Creating evidence repository during acquisition task creation:

  1. From the “Acquire Evidence” pane, click options and select “Use custom options” from the drop-down list:

  2. The “Save To” section will appear. Select the “Evidence Repository” option by clicking the radio button next to it and then click “New Repository”:

  3. Provide a name for the repository and then select the relevant repository type by clicking on it:

  4. Click the “Save” button.
  5. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process:

             