Evidence Repositories

AIR supports saving the collected evidence either locally on the asset itself, or to a remote location like a network share, or Cloud Storage such as Azure Blob Storage and AWS S3 Bucket.

The term Evidence Repository describes a remote location whether it is a password protected network share, an anonymous access NAS directory, or a cloud storage provider.

You can create Evidence Repositories in three different ways:

• From the “Evidence Repositories” page

• During Policy creation

• During Acquisition task creation

A common query from our customers revolves around the configuration of the Evidence Repository and how it interacts with the AIR Console, especially concerning evidence uploads and the necessary network permissions. Here's what you need to know:

Evidence Upload Process

When configuring the Evidence Repository, it's essential to understand the pathway through which evidence files are uploaded. Specifically, there might be confusion about whether these uploads occur directly from the assets to the Evidence Repository or if they go through the AIR console.

To clarify: Evidence files are uploaded directly from the assets to the Evidence Repository. This process necessitates configuring your firewall to permit traffic from the asset to the Evidence Repository on the relevant ports. For example, if using SMB for evidence transfer, you must allow access through port 445.

AIR Console Access

For the File Explorer feature within the AIR console to function correctly, the AIR console requires access to the Evidence Repository. This setup ensures that users can seamlessly browse and interact with the stored evidence directly through the AIR console interface.

Configuring Your Firewall

Given these operational details, it's necessary to adjust your firewall settings accordingly:

• Allow traffic from your assets to the Evidence Repository, particularly if using specific protocols like SMB on port 445.

• Ensure the AIR Console has access to the Evidence Repository to enable full functionality of the File Explorer feature.

Creating evidence repository from “Evidence Repositories”

1. Navigate to the Evidence Repositories section by clicking the Settings button in the Main Menu button and then select “Evidence Repositories” from the Secondary Menu.

2. Click the “+Add New” button on the top of the page.

3. From the New Evidence Repository window, provide a name to the repository and then select the relevant repository.

4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:

SMB

• Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1", and the folder name is "Share", the path will be “\\172.16. 1.1\Share” without quotes.

• Username (if required)

• Password (if required)

SFTP

• Host: Hostname or IP address of the SFTP server.

• Port: The port on which the SFTP server is listening to. The default port for SFTP is 22.

• Path: The location directory that is polled for evidence.

• Username (if required)

• Password (if required)

Amazon S3

• Region: Region name for the bucket that was created in.

• Bucket: Name of the bucket

• Access Key ID

• Secret Access Key

Note: IAM user must have proper rights and permissions to access the S3 bucket.

Azure Blob

• Shared Access Signature (SAS) URL See https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview for details.

Creating evidence repository during Policy creation

1. Select the Settings button in the Main Menu button and then select “Policies” from the Secondary Menu.

Click the “+Add New” button on the top of the page

2. Provide a name to the repository and then select the relevant repository type:

3. Select the relevant repository type by clicking on it.

4. Click the “Save” button.

5. The newly created repository will appear in the drop-down list, select the relevant repository and finalize the process.

Creating evidence repository during acquisition task creation

1. From the “Acquire Evidence” pane, click on the Evidence Repository radio button under the "Save Collected Evidence To" section.

2. Click in the "Repository" box“ and then select “+ Add new repository”:

3. From the window 'New Repository' complete the mandatory fields and select the type of repository you with to add there are six options:

• SMB

• SFTP

• FTPS

• Amazon S3

• Azure Blob

• Network Shares

4. The newly created repository will appear in the drop-down list, select the repository you want for this particular acquisition and finalize your Acquisition Task via the wizard.