Evidence Repositories
Where evidence gets saved to
AIR supports saving the collected evidence either locally on the endpoint or to a remote location such as a network share or cloud storage (for example, Azure Blob Storage or an AWS S3 bucket).
The term Evidence Repository describes a remote location, whether it is a password-protected network share, an anonymous-access NAS directory, or a cloud storage provider.
You can create Evidence Repositories in three different ways:
- From the “Evidence Repositories” page
- During Policy creation
- During Acquisition task creation
1. Navigate to the Evidence Repositories section by clicking the
button and then select “Evidence Repositories” from the drop-down list.
2. Click the “New Repository” button on the top right corner.
3. From the New Evidence Repository window, provide a name for the repository and then select the relevant repository type.
4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:
Network share:
- Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1" and the folder name is "Share", the path will be “\\172.16.1.1\Share” without quotes.
- Username (if required)
- Password (if required)
SFTP server:
- Host: Hostname or IP address of the SFTP server.
- Port: The port on which the SFTP server is listening. The default port for SFTP is 22.
- Path: The directory that is polled for evidence.
- Username (if required)
- Password (if required)
AWS S3 bucket:
- Region: Name of the region in which the bucket was created.
- Bucket: Name of the bucket.
- Access Key ID
- Secret Access Key
Note: The IAM user must have the rights and permissions required to access the S3 bucket.
Azure Blob Storage:
- Shared Access Signature (SAS) URL. See https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview for details.
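A SAS URL carries its own scope, permissions and expiry in its query string, so it is worth reviewing before it is saved as a repository. The following is an added example, not part of the AIR documentation or product: the function name, the sample URL and the policy that an upload-only token should not allow delete or list are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

# Assumption for this example (not a documented AIR requirement): a token used
# only to upload evidence should not also allow deleting or listing blobs.
UNWANTED = {"d": "delete", "l": "list"}
UPLOAD = {"a", "c", "w"}  # add, create, write

def parse_expiry(value):
    """Parse the UTC ISO 8601 forms accepted in the SAS 'se' field."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry: {value!r}")

def review_sas_url(url, now=None, min_lifetime=timedelta(hours=1)):
    """Return a list of findings for a SAS URL; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "sig" not in q:
        return ["no sig field: this is not a SAS URL"]
    findings = []
    if parts.scheme != "https":
        findings.append("URL scheme is not https")
    if q.get("spr", "https,http") != "https":  # Azure default allows http too
        findings.append("spr does not restrict the token to https")
    if "srt" in q:  # srt only appears in account-level SAS tokens
        findings.append("account SAS: scope is wider than one container")
    if "si" in q:  # expiry and permissions may live in a stored access policy
        return findings
    if "se" not in q:
        findings.append("no expiry (se) and no stored access policy (si)")
    elif parse_expiry(q["se"]) <= now:
        findings.append("token has expired")
    elif parse_expiry(q["se"]) - now < min_lifetime:
        findings.append("token expires within the minimum lifetime")
    sp = set(q.get("sp", ""))
    if not sp & UPLOAD:
        findings.append("no add/create/write permission: uploads would fail")
    findings += [f"unneeded permission: {UNWANTED[p]}" for p in sorted(sp) if p in UNWANTED]
    return findings

# Constructed sample; account name, container and signature are placeholders.
SAMPLE = ("https://exampleaccount.blob.core.windows.net/evidence?sv=2022-11-02"
          "&sr=c&sp=cw&se=2030-01-01T00%3A00%3A00Z&spr=https&sig=PLACEHOLDER")
print(review_sas_url(SAMPLE) or "no findings")
```

The check only reads the fields in the URL; it does not contact the storage account or verify the signature.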
1. From the “New Policy” window, select the “Evidence Repository” option by clicking the radio button next to it and then click the “New Repository” button.
2. Provide a name for the repository and then select the relevant repository type.
3. Select the relevant repository type by clicking on it.
4. Click the “Save” button.
5. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process.
1. From the “Acquire Evidence” pane, click “Options” and select “Use custom options” from the drop-down list.
2. The “Save To” section will appear. Select the “Evidence Repository” option by clicking the radio button next to it and then click “New Repository”.
3. Click the “Save” button.
4. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process.