Evidence Repositories

Where to save your collected data
AIR supports saving collected evidence either locally on the asset itself or to a remote location such as a network share or cloud storage such as Azure Blob Storage and an AWS S3 bucket.
The term Evidence Repository describes a remote location, whether it is a password-protected network share, an anonymous-access NAS directory, or a cloud storage provider.
You can create Evidence Repositories in three different ways:
  • From the “Evidence Repositories” page
  • During Policy creation
  • During Acquisition task creation

Creating evidence repository from “Evidence Repositories”

1. Navigate to the Evidence Repositories section by clicking the Settings button in the Main Menu and then selecting “Evidence Repositories” from the Secondary Menu.
2. Click the “+Add New” button at the top of the page.
3. In the New Evidence Repository window, provide a name for the repository and then select the relevant repository type.
4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:

SMB

  • Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1", and the folder name is "Share", the path will be “\\172.16.1.1\Share” without quotes.
  • Username (if required)
  • Password (if required)

SFTP

  • Host: Hostname or IP address of the SFTP server.
  • Port: The port on which the SFTP server is listening. The default port for SFTP is 22.
  • Path: The location directory that is polled for evidence.
  • Username (if required)
  • Password (if required)

Amazon S3

  • Region: Name of the region in which the bucket was created.
  • Bucket: Name of the bucket
  • Access Key ID
  • Secret Access Key
Note: The IAM user must have proper rights and permissions to access the S3 bucket.
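
A pre-flight check for the SMB, SFTP and Amazon S3 fields listed above, as an added example that is not part of AIR or its documentation. The dictionary layout, key names and function names are assumptions; Azure Blob is not covered because this page lists no fields for it.

```python
import ipaddress
import re

# Constructed validator: field names follow the form fields listed above;
# the dict layout and function names are assumptions, not part of AIR.
UNC_RE = re.compile(r"^\\\\([^\\/\s]+)((?:\\[^\\/]+)+)\\?$")
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"^{LABEL}(?:\.{LABEL})*$")
BUCKET_RE = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def valid_host(host):
    """IP literal or DNS hostname; digits-and-dots that are not an IP are rejected."""
    return is_ip(host) or (not re.fullmatch(r"[0-9.]+", host) and bool(HOSTNAME_RE.match(host)))

def validate_repository(repo):
    """Return a list of problems found in one repository definition."""
    errors, kind = [], repo.get("type")
    if kind == "SMB":
        m = UNC_RE.match(repo.get("path", ""))
        if not m or not valid_host(m.group(1)):
            errors.append("path: expected \\\\host\\share with a valid host")
    elif kind == "SFTP":
        if not valid_host(repo.get("host", "")):
            errors.append("host: not a valid hostname or IP address")
        port = repo.get("port", 22)  # 22 is the SFTP default named above
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errors.append("port: must be an integer from 1 to 65535")
        if not repo.get("path"):
            errors.append("path: required")
    elif kind == "Amazon S3":
        bucket = repo.get("bucket", "")
        if not BUCKET_RE.match(bucket) or ".." in bucket or is_ip(bucket):
            errors.append("bucket: violates S3 bucket naming rules")
        if not REGION_RE.match(repo.get("region", "")):
            errors.append("region: expected a region code such as eu-west-1")
        for field in ("access_key_id", "secret_access_key"):
            if not repo.get(field):
                errors.append(f"{field}: required")
    else:
        errors.append(f"type: no field rules defined for {kind!r}")
    return errors
```

Running this over repository definitions before entering them catches a path with stray whitespace or a malformed address, which would otherwise only surface when an acquisition fails to write its evidence.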

Azure Blob

Creating evidence repository during Policy creation

1. Select the Settings button in the Main Menu and then select “Policies” from the Secondary Menu. Click the “+Add New” button at the top of the page.
2. Provide a name for the repository and then select the relevant repository type.
3. Select the relevant repository type by clicking on it.
4. Click the “Save” button.
5. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process.

Creating evidence repository during acquisition task creation

1. From the “Acquire Evidence” pane, click on the Evidence Repository radio button under the "Save Collected Evidence To" section.
2. Click in the “Repository” box and then select “+ Add new repository”.
3. In the “New Repository” window, complete the mandatory fields and select the type of repository you wish to add. There are six options:
  • SMB
  • SFTP
  • FTPS
  • Amazon S3
  • Azure Blob
  • Network Shares
4. The newly created repository will appear in the drop-down list. Select the repository you want for this particular acquisition and finalize your Acquisition Task via the wizard.