Evidence Repositories
Where evidence gets saved to
AIR can save collected evidence either locally or to a remote location, such as a network share or a cloud storage provider such as Azure Blob Storage or an AWS S3 bucket (development in progress).
The term Evidence Repository describes a remote location, whether it is a password-protected network share, an anonymous-access NAS directory, or a cloud storage provider.
You can create Evidence Repositories in three different ways:
  • From the “Evidence Repositories” page
  • During Policy creation
  • During Acquisition task creation

Creating evidence repository from “Evidence Repositories”

1. Navigate to the Evidence Repositories section by clicking the button and then select “Evidence Repositories” from the drop-down list.
2. Click the “New Repository” button on the top right corner.
3. From the New Evidence Repository window, provide a name for the repository and then select the relevant repository type.
4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:

SMB

  • Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1", and the folder name is "Share", the path will be “\\172.16.1.1\Share” without quotes.
  • Username (if required)
  • Password (if required)

SFTP

  • Host: Hostname or IP address of the SFTP server.
  • Port: The port on which the SFTP server is listening. The default port for SFTP is 22.
  • Path: The location directory that is polled for evidence.
  • Username (if required)
  • Password (if required)

Amazon S3

  • Region: Name of the region in which the bucket was created.
  • Bucket: Name of the bucket
  • Access Key ID
  • Secret Access Key
Note: The IAM user must have the proper rights and permissions to access the S3 bucket.
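
A pre-flight check for the SMB, SFTP and Amazon S3 fields listed above, written as an added example that is not part of AIR or its documentation. It catches malformed values, such as a stray space inside the UNC host, before they are typed into the New Evidence Repository window. The dict layout, function names and sample values are assumptions, and hosts are limited to hostnames and IPv4 addresses.

```python
import ipaddress
import re

# Field names follow the labels listed above; the dict layout, function names
# and sample values are assumptions made for this example.
UNC_RE = re.compile(r"^\\\\([^\\/\s]+)\\([^\\/]+)(\\[^\\/]+)*\\?$")
HOST_RE = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?")
REGION_RE = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")
BUCKET_RE = re.compile(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]")  # S3 naming rules


def host_ok(host):
    if re.fullmatch(r"[\d.]+", host):  # looks like IPv4, so it must parse as one
        try:
            ipaddress.IPv4Address(host)
            return True
        except ValueError:
            return False
    return bool(HOST_RE.fullmatch(host))


def validate(repo):
    """Return a list of problems; an empty list means the fields look sane."""
    kind, errs = repo.get("type"), []
    if kind == "SMB":
        m = UNC_RE.match(repo.get("path", ""))
        if not m:
            errs.append("path must be \\\\host\\share, with no space in the host")
        elif not host_ok(m.group(1)):
            errs.append("path host is not a valid hostname or IPv4 address")
    elif kind == "SFTP":
        if not host_ok(repo.get("host", "")):
            errs.append("host is not a valid hostname or IPv4 address")
        port = repo.get("port", 22)  # 22 is the SFTP default
        if not isinstance(port, int) or not 1 <= port <= 65535:
            errs.append("port must be an integer from 1 to 65535")
        if not repo.get("path"):
            errs.append("path is required")
    elif kind == "Amazon S3":
        if not REGION_RE.fullmatch(repo.get("region", "")):
            errs.append("region does not look like an AWS region name")
        bucket = repo.get("bucket", "")
        if not BUCKET_RE.fullmatch(bucket) or ".." in bucket:
            errs.append("bucket violates S3 bucket naming rules")
        errs += [f"{k} is required" for k in ("access_key_id", "secret_access_key")
                 if not repo.get(k)]
    else:
        errs.append(f"unknown repository type: {kind!r}")
    return errs
```
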

Azure Blob

Creating evidence repository during Policy creation

1. From the “New Policy” window, select the “Evidence Repository” option by clicking the radio button next to it and then click the “New Repository” button.
2. Provide a name for the repository and then select the relevant repository type.
3. Select the relevant repository type by clicking on it.
4. Click the “Save” button.
5. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process.

Creating evidence repository during acquisition task creation

1. From the “Acquire Evidence” pane, click options and select “Use custom options” from the drop-down list.
2. The “Save To” section will appear. Select the “Evidence Repository” option by clicking the radio button next to it and then click “New Repository”.
3. Click the “Save” button.
4. The newly created repository will appear in the drop-down list. Select the relevant repository and finalize the process.