
Overview

The Evimetry Persistent Cloud Agent provides a centralised point for building distributed forensics solutions. Endpoints running the Evimetry Live Agent connect to the cloud agent and wait for further instructions. Examiners connect to the cloud agent using the Evimetry Controller to gather evidence from remote agents and perform live examination of remote systems. Evidence is stored in-cloud, or can be transferred to the Examiner.

The following instructions describe the setup of a Cloud Agent, using Rackspace as an example.

Provision Cloud OS

Acquisition and analysis of computers in the cloud benefits from placing the evidence repository close to the target, typically on a cloud server provisioned in the same data centre.

1. Provision an Ubuntu 18.04 server in the same data centre as your target system, with at least 4 GB of RAM; allow 2 GB of RAM per concurrent acquisition.


2. Ensure that the server has enough storage for the images you will acquire, and high network throughput.


Install Cloud Agent

1. Log in to the cloud server over SSH.

2. Create a storage location for your forensic images.

mkdir /Repository

3. Log in to the Evimetry portal.

4. Go to the Download menu and copy the link for the "Evimetry Agent Server Ubuntu Server x64". This is a Debian (dpkg) package for Ubuntu.

5. In the SSH session, use wget to download the package. The link is a signed, time-limited URL (note the Expires parameter), so copy a fresh one from the portal rather than reusing the one shown here.

wget "https://sdl.evimetry.com/releases/3.2.5/agents/evimetry.agent_3.2.5_amd64.deb?Expires=1572922288&Signature=mNZQGcxUbTOYddNDXdL4X125yPfGU-lswP8V3YtWhUAzjjvcloAx20mdcuh4rwSJxAlup-WIsZilktya6Zy1cn9adh2WC0cU8r-FQSHTgxlJQEiGyiInQBV1l4UCso4o1rabYNFGltrzlfQog4xzFZMZka~1hXhLdcPnSxlQjDbjasKZtJwGaCb9FnBel4-GoKS~8wdRR~hzgeRbs5qaBvfUr6deAl1I64sGcmPGGn73YHc2az22M-e3eQphVmAbcBWDH16w5cXBWBlTSx5o54ALWQ3QYAJHS~l80BiXQSGQAQHB8Du12D1tP1DdSHA-xxes7RX0SnLRd2TaBdLHjQ__&Key-Pair-Id=APKAJA2J6ENFXOSD7ABQ"

6. Install the dependencies and the package (adjusting the file name for the package version), then stop the service so that it can be configured before its first real start.

apt-get install openjdk-8-jre-headless libssl1.0-dev libaio1 libaio-dev pcscd pcsc-tools opensc
dpkg -i evimetry.agent_3.2.5_amd64.deb
apt-get -f install
systemctl stop evimetry.agent

Configure Cloud Agent

7. Configure the cloud agent by setting the following in /etc/evimetry/agent/config.properties.

# Set the evidence storage (repository) location
com.evimetry.agent.repository=/Repository

# Disable SSDP autodiscovery
com.evimetry.agent.ssdp=false

# Set the TokenID to the Cloud Agent licence ID issued to you (replace the value below with your own)
com.evimetry.agent.tokenID=fb140417-6857-48fa-8945-9e09a96d111a

# Log only successful (authenticated) connections to the lab server
com.evimetry.router.channels.connections.log=false

# Store your organisation-specific key material in /etc (see Restrict access below)
com.evimetry.agent.cacert=/etc/evimetry/ca.cer
com.evimetry.agent.publickey=/etc/evimetry/agent.cer
com.evimetry.agent.privatekey=/etc/evimetry/agent.key

8. Enable the service and start the cloud agent with the new configuration.

systemctl enable evimetry.agent
systemctl start evimetry.agent

Check agent startup

9. Check the Cloud Agent log to confirm that the service started and that the settings from step 7 took effect. Note that the excerpt below was captured with the shipped defaults: it reports Using SSDP: true and key material under /opt/evimetry/agent/certs. After step 7 those lines should read Using SSDP: false and show the /etc/evimetry paths; if they do not, the new configuration has not been applied.

journalctl -u evimetry.agent.service

Oct 15 05:41:24 ip-172-31-26-155 systemd[1]: Started Evimetry Agent Service.
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.901] Application Log path set to: /var/log/evimetry
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.950] Device UUID set to: 5ef969b9-9f7d-4082-baa9-24f59f976972
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.950] Repository Location: /Repository
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.950] Base listening port: 9982
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Device enumeration enabled: false
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Using SSDP: true
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] CA Cert Location set to: /opt/evimetry/agent/certs/ca.cer
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Public Key Location set to: /opt/evimetry/agent/certs/agent.cer
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Private Key Location set to: /opt/evimetry/agent/certs/agent.key
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Auto connection to agent(s) disabled: true
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Syslog file to monitor:
Oct 15 05:41:24 ip-172-31-26-155 java[6324]: [ INFO] [05:41:24.951] Logging to syslog: false

Adjust firewalling

10. Evimetry uses TCP port 9982 for communications. Make sure that the cloud server's firewall, and any provider-level network filtering, allows inbound connections to this port from the Examiner's Controller and from the endpoints running the Live Agent, and from nowhere else; the port should stay closed to the rest of the Internet.
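The server-side steps above (write the step 7 configuration, lock down the repository and key paths, open 9982 only to known sources, start the service and verify the journal) as one script. This is an added example, not Evimetry's own tooling or documentation. It assumes the property names and paths from step 7, that ufw is the host firewall, that the service runs as root, and that all inbound Evimetry traffic uses port 9982 as step 10 states; the journal sample it carries is constructed from the step 9 excerpt. The check is deliberately strict: it fails on the step 9 excerpt as printed, because that output still reports the shipped defaults.

```shell
#!/bin/sh
# Added example, not Evimetry's own tooling: render the step 7 configuration, lock down the
# repository and key paths, restrict TCP 9982, then confirm from the journal that the values
# took effect. ASSUMPTIONS: the service runs as root (change the owner in harden_paths
# otherwise), ufw is the host firewall, and all inbound Evimetry traffic (Controller and
# Live Agents) uses port 9982 as step 10 states.
set -eu

REPO=/Repository
CONF=/etc/evimetry/agent/config.properties
CERT_DIR=/etc/evimetry
PORT=9982

# Print the config.properties body for the given licence token ID.
render_config() {
    cat <<EOF
com.evimetry.agent.repository=$REPO
com.evimetry.agent.ssdp=false
com.evimetry.agent.tokenID=$1
com.evimetry.router.channels.connections.log=false
com.evimetry.agent.cacert=$CERT_DIR/ca.cer
com.evimetry.agent.publickey=$CERT_DIR/agent.cer
com.evimetry.agent.privatekey=$CERT_DIR/agent.key
EOF
}

# Evidence directory and private key readable by the service owner only.
harden_paths() {
    install -d -m 0700 -o root -g root "$REPO"
    chmod 0600 "$CERT_DIR/agent.key"
    chmod 0644 "$CERT_DIR/ca.cer" "$CERT_DIR/agent.cer"
}

# Allow $PORT only from the given source CIDRs (examiner and endpoint networks); keep SSH
# reachable so the script cannot lock you out. All other inbound traffic is denied.
apply_firewall() {
    ufw default deny incoming
    ufw allow 22/tcp
    for _cidr in "$@"; do
        ufw allow from "$_cidr" to any port "$PORT" proto tcp
    done
    ufw --force enable
}

# Read startup lines on stdin (journalctl -u evimetry.agent.service); return 1 if any
# configured value is missing or the shipped key material is still in use.
check_startup_log() {
    _log=$(cat)
    _rc=0
    for _want in \
        "Repository Location: $REPO" \
        "Using SSDP: false" \
        "CA Cert Location set to: $CERT_DIR/ca.cer" \
        "Public Key Location set to: $CERT_DIR/agent.cer" \
        "Private Key Location set to: $CERT_DIR/agent.key" \
        "Base listening port: $PORT"
    do
        if ! printf '%s\n' "$_log" | grep -qF -- "$_want"; then
            echo "MISSING: $_want" >&2
            _rc=1
        fi
    done
    # Every Evimetry download ships the same key material under this directory.
    if printf '%s\n' "$_log" | grep -qF '/opt/evimetry/agent/certs/'; then
        echo "DEFAULT KEY MATERIAL IN USE" >&2
        _rc=1
    fi
    return $_rc
}

# Constructed sample modelled on the step 9 excerpt; it shows the shipped defaults
# (SSDP on, /opt cert paths), so check_startup_log rejects it.
SAMPLE_DEFAULT_LOG='[ INFO] Repository Location: /Repository
[ INFO] Base listening port: 9982
[ INFO] Using SSDP: true
[ INFO] CA Cert Location set to: /opt/evimetry/agent/certs/ca.cer
[ INFO] Public Key Location set to: /opt/evimetry/agent/certs/agent.cer
[ INFO] Private Key Location set to: /opt/evimetry/agent/certs/agent.key'

main() {
    _token="${1:?usage: RUN_SETUP=1 sh setup.sh <tokenID> <cidr>...}"
    shift
    systemctl stop evimetry.agent
    render_config "$_token" > "$CONF"
    harden_paths
    apply_firewall "$@"
    systemctl enable evimetry.agent
    systemctl start evimetry.agent
    sleep 5
    journalctl -u evimetry.agent.service -n 50 | check_startup_log
}

# Only run the live steps when asked, so the functions can be sourced and tested alone.
if [ "${RUN_SETUP:-0}" = 1 ]; then
    main "$@"
fi
```

Run it on the cloud server as RUN_SETUP=1 sh setup.sh <tokenID> <examiner-cidr> [<endpoint-cidr> ...], where the CIDRs are the ranges your Controller and Live Agents connect from. The key files must already be in place under /etc/evimetry before harden_paths runs; check_startup_log can also be run on its own against a saved journal to audit an existing agent.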


Connect to Cloud Agent

11. Start the Evimetry controller.

12. Use Tools | Connect to display the connection dialog.

13. Enter the public IP address of the cloud server.



On connection, the Cloud Agent will be visible in the Fabric Nodes view of the Controller. An evidence storage location (present on the OS disk) is automatically configured and mounted.



Restrict access

The configuration above is sufficient for testing with the default key material that ships with Evimetry.

Do not run it in production with the default keys. Anyone who has ever downloaded Evimetry has received a copy of the default keys.

14. Generate and deploy key material specific to your organisation to ensure data security. Place it under /etc/evimetry at the paths set in the config.properties example in step 7 (cacert, publickey, privatekey), and restart the service.
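One way to produce that organisation-specific material, added here as an example and not Evimetry's own tooling: an offline CA signs a per-agent certificate, the pair is verified before deployment to the step 7 paths, and the configuration is checked for any remaining reference to the shipped key directory seen in the step 9 log. It assumes the agent accepts PEM-encoded X.509 certificates and an unencrypted PEM private key at those paths (confirm the expected formats with the Evimetry documentation first); the subject names are placeholders, and the Controller side, which presumably has to be provisioned to trust the same CA, is not covered on this page.

```shell
#!/bin/sh
# Added example, not Evimetry's own tooling: mint an organisation CA and an agent certificate
# with openssl, verify them, and confirm config.properties no longer points at the shipped
# defaults. ASSUMPTION: the agent accepts PEM X.509 certificates and an unencrypted PEM private
# key at the step 7 paths; the /O and /CN values are placeholders.
set -eu

# Create ca.cer, ca.key, agent.cer and agent.key in directory $1 for an agent named $2.
make_key_material() {
    _out="$1"; _cn="$2"
    mkdir -p "$_out"
    # Organisation CA: deploy only ca.cer; keep ca.key offline once signing is done.
    openssl req -x509 -newkey rsa:3072 -nodes -days 1825 \
        -subj "/O=Example Lab/CN=Evimetry Lab CA" \
        -keyout "$_out/ca.key" -out "$_out/ca.cer" 2>/dev/null
    # Agent key and request, then sign the request with the CA.
    openssl req -new -newkey rsa:3072 -nodes \
        -subj "/O=Example Lab/CN=$_cn" \
        -keyout "$_out/agent.key" -out "$_out/agent.csr" 2>/dev/null
    openssl x509 -req -days 730 -in "$_out/agent.csr" \
        -CA "$_out/ca.cer" -CAkey "$_out/ca.key" -CAcreateserial \
        -out "$_out/agent.cer" 2>/dev/null
    rm -f "$_out/agent.csr"
    chmod 0600 "$_out/ca.key" "$_out/agent.key"
}

# Return 0 only if agent.cer chains to ca.cer and agent.key is the matching private key.
verify_key_material() {
    _d="$1"
    openssl verify -CAfile "$_d/ca.cer" "$_d/agent.cer" >/dev/null 2>&1 || return 1
    _cert_pub=$(openssl x509 -noout -pubkey -in "$_d/agent.cer")
    _key_pub=$(openssl pkey -in "$_d/agent.key" -pubout)
    [ "$_cert_pub" = "$_key_pub" ]
}

# Return 0 if the given config.properties still references the bundled key directory.
uses_default_keys() {
    grep -q '/opt/evimetry/agent/certs/' "$1"
}

# Copy the material to the step 7 locations with tight permissions and restart the agent.
# Refuses to proceed while the configuration still names the shipped keys.
deploy_key_material() {
    _src="$1"
    install -m 0644 -o root -g root "$_src/ca.cer" "$_src/agent.cer" /etc/evimetry/
    install -m 0600 -o root -g root "$_src/agent.key" /etc/evimetry/
    if uses_default_keys /etc/evimetry/agent/config.properties; then
        echo "config.properties still points at the shipped keys; fix step 7 first" >&2
        return 1
    fi
    systemctl restart evimetry.agent
}
```

Typical use on a workstation, then on the server: make_key_material ./lab-keys cloud-agent-01 && verify_key_material ./lab-keys, copy the directory over, and run deploy_key_material ./lab-keys as root. After the restart, the step 9 journal lines should show the /etc/evimetry paths rather than /opt/evimetry/agent/certs.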

Logging

The Cloud Agent writes its audit log through the systemd journal under the "evimetry.agent.service" unit. Examine it with journalctl, or forward it to your SIEM using standard techniques (for example, shipping the journal to a remote syslog collector).