The Evimetry Persistent Cloud Agent provides a centralised point for building distributed forensics solutions. Endpoints running the Evimetry Live Agent connect to the cloud agent and wait for further instructions. Examiners connect to the cloud agent using the Evimetry Controller to gather evidence from remote agents and perform live examination of remote systems. Evidence is stored in-cloud, or can be transferred to the Examiner.
The following instructions describe the setup of a Cloud Agent, using Rackspace as an example.
Provision Cloud OS
Acquisition and analysis of computers in the cloud benefits from the close placement of an evidence repository, typically a cloud server provisioned in the same data centre.
1. Provision an Ubuntu 18.04 server in the same data centre as your target system. Use 4G or more of RAM, allowing 2G of RAM per concurrent acquisition.
2. Ensure that the server has large enough storage for your acquired image, and high network throughput.
Install Cloud Agent
1. Login to the cloud server by SSH.
2. Create a storage location for your forensic images.
3. Login to the Evimetry portal.
4. Go to the Download menu and copy the link for the "Evimetry Agent Server Ubuntu Server x64". This is an Ubuntu DPKG package.
5. In the ssh session, use wget to download the package.
6. Install dependencies and the package (adjusting for the package version).
apt-get install openjdk-8-jre-headless libssl1.0-dev libaio1 libaio-dev pcscd pcsc-tools opensc
dpkg -i evimetry.agent_3.2.5_amd64.deb
apt-get -f install
systemctl stop evimetry.agent
Configure Cloud Agent
7. Configure the cloud agent by setting the following in /etc/evimetry/agent/config.properties.
# Set the evidence storage (repository) location
com.evimetry.agent.repository=/Repository
# Disable SSDP autodiscovery
com.evimetry.agent.ssdp=false
# Set the TokenID (your Cloud Agent licence ID provided to you)
com.evimetry.agent.tokenID=fb140417-6857-48fa-8945-9e09a96d111a
# Log only successful (authenticated) connections to the lab server.
com.evimetry.router.channels.connections.log=false
# Store your organisation specific key material in /etc
com.evimetry.agent.cacert=/etc/evimetry/ca.cer
com.evimetry.agent.publickey=/etc/evimetry/agent.cer
com.evimetry.agent.privatekey=/etc/evimetry/agent.key
8. Start the cloud agent with the new configuration.
systemctl enable evimetry.agent
systemctl start evimetry.agent
Check agent startup
9. Access the Cloud Agent logs per the following:
journalctl -u evimetry.agent.service
Oct 15 05:41:24 ip-172-31-26-155 systemd: Started Evimetry Agent Service.
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.901] Application Log path set to: /var/log/evimetry
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.950] Device UUID set to: 5ef969b9-9f7d-4082-baa9-24f59f976972
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.950] Repository Location: /Repository
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.950] Base listening port: 9982
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Device enumeration enabled: false
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Using SSDP: true
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] CA Cert Location set to: /opt/evimetry/agent/certs/ca.cer
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Public Key Location set to: /opt/evimetry/agent/certs/agent.cer
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Private Key Location set to: /opt/evimetry/agent/certs/agent.key
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Auto connection to agent(s) disabled: true
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Syslog file to monitor:
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Logging to syslog: false
10. Evimetry uses TCP port 9982 for communications. Make sure that the cloud server has the right firewall rules in place to allow connections to this port.
Connect to Cloud Agent
11. Start the Evimetry controller.
12. Use Tools | Connect to display the connection dialog.
13. Enter the public IP address of the Cloud OS.
On connection, the Cloud Agent will be visible in the Fabric Nodes view of the Controller. An evidence storage location (present on the OS disk) is automatically configured and mounted.
The above configuration is sufficient for testing using the default key material which ships with Evimetry.
Don't run in production with the default keys. Anyone who has ever downloaded Evimetry has received a copy of the default keys.
14. Generate and deploy key material specific to your organisation to ensure data security. Make sure you put it in the /etc/evimetry config area referenced by the config.properties example above.
The Cloud Agent sends audit logs to the "evimetry.agent.service" unit using systemd logging. Examine them using journalctl or forward them to your SIEM using the standard techniques.
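A post-start check for steps 9 and 14, added here as an example and not part of Evimetry: it parses the agent's startup lines from journalctl and flags SSDP left enabled or key material still loaded from the packaged location. It assumes the log format shown above and that paths under /opt/evimetry/agent/certs/ are the shipped default keys.

```python
import re
import sys

# Key location seen in the startup log above; assumed here to be the default
# material every Evimetry download contains, so it must not appear in production.
DEFAULT_CERT_DIR = "/opt/evimetry/agent/certs/"
KEY_SETTINGS = ("CA Cert Location set to", "Public Key Location set to",
                "Private Key Location set to")

# Matches the "[ INFO] [hh:mm:ss.mmm] Setting name: value" part of a journal line.
LOG_LINE = re.compile(r"\[\s*INFO\]\s*\[[\d:.]+\]\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


def parse_startup_log(text):
    """Return {setting: value} for every INFO line the agent logs at startup."""
    settings = {}
    for line in text.splitlines():
        m = LOG_LINE.search(line)
        if m:
            settings[m.group("key").strip()] = m.group("value").strip()
    return settings


def audit_settings(settings):
    """Return findings where the effective settings diverge from the hardened config."""
    findings = []
    if settings.get("Using SSDP", "").lower() != "false":
        findings.append("SSDP autodiscovery enabled; set com.evimetry.agent.ssdp=false")
    for name in KEY_SETTINGS:
        path = settings.get(name, "")
        if not path or path.startswith(DEFAULT_CERT_DIR):
            findings.append(f"{name} '{path}': default key material still in use")
    return findings


# Constructed sample modelled on the journalctl output above, not a real capture.
SAMPLE_LOG = """\
Oct 15 05:41:24 ip-172-31-26-155 systemd: Started Evimetry Agent Service.
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.950] Repository Location: /Repository
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.950] Base listening port: 9982
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Using SSDP: true
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] CA Cert Location set to: /opt/evimetry/agent/certs/ca.cer
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Public Key Location set to: /opt/evimetry/agent/certs/agent.cer
Oct 15 05:41:24 ip-172-31-26-155 java: [ INFO] [05:41:24.951] Private Key Location set to: /opt/evimetry/agent/certs/agent.key
"""

if __name__ == "__main__":
    # Reads the journal from a pipe; falls back to the constructed sample when run alone.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    problems = audit_settings(parse_startup_log(text))
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

On the cloud server, run it as `journalctl -u evimetry.agent.service | python3 check_agent.py` (file name assumed); a non-zero exit means the agent is still running with settings the guide tells you to change.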