Welcome to Advanced Evimetry Forensic Acquisition. Today we're going to do dongleless cloud and persistent cloud acquisitions, so hold onto your pants.
So I've logged myself into the Evimetry portal here, my Evimetry portal.
And then, as I said, I'm going to come over here to Live and I'm going to say Deploy Cloud Agent.
Nice, simple, easy-to-follow instructions here. Really makes it hard to mess it up.
There are some little warnings up here about the recommended minimum of two gigs of RAM, things like that. So you have to have a little bit of a machine there to actually do the collection. In this case I have an Ubuntu 16.04 system running for my collector, my agent.
Then I save and go ahead with that. As I said, there's only one version of the cloud agent to select, so you say yep, deploy that particular agent,
and then it automatically builds for you a little wget pull here, along with a temporary string that will give it a license for that. So we're going to grab all of that with Ctrl-C,
and then over here is actually my AWS cloud instance of Ubuntu 16.04. So I'm just going to paste that wget command in there and hit Enter,
and it's going to very quickly pull all the necessary files for that to my machine. Your mileage may vary. I've run this on here a bunch of different times, so you might have to say yes to a couple of different installs and downloads and things like that as it goes,
but it should be pretty straightforward. It is important to note that I am doing this from the root command prompt on that system. So I do need to be root there on the live agent, the cloud agent machine that I'm going to store the data on. So now all I really need to do,
since it's right there, is just say install. So I type ./ and the install script name (the …ubuntu.sh script), and it's going to go ahead and go through a little bit of a process here.
All right, it's going to install this stuff. I'm just going to follow along with the install questions here and say yes every time because, well, I do want to do it.
All right, so it's going to automatically build the necessary packages on this system for me and I'm ready to go. And then at the end it lets me know that everything is OK, that it's created a repository that's called /repository, and that it's configured the cloud agent, the version of the cloud agent I have there.
It's also telling me that Evimetry installed and started, and to point your controller to 172.30.0.115 on port 9982, which is the standard port that Evimetry works over. Now, for those of you that are smart networky types out there, you realize that's an internal IP. It's not going to be routable on the Internet, all that sort of thing. So if I point to that I'm not going to get any sort of connection, and that would be sad. So
the way we make sure that that's not a problem for us is we come over here to our instances (trying to move my slider a bit).
Right. So that's actually this instance right here, this Evimetry machine that I have set up there, and you can see there's that 172.30.0.115 IP address, but it's the private IP. So the public IP is actually 3.210.185.159. That's where I really want to point to,
but I need to make sure that my security rules are going to let that happen. So if I come right in here to View inbound rules, and of course that's going to pop up where I can't use it...
There we go. So if I click on View inbound rules here, the standard rule that's always applied is port 22 TCP for everybody, which is allowed so that you can actually SSH to your AWS instance, and I've gone ahead and added port 9982, which is again TCP, which of course is the port that Evimetry is going to connect on,
and of course I can use the little wizard tool here to go ahead and create new inbound and outbound rules, which is exactly what I've done previously. I created a custom rule to add that and so on. So we have that all set up. Now we're ready to go, and we just need to point it to this IP address on port 9982. So we drop back over here to our Evimetry controller,
and we say connect myself to that IP address, 3.210.185.159:9982.
And if everything went well... look at that.
It has authenticated with that setup and I now have the agent set up over there, the cloud agent. If we click on it here, the Evimetry agent device is there, 3.2.5, just like we thought we'd have.
And we have the repository set up with free space there, and we get about, what, 28 gig of actual space there. So that's our repository. All right,
so we've set up the cloud agent at this point. We know where we're going to collect to, but what about where we're going to collect from? That's the next step here in this story.
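The two things the walkthrough checks by hand in the AWS console (point the controller at the public address, not the private 172.30.0.115 the installer prints, and make sure the security group admits TCP/9982) can be scripted, along with the caveat the console wizard makes easy to miss: a 9982 rule that is open to 0.0.0.0/0 exposes the agent to the whole Internet, not just to the controller. The following is an added example, not Evimetry's or the presenter's own code; it assumes the rule objects have the shape of the IpPermissions that `aws ec2 describe-security-groups` returns, and the sample rules and controller addresses in it are constructed for the example.

```python
"""Reachability and exposure check for an Evimetry cloud agent behind an
EC2 security group.

Added example, not Evimetry's or the presenter's own code. Assumption: the
rule structure matches the IpPermissions objects returned by
    aws ec2 describe-security-groups --group-ids <sg-id> \
        --query 'SecurityGroups[0].IpPermissions'
SAMPLE_PERMISSIONS below is constructed for this example.
"""
import ipaddress

AGENT_PORT = 9982  # controller -> cloud agent port named in the walkthrough

# Constructed sample: SSH open to the world (the default rule the walkthrough
# mentions) plus a 9982 rule that was also added with source 0.0.0.0/0.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 9982, "ToPort": 9982,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
]


def target_is_routable(ip):
    """False for private or otherwise non-global addresses the controller
    cannot reach from outside the VPC (e.g. the 172.30.0.115 the installer
    prints); True for a public instance address."""
    return ipaddress.ip_address(ip).is_global


def _ranges(perm):
    """Yield the CIDR networks an IpPermission admits (IPv4 and IPv6)."""
    for r in perm.get("IpRanges", []):
        yield ipaddress.ip_network(r["CidrIp"], strict=False)
    for r in perm.get("Ipv6Ranges", []):
        yield ipaddress.ip_network(r["CidrIpv6"], strict=False)


def _admits(perm, port, src_ip):
    """True if this permission lets TCP traffic to `port` in from `src_ip`."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "-1"):  # "-1" is the EC2 'all traffic' rule
        return False
    if proto == "tcp" and not (perm["FromPort"] <= port <= perm["ToPort"]):
        return False
    src = ipaddress.ip_address(src_ip)
    return any(src.version == net.version and src in net
               for net in _ranges(perm))


def _is_world_open(perm):
    """A /0 source (0.0.0.0/0 or ::/0) means anyone on the Internet."""
    return any(net.prefixlen == 0 for net in _ranges(perm))


def check_agent_exposure(permissions, controller_ip, port=AGENT_PORT):
    """Report whether the controller gets in, whether the admitting rule is
    world-open, and the single-host CIDR a tightened rule should use."""
    matching = [p for p in permissions if _admits(p, port, controller_ip)]
    src = ipaddress.ip_address(controller_ip)
    host_cidr = f"{src}/{32 if src.version == 4 else 128}"
    return {
        "reachable": bool(matching),
        "world_open": any(_is_world_open(p) for p in matching),
        "recommended_cidr": host_cidr,
    }


if __name__ == "__main__":
    # Addresses from the walkthrough: the private one fails, the public passes.
    print(target_is_routable("172.30.0.115"))
    print(target_is_routable("3.210.185.159"))
    # Constructed controller address (TEST-NET-3) against the sample rules.
    print(check_agent_exposure(SAMPLE_PERMISSIONS, "203.0.113.7"))
```

Run against the real group by piping the `describe-security-groups` query output through `json.load` into `check_agent_exposure` with the controller's public address. If `world_open` comes back true, replace the 0.0.0.0/0 source on the 9982 rule with the `recommended_cidr` value; the agent only ever needs to hear from the controller.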