Welcome to Advanced Evimetry Forensic Acquisition. Today we're gonna do dongle-less cloud and persistent cloud acquisitions. So hold onto your pants. All right, so that was dongle-less.

The next thing is not so easy, but really relevant here.

All right, so we're gonna talk about the Evimetry Cloud Agent. The Cloud Agent is designed to collect data to a cloud Ubuntu 14, 16 or 18.04 instance, for instance, ah, from another AWS or Azure instance, right? Or [inaudible], or, you know, pretty much anything you get that up and running on.

So this is some sort of cloud environment. Ah, for example, ***. I'm actually going to use an AWS environment; I have one handy. Um, so the data is actually collected via the internet and stored to storage on the Cloud Agent instance. So you have to make sure that the Cloud Agent instance that it's running on has enough storage for whatever you're gonna acquire to it, right? You don't want to overrun the Cloud Agent disk and lose your capture.

This is probably not something where I'm going to do a full disk capture, right? I'm not gonna do a full linear acquisition of my target system. What I'm most likely going to do is a non-linear partial acquisition, a file-type acquisition, right? I'm just gonna grab, you know, log files or something like this. Um, you know, maybe some user directories, things like this, event logs, whatever it might be, or an unallocated-only acquisition. So, you know, I'm not looking to carve the disk up. I'm just trying to get the data as quickly as, um, you know, allowed. So if I collect less data, I can perform some triage, and I can decide whether I need a complete image of that system, um, in a kind of rapid manner.

All right, so how it works. This actually involves three systems at this point. So I have my local Windows Evimetry Controller. I'm gonna be using that to do the whole acquisition, so controlling it from there. Um, and it's going to be talking to my AWS Windows Server running Live Agent. I'm actually using a 2019 Windows Server edition, so it's gonna be running the Live Agent on that machine. I'm also going to be talking to an AWS Ubuntu server running the Cloud Agent. That's where data is actually going to get stored from this acquisition. So I'm not gonna pull it back to the Controller or anything like that. I'm just gonna transfer it from one machine to a storage location in the same AWS cloud instance. That AWS Ubuntu server is actually going to be running the Cloud Agent.

All right. The process for doing this gets a little bit long, but don't worry, I'm gonna walk through it with you. Um, so the first thing we're gonna do is we're gonna log in to the Evimetry portal. Um, we're gonna select Live and Deploy Cloud Agent. We have to select our Cloud Agent operating system. We're going to select the Evimetry Cloud Agent version that we want. There's only currently one version, so that's easy. And then we're gonna follow the wget and execution commands to actually get the Cloud Agent up and running, and then we're gonna point our Evimetry Controller to the external IP of your Cloud Agent. Um, now you have to make sure that, by default, it's gonna bind to whatever the internal IP address is. Um, but you want to make sure that it's port forwarded to the external IP so that you can actually connect to it.

All right, so why don't we go ahead and do that right now? And then we'll come back to the second part with Live Agent.
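As an added example (not from the video and not Evimetry's own tooling), here is a POSIX shell pre-flight script for the two things the speaker calls out before starting the acquisition: that the Cloud Agent host has enough free disk for what you intend to acquire to it, with some headroom so the capture is not lost to a full disk, and that the agent's listening port is actually reachable on the external IP rather than only on the internal address it binds by default. The storage path, the port number and the `ss`/`nc` checks are assumptions; take the real path and port from the deployment commands the portal gives you.

```shell
#!/bin/sh
# Added example: pre-flight checks for a cloud-agent host. Not Evimetry's own
# tooling; STORE_DIR and AGENT_PORT are placeholders you must replace with the
# values from your actual deployment.

STORE_DIR="${STORE_DIR:-/var/lib/cloud-agent}"   # assumed: where acquired data lands
AGENT_PORT="${AGENT_PORT:-12345}"               # placeholder listening port

# free_kib DIR: print free kibibytes on the filesystem that holds DIR.
free_kib() {
    df -Pk "$1" | awk 'NR == 2 { print $4 }'
}

# has_capacity DIR NEEDED_KIB [HEADROOM_PCT]
# Exit 0 when DIR has NEEDED_KIB plus HEADROOM_PCT percent spare (default 10%),
# so a partial acquisition cannot fill the disk and lose the capture.
has_capacity() {
    _dir=$1; _need=$2; _pct=${3:-10}
    _avail=$(free_kib "$_dir")
    _want=$(( _need + _need * _pct / 100 ))   # integer maths; no floats in sh
    [ "${_avail:-0}" -ge "$_want" ]
}

# bound_to_all_interfaces PORT
# Exit 0 when a TCP listener on PORT is bound to 0.0.0.0, [::] or *. An agent
# that binds only the instance's internal IP is fine in itself, but the
# external IP then only works if the cloud's NAT / port forwarding delivers
# traffic to that internal address and port.
bound_to_all_interfaces() {
    ss -ltn 2>/dev/null | awk -v p=":$1" \
        '$4 ~ p "$" && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^\[::\]:/ || $4 ~ /^\*:/) { found = 1 }
         END { exit !found }'
}

# reachable HOST PORT: TCP connect test, run from the Controller side.
reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Usage: sh preflight.sh check <needed_kib> [external_ip]
if [ "${1:-}" = "check" ]; then
    if has_capacity "$STORE_DIR" "$2"; then
        echo "ok: $STORE_DIR has room for $2 KiB plus headroom"
    else
        echo "fail: $STORE_DIR has only $(free_kib "$STORE_DIR") KiB free" >&2
    fi
    if bound_to_all_interfaces "$AGENT_PORT"; then
        echo "ok: port $AGENT_PORT listens on all interfaces"
    else
        echo "warn: port $AGENT_PORT not bound to 0.0.0.0; confirm port forwarding" >&2
    fi
    if [ -n "${3:-}" ]; then
        reachable "$3" "$AGENT_PORT" && echo "ok: $3:$AGENT_PORT reachable" \
            || echo "fail: $3:$AGENT_PORT not reachable" >&2
    fi
fi
```

Run the capacity and bind checks on the Cloud Agent host itself (`sh preflight.sh check 52428800` for a 50 GiB budget) and the reachability check from wherever the Controller sits, since a port that answers on the internal IP but not on the external one is exactly the port-forwarding gap the speaker warns about.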