Skip to main content

Importing Data

There are a number of options for importing data into the Cado platform. Once you select the data you would like to import, the Cado platform begins processing the data based on the platforms Processing Settings. Check out our help section on Processing Settings for more details.

Cado supports a wide range of file types across a number of cloud services which can be imported. To begin importing data, you simply select a Project and click the Import button

Import Button

Based on the evidence you would like to import, follow the on-screen instructions and select your source.

Import Data

Importing from Cloud Services

You can import evidence from cloud services across AWS, Azure and GCP, provided you have the correct credentials entered into the system, and your role has been assigned access to those credentials. Learn more

Importing from XDR

You can import data into the Cado platform via an eXtended Detection and Response (XDR) system.

Currently Cado supports importing from SentinelOne and Crowdstrike.

For more infomation about setting up this integration see the SentinelOne Integration Setup page and the CrowdStrike Integration Setup page

Once the integration is set up, from within a project click Import from XDR

Then choose the XDR Platform you have set up, and click Continue

Choose XDR Platform

Then search for or select the endpoint from which you want to collect, and click Continue

Import XDR Endpoints

Finally, confirm your selections and click Start Import

Importing from Cado Host

The Cado platform can use Cado Host to acquire forensic artifacts from on-premises system for analysis in the cloud. It can also generate credentials for Cado Host to upload evidence, such as a previously collected disk image.

For more information see the Cado Host Documentation

Importing from URL

You can import supported file types from a URL where you are storing forensic artifacts collected from on-premises systems.

On-Premises URL


During the EC2 Import process, an i3.4xlarge worker instance is deployed to allow for proper disk acquisition. During the Azure Instance Import process, a Standard_D8ds_v4 worker instance is deployed to allow for proper disk acquisition. You can configure the size of the worker instance in the Cado platform under Settings/Processing. This worker is spun down once the target disk is acquired.


By default when processing archive files Cado processes two layers of recursion and twenty folder branches. This provides faster processing but there is a slight risk that some malicious files or activites may be missed.

You can configure this at Settings/Processing Speed but increasing these numbers will increase the time taken to process disk images with archives.

Processing Speed