How to Deploy Forensic Acquisition and Investigation Host
Deploy Through Forensic Acquisition and Investigation Platform
You have two main options to deploy Forensic Acquisition and Investigation Host:
- Script Builder: Build a custom script in the Forensic Acquisition and Investigation Platform that can be run on any supported device. The script will collect triage artifacts, upload them to cloud storage, and automatically process the data in Forensic Acquisition and Investigation.
- Direct Download: Download and run Forensic Acquisition and Investigation Host independently without interacting with the Platform.
Using Script Builder
Follow these steps to deploy Forensic Acquisition and Investigation Host via the Script Builder:
Note: Pre-signed URLs and API keys generated in AWS expire 2 hours after creation, and AWS limits the total upload size to 5GB. Make sure that devices running the scripts have HTTPS access to the AWS S3 endpoint, for example: https://<BUCKET_NAME>.s3.amazonaws.com/.
- In the Forensic Acquisition and Investigation Platform, go to Investigation > Import > Forensic Acquisition and Investigation Host.
- Select either Direct Download or Script Builder.
  - Direct Download is suitable for manually downloading the Forensic Acquisition and Investigation Host binary to endpoints via Group Policy or an MDM tool.
  - Script Builder generates a script that can be run directly on a device via terminal, command prompt, or a remote execution tool.
- In the Script Builder tab, select:
  - Your Operating System.
  - Your Cloud Storage (where Cado Host will upload the collected data).
  - The Forensic Acquisition and Investigation Host Binary Deployment Method.
  Tip: If you choose Manual under Select Cado Host Binary Deployment, download the Forensic Acquisition and Investigation Host binary separately and then copy/paste the generated command into your terminal.
- Copy the pre-generated command and run it on the target device, or click Download Script and run the downloaded script.
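Because the pre-signed URL expires 2 hours after creation, a rollout through a remote execution tool can outlast it. The following is an added example, not part of the original page or the product: it reports how long a URL stays valid and which host must be reachable over HTTPS. It assumes the generated script embeds a standard AWS SigV4 pre-signed URL carrying X-Amz-Date and X-Amz-Expires; the function names and the sample URL are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample; bucket, key, credential and signature are placeholders.
SAMPLE_URL = (
    "https://example-evidence-bucket.s3.amazonaws.com/triage/host01.zip"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=AKIAEXAMPLE%2F20240501%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240501T100000Z&X-Amz-Expires=7200"
    "&X-Amz-SignedHeaders=host&X-Amz-Signature=0000"
)


def presign_window(url):
    """Return (endpoint_host, signed_at, expires_at) for a SigV4 pre-signed URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https:// pre-signed URL")
    # Query parameter names are matched case-insensitively.
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    try:
        signed_at = datetime.strptime(
            query["x-amz-date"], "%Y%m%dT%H%M%SZ"
        ).replace(tzinfo=timezone.utc)
        lifetime = timedelta(seconds=int(query["x-amz-expires"]))
    except (KeyError, ValueError) as exc:
        raise ValueError(f"missing or malformed SigV4 parameter: {exc}") from exc
    return parts.hostname, signed_at, signed_at + lifetime


def check_rollout(url, rollout_minutes, now=None):
    """Return (ok, message): will the URL still be valid when the rollout ends?"""
    now = now or datetime.now(timezone.utc)
    host, _, expires_at = presign_window(url)
    remaining = expires_at - now
    if remaining <= timedelta(0):
        return False, f"expired at {expires_at:%Y-%m-%d %H:%M}Z; regenerate the script"
    if remaining < timedelta(minutes=rollout_minutes):
        left = int(remaining.total_seconds() // 60)
        return False, f"only {left} min left, rollout needs {rollout_minutes}"
    return True, f"valid until {expires_at:%H:%M}Z; allow HTTPS to {host}"


if __name__ == "__main__":
    # Evaluated at a fixed, constructed time so the output is reproducible.
    at = datetime(2024, 5, 1, 11, 30, tzinfo=timezone.utc)
    for minutes in (20, 45):
        print(minutes, check_rollout(SAMPLE_URL, minutes, now=at))
```

The host returned by `presign_window` is the name to allow through the proxy or firewall for HTTPS uploads.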

Using Direct Download
To manually download and deploy the Forensic Acquisition and Investigation Host binary:
- Select your Operating System.
- Click Download.
- Follow the instructions to run Forensic Acquisition and Investigation Host locally on the device.

Running as Non-Administrator
Forensic Acquisition and Investigation Host is designed to be run through the command line. Without administrative privileges, some artifacts (e.g., memory or locked files) cannot be acquired.
Windows SmartScreen
On Windows, running Cado Host outside of the command line may trigger Windows SmartScreen. If you run cado-host.exe by manually clicking it, you will need to adjust the security settings:
- Right-click the executable.
- Select Properties.
- Untick the "Blocked" box in the Security section.

Setting the Binary as Executable on Linux and macOS
For Linux and macOS, you may need to make the binary executable before running it:
chmod +x ./cado-host
./cado-host
Using Local Storage
If --presigned_data is not set, files will be saved to the same folder where Forensic Acquisition and Investigation Host is run.
Deploying Forensic Acquisition and Investigation Host to Multiple Devices
Forensic Acquisition and Investigation Host can be deployed to multiple devices at once, such as through Group Policy or other systems management tools.
Deployment from XDR Integrations
Forensic Acquisition and Investigation Host can also be deployed to compromised machines via XDR systems such as CrowdStrike and SentinelOne. For more information, refer to the integrations with SentinelOne and CrowdStrike.
Proxy and Network Access
Forensic Acquisition and Investigation Host will use the operating system defaults to connect to cloud storage. This means you may need to configure a proxy or network access for Forensic Acquisition and Investigation Host to connect to the internet and upload data.