How does the / Forensic Acquisition and Investigation Host deployment script operate?
The / Forensic Acquisition and Investigation Host script is used to download, execute, and clean up the / Forensic Acquisition and Investigation Host binary on a system. Below is a breakdown of how the script works for Linux; the script is similar in function for Windows and macOS.
Summary of Key Steps:
- Directory creation: A temporary directory is created for storing the / Forensic Acquisition and Investigation Host binary.
- Download handling: The script checks whether either `curl` or `wget` is installed and uses one of them to download the / Forensic Acquisition and Investigation Host binary.
- Download verification: After downloading, the script verifies that the binary exists.
- Execution of / Forensic Acquisition and Investigation Host: The binary is given executable permissions and run with specific options.
- Clean-up: After running, the script removes the temporary directory to clean up.
Script Breakdown
```bash
mkdir -p /tmp/cado-host-67c03a16
```
- Creates a temporary directory:
The script starts by creating a directory named `/tmp/cado-host-67c03a16`. This directory is used to store the downloaded / Forensic Acquisition and Investigation Host binary. The `-p` option ensures no error is thrown if the directory already exists. The suffix of the directory name is a random identifier to avoid conflicts.
```bash
if command -v curl > /dev/null
```
- Checks for `curl` availability:
The script checks whether the `curl` command is available on the system with `command -v curl`, discarding its output and testing only its exit status. If the command exists, the script proceeds to use `curl` for downloading.
```bash
then sudo curl -s https://cado-public.s3-accelerate.amazonaws.com/cado-host/$version/linux/cado-host --output /tmp/cado-host-67c03a16/cado-host
```
- Downloads / Forensic Acquisition and Investigation Host using `curl`:
If `curl` is available, it silently (`-s`) downloads the / Forensic Acquisition and Investigation Host binary from the provided URL and stores it in the newly created directory. The file is saved as `/tmp/cado-host-67c03a16/cado-host`.
```bash
elif command -v wget > /dev/null
```
- Checks for `wget` availability:
If `curl` is not found, the script checks whether `wget` is installed on the system.
```bash
then sudo wget -q --output-document /tmp/cado-host-67c03a16/cado-host https://cado-public.s3-accelerate.amazonaws.com/cado-host/$version/linux/cado-host
```
- Downloads / Forensic Acquisition and Investigation Host using `wget`:
If `wget` is available, it silently (`-q`) downloads the / Forensic Acquisition and Investigation Host binary from the same URL, storing it in the `/tmp/cado-host-67c03a16/` directory.
```bash
else echo "Cado Host requires curl or wget for unattended mode."; exit 1;
```
- Handles missing `curl` and `wget`:
If neither `curl` nor `wget` is available on the system, the script outputs an error message and exits with a status code of `1`, indicating failure.
```bash
fi
```
- End of conditional block:
This marks the end of the block that checks for `curl` or `wget`.
```bash
if [ ! -f /tmp/cado-host-67c03a16/cado-host ]; then
echo "Cado Host failed to download, check if the machine has an active network connection."; exit 1;
fi
```
- Validates the download:
This step checks whether the / Forensic Acquisition and Investigation Host binary was successfully downloaded. If the binary is not found in the `/tmp/cado-host-67c03a16/` directory, the script prints an error message about network issues and exits with a status code of `1`.
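The check above only confirms that a file is present at the expected path; a truncated transfer or a substituted file also passes it. The following Python is an added example, not part of the vendor's script, showing a stronger gate on the same flow: stage the file in a uniquely named temporary directory (mirroring the `/tmp/cado-host-<hex>` pattern), verify its SHA-256 against a digest the operator is assumed to have obtained from a trusted channel (the page does not show one, so the digest here is computed from a constructed sample payload), and remove the directory whenever verification fails. The `fetch` callable and `fake_fetch` are constructed stand-ins for the `curl`/`wget` download step.

```python
import hashlib
import hmac
import os
import secrets
import shutil
import tempfile
from typing import Callable, Dict, Tuple


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so a large binary is not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_download(path: str, expected_sha256: str) -> Tuple[bool, str]:
    """Stronger form of the script's `[ ! -f ... ]` test; returns (ok, reason).

    Presence alone proves little: a truncated transfer or a substituted file
    also "exists", so the size and the digest are checked as well.
    """
    if not os.path.isfile(path):
        return False, "missing"
    if os.path.getsize(path) == 0:
        return False, "empty"
    actual = sha256_of_file(path)
    # Constant-time comparison; the digest is public, but the habit is cheap.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        return False, "sha256 mismatch: got " + actual
    return True, "ok"


def stage_binary(fetch: Callable[[str], None], expected_sha256: str,
                 name: str = "cado-host") -> str:
    """Mirror the script's staging flow with an integrity gate added.

    `fetch(dest_path)` is a hypothetical callable standing in for the curl or
    wget step. A uniquely named directory like the script's /tmp/cado-host-<hex>
    is created, the file is fetched into it and verified, and on any failure
    the directory is removed so an unverified binary never stays on disk.
    Returns the path of the verified, owner-executable binary.
    """
    workdir = tempfile.mkdtemp(prefix=f"{name}-{secrets.token_hex(4)}-")
    dest = os.path.join(workdir, name)
    try:
        fetch(dest)
        ok, reason = verify_download(dest, expected_sha256)
        if not ok:
            raise RuntimeError(f"{name} download rejected: {reason}")
        os.chmod(dest, 0o700)  # owner-only execute, tighter than chmod +x
        return dest
    except Exception:
        shutil.rmtree(workdir, ignore_errors=True)
        raise


# Constructed stand-ins for the network download: no real binary, no network.
SAMPLE_PAYLOAD = b"\x7fELF constructed sample, not a real cado-host binary"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()


def fake_fetch(data: bytes) -> Callable[[str], None]:
    """Return a fetch callable that writes `data` where curl/wget would write."""
    def _fetch(dest: str) -> None:
        with open(dest, "wb") as fh:
            fh.write(data)
    return _fetch


def demo() -> Dict[str, object]:
    """Exercise the good, truncated and missing cases and return the outcomes."""
    results: Dict[str, object] = {}
    path = stage_binary(fake_fetch(SAMPLE_PAYLOAD), SAMPLE_SHA256)
    results["good"] = verify_download(path, SAMPLE_SHA256)
    shutil.rmtree(os.path.dirname(path))  # the script's `rm -r` step
    try:
        stage_binary(fake_fetch(SAMPLE_PAYLOAD[:7]), SAMPLE_SHA256)
        results["truncated"] = "accepted"
    except RuntimeError as err:
        results["truncated"] = str(err)
    results["missing"] = verify_download("/nonexistent/cado-host", SAMPLE_SHA256)
    return results
```

The cleanup-on-failure path matters as much as the digest check: the vendor script removes its directory only after a successful run, so a rejected download would otherwise leave an unverified, root-owned file under `/tmp`.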
```bash
cd /tmp/cado-host-67c03a16/
```
- Changes the working directory:
The script changes the current working directory to `/tmp/cado-host-67c03a16/`, where the downloaded binary resides.
```bash
sudo chmod +x ./cado-host
```
- Makes the binary executable:
The script changes the permissions of the `cado-host` binary to make it executable using the `chmod +x` command.
```bash
sudo ./cado-host capture --skip_linux_memory || echo "Cado Host has failed. For troubleshooting steps, pass the --verbose and --no_cleanup flags, or visit https://docs.cadosecurity.com/cado-host/deploy#considerations, or contact support@cadosecurity.com.; sudo ./cado-host upload --presigned_data $pre-signed-data"
```
- Runs the / Forensic Acquisition and Investigation Host binary and removes the collected archive:
The script executes the `cado-host` binary with two options: `--presigned_data` and `--skip_linux_memory`, the latter of which skips memory data collection on Linux.
If the execution fails, it displays an error message with troubleshooting instructions.
Note that the `--no_cleanup` flag is not passed, so the script will clean up after the binary has run by deleting the collected archive. If this flag is passed, or pre-signed data is not given to / Forensic Acquisition and Investigation Host, the script will not delete the collected archive.
The pre-signed data is a JSON object that contains information required to upload data to a cloud storage provider. An example of this JSON object is as follows:
```json
{
  "url": "https://s3.us-west-2.amazonaws.com/my-cado-bucket",
  "fields": {
    "key": "cado-collector/project-401/cado-host/2024/10/11/$(unknown)",
    "x-amz-algorithm": "AWS4-HMAC-SHA256",
    "x-amz-credential": "AAA/us-west-2/s3/aws4_request",
    "x-amz-date": "20241011T163440Z",
    "x-amz-security-token": "AAA"
  },
  "policy": "AAA",
  "bucket": "my-cado-bucket",
  "folder": "cado-collector/project-401/cado-host/2024/10/11",
  "provider": "aws"
}
```
Description of the Encoded JSON Object:
- URL: This points to an Amazon S3 URL where data might be uploaded or stored.
- Fields:
  - `key`: Represents the path or key where the file will be stored, with a placeholder for `$(unknown)`.
  - `x-amz-algorithm`: Specifies the AWS signature algorithm being used, `AWS4-HMAC-SHA256`.
  - `x-amz-credential`: Contains the AWS credential used to sign the request, including the access key and date information.
  - `x-amz-date`: The timestamp of when the request was made, formatted as `20241011T163440Z`.
  - `x-amz-security-token`: A temporary security token used for authentication.
- Policy: The `policy` field contains a base64-encoded policy document such as the following, which scopes the upload operation:
```json
{
  "expiration": "2024-10-12T16:34:40Z",
  "conditions": [
    ["starts-with", "$key", "cado-collector/project-401/cado-host/2024/10/11"],
    {"bucket": "my-cado-bucket"},
    ["starts-with", "$key", "cado-collector/project-401/cado-host/2024/10/11/"],
    {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
    {"x-amz-credential": "AAA"},
    {"x-amz-date": "20241011T163440Z"},
    {"x-amz-security-token": "AAA"}
  ]
}
```
- Bucket: Specifies the S3 bucket name, `my-cado-bucket`.
- Folder: The folder path within the bucket where the file is being stored.
- Provider: The cloud provider for this storage operation, which is AWS (`aws`) in this case.
This JSON is part of a typical AWS S3 presigned URL setup, often used to allow file uploads to S3 with specified credentials and conditions.
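Before handing pre-signed data to a host, an operator can decode the `policy` and confirm that it is unexpired and scopes uploads to the bucket and key prefix they intended. The following Python is an added example, not the vendor's code: it rebuilds a pre-signed data object in the shape shown above from constructed placeholder values (the key suffix `collection.tar` stands in for the page's `$(unknown)`), decodes the base64 policy, and evaluates every condition the way S3 does for a POST upload. It goes beyond the page's document by handling the general condition forms (`{"field": "value"}`, `["eq", ...]`, `["starts-with", ...]`, `["content-length-range", ...]`); `expected_bucket` and `expected_prefix` are hypothetical operator-side inputs.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple

# Constructed sample in the shape of the page's pre-signed data; every value is
# a placeholder (assumption: "collection.tar" stands in for the real key suffix).
SAMPLE_POLICY_DOC: Dict[str, Any] = {
    "expiration": "2024-10-12T16:34:40Z",
    "conditions": [
        ["starts-with", "$key", "cado-collector/project-401/cado-host/2024/10/11"],
        {"bucket": "my-cado-bucket"},
        ["starts-with", "$key", "cado-collector/project-401/cado-host/2024/10/11/"],
        {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
        {"x-amz-credential": "AAA"},
        {"x-amz-date": "20241011T163440Z"},
        {"x-amz-security-token": "AAA"},
    ],
}
SAMPLE_PRESIGNED: Dict[str, Any] = {
    "url": "https://s3.us-west-2.amazonaws.com/my-cado-bucket",
    "fields": {
        "key": "cado-collector/project-401/cado-host/2024/10/11/collection.tar",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": "AAA",
        "x-amz-date": "20241011T163440Z",
        "x-amz-security-token": "AAA",
    },
    "policy": base64.b64encode(json.dumps(SAMPLE_POLICY_DOC).encode()).decode(),
    "bucket": "my-cado-bucket",
    "folder": "cado-collector/project-401/cado-host/2024/10/11",
    "provider": "aws",
}


def decode_policy(policy_b64: str) -> Dict[str, Any]:
    """The policy field is a base64-encoded JSON document; decode it."""
    return json.loads(base64.b64decode(policy_b64))


def check_condition(cond: Any, fields: Dict[str, str], bucket: str) -> Tuple[bool, str]:
    """Evaluate one S3 POST policy condition against the form fields.

    Handles {"field": "value"} exact match, ["eq", "$field", value],
    ["starts-with", "$field", prefix] and ["content-length-range", min, max]
    (the last constrains the upload body, so it is reported, not judged).
    "bucket" is not a form field; it comes from the top-level bucket value.
    """
    def lookup(name: str) -> str:
        return bucket if name == "bucket" else fields.get(name, "")

    if isinstance(cond, dict):
        (name, want), = cond.items()
        return lookup(name) == want, f"{name} == {want!r}"
    op = cond[0]
    if op == "content-length-range":
        return True, f"content-length-range {cond[1]}..{cond[2]} (enforced at upload time)"
    name, value = cond[1].lstrip("$"), cond[2]
    if op == "eq":
        return lookup(name) == value, f"{name} == {value!r}"
    if op == "starts-with":
        return lookup(name).startswith(value), f"{name} starts-with {value!r}"
    return False, f"unsupported operator {op!r}"


def validate_presigned(data: Dict[str, Any], now: datetime,
                       expected_bucket: str, expected_prefix: str) -> Tuple[bool, List[str]]:
    """Return (ok, problems): unexpired, scoped to the expected bucket/prefix,
    and every policy condition satisfied by the fields that will be posted."""
    problems: List[str] = []
    policy = decode_policy(data["policy"])
    expires = datetime.strptime(policy["expiration"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if now >= expires:
        problems.append(f"policy expired at {policy['expiration']}")
    if data.get("bucket") != expected_bucket:
        problems.append(f"bucket {data.get('bucket')!r} is not the expected {expected_bucket!r}")
    key = data["fields"].get("key", "")
    if not key.startswith(expected_prefix):
        problems.append(f"key {key!r} is outside expected prefix {expected_prefix!r}")
    for cond in policy["conditions"]:
        ok, desc = check_condition(cond, data["fields"], data.get("bucket", ""))
        if not ok:
            problems.append("policy condition not met: " + desc)
    return not problems, problems


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Run the validator at a fresh time, a stale time, and with a key outside the signed prefix."""
    prefix = "cado-collector/project-401/"
    fresh = datetime(2024, 10, 11, 17, 0, tzinfo=timezone.utc)
    stale = datetime(2024, 10, 13, 0, 0, tzinfo=timezone.utc)
    escaped = json.loads(json.dumps(SAMPLE_PRESIGNED))  # deep copy
    escaped["fields"]["key"] = "other-project/evidence.tar"
    return {
        "fresh": validate_presigned(SAMPLE_PRESIGNED, fresh, "my-cado-bucket", prefix),
        "expired": validate_presigned(SAMPLE_PRESIGNED, stale, "my-cado-bucket", prefix),
        "escaped_key": validate_presigned(escaped, fresh, "my-cado-bucket", prefix),
    }
```

The `starts-with` conditions on `$key` are what keep a collection from being written anywhere else in the bucket; a pre-signed data object whose policy lacks them, or whose expiration is far in the future, deserves a second look before it is pasted into a deployment command.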
```bash
sudo rm -r /tmp/cado-host-67c03a16
```
- Cleans up temporary files:
Once the binary has run, the script removes the temporary directory `/tmp/cado-host-67c03a16` and its contents to clean up any residual files.
```bash
exit 0
```
- Exits the script:
Finally, the script exits with a status code of `0`, indicating successful completion.