Cado Host Documentation

How to Run Cado Host

You can either set parameters in a file (named config.cfg) or on the command line.

The parameter “light” will exclude any files over 100 Mb in size.

You can view the list of forensic artefacts collected by Cado Host here.

If no cloud storage is set, the file will remain on disk locally.

If you do not execute the application with administrative privileges, there are some files you will not be able to acquire.

Cado Host is designed to be run from the command line on Windows. If you execute it without the command line, you may be prompted by Windows SmartScreen. If you wish to run cado-host.exe by manually clicking it, you will have to select Properties and untick this box:

How to Deploy Cado Host

You can execute Cado Host individually on a machine.

You may also want to deploy it to a number of machines that may be compromised, for example through Group Policy or other systems management software.

When running on Linux or OSX, you may need to set the binary as executable, i.e.:

chmod +x ./cado-host
./cado-host

Creating Secure Cloud Storage Credentials

It is important to use credentials whose access is limited to writing objects to your cloud storage. Otherwise, an attacker who finds your credentials could compromise data.
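As an added example (not part of the Cado Host documentation or code), the script below audits an AWS IAM policy document to confirm it grants nothing beyond writing objects into one bucket. It assumes the upload needs only s3:PutObject and s3:AbortMultipartUpload, which the page does not specify; the sample policies are constructed, and the bucket name is taken from the example command line on this page.

```python
import json

# Constructed sample policies (not from the Cado documentation). The bucket
# name is the one used in the page's example command line.
BUCKET = "cado-live-test"
WRITE_ONLY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:PutObject",
                 "Resource": "arn:aws:s3:::cado-live-test/*"}]
}""")
TOO_BROAD = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["s3:PutObject", "s3:GetObject", "s3:*"],
                 "Resource": ["arn:aws:s3:::cado-live-test/*", "arn:aws:s3:::*"]}]
}""")

# Assumption: uploading needs only these actions (IAM action names are
# case-insensitive, so they are compared in lower case).
ALLOWED_ACTIONS = {"s3:putobject", "s3:abortmultipartupload"}

def as_list(value):
    """IAM allows a single value or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]

def audit_write_only(policy, bucket):
    """Return findings for every grant beyond writing objects into `bucket`."""
    findings = []
    prefix = f"arn:aws:s3:::{bucket}/"
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"statement {i}: NotAction/NotResource is open-ended")
        for action in as_list(stmt.get("Action", [])):
            # Wildcards such as s3:* or s3:Put* are rejected conservatively.
            if action.lower() not in ALLOWED_ACTIONS:
                findings.append(f"statement {i}: action {action} is not write-only")
        for res in as_list(stmt.get("Resource", [])):
            if not res.startswith(prefix):
                findings.append(f"statement {i}: resource {res} is not an object path in {bucket}")
    return findings

if __name__ == "__main__":
    for name, pol in (("write-only", WRITE_ONLY), ("too-broad", TOO_BROAD)):
        print(name, audit_write_only(pol, BUCKET) or "OK")
```
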

Before using Cado Host, you will need to create secure credentials to upload with:

Using Local Storage

If you do not set a cloud storage option, files will be saved to the same folder that Cado Host is run from. You cannot set a different storage location at this time.

Command Line Parameters

It is very important to follow the advice above on creating write-only credentials if you are entering credentials on the command line.

cado-host:
  Cado Host

Usage:
  cado-host [options]

Options:
  --light                              Exclude large files (over 100 Mb) from the collection
  --storage <storage>                  The cloud storage to use (File will be stored locally if none selected)
  --bucket <bucket>                    The Bucket to store data in
  --access_key <access_key>            The Access Key
  --secret_key <secret_key>            The Secret Key
  --region <region>                    The bucket region eg; US-EAST-1 (Optional)
  --account_name <account_name>        The Azure Account Name
  --container_name <container_name>    The Azure Container Name
  --sas_string <sas_string>            The Azure SAS string
  --gcp_bucket <gcp_bucket>            The Google Cloud Bucket to store data in
  --gcp_access_key <gcp_access_key>    The Google Cloud Access Key
  --gcp_secret_key <gcp_secret_key>    The Google Cloud Secret Key
  --version                            Show version information
  -?, -h, --help                       Show help and usage information

Example Command Line

cado-host.exe --storage aws --access_key xxx --secret_key xxx --bucket cado-live-test

Example Config.cfg

The file config.cfg should be in the current working directory, alongside the cado-host binary.

[CORE]
storage = google
light = true

[AWS]
access_key = xxx
secret_key = xxx
bucket = xxx

[GOOGLE]
gcp_access_key = xxx
gcp_secret_key = xxx
gcp_bucket = xxx

[AZURE]
access_signature = xxx
account_name = xxx
container_name = xxx