POST /forensics/capture/recoveries

Creates a new capture recovery.

Creates a new recovery.

Table 1. POST /forensics/capture/recoveries resource details
| MIME Type |
| --- |
| application/json |

Table 2. POST /forensics/capture/recoveries request parameter details
| Parameter | Type | Optionality | Data Type | MIME Type | Description |
| --- | --- | --- | --- | --- | --- |
| fields | header | Optional | String | text/plain | Optional - Use this parameter to specify which fields you would like to get back in the response. Fields that are not named are excluded. Specify subfields in brackets and multiple fields in the same object are separated by commas. |

Table 3. POST /forensics/capture/recoveries request body details
| Parameter | Data Type | MIME Type | Description | Sample |
| --- | --- | --- | --- | --- |
| recovery | Object | application/json | null | { "assigned_to": "String", "bpf": "String", "case_id": 42, "collection_name_suffix": "String", "recovery_window_end_time": 42, "recovery_window_start_time": 42, "session_ids": [ "String" ], "tags": [ "String" ] } |

Table 4. POST /forensics/capture/recoveries response codes
| HTTP Response Code | Unique Code | Description |
| --- | --- | --- |
| 201 | | The workflow recovery job was created. |
| 403 | 1009 | The user or targeted user does not have the capability to perform this request. |
| 409 | 1000 | null |
| 422 | 1005 | A request parameter is not valid. |
| 500 | 1020 | An error occurred during the creation of the recovery job. |

Response Description

The newly created recovery that contains the following fields:
  • assigned_to - String - The username of the user the recovery is assigned to. If not supplied, the recovery is assigned to the user making the request. Requires a valid user with the Forensics role. Not an authorized service.
  • bpf - String - A simplified Berkeley Packet Filter expression that is passed to the capture device and applied when recovering network data. Maximum length is 250 characters.
  • case_id - String - ID of the case where the collection(s) are created.
  • collection_name_suffix - String - Suffix that is used to name the collection(s) that store the recovered data. Because a recovery task is created for each capture device, collection names are derived from this value and from the capture device where the network data originates. For example, a collection name suffix of "mycollection" and data recovered from capture device IP "10.0.0.2" results in a collection that is named "10.0.0.2_mycollection". NOTE: If the collection name already exists in the case, the existing collection is deleted. Maximum length is 100 characters. Only alphanumeric and period characters are permitted.
  • id - Long - ID for the recovery.
  • recovery_task_ids - Long Array - IDs for all recovery tasks belonging to this recovery.
  • recovery_window_end_time - Long - End of time range for data recovery.
  • recovery_window_start_time - Long - Start of time range for data recovery.
  • tags - String - Identifiers applied to recovered data to assist with grouping when searching. These are user-supplied string identifiers that mark the data so that the user can easily look it up later. Maximum length is 255 alphanumeric characters (all values are converted to a space-separated string).

Response Sample


{
    "assigned_to": "String",
    "bpf": "String",
    "case_id": 42,
    "collection_name_suffix": "String",
    "id": 42,
    "recovery_task_ids": [
        42
    ],
    "recovery_window_end_time": 42,
    "recovery_window_start_time": 42,
    "session_ids": [
        "String"
    ],
    "tags": [
        "String"
    ]
}
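The field limits above, and the note that an existing collection with the same derived name is deleted, can be checked on the client before the request is sent. The following Python sketch is an added example, not part of the API or its vendor's code. The function names, the `device_ips` and `existing_collections` inputs, the required non-empty suffix, the ordered time window and the per-tag alphanumeric check are assumptions.

```python
import re

# Limits taken from the field descriptions on this page.
BPF_MAX, SUFFIX_MAX, TAGS_MAX = 250, 100, 255
SUFFIX_RE = re.compile(r"[A-Za-z0-9.]+")   # alphanumeric and period only
TAG_RE = re.compile(r"[A-Za-z0-9]+")


def derived_collection_names(suffix, device_ips):
    """Names the page says are derived: "<capture device IP>_<suffix>"."""
    return [f"{ip}_{suffix}" for ip in device_ips]


def build_recovery_body(case_id, suffix, start, end, bpf=None, tags=(),
                        session_ids=(), assigned_to=None,
                        device_ips=(), existing_collections=()):
    """Return the request body as a dict, or raise ValueError listing every problem."""
    errors = []
    # Assumption: the suffix is required and must not be empty.
    if len(suffix) > SUFFIX_MAX or not SUFFIX_RE.fullmatch(suffix):
        errors.append("collection_name_suffix: 1-100 alphanumeric/period characters")
    if bpf is not None and len(bpf) > BPF_MAX:
        errors.append("bpf: longer than 250 characters")
    # Assumption: each tag is alphanumeric and the space-joined string is <= 255.
    if any(not TAG_RE.fullmatch(t) for t in tags) or len(" ".join(tags)) > TAGS_MAX:
        errors.append("tags: alphanumeric only, 255 characters when joined")
    # Assumption: the recovery window must be ordered and non-empty.
    if start >= end:
        errors.append("recovery window: start must be before end")
    # An existing collection with a derived name would be deleted by the server.
    clash = set(derived_collection_names(suffix, device_ips)) & set(existing_collections)
    if clash:
        errors.append("would delete existing collection(s): " + ", ".join(sorted(clash)))
    if errors:
        raise ValueError("; ".join(errors))
    body = {"case_id": case_id, "collection_name_suffix": suffix,
            "recovery_window_start_time": start, "recovery_window_end_time": end,
            "session_ids": list(session_ids), "tags": list(tags)}
    if bpf is not None:
        body["bpf"] = bpf
    if assigned_to is not None:
        body["assigned_to"] = assigned_to
    return body


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(build_recovery_body(42, "mycollection", 1000, 2000, bpf="host 10.0.0.2",
                              tags=["phishing"], device_ips=["10.0.0.2"]))
```

The collision check matters for evidence handling: reusing a suffix within the same case silently replaces the earlier collection for that capture device.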