InterACT
Overview
Binalyze AIR’s interACT module is a comprehensive secure remote shell that is cross-platform and provides a standardized command set for Windows, macOS, and Linux to greatly empower and simplify the investigation process. Investigators and incident responders can connect to their assets easily by starting an interACT session via the AIR console.
When an interACT session is initiated, the AIR console connects to the asset in just a few seconds and provides a command line interface for investigators to begin their triage, mitigation or other remediation actions.
Another very useful and unique feature of interACT is its ability to control access to features based on user permissions level. This allows DFIR team leaders and managers to create appropriate access profiles to match the experience and ability of each team member.
Currently interACT has 3 levels of permissions:
Enumeration Privileges
Read Content Privileges Write
Execute Privileges
These access levels can be further enhanced by controlling individual users' access to organizations on the AIR platform resulting in a highly granular solution for access control.
interACT’s Library feature allows DFIR managers and team leaders to upload standardized investigation assets like scripts and toolkits to make it easy for individual analysts to utilize those assets in the course of their investigation with a single click.
Also by providing access to the Library of approved assets a more uniform investigative process, across the whole team, can be defined and encouraged.
Another valuable feature of interACT is the full auditing and logging capability. Every command used and response received is logged in a real-time interACT session report. Additionally, if any files are transferred between the analyst and asset these are also logged, including their hash values.
interACT has three levels of audit:
Firstly, the interACT session log which is generated as a Case Report and saved as a Task immediately after the session is closed.
Next is the Global Audit Log which can not be purged
And thirdly the user has the option to export the interACT audit logs to their Syslog server for analysis.
interACT is a powerful tool so this comprehensive auditing capability provides peace of mind that, should you need to demonstrate exactly what happened during a remote shell session, you can do just that.
The interACT command-line parser will use Unix-like command line parsing methods due to the libraries used and the missing Windows libraries. Because of that, a Windows user will have to write a del command like this:
del C:/xyz/abc.txt # use forward slashes
del 'C:\xyz\abc.txt' # within single quotes
The following is currently invalid and probably will be invalid in the future due to the Windows non-standard way of command-line parsing and escaping characters.
del C:\xyz\abc.txt # Invalid
del "C:\xyz\abc.txt" # Invalid
Last updated