Features
Enable interACT
This feature enables or disables the interACT functionality in Binalyze AIR.
interACT allows users to remotely open a shell session to interact with assets. Users can execute commands and scripts based on their assigned privileges.
Security Requirement: To use interACT, users must have enhanced security in place—either Two-Factor Authentication (2FA) or Single Sign-On (SSO). This ensures secure access to sensitive systems, limiting unauthorized use.
Read more about interACT here: interACT
Two-Factor Authentication (2FA) for isolated AIR installations
To enhance security, Binalyze AIR interACT requires Two-Factor Authentication (2FA) using Time-Based One-Time Passwords (TOTP). You can set up offline 2FA solutions such as Google Authenticator or Microsoft Authenticator, making it suitable for use in isolated networks.
Why is 2FA Mandatory in interACT?
Preventing Unauthorized Access
interACT provides direct access to systems, making security a top priority. Relying solely on a password increases the risk of unauthorized individuals gaining control. 2FA significantly reduces this risk by adding an extra layer of authentication.
Securing Critical Command Execution
interACT allows users to execute commands directly on a system. Without a strong authentication mechanism, a malicious actor could exploit access to perform harmful operations. 2FA ensures that only authorized users can issue commands, maintaining system integrity and security.
By enforcing 2FA, interACT safeguards against unauthorized access and potential misuse, ensuring a secure and controlled environment for forensic investigations.
Resolve Responder Public IP
This feature allows AIR to capture and associate the public IP of an asset.
When enabled, the AIR Console parses HTTP request headers to extract the X-Forwarded-For header provided by proxies. This header reveals the public IP address of the responder (asset), even if it is behind a proxy or firewall.
Visibility: If the feature is enabled, AIR will display the X-Forwarded-For IP address instead of the communication IP (the one directly visible to AIR). This provides more accurate forensic visibility of an asset's location and origin.
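The caveat behind this feature, as an added example that is not Binalyze's code: X-Forwarded-For is appended hop by hop and the leftmost entries can be supplied by the client itself, so a console should only believe entries added by proxies it trusts. The trusted proxy ranges below are assumed values for illustration.

```python
import ipaddress
from typing import Iterable, Optional

# Added example, not Binalyze code. X-Forwarded-For grows hop by hop:
# "client, proxy1, proxy2". Whatever the client sends arrives first, so only the
# entries appended by proxies you control (the rightmost ones) are trustworthy.

# Assumed reverse-proxy ranges in front of the console (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.10/32")]

def _is_trusted(addr: str, trusted: Iterable) -> bool:
    """True if addr parses as an IP and lies inside a trusted proxy range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)

def resolve_public_ip(connection_ip: str, xff_header: Optional[str],
                      trusted=TRUSTED_PROXIES) -> str:
    """Return the responder's public IP.

    Walk X-Forwarded-For from the right, skipping trusted proxies; the first
    untrusted hop is the real client. Fall back to the connection IP when the
    header is absent, malformed, or the direct peer is not a trusted proxy
    (in which case the header could have been forged by the peer)."""
    if not xff_header or not _is_trusted(connection_ip, trusted):
        return connection_ip
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue
        try:
            return str(ipaddress.ip_address(hop))   # normalised form
        except ValueError:
            return connection_ip   # garbage entry: do not trust the header
    return connection_ip   # every hop was one of our proxies
```

Logging both the connection IP and the resolved value keeps a record of which proxy chain produced the public address, which matters when the header is later relied on as evidence.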
Case Selection
Enforce mandatory case selection when starting tasks.
This feature requires users to associate every task they run in AIR with a specific case.
Benefit: It enforces structured workflows, ensuring that all investigations are organized and traceable to a particular case, which is critical for auditing and maintaining clarity in incident response efforts.
RFC3161 Timestamping
Provides cryptographic proof of when data was acquired and its integrity.
RFC3161 timestamping ensures that the data collected during acquisition has a digital signature, proving that the data existed at a specific time and has not been altered since.
When enabled, every new acquisition task will include a signature file with metadata, adding legal and forensic robustness to your investigation process.
Chain of Custody
Protect evidence integrity by registering it on the blockchain via LOCARD, which is a blockchain-based system for secure evidence handling in digital forensics. It has seen some adoption in Europe but remains underutilized in the U.S. due to regulatory and infrastructure challenges, leading to slower adoption and less frequent use.
This feature integrates with LOCARD, a blockchain-based platform for evidence integrity. When enabled, the chain of custody for digital evidence is secured by submitting evidence metadata to the blockchain, ensuring it hasn't been tampered with.
LOCARD Credentials: To use this, you'll need to provide the Organization, Host, Username, and Password for your LOCARD account.
SMTP (Email Configuration)
Set up email notifications, such as password-reset emails.
Specifying an SMTP server allows Binalyze AIR to send out automated emails, particularly for password resets. This is useful for self-service password recovery.
You must configure the SMTP server address, port, sender email, username, and password. For example, using mail.smtp2go.com as the server.
Syslog / SIEM Integration
Enable integration with Syslog servers or SIEM systems.
This feature allows Binalyze AIR to send event logs to a centralized Syslog or SIEM (Security Information and Event Management) system for enhanced log monitoring and analysis.
You will need to configure the protocol (TCP/UDP), server address, and port to send logs from AIR to your preferred log management system.
Banner Message
Display a custom banner message across all AIR Console pages.
This feature allows you to set a banner message that will appear on all pages of the AIR Console. This is useful for displaying system notices, warnings, or other important information to all users.
Policies
Enforce task options and preferences across assets.
Policies allow administrators to define global task preferences and restrictions for assets in the organization.
Customizability: Policies can be tailored for different subsets of assets using filters, and a user must have the "Override Policy" privilege to modify the default organizational policies.
Auto Asset Tagging
Automate tagging of assets when they are added to AIR.
When this feature is enabled, Binalyze AIR automatically applies asset tags based on predefined rules as soon as a responder is installed on an asset.
Flexibility: Even if this feature is disabled, users can still run the Auto Asset Tagging task manually on assets.
Enable Frank.AI
Activate AI-powered assistance for investigations.
Frank.AI is an AI-driven assistant integrated into Binalyze AIR. It helps guide users through investigations, providing suggestions and assistance to streamline the forensic analysis process. Frank.AI acts as a copilot for investigators, improving efficiency by leveraging AI to answer analysts' questions.