Policies
Policies define how evidence is collected and managed, giving fine-grained control over the resources and processes involved in a collection.
Policies in AIR provide central configuration management: global configurations apply across the deployment and can be overridden at the Organization level when required.
Overriding a policy is only possible when the "Override Policy" privilege is assigned to the user's role.
Key Components:
Name & Organization: A policy must have a unique name and be assigned to a specific organization.
Evidence Storage: Configures where collected evidence is written: either locally, under the default paths Binalyze\AIR\ on Windows and /opt/binalyze/air/ on Linux/macOS, or in a defined evidence repository such as an SMB share or an SFTP server.
Resource Limits: Caps the CPU, bandwidth and disk space a collection may consume so that acquisition does not overload the asset. The CPU limit is expressed as a percentage (e.g., 100%); bandwidth and disk space can be restricted in the same way.
Compression & Encryption: Optionally compresses and encrypts the collected evidence. Encryption is protected by a password, which must be supplied to open the evidence later, so choose and store it as carefully as any other secret.
Scan Scope: Restricts scans to local drives only, excluding network and external drives, so that a collection does not traverse mapped shares or removable media.
Isolation Settings: Policies can include an IP/Port allow list and a process allow list for isolation tasks, so that specific communication channels stay open while an asset is isolated (for example, to critical servers or to the repository that receives the collected evidence).
Use Case Example:
When creating a policy for a specific investigation, you could configure it to save evidence to an AWS S3 bucket, limit the CPU to 50%, compress the evidence to reduce storage, and exclude network drives from the scan. The same policy could also allow communication with critical servers even while the asset is isolated.
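As an added example (not Binalyze's code and not AIR's actual policy schema or API), the following Python models the settings listed above as a dataclass and lints a policy for the weak choices a reviewer would look for: evidence sent to a remote repository without encryption, a missing or short encryption password, a 100% CPU limit, network drives in scope, over-broad networks in the isolation allow list, and a repository that an isolated asset could not reach. All field names, thresholds, URL and allow-list entry formats, and the two sample policies are assumptions made for illustration.

```python
"""Lint for an evidence-collection policy modelled on the settings above.

Added example, not Binalyze code: the Policy dataclass is an assumed model
of the page's settings, not AIR's actual policy schema or API.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlparse

MAX_ALLOW_PREFIXLEN = 24   # allow-list networks broader than /24 are flagged (assumed threshold)
MIN_PASSWORD_LENGTH = 12   # assumed minimum length for the evidence encryption password


@dataclass
class Policy:
    name: str
    organization: str
    evidence_repository: Optional[str]   # None = local default path, else smb:// or sftp:// URL (assumed form)
    cpu_limit_percent: int
    compress: bool
    encrypt: bool
    encryption_password: Optional[str]
    local_drives_only: bool
    isolation_allow_ips: List[str] = field(default_factory=list)   # "ip", "cidr" or "ip:port" (assumed form)
    isolation_allow_processes: List[str] = field(default_factory=list)


def _allow_entry_network(entry: str):
    """Turn '10.0.0.5', '10.0.0.0/24' or '10.0.0.5:445' into an ip_network (IPv4 host:port only)."""
    host = entry.split(":")[0] if entry.count(":") == 1 and "/" not in entry else entry
    return ipaddress.ip_network(host, strict=False)


def check_policy(p: Policy) -> List[str]:
    """Return a list of findings; an empty list means the policy passed every check."""
    findings = []

    # Evidence leaving the asset should be encrypted, and encryption needs a real password.
    if p.encrypt and len(p.encryption_password or "") < MIN_PASSWORD_LENGTH:
        findings.append(f"encryption enabled without a password of at least {MIN_PASSWORD_LENGTH} characters")
    if p.evidence_repository and not p.encrypt:
        findings.append("evidence is sent to a remote repository without encryption")

    # Resource limits and scan scope: avoid starving the asset or walking network shares.
    if p.cpu_limit_percent >= 100:
        findings.append("CPU limit of 100% lets collection starve the asset's own workload")
    if not p.local_drives_only:
        findings.append("scan scope includes network and external drives")

    # Isolation allow list: entries should be specific hosts or small networks.
    allowed = []
    for entry in p.isolation_allow_ips:
        try:
            net = _allow_entry_network(entry)
        except ValueError:
            findings.append(f"unparseable isolation allow-list entry {entry!r}")
            continue
        allowed.append(net)
        if net.num_addresses > 1 and net.prefixlen < MAX_ALLOW_PREFIXLEN:
            findings.append(f"isolation allow-list entry {entry!r} is broader than a /{MAX_ALLOW_PREFIXLEN}")

    # An isolated asset must still reach the repository, or its evidence never arrives.
    if p.evidence_repository:
        host = urlparse(p.evidence_repository).hostname or ""
        try:
            repo_ip = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"repository host {host!r} is not an IP literal; confirm it is covered by the allow list")
        else:
            if not any(repo_ip in net for net in allowed):
                findings.append(f"repository {host} is not in the isolation allow list; uploads would fail while isolated")
    return findings


def example_weak_policy() -> Policy:
    """Constructed sample: a policy carrying several of the settings the checks flag."""
    return Policy(
        name="Incident-42", organization="Example Org",
        evidence_repository="smb://10.20.30.40/evidence",
        cpu_limit_percent=100, compress=True, encrypt=False, encryption_password=None,
        local_drives_only=False,
        isolation_allow_ips=["10.0.0.0/8", "10.20.30.40:445"],
    )


def example_hardened_policy() -> Policy:
    """Constructed sample: the same investigation with the settings corrected."""
    return Policy(
        name="Incident-42", organization="Example Org",
        evidence_repository="sftp://10.20.30.40/drop",
        cpu_limit_percent=50, compress=True, encrypt=True,
        encryption_password="correct-horse-battery-staple",
        local_drives_only=True,
        isolation_allow_ips=["10.20.30.40:22", "10.20.30.41"],
        isolation_allow_processes=["air-agent"],   # assumed process name
    )


if __name__ == "__main__":
    for policy in (example_weak_policy(), example_hardened_policy()):
        print(policy.name, check_policy(policy) or "OK")
```

The last check is the one most often missed in practice: an isolation task that blocks everything except a management server leaves the agent unable to push evidence to an SMB or SFTP repository, so the repository endpoint belongs in the IP/Port allow list alongside the critical servers.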