LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Introduction
  • Download The Evidence and Artifacts from Local Storage
  • By Using interACT
  • By Using Remote Management tools
  • Download The Evidence and Artifacts from Evidence Repositories

Was this helpful?

Export as PDF
  1. AIR
  2. FAQs

How to download the collected evidence and artifacts in Binalyze AIR?

PreviousResolving the “Invalid Host Header. Host must be the Console Address” ErrorNextHow to gather Binalyze AIR logs for Troubleshooting

Last updated 1 year ago

Was this helpful?

Introduction

Binalyze AIR provides two separate mechanisms for storing collected evidence, artifacts, and data. The first and default method is to use the local storage of the asset and server machines' file system. The second method uses the remote network services that we call Evidence Repositories, such as SFTP, FTPS, SMB Amazon S3 Buckets, and Azure Blob Storage.

The location of the storage of the evidence and artifacts is defined in the Policy section in the Binalyze AIR Console. Since the Acquisition tasks are directly bonded to these policies, investigators and analysts can change the type (Local or Evidence Repository) and path of the collected evidence and artifacts by using the options fields in the Policy screen.

The exact location and path of the evidence and artifacts can be viewed through the Evidence URL value, which is located under the Metadata page that is accessible via a button shown under the Status of the associated Task.

The evidence and artifacts collection and storage flow is summarized as follows.

  1. An Acquisition Task is created on the Binalyze AIR Console.

  2. Binalyze AIR responder installed on asset machines connects to Binalyze AIR Console to pull the task and task details.

  3. Binalyze AIR responder installed on asset machines run the Acquire Task on the asset and collects the evidence and artifacts.

  4. Binalyze AIR responder stores the collected evidence and artifacts according to the configuration options defined in the Policies section.

    1. If the Local option is selected, the collected evidence and artifacts will be stored in the file system location defined in the configuration options.

    2. If the Evidence Repository option is selected, the collected evidence and artifacts will be stored in a temporary location on the local file system. Then the asset machine directly connects to the remote network service/server and uploads the evidence and artifacts to the location defined in the configuration options, and all the evidence and artifacts will be deleted from the asset. The flow is depicted in the picture below.

Download The Evidence and Artifacts from Local Storage

Two separate methods can be used to download collected evidence and artifacts, which are stored in the local file system of the asset machines. Investigators and analysts can use Binalyze AIR built-in remote management tool, interACT, or their favorite remote management tool to connect and download the requested evidence and artifacts.

The default location of all collected evidence and artifacts are listed below according to the operating systems. The default location can be changed by editing the policies.

Windows

C:\Binalyze\AIR\Cases

Linux

/opt/binalyze/air/Cases

macOS

/opt/binalyze/air/Cases

By Using interACT

  1. Find the task of interest. The relevant task can be viewed either by navigating through the Global Tasks Tab or by selecting the associated assets from the asset listings and then locating the related task under the asset details page.

  2. Find the exact path of the evidence and the artifacts that are in need of downloading. Click the Metadata button under this Status on the page and view the value of the Evidence URL. It is also possible to directly copy the value of the Evidence URL by clicking the copy button, which is located at the beginning of the Evidence URL line.

  3. Connect to the machine with interACT by clicking the interACT button, which is located under the asset details page.

  4. Navigate to the path provided with the Evidence URL by using the cd command.

  5. Download the associated file by using the get command provided by the interACT.

By Using Remote Management tools

  1. Find the task of interest. The relevant task can be viewed either by navigating through the Global Tasks Tab or by selecting the associated assets from the asset listings and then locating the related task under the asset details page.

  2. Find the exact path of the evidence and artifacts that are in need of downloading. Click the Metadata button under this Status on the page and view the value of the Evidence URL. It is also possible to directly copy the value of the Evidence URL by clicking the copy button, which is located at the beginning of the Evidence URL line.

  3. Connect to the asset with your favorite remote management tool. This tool may vary depending on the operating system installed on the asset. The most commonly used tools are SSH, Remote Desktop Manager, VNC, etc.

  4. Navigate to the path provided with the Evidence URL by using the cd command.

  5. Download the associated file by using the commands and activities provided by the remote management tool.

Download The Evidence and Artifacts from Evidence Repositories

  1. Find the task of interest. The relevant task can be viewed either by navigating through the Global Tasks Tab or by selecting the associated assets from the asset listings and then locating the related task under the assetdetails page.

  2. Download the compressed/encrypted zip file by clicking the Evidence URL The downloadable link will be created and bonded directly to the Evidence URL. Click the Metadata button under this Status on the page and then click on the Evidence URL to download the zip file that includes the chosen evidence and artifacts.