Acquisition Profiles
Last updated
Was this helpful?
Last updated
Was this helpful?
Acquisition profiles in Binalyze AIR define the specific types of data to be collected during an acquisition task. These profiles enable you to customize and streamline data collection to meet the unique requirements of your investigation. Saved within the AIR Libraries, acquisition profiles can be easily shared, reused, or edited for further refinement, ensuring efficiency and consistency across investigations.
As shown above, Binalyze AIR comes with several predefined acquisition profiles that you can use immediately, for example:
Quick: Designed for fast data acquisition with essential evidence types.
Full: Collects a comprehensive and rich set of data from the assets.
Compromise Assessment: Focuses on indicators of compromise and suspicious activity, defined by the Binalayze threat hunting team.
These ‘out-of-the-box’ profiles are ideal for common scenarios and provide an ideal quick start for your investigations.
To create your own custom acquisition profile, follow these steps:
(1) Navigate to Acquisition Profiles:
Go to the "Libraries > Acquisition Profiles" section from the main dashboard.
(2) Create a New Profile:
Click on the "+ New Profile" Action Button.
Provide your new profile with a name that will perhaps help you later to identify its purpose.
(3) Select the Operating System(s) for your new profile:
Windows
Linux
macOS
IBM AIX
Or a cross-platform eDiscovery collection
(4) Select Evidence Types:
Binalyze AIR supports an ever-growing number of evidence types for collection and presentation in the Investigation Hub. To build your profile, choose the data you want to collect from the extensive options grouped under the following five tabs:
Evidence List
System artifacts (e.g., registry hives, event logs)
Artifact List
Application artifacts such as server Logs, RMM, AV tools, etc
Event Log Records
Custom Content Profiles
Select bespoke file locations for collection.
Network Capture
Network Flow captures TCP/UDP connections and stores them as a CSV.
PCAP will capture IP packets and save them as a PCAP file.
The duration of the Network Capture is determined by the user.
osquery
Use osquery language to capture data.
(5) Save the Profile:
Once you have configured all the necessary settings, click "Save" to create your custom acquisition profile.
Edit Profiles: You can edit existing profiles by selecting the profile and making necessary changes.
Delete Profiles: Remove profiles that are no longer needed to keep your list organized.
Duplicate Profiles: Create a copy of an existing profile to use as a template for a new one.
User Privileges for acquisition profiles can be managed via ‘Settings > Roles’
Check Profiles: Ensure your acquisition profiles are up-to-date with the latest evidence types and investigation requirements.
Test Profiles: Test new profiles in a controlled environment to ensure they collect the intended data.
Average Time Taken: In the Acquisition Profiles table you can see the ‘Average Time’ taken by each profile, this can be useful when considering the performance and efficiency of individual profiles.
By using acquisition profiles in Binalyze AIR, you can efficiently gather relevant data for your investigations, saving time and ensuring comprehensive evidence collection.
AIR allows users to collect and present event logs or define specific channels for log collection. (Read more here: )
