Acquisition Profiles
Last updated
Last updated
Acquisition profiles in Binalyze AIR define the types of data that will be collected during an evidence acquisition process. These profiles allow you to customize and streamline the data collection to fit your specific investigation needs.
As shown above, Binalyze AIR comes with several predefined acquisition profiles that you can use immediately, for example:
Quick: Designed for fast data acquisition with essential evidence types.
Full: Collects a comprehensive and rich set of data from the assets.
Compromise Assessment: Focuses on indicators of compromise and suspicious activity, defined by the Binalayze threat hunting team.
These ‘out-of-the-box’ profiles are ideal for common scenarios and provide an ideal quick start for your investigations.
To create your own custom acquisition profile, follow these steps:
(1) Navigate to Acquisition Profiles:
Go to the "Libraries > Acquisition Profiles" section from the main dashboard.
(2) Create a New Profile:
Click on the "+ New Profile" Action Button.
Provide your new profile with a name that will perhaps help you later to identify its purpose.
(3) Select the Operating System(s) for your new profile:
Windows
Linux
macOS
IBM AIX
Or a cross-platform eDiscovery collection
(4) Select Evidence Types:
Binalyze AIR supports an ever-growing number of evidence types for collection and presentation in the Investigation Hub. To build your profile, choose the data you want to collect from the extensive options grouped under the following five tabs:
Evidence List
System artifacts (e.g., registry hives, event logs)
Artifact List
Application artifacts such as server Logs, RMM, AV tools, etc
Custom Content Profiles
Select bespoke file locations for collection.
Network Capture
Network Flow captures TCP/UDP connections and stores them as a CSV, and/or PCAP to capture IP packets as a PCAP file.
osquery
Use osquery language to capture data.
(5) Save the Profile:
Once you have configured all the necessary settings, click "Save" to create your custom acquisition profile.
Edit Profiles: You can edit existing profiles by selecting the profile and making necessary changes.
Delete Profiles: Remove profiles that are no longer needed to keep your list organized.
Duplicate Profiles: Create a copy of an existing profile to use as a template for a new one.
User Privileges for acquisition profiles can be managed via ‘Settings > Roles’
Check Profiles: Ensure your acquisition profiles are up-to-date with the latest evidence types and investigation requirements.
Test Profiles: Test new profiles in a controlled environment to ensure they collect the intended data.
Average Time Taken: In the Acquisition Profiles table you can see the ‘Average Time’ taken by each profile, this can be useful when considering the performance and efficiency of individual profiles.
By using acquisition profiles in Binalyze AIR, you can efficiently gather relevant data for your investigations, saving time and ensuring comprehensive evidence collection.