Acquisition Profiles

Acquisition profiles in Binalyze AIR define the types of data that will be collected during an evidence acquisition process. These profiles allow you to customize and streamline the data collection to fit your specific investigation needs.

Using ‘Out-of-the-Box’ Acquisition Profiles

As shown above, Binalyze AIR comes with several predefined acquisition profiles that you can use immediately, for example:

1. Quick: Designed for fast data acquisition with essential evidence types.

2. Full: Collects a comprehensive and rich set of data from the assets.

3. Compromise Assessment: Focuses on indicators of compromise and suspicious activity, defined by the Binalayze threat hunting team.

These ‘out-of-the-box’ profiles are ideal for common scenarios and provide an ideal quick start for your investigations.

Creating your own Acquisition Profiles

To create your own custom acquisition profile, follow these steps:

• (1) Navigate to Acquisition Profiles:

  • Go to the "Libraries > Acquisition Profiles" section from the main dashboard.

• (2) Create a New Profile:

  • Click on the "+ New Profile" Action Button.

  • Provide your new profile with a name that will perhaps help you later to identify its purpose.

• (3) Select the Operating System(s) for your new profile:

  • Windows

  • Linux

  • macOS

  • IBM AIX

  • Or a cross-platform eDiscovery collection

• (4) Select Evidence Types:

  • Binalyze AIR supports an ever-growing number of evidence types for collection and presentation in the Investigation Hub. To build your profile, choose the data you want to collect from the extensive options grouped under the following five tabs:

    • Evidence List

      • System artifacts (e.g., registry hives, event logs)

    • Artifact List

      • Application artifacts such as server Logs, RMM, AV tools, etc

    • Custom Content Profiles

      • Select bespoke file locations for collection.

    • Network Capture

      • Network Flow captures TCP/UDP connections and stores them as a CSV, and/or PCAP to capture IP packets as a PCAP file.

    • osquery

      • Use osquery language to capture data.
• (5) Save the Profile:

  • Once you have configured all the necessary settings, click "Save" to create your custom acquisition profile.

Managing Acquisition Profiles

• Edit Profiles: You can edit existing profiles by selecting the profile and making necessary changes.

• Delete Profiles: Remove profiles that are no longer needed to keep your list organized.

• Duplicate Profiles: Create a copy of an existing profile to use as a template for a new one.

• User Privileges for acquisition profiles can be managed via ‘Settings > Roles’

Best Practices

• Check Profiles: Ensure your acquisition profiles are up-to-date with the latest evidence types and investigation requirements.

• Test Profiles: Test new profiles in a controlled environment to ensure they collect the intended data.

• Average Time Taken: In the Acquisition Profiles table you can see the ‘Average Time’ taken by each profile, this can be useful when considering the performance and efficiency of individual profiles.

By using acquisition profiles in Binalyze AIR, you can efficiently gather relevant data for your investigations, saving time and ensuring comprehensive evidence collection.