Using the AIR Investigation Hub
Last updated
Last updated
The Investigation Hub offers a centralized and well-organized interface to manage all case-related elements, including assets, evidence, artifacts, and triage results. It simplifies the investigative process by providing efficient filtering options and a robust global search feature, eliminating the need to switch between tools or manually piece together information from various sources.
This hub is designed to elevate the investigative process by seamlessly integrating additional data sources and context through data-importing capabilities. This means you can augment your analysis by importing relevant data and context, ensuring that you have access to a comprehensive and updated information set for your investigation.
The Investigation Hub is not static, it is a living and breathing space that will ingest and consolidate every report allocated to a case as the investigation progresses.
The remainder of this page delves into the various sections that comprise the displayed information. It's beneficial to become familiar with this layout to easily locate the specific data you're interested in. Given the diverse nature of investigative needs, users may employ various methods to explore this data.
Read more; you may find the article titled 'Investigating a malware attack using Binalyze Air's Investigation Hub' to be a valuable example of one such approach.
Within this article, we will delve into the different perspectives offered by the Investigation Hub and provide suggestions on how users can effectively utilize its functionality.
The Investigatin Hub can be broken down into six sections:
Header
Secondary Menu
Dashboard & Widgets
Evidence
Findings & Results Table
MITRE ATT&CK
Details View
Automated Report Generation
The Header is a persistent element across all views within the Investigation Hub.
To the right of the AIR icon is a Global Search input box. This search capability is highly versatile, enabling users to perform searches across all data within the Investigation Hub for the current case OR the AIR console. This encompasses acquisition and triage data, as well as any imported data and findings identified by DRONE, ensuring a comprehensive and integrated approach to investigations.
Recents, with its dropdown arrow gives you access to all of the recently used items or just the Assets, Cases, Tasks or Reports. The user can filter these lists by user.
The Quick Start button allows the user, from any Investigation Hub view, to access some of AIR's core functions including; Acquire Evidence, Acquire Image, Triage, Add New Case and others.
Notifications are accessed via the bell notifications icon
To the right of the Notifications icon is the name of the Organizational environment in which the user is working. From this link the user can access the Organization Settings, change the Organization or add a new one.
Towards the right side of the Header, users have the option to modify time zone settings for all timestamps within the hub, should the need arise.
At the top of the Secondary Menu, the name of the current case (e.g., 'DayOne' in this example) is prominently displayed. From here, users can choose the view to display in the main viewing window of the Investigation Hub, selecting from:
Dashboard
Findings
Exclusions
Evidence
Reports
The bottom half of the Secondary Menu is dedicated to applying Global Filters to the current case, enhancing the ability to narrow down the displayed information. Users can filter by:
Asset
Finding Type
Flag
Dates and Times
Creator
These filtering options, combined with the logical AND switch, enable users to customize and refine the display to show only the most relevant items based on multiple selected criteria. This structured approach helps streamline navigation and improves the efficiency of the investigative process in the Investigation Hub.
Filtering by asset introduces a tertiary menu, allowing users to delve deeper into data granularity. This menu enables the selection or exclusion of specific information for analysis within the Investigation Hub, focusing on particular assets. Following this, a quaternary menu becomes available, offering the ability to further refine the view by filtering through individual tasks associated with a chosen asset. This layered approach to filtering ensures that users can precisely tailor the data they review, making their investigative process more focused and efficient.
The Dashboard provides investigators with a high-level overview of their case, highlighting key issues and investigative opportunities. It features dynamic widgets that automatically update as new evidence and artifacts are added, ensuring that investigators have the most current information at their disposal.
The action buttons on the Dashboard page enable three key activities:
Import .csv or .pst Files: Add these files directly to your case.
Generate Reports: Access the Compromise Assessment report generation wizard.
Export Flags to .csv: Export all flagged items, including bookmarks.
Additionally, the Overview widget allows for filtering by operating system, enhancing your ability to quickly access and organize case data.
The Finding Type widget on the dashboard categorizes and filters findings as either DRONE automated, user-generated, or both. This widget simplifies the review process by presenting findings according to their severity levels:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Pink: Signifies Matched (keyword/Triage hit)
Each item within the widget is clickable, and the filtered results are displayed on the Findings page.
Note: User-generated findings are a new feature introduced in version 4.13.
Additionally, version 4.13 streamlines the display of findings by reducing the number of Finding categories from eight to just the four through the following re-mapping:
Dangerous & High → High
Suspicious & Medium → Medium
Matched → Matched
Rare, Relevant & Low → Low
This simplification helps clarify the severity of findings, enhancing the investigative workflow.
High: Flags threats that pose immediate and significant risks, demanding urgent action to prevent or mitigate severe impacts. Example: An IIS process executing cmd.exe
or powershell.exe
, which could indicate a web shell.
Medium: Targets activities that deviate from expected norms and could be indicative of potential threats, suggesting a need for deeper scrutiny. Example: A running unsigned process located in a temporary folder, or use of known hacking tools like "mimikatz."
Low: Identifies less critical but still unusual activities that could benefit from further investigation to clarify their nature and intent. Example: System-level processes initiated by non-privileged users, or processes operating from non-existent directories.
Matched: Involves confirmed matches to predefined security rules, keywords, hashes, or patterns within the analyzed data, signaling recognized threat indicators. Example: A detected scheduled task named "MalwareTask*" that aligns with a user-defined keyword "MalwareTask*".
The MITRE ATT&CK widget provides an invaluable overview by displaying how many findings within a case have been mapped to various Tactic and Techniques from the MITRE ATT&CK framework. This framework is a globally recognized knowledge base of adversary tactics and techniques based on real-world observations. It is used extensively for threat modeling and cybersecurity defense.
By incorporating the MITRE ATT&CK widget into the dashboard, investigators can quickly identify patterns and methods used in cyber attacks, facilitating a deeper understanding of the threat landscape. This visibility enables users to align their defense strategies more accurately with the tactics and techniques that adversaries are most likely to use, improving the effectiveness of their security measures. The widget's ability to show the distribution of findings across different categories not only helps in pinpointing vulnerabilities but also aids in prioritizing responses to the most critical threats based on the observed attack patterns.
The Top Asset Breakdown widget highlights the most significant assets within the current case, emphasizing those with the most severe issues. This feature provides a clear and concise view of critical vulnerabilities, helping investigators prioritize their response efforts based on the urgency and impact of the identified problems.
The "Flags" widget provides a comprehensive overview of all flagged items, each accompanied by their respective counts. This widget allows for the customization of flags by users, who can modify both the name and color of each flag to suit their needs.
The default "Bookmark" flag is pre-established and cannot be edited. Additional custom flags, once created, are stored and listed within the library for easy access.
*Note: Flags are configured at the Organization level, so are not just case-specific. Therefore, any edits or deletions to flags will have a global effect for the Organization and are only permitted for users with Case Management privileges. This ensures consistent flagging practices across all cases and preserves the integrity of the flagging system.
Under the heading Evidence, all of the evidence items that have been collected as part of a tasking, even where there has been a null return will be displayed.
A count will be displayed next to each evidence item to indicate the number of associated Findings. For example, in the screenshot below, there are 14 high-priority Findings for Persistence>Scheduled Tasks, 3 medium-priority Findings for Persistence>Registry, and other items are shown with counts but have no Findings associated. This feature helps to quickly identify and prioritize areas of interest within the evidence.
Triage results and Imported evidence items are also displayed in this Evidence section
Within the Secondary Menu, users have the flexibility to dynamically include or exclude case assets, including imported evidence like .pst or .csv files. Assets are categorized either by the operating system or by the name of the imported evidence for ease of management. In the example above, the Windows asset called RichardBurton has been deselected so none of the evidence from this asset will be displayed in any of the Findings views.
Other Evidence, is a category for items that are Findings without a dedicated entry in the Investigation Hub.
All findings without a specific category will be grouped under 'Other Evidence'. This ensures every finding is allocated an evidence record within a category, allowing the total count of findings on the Investigation dashboard to match the number shown in the evidence list accurately.
Within the Secondary Menu, Findings are categorized and displayed alongside a count for each evidence type where applicable. The severity of each Finding is color-coded for quick identification:
Red: Indicates High severity
Orange: Denotes Medium severity
Blue: Represents Low severity
Pink: Signifies Matched (keyword hit)
This system allows for an immediate visual assessment of the evidence's priority level.
Under the Evidence sub-heading section the secondary menu will display all of the evidence items that have been collected as part of a tasking, even where there has been a null return. In the example below we can see that the Hide Empty Pages filter has been activated.
In the screenshot shown above, the acquired evidence from the App Compat Cache has been highlighted for focused viewing. As a result, the main viewing area is exclusively dedicated to displaying all the evidence gathered from the App Compat Cache. In this particular example, one 'Matched' item has been singled out, and its comprehensive details are presented in the section below in the 'Details' tab.
It's important to highlight that in this scenario, the table has been sorted based on the findings column to order the view by the severity of the findings. Additionally, users have the flexibility to rearrange and resize columns according to their preferences. Furthermore, users can customize which columns are visible in the table using the Column Chooser feature, which is available on all pages with tables within the Investigation Hub.
The Evidence section displays both triage results and imported evidence items, offering comprehensive insight into gathered data.
Highlighted in the above screenshot, additional table functionality enhances user interaction and data management:
Flag Column: This column showcases flagged items and enables filtering and sorting based on flag status.
Magnifying Glass Icon: Offers extensive filtering and searching capabilities with options like Contains, Does Not Contain, Starts With, Ends With, Equals, and more, allowing precise control over displayed data.
Dockable Details Pane: Users can choose to dock this pane on the right side or at the bottom of the window. Clicking the icon toggles the Details pane's orientation from vertical to horizontal and vice versa, adapting to user preference and screen layout.
Filtered Items Reminder: A helpful reminder of the currently applied filters, ensuring users are aware of the viewing context.
Date & Time Picker: Allows users to narrow down evidence to specific time periods, facilitating focused analysis.
Created By Column: In the Findings table the Created By column will show if the finding was generated by DRONE or a user.
Highlight to search: This allows users to highlight text in the Investigation Hub tables, as shown below, right-click on the selecton, select the magnifying glass that appears and then choose to "Search in Findings table, Search in the Investigation Hub, Search in Google or search in Virus Total.
Fullscreen Evidence Tables: Users can view evidence tables in full-screen mode, ideal for large datasets with multiple columns and rows. This feature maximizes screen space, allowing easier navigation and analysis of complex data without the need for scrolling or resizing. To exit fullscreen mode, simply click the Exit-Fullscreen icon.
Sticky Column Headings: The selection and position of columns will remain saved in your browser across all AIR sessions unless you clear your browser cookies. This ensures your preferred layout and data organization stay consistent, enhancing both efficiency and user experience.
The Investigation Hub flagging feature allows users to create custom flags to mark evidence and findings they deem significant during an investigation. This flagging functionality can be used to filter by flags and facilitates collaboration with other investigators, it helps to mark items for re-examination, or highlights important details for potential inclusion in reports.
Users create custom flags by right-clicking on a finding or evidence item, selecting ‘Add/Remove Flag’, and then creating a name, description, and color for the flag from the 11 default options, or click the '+' to select your own colour from a palette:
Multiple items can be flagged simultaneously using the Bulk Actions bar:
Hovering over the flag of a flagged item in the table view will reveal:
The name of the flag
Who created the flag
The date & time it was created
Flags are saved at the Organization level in Libraries, therefore they will be available to all cases created in the same Organization.
Creating new flags or editing existing flags can be done in Libraries if the user has Case Management privileges.
The Bookmark Flag is the only fixed/permanent flag.
Users can use the advanced filter to include or exclude flagged items in the Investigation Hub table views, enhancing the ability to focus on prioritized or highlighted evidence.
AIR's DRONE capability enhances decision support by utilizing built-in YARA, Sigma, and osquery rules to swiftly identify compromised assets. By analyzing evidence from thousands of assets, DRONE generates insights (Findings) that help prioritize investigations and target critical areas efficiently.
During an investigation, users may discover that some Findings are not relevant to their case. The Investigation Hub gives the user the ability to exclude such Findings, aiding investigators in focusing on pertinent information.
Exclusion Methods:
Direct Exclusion:
Right-click on a Finding and choose "exclude" from the context menu.
Exclude by: Customize the exclusion based on the path in two ways: On the specific path, which excludes an item only if found in that particular location, or based on the finding, which excludes the item regardless of where it is found on the asset.
Scope: Decide whether to exclude from just this case, all cases within the organization.
Target: Apply the rule to the selected asset, or all assets in the case.
(Exclusion by hash value is coming soon)
Management and Audibility:
Excluded Findings are removed from the Findings table and added to the Exclusions table found in the Investigation Hub, secondary menu. This feature allows teams to cross-validate and resolve discrepancies as needed.
At the top of this page, users can click "Manage Rules" to edit or delete rules from the "Finding Exclusion Rules" library.
This library is also accessible from the Organization Library under "Finding Exclusions Rules," where users can change the scope from Case to Organization, apply exclusions from one asset to all assets in the organization, or completely delete rules if they have "Case Management" privileges.
Additional Exclusion Options:
Use the three-dot ellipses at the end of the row for more exclusion options.
Employ Bulk Actions to exclude multiple Findings simultaneously.
Tooltips are provided throughout to guide users in utilizing these customizable options effectively. After an exclusion is applied, users have a brief opportunity to undo the operation or close the notification, ensuring that actions are deliberate and retrievable.
This Exclusions Capability significantly streamlines the investigative process, allowing investigators to maintain focus on essential evidence while managing irrelevant data efficiently.
The Notes feature enhances collaboration by allowing users to attach notes to any evidence item or Finding, without the requirement for the item to be bookmarked. These notes are accessible to the entire team working on the case and are displayed in the Notes column of the table view.
This feature is particularly useful for enhancing communication within the team, as it allows for the sharing of insights and observations directly alongside the relevant evidence. Furthermore, notes can be seamlessly integrated into reports through AIR’s “Generate Report” feature, which supports the creation of customizable reports. Additionally, notes can be exported for external use.
Overall, the Notes feature in AIR 4.13 streamlines case documentation and enhances the reporting process, making it an essential tool for collaborative investigations.
In previous versions of AIR, the decision-support system, including the automated evidence analyzers known as DRONE, helped users prioritize their investigative steps. With the release of AIR 4.13, users now have the capability to generate their own Findings, enhancing the depth of investigations by incorporating personal insights, organizational context, or specific investigative details.
For instance, from the Evidence page, users can right-click on an item and select "Mark as Finding" to manually allocate a Finding to it. This process involves several steps:
Selecting a Finding Type: Users choose from pre-defined types such as High, Medium, Low, or Matched.
Adding a Description/Label: This describes or labels the Finding for clarity and reference.
Detailing the Path and Associating with MITRE ATT&CK TTP: Users can specify the file path and link the Finding to a specific tactic or technique from the MITRE ATT&CK framework.
Setting a Date: Users can also include the date when the Finding was identified or marked.
Upon confirming with "OK", the Finding type is displayed in the "Finding Type" column within the Evidence page, along with a column indicating who created the Finding. These user-generated Findings are then added to the "Findings" window, where they are distinguishable by a "created by" column, which shows whether a Finding is from DRONE or user-generated, and identifies the creator. This allows for efficient tracking and searching using the column search functionality.
Additionally, these Findings are reflected in the Dashboard widget, where users can filter to view "All" findings or specifically search across DRONE or user-generated Findings using the provided tabs. This new feature in AIR 4.13 significantly empowers users to tailor their investigative processes with enriched data and personalized analysis.
MITRE ATT&CK serves as a global resource for adversary tactics and techniques, guiding threat models and methodologies across industries. Integrated with AIR, it continuously maps findings to ATT&CK, enhancing detection with up-to-date YARA rules for IoCs and TTPs. DRONE's implementation scans assets and processes using crafted rules, with automated rule updates in AIR. You can read more about DRONE in this blog, 'Automated Compromise Assessment with DRONE'.
To match your viewing preferences and monitor setup, the Details view for selected evidence items is both dockable and detachable. You can either open a separate, independent window to display the evidence details or use the icon shown below to toggle the position of the Details window.
Dockable Evidence Details Window: This feature allows you to toggle the Details window between a vertical display on the right side of the browser window and a horizontal display at the bottom. Simply click the icon to switch between these views.
In the Details window, there may be occasions when some fields are empty. To minimize clutter from these empty fields, you can use the 'Hide Empty Fields' feature. This option allows you to clean up the interface by displaying only those fields that contain information.
Detachable Evidence Details Window: This feature allows users to open evidence details in a standalone window that can be resized and repositioned anywhere on the screen(s) for improved clarity. The window maintains its form even when displaying new evidence items. Clicking on a new row in the table updates the detached details view to match the newly selected item. This flexibility allows investigators to compare multiple pieces of evidence side by side, improving the overall analysis process.
Details View Example:
The screenshot above displays an example of a typical details view of a file selected in the table view. This particular file is a Scheduled Task entry which has a DRONE Finding Type 'High'.
The term "Digital Sign Status As Text" refers to the description of the status of a digital signature in text form. When you encounter "Bad Digest" as the status, it indicates an issue with the digital signature of a file or document.
Specifically, "Bad Digest" means that the hash value calculated from the downloaded or retrieved file does not match the hash value that was originally used when signing the document or file. This discrepancy suggests that the file may have been altered or corrupted after it was signed. Consequently, the integrity of the file is in question, and it can no longer be trusted as authentic or unmodified from its signed state. This status is a critical indicator in digital security practices, especially when verifying the legitimacy and integrity of software downloads and updates.
Searching the hash value revealed in the details window across the Investigation Hub immediately reveals other Findings associated with this file:
Now we can see that there are two High Findings that are mapped to MITRE ATT&CK Tactics and Techniques shown.
The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.
The Advanced Filter window remains visible as you build the filter and you can reposition it.
Each Advanced Filter is specific to the table it is built in eg; an advanced filter you build in Findings will not be available to you in the Browser Artifact table.
Filters can be saved and then later selected from the drop-down list.
Add items to Advanced Filters directly from the Details window using the filter icon:
AIR's automated report generation feature alongside the Compromise Assessment Report template efficiently populates reports with relevant investigation information, offering pre-built, customizable sections tailored to different stakeholders and audiences.
Generating a Report: Users can initiate report generation from the Secondary Menu under "Reports" or directly from the Dashboard action button using AIR’s Compromise Assessment report template. The report generation process has been refined to allow for greater customization and flexibility:
Initial Setup and Customization:
Include all findings from the Investigation Hub, encompassing DRONE findings and user-generated findings, excluding any that have been previously filtered out.
Filter which assets and associated tasks to include based on relevance to the report.
Apply additional filters by the severity of findings and by flags to tailor the content further.
Inclusion of Evidence:
Users can choose to incorporate evidence linked to flagged items, enhancing the report with crucial items of note that may not be categorized as findings.
Report Customization:
Add a company logo to the report, enabling service providers to brand reports for their clients.
Name the report and set the date/time to ensure clarity and relevance.
Select specific sections to include in the report based on the intended audience, ensuring the content is appropriate and targeted.
Final Steps and Editing: Once the report is generated by clicking <Generate Report>, it remains fully editable within an HTML iframe editor. This flexibility allows analysts and responders to append additional analysis notes, recommendations, and other pertinent information as needed.
Post-Creation Options:
Save: Saves the current HTML version of the report, allowing further modifications in the future.
Export PDF: Converts the report into a PDF file for distribution or archiving.
Both HTML and PDF versions of the report can be managed, edited, generated, exported, and deleted from the "Reports" tab in the Secondary Menu of the Investigation Hub.
This wizard-driven approach not only simplifies the report generation process but also provides users with powerful tools to create detailed, customized reports that meet specific requirements, all within a few clicks.