Using the AIR Investigation Hub

The Investigation Hub offers a centralized and well-organized interface to manage all case-related elements, including assets, evidence, artifacts, and triage results. It simplifies the investigative process by providing efficient filtering options and a robust global search feature, eliminating the need to switch between tools or manually piece together information from various sources.

This hub is designed to enhance the investigative process by seamlessly integrating additional data sources and context through data-importing capabilities. This means you can augment your analysis by importing relevant data and context, ensuring that you have access to a comprehensive and updated information set for your investigation.

The Investigation Hub is not static; it is a living space that ingests and consolidates every report allocated to a case as the investigation progresses.

The remainder of this page delves into the various sections that comprise the displayed information. It's beneficial to become familiar with this layout to easily locate the specific data you're interested in. Given the diverse nature of investigative needs, users may employ various methods to explore this data.

For further reading, the article titled 'Investigating a malware attack using Binalyze Air's Investigation Hub' is a valuable example of one such approach.

Within this article, we will delve into the different perspectives offered by the Investigation Hub and provide suggestions on how users can effectively utilize its functionality.

The home page can be broken down into the following sections:

  1. Header

  2. Assets

  3. Evidence

  4. Findings

  5. MITRE ATT&CK

  6. Results Table

  7. Details view

1. Header

The Header is a persistent element across all views within the Investigation Hub. It incorporates a hamburger icon that enables users to toggle the visibility of both the Assets and Evidence views, providing them with the flexibility to maximize the main viewing area for a more immersive exploration of findings.

The next icon to the right is the AIR logo, which, when selected, takes the user out of the hub and to the Homepage of their current organization.

To the right of the AIR icon is the name of the case that is currently being displayed in the hub. In the screenshot above this is the case called 'Day One'.

In the center of the Header is a Global Search input box. This search capability is highly versatile, enabling users to perform searches across all data within the Investigation Hub for the current case. This encompasses acquisition and triage data, as well as any imported data and findings identified by DRONE, ensuring a comprehensive and integrated approach to investigations.

Towards the right side of the Header, users have the option to modify time zone settings for all timestamps within the hub, should the need arise.

2. Assets

Within the Assets section, users have the flexibility to dynamically include or exclude case assets, including imported evidence like .pst or .csv files. Assets are categorized either by the operating system or by the name of the imported evidence for ease of management. In the example above, the Windows asset called RichardBurton has been deselected so none of the evidence from this asset will be displayed in any of the Findings views.

3. Evidence

Under the sub-heading Acquisition, the Evidence section displays all of the evidence items that were collected as part of a tasking, including items for which nothing was returned.

A count is displayed alongside any evidence item where there has been a Finding; in the screenshot above there are 318 Findings under Registry > App Compat Cache.

Triage results and Imported evidence items are also displayed in this Evidence section.

In the screenshot shown above, the acquired evidence from the App Compat Cache has been highlighted for focused viewing. As a result, the main viewing area is exclusively dedicated to displaying all the evidence gathered from the App Compat Cache. In this particular example, one 'Matched' item has been singled out, and its comprehensive details are presented in the section below in the 'Details' tab.

It's important to highlight that in this scenario, the table has been sorted based on the findings column for better organization. Additionally, users have the flexibility to rearrange and resize columns according to their preferences. Furthermore, users can customize which columns are visible in the table using the Column Chooser feature, which is available on all pages with tables within the Investigation Hub.

4a. Findings

The upper part of the Findings section provides users with a quick overview, including counts, of items categorized as Dangerous, Matched, Suspicious, or Rare. It also highlights findings that DRONE has marked with risk scores of High, Medium, or Low. For more details on the methodology behind these findings, you can refer to the article titled "Automated Compromise Assessment with DRONE."

The bar and pie chart graphics in the lower part of this area serve as an at-a-glance summary of the key aspects of the findings. They highlight the highest-priority assets, meaning those with the greatest number of findings. The Triage & Acquisition count serves as a useful reminder as to whether or not all of the available reports have been consolidated in the Investigation Hub.

If users suspect that there are more reports to incorporate into the Investigation Hub, they have the option to manually trigger a refresh by selecting the refresh button located in the top-right corner. This manual approach to refreshing was intentionally designed to prevent potential disruptions to the investigator's workflow, ensuring a seamless and uninterrupted user experience.

The "Generate Report" button enables users to create a Compromise Assessment Report. For detailed information on what this report entails and how it's structured, please refer to the Knowledge Base page titled "Compromise Assessment Report."

4b. MITRE ATT&CK

MITRE ATT&CK is a global knowledge base of adversary tactics and techniques that informs threat models and methodologies across industries. AIR continuously maps findings to ATT&CK and keeps its YARA rules for IoCs and TTPs up to date to improve detection. DRONE scans endpoints and processes using these crafted rules, and rule updates are automated within AIR. You can read more about DRONE in the blog post 'Automated Compromise Assessment with DRONE'.

The screenshot above demonstrates how findings are seamlessly linked to detailed tables containing individual hits. When you toggle on the 'Display All Tactics' option in the top right, you'll notice that even Tactics without findings are displayed. In this instance, the 'Reconnaissance' tactic is shown.

4c. Results Table

In the screenshot above, you can see 18 results following the user's selection of the Phishing Technique, as shown in screenshot 4b. The table provides information about the Asset where the finding was located, outlines the details of the Finding, and presents the Verdict/Score, along with the associated Tactic and Technique.

For added flexibility, the Column Chooser in the top right corner empowers users to customize which columns are visible. Additionally, users can resize all columns to suit their preferences.

4d. Details View

The screenshot provided above displays the details view of the file selected, which is the third one from the top in the Results table (refer to section 4c). This particular file is currently located in the Recycle Bin and has been classified as 'Relevant.' This classification is based on the application of a Binalyze DFIR rule, which correlates with MITRE ATT&CK technique T1566. Notably, the file in question is a password-protected zip file. Additionally, the associated metadata reveals information such as the hash, MAC dates/times, file size, and file path.

In the second example provided above, we can observe how the details view has presented additional pertinent information regarding a distinct file identified by DRONE. From AIR v4.7, each finding will be accentuated with the following:

  1. Its description.

  2. A reference to help further understand the findings.

  3. The specific string that was detected.

Investigation Hub Bookmarks

Items displayed in any of the Investigation Hub results tables can be bookmarked. As soon as the first item is bookmarked, a Bookmarks button appears in the Investigation Hub header, as shown above. The button also displays a count of the items currently bookmarked; in this case it is one.

To bookmark an item, users need to click on the tag icon located on the left side of the item in the results table. Once selected, the tag will change to a dark blue color, and the counter in the Investigation Hub header will increase by one.

As shown above, hovering the mouse pointer over an activated bookmarked tag will display information about who bookmarked it and when it was bookmarked.

Accessing a 'bookmarks-only' view is conveniently achieved through the button located in the Investigation Hub page header. Users can explore findings and evidence categories with bookmarks by utilizing drop-down arrows. In the example above only the Findings table is expanded.

Furthermore, the note-taking feature empowers users to capture additional context and insights, enriching their understanding of bookmarked content. Notes can be added via the edit pencil icon found in the Bookmark Notes column.
