LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Creating evidence repository from “Evidence Repositories”
  • Creating evidence repository during Policy creation
  • Creating evidence repository during acquisition task creation

Was this helpful?

Export as PDF
  1. AIR
  2. Features

Evidence Repositories

Where to save your collected data

By default, AIR supports saving collected evidence locally on the asset with paths set as Binalyze\AIR for Windows, /opt/binalyze/air for Linux, and /opt/binalyze/air for macOS. Alternatively, users can opt to send their collections to Evidence Repositories such as network shares; SMB, FTPS, SFTP, or to cloud storage; AWS S3 Buckets and Azure Blob Storage.

Defining exact system resource requirements for the Evidence Repository is challenging due to variations in environments, asset counts, and the types of acquisition tasks performed. Disk space, CPU, and memory needs can vary widely, influenced by factors like the size of disk images, log files collected during acquisitions, and the volume of evidence gathered from each asset. As a result, it’s impractical to offer a one-size-fits-all recommendation for resource allocation.

The term Evidence Repository describes a remote location, off the actual asset subject to the tasking assignment, whether it is any one of the 5 currently supported storage options.

You can create Evidence Repositories in three different ways:

  • From the “Evidence Repositories” page

  • During Policy creation

  • During Acquisition task creation

A common query from our customers revolves around the configuration of the Evidence Repository and how it interacts with the AIR Console, especially concerning evidence uploads and the necessary network permissions. Here's what you need to know:

Evidence Upload Process

When configuring the Evidence Repository, it's essential to understand the pathway through which evidence files are uploaded. Specifically, there might be confusion about whether these uploads occur directly from the assets to the Evidence Repository or if they go through the AIR console.

To clarify: Evidence files are uploaded directly from the assets to the Evidence Repository. This process necessitates configuring your firewall to permit traffic from the asset to the Evidence Repository on the relevant ports. For example, if using SMB for evidence transfer, you must allow access through port 445.

AIR Console Access

For the File Explorer feature within the AIR console to function correctly, the AIR console requires access to the Evidence Repository. This setup ensures that users can seamlessly browse and interact with the stored evidence directly through the AIR console interface.

Configuring Your Firewall

Given these operational details, it's necessary to adjust your firewall settings accordingly:

  • Allow traffic from your assets to the Evidence Repository, particularly if using specific protocols like SMB on port 445.

  • Ensure the AIR Console has access to the Evidence Repository to enable full functionality of the File Explorer feature.

Creating evidence repository from “Evidence Repositories”

1. Navigate to the Evidence Repositories section by clicking the Settings button in the Main Menu button and then select “Evidence Repositories” from the Secondary Menu.

2. Click the “+Add New” button on the top of the page.

3. From the New Evidence Repository window, provide a name to the repository and then select the relevant repository.

4. Depending on the type of evidence repository you choose, the required fields are adjusted accordingly:

SMB

  • Path: The location that is polled for evidence. If the IP address of the repository is "172.16.1.1", and the folder name is "Share", the path will be “\\172.16. 1.1\Share” without quotes.

  • Username (if required)

  • Password (if required)

SFTP

  • Host: Hostname or IP address of the SFTP server.

  • Port: The port on which the SFTP server is listening to. The default port for SFTP is 22.

  • Path: The location directory that is polled for evidence.

  • Username (if required)

  • Password (if required)

FTPS

  • Host: Hostname or IP address of the FTPS server.

  • Port: The port on which the FTPS server is listening to. The default port for FTPS is 21.

  • Path: The location directory that is polled for evidence.

  • Username (if required)

  • Password (if required)

NB: Implicit SSL/TLS is not supported

Amazon S3

  • Region: Region name for the bucket that was created in.

  • Bucket: Name of the bucket

  • Access Key ID

  • Secret Access Key

Note: IAM users must have proper rights and permissions to access the S3 bucket.

Azure Blob

Creating evidence repository during Policy creation

1. Select the Settings button in the Main Menu button and then select “Policies” from the Secondary Menu.

Click the “+Add New” button on the top of the page

2. Provide a name to the repository and then select the relevant repository type:

3. Select the relevant repository type by clicking on it.

4. Click the “Save” button.

5. The newly created repository will appear in the drop-down list, select the relevant repository and finalize the process.

Creating evidence repository during acquisition task creation

1. From the “Acquire Evidence” pane, click on the Evidence Repository radio button under the "Save Collected Evidence To" section.

2. Click in the "Repository" box“ and then select “+ Add new repository”:

3. From the window 'New Repository' complete the mandatory fields and select the type of repository you with to add there are five options:

  • SMB

  • SFTP

  • FTPS

  • Amazon S3

  • Azure Blob

4. The newly created repository will appear in the drop-down list, select the repository you want for this particular acquisition and finalize your Acquisition Task via the wizard.

To improve task reliability and prevent failed uploads, a connection check for evidence repositories will take place when starting acquisition tasks (both scheduled and immediate). Here's how it works:

  • When creating tasks like Acquisition or Acquire Image, AIR automatically checks the connection to the selected repository (SFTP, FTPS, Azure, or AWS).

  • If the connection check takes longer than 10 seconds, it will be canceled, and a warning message will appear. However, task creation is not blocked—you can choose to proceed or cancel the task if the repository is inaccessible.

UI Warning Message: If the repository is inaccessible, you'll see this warning: "The following evidence repositories are currently inaccessible. If responders cannot access these repositories, they will not be able to send the collected evidence. Please note that access to these repositories is managed through the AIR server. If the responders have access, evidence transmission will proceed without issues. Do you still want to continue?"

This feature ensures you're aware of potential access issues before initiating a task, helping you avoid wasted time on failed uploads. It’s important to note that this connection check occurs between the AIR console and the repository—not between the responders and the repository. While it's impractical to check every responder in large-scale tasks, a successful console check significantly reduces the likelihood of connection issues for responders.

PreviousAsset IsolationNextPolicies

Last updated 6 months ago

Was this helpful?

Shared Access Signature (SAS) URL See for details.

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview