interACT
Purpose-Built, Cross Platform Remote Shell for DFIR
Last updated
Purpose-Built, Cross Platform Remote Shell for DFIR
Last updated
In the dynamic landscape of Digital Forensics and Incident Response (DFIR), having the right tools can make all the difference. Enter interACT Remote Shell, a purpose-built solution that differentiates itself from the crowd. This page takes you on a journey through the unique features that make interACT an invaluable asset for DFIR professionals.
At its core, interACT is meticulously crafted for the intricate demands of Digital Forensics and Incident Response. It's not just another shell implementation; it's a specialized tool designed to meet the specific challenges faced by investigators and responders in the field.
Binalyze AIR’s interACT module is a comprehensive secure remote shell that is cross-platform and provides a standardized command set for Windows, macOS, and Linux to empower and greatly simplify the investigation process. Investigators and incident responders can connect to their assets easily by starting an interACT session via the AIR console.
When an interACT session is initiated, the AIR console connects to the asset in just a few seconds and provides a command line interface for investigators to begin their triage, mitigation, or other remediation actions.
Another very useful and unique feature of interACT is its ability to control access to features based on user permissions level. This allows DFIR team leaders and managers to create appropriate access profiles to match the experience and ability of each team member.
Currently, interACT has 3 levels of permissions:
Enumeration Privileges
Read Content Privileges Write
Execute Privileges
These access levels can be further enhanced by controlling individual users' access to organizations on the AIR platform resulting in a highly granular solution for access control.
DFIR environments are diverse, with Windows, Linux, and MacOS systems. InterACT simplifies operations by supporting cross-platform commands, ensuring a consistent and efficient experience across different operating systems.
interACT’s Library feature allows DFIR managers and team leaders to upload standardized investigation assets like scripts and toolkits, making it easy for individual analysts to utilize them with a single click during their investigation.
Repetitive tasks are an inevitable part of DFIR. With interACT's library, you can deploy your favorite scripts effortlessly. This not only saves time but also ensures consistency in your investigative processes.
Collaboration is at the heart of effective incident response. With InterACT, you can attach sessions to specific cases, promoting seamless collaboration among team members. This feature streamlines communication and ensures everyone is on the same page during investigations.
Also, by providing access to the Library of approved assets, a more uniform investigative process across the whole team can be defined and encouraged.
Another valuable feature of interACT is the full auditing and logging capability. This not only enhances visibility but also facilitates compliance with rigorous security standards. Every command used and response received is logged in a real-time interACT session report. Additionally, if any files are transferred between the analyst and the asset, these are logged, including their hash values.
InterACT has three levels of audit:
Firstly, the interACT session log is generated as a Case Report and saved as a Task immediately after the session is closed.
Next is the Global Audit Log which can not be purged
Thirdly, the user can export the interACT audit logs to their Syslog server for analysis.
InterACT is a powerful tool, so this comprehensive auditing capability provides peace of mind that, should you need to demonstrate exactly what happened during a remote shell session, you can do just that.
The interACT command-line parser will use Unix-like command line parsing methods due to the libraries used and the missing Windows libraries. Because of that, a Windows user will have to write a del command like this:
del C:/xyz/abc.txt # use forward slashes
del 'C:\xyz\abc.txt' # within single quotes
The following is currently invalid and probably will be invalid in the future due to the Windows non-standard way of command-line parsing and escaping characters.
del C:\xyz\abc.txt # Invalid
del "C:\xyz\abc.txt" # Invalid
InterACT provides peace of mind by offering individual privileges for command sets. This fine-grained control allows you to balance the need for access with the imperative of maintaining a secure environment.
In conclusion, interACT Remote Shell is not just a tool; it's a game-changer for DFIR professionals. Its purpose-built design, user privilege customization, cross-platform compatibility, Syslog integration, script deployment capabilities, collaborative features, and emphasis on individual privileges make it a versatile and indispensable asset in the arsenal of any cybersecurity expert.
interACT Commands