Off-Network Assets

How to collect evidence from an off-network device and import it to AIR?
For assets not connected to your network, AIR allows you to generate an executable package to run triages and gather data. This package can be transferred to the asset via email, file-sharing services, or directly taken to the asset. Once executed on the asset, the collected data should be ingested by the AIR console that created the package for analysis and reporting.
When the AIR binary is executed, it creates an encrypted evidence container file with a .zip extension on the offline asset. Upon importing this file back into the AIR console, it is automatically decrypted by the console that created the binary.
Users can choose to protect the collection with an additional password during the off-network collection task setup. When a collection .zip file created with that additional password is imported back into the console, users will need to enter this extra password. Biunzip, a small utility we created, is specifically useful in this scenario: it helps manage multiple off-network acquisitions during console ingestion.

Step 1: Create an Off-Network Task

  1. Navigate to the "Assets" tab in the AIR console and click on the "+Add New" button.
  2. Select "Off-Network" to initiate the creation of a task for devices not connected to the network.

Step 2: Choose the Task Type

  1. In the second stage, select the type of task you want to perform on the Off-Network asset. You can choose between "Acquisition" or "Triage".
  2. For this example, let's proceed with the "Acquire" feature.

Step 3: Select Operating System

Choose the operating system where you intend to execute the Off-Network binary you're creating. If uncertain or planning to use the binary across various operating systems, it's advisable to prepare by generating a package containing multiple binaries. This ensures compatibility with any of the Operating Systems and architectures supported by AIR.

Step 4: Configure Acquisition Stages

Specify the general Acquisition settings, including Task Name, Acquisition Profile, Resource Limits, and other policy configurations.

Step 5: Optional Drone Feature (Post-Acquisition)

If you want to enable the DRONE feature as a post-acquisition step, enable the relevant DRONE analyzers.

Step 6: Download Agent Binary

  1. Download the compiled agent binary by clicking on the "Download" button.
  2. Alternatively, create a shareable download link using the "Share" option.

Step 7: Execute on the Offline Asset

Run the downloaded agent binary on the relevant offline asset. In the example below we show the downloaded executable file named ‘offnetwork_windows_amd64.exe’ and the UAC window where the user will need to allow permissions for the AIR agent to run.
AIR will display its progress as shown below and notify the user when the activity is complete.

Step 8: Import Collected Data

  1. After the agent completes its task, it generates an encrypted evidence container file (.zip extension) on the offline asset.
  2. The user needs to copy or transfer the collection so that it can be imported back into the AIR console that generated the binary.
  3. Import the .zip or .ppc file into the AIR console that created the binary.
  4. If the user encrypted the collection with a password during the off-network task creation, enter the password when prompted during the import process.
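Because the evidence container leaves the asset by email, a file-sharing service or removable media (step 2 above), it is worth recording a hash of each .zip/.ppc file on the asset and checking the copy against it before importing it into the console. The script below is an added example and is not part of AIR, biunzip or this page; the tab-separated manifest format, the file names and the directory layout are our own constructed assumptions, and the sample containers are constructed bytes rather than real AIR collections.

```python
"""Integrity manifest for off-network evidence containers (added example).

Record a SHA-256 for every .zip/.ppc container before it leaves the asset,
then verify the transferred copies against that record before console import.
The manifest format ("sha256<TAB>filename" per line) is an assumption of this
example, not something AIR produces.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Container extensions named on the page.
EVIDENCE_SUFFIXES = (".zip", ".ppc")
CHUNK = 1024 * 1024


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large containers need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(directory: Path) -> Dict[str, str]:
    """Map each evidence container file name in `directory` to its SHA-256."""
    return {
        p.name: sha256_of(p)
        for p in sorted(directory.iterdir())
        if p.is_file() and p.suffix.lower() in EVIDENCE_SUFFIXES
    }


def write_manifest(manifest: Dict[str, str], out: Path) -> None:
    out.write_text("".join(f"{digest}\t{name}\n" for name, digest in manifest.items()))


def read_manifest(path: Path) -> Dict[str, str]:
    manifest: Dict[str, str] = {}
    for line in path.read_text().splitlines():
        if line.strip():
            digest, name = line.split("\t", 1)
            manifest[name] = digest
    return manifest


def verify_manifest(directory: Path, manifest: Dict[str, str]) -> Dict[str, str]:
    """Return {file name: 'ok' | 'mismatch' | 'missing'} for the transferred copies."""
    results = {}
    for name, expected in manifest.items():
        p = directory / name
        if not p.is_file():
            results[name] = "missing"
        elif sha256_of(p) != expected:
            results[name] = "mismatch"
        else:
            results[name] = "ok"
    return results


def demo(workdir: Optional[Path] = None) -> Dict[str, str]:
    """Constructed scenario: two fake containers, one altered in transit, one lost."""
    workdir = workdir or Path(tempfile.mkdtemp(prefix="offnet_demo_"))
    on_asset = workdir / "on_asset"          # hypothetical: where the agent wrote its output
    received = workdir / "after_transfer"    # hypothetical: where the console operator receives it
    on_asset.mkdir(parents=True, exist_ok=True)
    received.mkdir(parents=True, exist_ok=True)
    (on_asset / "hostA_triage.zip").write_bytes(b"constructed container A")
    (on_asset / "hostB_acq.ppc").write_bytes(b"constructed container B")
    (on_asset / "hostC_acq.zip").write_bytes(b"constructed container C")
    (on_asset / "notes.txt").write_bytes(b"not a container; must be ignored")
    write_manifest(build_manifest(on_asset), on_asset / "MANIFEST.sha256")
    # Simulated transfer: A arrives intact, B is truncated, C never arrives.
    (received / "hostA_triage.zip").write_bytes((on_asset / "hostA_triage.zip").read_bytes())
    (received / "hostB_acq.ppc").write_bytes(b"constructed container")
    return verify_manifest(received, read_manifest(on_asset / "MANIFEST.sha256"))


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:9} {name}")
```

Any file reported as "mismatch" or "missing" should be re-transferred rather than imported; a mismatch on a password-protected container will otherwise surface only as a failed import, with no indication of where the corruption happened.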

Step 9: Review Report on AIR-Console

Once the imported data is decrypted, review and analyze the collected data through the AIR console.
Following these steps allows users to perform off-network data collection efficiently using AIR, providing a seamless process for acquiring, importing, and analyzing data from devices not connected to the network.
It is possible to import multiple .zip or .ppc files into AIR at the same time via the window shown below while making use of our bespoke unzipping tool "biunzip":
Window where Off-Network tasks are created and the resultant evidence is imported