Binalyze Knowledge Base
Off-Network Responder

How to collect evidence from, or run a triage on an off-network asset and then import the results into AIR?

Last updated 5 months ago

For assets not connected to your network, AIR enables the creation of a portable Responder package for running triages and collecting data. This package also facilitates the use of our live MITRE ATT&CK analyzer along with our post-acquisition analyzers, enhancing the depth and relevance of the gathered data.

You can transfer this package to the off-network asset using a shareable link, email, file-sharing services, or by physically taking it to the asset. Once executed on the asset, the collected data is returned to the AIR console that generated the package for comprehensive analysis and reporting via the Investigation Hub.

When the Responder is executed, it creates an evidence container file with a .zip extension on the offline asset.

Up to, but not including AIR v 4.27.6, all collections were automatically encrypted. The password for the output generated by the Off-Network Responder is not predefined or known in advance; it is created programmatically. As a result, this password is not accessible until the output of your off-network task is uploaded to the AIR Console.

With AIR v 4.27.6+ users can choose to encrypt the collection with a password during the off-network Responder setup process. When importing the collection .zip file with the additional password back into the console, users will need to enter this password. biunzip, a small utility we created, is specifically useful in this scenario, aiding in managing multiple off-network acquisitions during console ingestion.
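Before a container is shipped over one of the routes described above (email, file-sharing service, removable media), a practitioner will usually want to confirm that every entry in it is actually encrypted and to record the archive hash so the copy later ingested by the console can be matched to the one that left the asset. The following is an added example, not Binalyze code: it inspects the ZIP central directory of a constructed sample container (the entry names are assumptions) using only the Python standard library.

```python
"""Pre-transfer check for an Off-Network Responder container (.zip).

Added example, not Binalyze code. Confirms that every entry in the
container is flagged encrypted and records the archive's SHA-256 for the
chain of custody. The sample archives are constructed in memory.
"""
import hashlib
import io
import zipfile

ENCRYPTED_FLAG = 0x1   # general-purpose bit 0: entry is encrypted (APPNOTE 4.4.4)
AES_METHOD = 99        # WinZip AES "compression method" id


def audit_container(data: bytes) -> dict:
    """Return per-entry encryption method, plaintext entries and the hash."""
    report = {"sha256": hashlib.sha256(data).hexdigest(),
              "entries": {}, "plaintext": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & ENCRYPTED_FLAG)
            if info.compress_type == AES_METHOD:
                method = "aes"
            else:
                method = "zipcrypto" if encrypted else "none"
            report["entries"][info.filename] = method
            if not encrypted:
                report["plaintext"].append(info.filename)
    # Only a container with no plaintext entries should leave the asset
    # over an untrusted channel.
    report["safe_to_transfer"] = not report["plaintext"]
    return report


def build_sample(mark_encrypted: bool) -> bytes:
    """Constructed stand-in for a Responder container (assumed entry names).

    The standard library cannot write encrypted archives, so the encryption
    bit is set in the central directory only; this is enough to exercise
    the audit, not a real encrypted container."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Task_001/evidence.json", '{"artifacts": 42}')
        zf.writestr("Task_001/report.html", "<html></html>")
        if mark_encrypted:
            for info in zf.filelist:
                info.flag_bits |= ENCRYPTED_FLAG
    return buf.getvalue()
```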

1. Task Creation

Create an Off-Network Task

  1. Navigate to the "Assets" tab in the AIR console and click on the "+Add New" button.

  2. Select "Off-Network" to initiate the creation of a task for devices not connected to the network.

Choose the Task Type

  1. In the second stage, select the type of task you want to perform on the Off-Network asset. You can choose between "Acquisition" or "Triage".

  2. For this example, let's proceed with the "Acquire" feature.

Select the Asset(s) Operating System

When creating an Off-Network binary, first choose the operating system on which you plan to execute the binary. If you anticipate needing to use the binary on multiple operating systems or are unsure which system will be used, consider generating a package with multiple binaries. This approach ensures that you will have a binary compatible with all the AIR-supported operating systems.

Define the Task

Specify the Task Name (optional) and Acquisition Profile (mandatory).

Customize Collection Options

Here, you can choose to customize the task options if you need to deviate from your organizational policy settings.

Customization - Optional DRONE Analysis

By default, the DRONE feature is enabled for off-network tasks. However, in the subsequent step, you have the option to deactivate the MITRE ATT&CK analyzer, as well as any or all of the post-acquisition analyzers, depending on your specific requirements.

Download or Share the Responder Binary

You can now download or share the Responder binary you have just created.

You can access the Responder binary by either downloading it directly to your storage media or by copying the link to share the package.

2. Task Execution

Execute on the Offline Asset

Run the downloaded Responder binary on the relevant offline asset. In the example below, we show the downloaded executable file named ‘offnetwork_windows_amd64.exe’ and the UAC window in which the user will need to grant permission for the AIR Responder to run.

AIR will display its progress, as seen below, and notify the user when the activity is complete.

Import the Collected Data

  1. After the Responder completes its task, it generates an encrypted evidence container file (.zip extension) in the directory from which it was run or the directory specified during the Responder generation process.

  2. The user needs to copy or transfer the zip file so that it can be seen by and imported into the AIR console that generated it.

  3. Import the .zip or .ppc file into the AIR console that created the binary.

     1. If the user encrypted the collection with a password during the off-network task creation, enter the password when prompted during the import process.

In the example provided above, Task 001 is ready for import and will be ingested by the console automatically. However, for Task 002, the user must manually enter a password. This password is the one selected during the generation of the Responder binary as additional security to that automatically provided by AIR.

To import collections or triage results back into the AIR console, you must use the zip file created by the off-network Responder. This file, which contains compressed evidence, can only be accessed once it's imported into the AIR console that created the off-network Responder.

After clicking the "Import" button shown in the example above, the user is presented with another window, shown below, in which the decrypted zip file name is revealed and from which the user can export the passwords used to unzip the containers holding the acquired data.

Clicking the "View Task Details" icon will open the Task Details window. Here, users can copy the zip password needed to decrypt the container locally.

Review Report on AIR-Console

Once the imported data is decrypted into the console, users can review and analyze the collected data in the AIR Investigation Hub.

If you don't want the collection to be saved to the directory from which you launch the binary, see how you can set a custom directory for your collection or triage results.

It is possible to import multiple .zip or .ppc files into AIR at the same time via the window shown below while making use of our bespoke unzipping tool "biunzip":
