Off-Network Responder
How to collect evidence from, or run a triage on an off-network asset and then import the results into AIR?
Last updated
How to collect evidence from, or run a triage on an off-network asset and then import the results into AIR?
Last updated
For assets not connected to your network, AIR enables the creation of a portable Responder package for running triages and collecting data. This package also facilitates the use of our live MITRE ATT&CK analyzer along with our post-acquisition analyzers, enhancing the depth and relevance of the gathered data.
You can transfer this package to the off-network asset using a shareable link, email, file-sharing services, or by physically taking it to the asset. Once executed on the asset, the collected data is returned to the AIR console that generated the package for comprehensive analysis and reporting via the Investigation Hub.
When the Responder is executed, it creates an evidence container file with a .zip extension on the offline asset.
Up to, but not including AIR v 4.27.6, all collections were automatically encrypted. The password for the output generated by the Off-Network Responder is not predefined or known in advance; it is created programmatically. As a result, this password is not accessible until the output of your off-network task is uploaded to the AIR Console.
With AIR v 4.27.6+ users can choose to encrypt the collection with a password during the off-network Responder setup process. When importing the collection .zip file with the additional password back into the console, users will need to enter this password. Biunzip, a small utility we created, is specifically useful in this scenario, aiding in managing multiple off-network acquisitions during console ingestion.
Navigate to the "Assets" tab in the AIR console and click on the "+Add New" button.
Select "Off-Network" to initiate the creation of a task for devices not connected to the network.
In the second stage, select the type of task you want to perform on the Off-Network asset. You can choose between "Acquisition" or "Triage".
For this example, let's proceed with the "Acquire" feature.
When creating an Off-Network binary, first choose the operating system on which you plan to execute the binary. If you anticipate needing to use the binary on multiple operating systems or are unsure which system will be used, consider generating a package with multiple binaries. This approach ensures that you will have a binary compatible with all the AIR-supported operating systems.
Specify the Task Name (optional) and Acquisition Profile (mandatory).
Here, you can choose to customize the task options if you need to deviate from your organizational policy settings.
By default, the DRONE feature is enabled for off-network tasks. However, in the subsequent step, you have the option to deactivate the MITRE ATT&CK analyzer, as well as any or all of the post-acquisition analyzers, depending on your specific requirements.
You can now download or share the Responder binary you have just created.
You can access the Responder binary by either downloading it directly to your storage media or by copying the link to share the package.
If you don't want the collection to be saved to the directory from which you launch the binary, please look at this page to see how you can set a custom directory for your collection or triage results.
Run the downloaded Responder binary on the relevant offline asset. In the example below we show the downloaded executable file named ‘offnetwork_windows_amd64.exe’ and the UAC window where the user will need to allow permissions for the AIR Responder to run.
Air will display its progress as seen below and notify the user when the activity is complete
After the Responder completes its task, it generates an encrypted evidence container file (.zip extension) in the directory from which it was run or the directory specified during the Responder generation process.
The user needs to copy or transfer the zip file so that it can be seen by and imported into the AIR console that generated it.
Import the .zip or .ppc file into the AIR console that created the binary.
If the user encrypted the collection with a password during the off-network task creation, enter the password when prompted during the import process.
In the example provided above, Task 001 is ready for import and will be ingested by the console automatically. However, for Task 002, the user must manually enter a password. This password is the one selected during the generation of the Responder binary as additional security to that automatically provided by AIR.
To import collections or triage results back into the AIR console, you must use the zip file created by the off-network Responder. This file, which contains compressed evidence, can only be accessed once it's imported into the AIR console that created the off-network Responder.
Having clicked the "Import" button as seen in the example above the user is then presented with another window which is shown below where the decrypted zip file name now is revealed and the user can export the passwords used to unzip the containers with the acquired data.
Clicking the "View Task Details" icon will open the Task Details window. Here, users can copy the zip password needed to decrypt the container locally.
Once the imported data is decrypted into the console, users review and analyze the collected data in the AIR Investigation Hub.
It is possible to import multiple .zip or .ppc files into AIR at the same time via the window shown below while making use of our bespoke unzipping tool "biunzip":
