LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Settings
  • HTTP Trace
  • Parselets
  • Google Workspace Configuration
  • Login
  • Date range picker
  • Collectors
  • Process
  • Post Execution
  • Troubleshooting
  • Next Steps

Was this helpful?

Export as PDF
  1. AIR
  2. Features
  3. Tornado (Preview Version)

Getting Started with Tornado

PreviousTornado demo videoNextTornado Terminology

Last updated 3 months ago

Was this helpful?

1. Initial Configuration

  • Launch Tornado application

  • Accept license agreement

  • Configure initial settings:

    • Settings

    • Parselets

    • Dark Mode (switch between light and dark modes)

    • Send Feedback (provide Tornado feedback to Binalyze)

    • Documentation (links to Tornado documentation)

2. Network Configuration

  • Verify internet connectivity

  • Check firewall settings

  • Configure proxy (if needed)

Settings

If you are an existing AIR customer using Binalyze Tornado, you can direct your collected data to the Investigation Hub by providing the AIR Console URL and an AIR API Token in the Settings window during setup.

If you are not yet an AIR customer, you can skip this section. In this case, the collected data will be available for download as an SQLite database, which you can analyze using your preferred tools or viewer.

HTTP Trace

HTTP TRACE is a diagnostic HTTP method that echoes the full request received by the server back to the client. It is used to help identify issues such as header manipulation. For more details, visit the Tornado Troubleshooting and Feedback page.

Parselets

Clicking on Parselets opens the Tornado Parselet window, where you can browse and select the specific parselet you wish to execute. Currently, Tornado supports Google Workspace and Microsoft 365:

Google Workspace Configuration

In the Google Workspace Configuration window, you can sign in using an individual user's account or Service Account credentials, depending on your preferred authentication method. For more details about these two login methods, visit our Accessing Google Workspace page.

When choosing to sign in with Google as a normal user, you will be directed to the Sign in with Google window, where you can authenticate using your standard Google account credentials.

Setting Up Your Collection

From this point, the Tornado wizard will guide you step by step through the process of configuring your collection:

Login

Date range picker

There is a Date range picker to allow users to narrow the focus of their investigations:

Collectors

To help investigators narrow their focus, certain collectors come equipped with built-in filters. These filters, as shown above, allow for more precise data collection, enabling targeted investigations and reducing unnecessary data collection.

Process

Selecting 'Run' takes the user to the 'Process' stage in the Tornado wizard.

Post Execution

If the collection is complete and the user does not have access to AIR with an API Token, a link to the file path of the collected data will still be displayed. This ensures that the collected data remains accessible for further analysis:

In the specified location, the user will find the Case.ppc file, which is a ZIP archive. Once unzipped, it contains a SQLite database that can be opened and viewed using your preferred DB/SQLite browser:

For users with access to AIR, you will need to select a Case (e.g., in the screenshot, the case is named TT-Demo-Script) and then click the 'Send to Investigation Hub' button. After a few moments, Tornado will provide a link to the Case in the Investigation Hub, where you can inspect the collected data:

In the screenshot below of the Investigation Hub, you can see how GWS collections are organized by collector type in the secondary menu. The table and details windows are displayed in the standard Investigation Hub layout, providing a consistent and intuitive user experience.

Troubleshooting

Common Installation Issues

  1. WebView2 Installation

    • Automatic prompt if missing

    • Follows standard Windows installation

    • Restarts automatically after install

    • No manual intervention required

  2. macOS Security Blocks

    • Error: "App cannot be opened"

    • Solution: Allow in Security & Privacy

    • Check Gatekeeper settings

  3. Linux Permission Issues

    # If permission denied chmod +x ./tornado # If binary not found export PATH=$PATH:/path/to/tornado

Next Steps

1. First Launch

  • Start Tornado application

  • Complete initial setup

  • Familiarize with interface

2. Authentication Setup

  • Prepare cloud service credentials

  • Configure authentication methods

  • Test connectivity

3. Begin Collection

  • Select data sources

  • Configure collectors

  • Start your first collection

Remember: Tornado is distributed as a portable application that requires minimal setup. On Windows, any required components like WebView2 Runtime are automatically handled during the first launch.

API Tokens are generated in the AIR console at: Integrations > API Tokens - .

The collectors available to you in Tornado depend on the type of account used to log in. Using a Service Account provides access to a wider range of collectors. For detailed information, please refer to the .

Gmail History & History IDs: Learn more about this here:

learn more about the AIR API here
Tornado Collectors page
Gmail History Collection in Tornado
Tornado application window
Tornado's settings window
Generate API Tokens in the AIR console
HTTP Trace enabled
Tornado's Parselet window
Google Workspace Configuration window
Sign in with Google
Tornado collectin wizard
Date rage selection in Tornado
Tornado data presented in the Investigation Hub