Getting Started with Tornado
Launch Tornado application
Accept license agreement
Configure initial settings:
Settings
Parselets
Dark Mode (switch between light and dark modes)
Send Feedback (provide Tornado feedback to Binalyze)
Documentation (links to Tornado documentation)
Verify internet connectivity
Check firewall settings
Configure proxy (if needed)
If you are an existing AIR customer using Binalyze Tornado, you can direct your collected data to the Investigation Hub by providing the AIR Console URL and an AIR API Token in the Settings window during setup.
API Tokens are generated in the AIR console at: Integrations > API Tokens - learn more about the AIR API here.
If you are not yet an AIR customer, you can skip this section. In this case, the collected data will be available for download as an SQLite database, which you can analyze using your preferred tools or viewer.
HTTP TRACE is a diagnostic HTTP method that echoes the full request received by the server back to the client. It is used to help identify issues such as header manipulation. For more details, visit the Tornado Troubleshooting and Feedback page.
Clicking on Parselets opens the Tornado Parselet window, where you can browse and select the specific parselet you wish to execute. Currently, Tornado supports Google Workspace and Microsoft 365:
In the Google Workspace Configuration window, you can sign in using an individual user's account or Service Account credentials, depending on your preferred authentication method. For more details about these two login methods, visit our Accessing Google Workspace page.
When choosing to sign in with Google as a normal user, you will be directed to the Sign in with Google window, where you can authenticate using your standard Google account credentials.
Setting Up Your Collection
From this point, the Tornado wizard will guide you step by step through the process of configuring your collection:
There is a Date range picker to allow users to narrow the focus of their investigations:
The collectors available to you in Tornado depend on the type of account used to log in. Using a Service Account provides access to a wider range of collectors. For detailed information, please refer to the Tornado Collectors page.
Gmail History & History IDs: Learn more about this here: Gmail History Collection in Tornado
To help investigators narrow their focus, certain collectors come equipped with built-in filters. These filters, as shown above, allow for more precise data collection, enabling targeted investigations and reducing unnecessary data collection.
Selecting 'Run' takes the user to the 'Process' stage in the Tornado wizard.
If the collection is complete and the user does not have access to AIR with an API Token, a link to the file path of the collected data will still be displayed. This ensures that the collected data remains accessible for further analysis:
In the specified location, the user will find the Case.ppc file, which is a ZIP archive. Once unzipped, it contains a SQLite database that can be opened and viewed using your preferred DB/SQLite browser:
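As a scripted alternative to a GUI browser, the following added example (not Binalyze code) unpacks a Case.ppc archive and lists each table with its row count. The page does not document the archive's internal file names or the database schema, so the script finds the database by its SQLite file header; the sample archive and its `sample_events` table are constructed for the demonstration.

```python
import sqlite3
import tempfile
import zipfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def extract_databases(archive, out_dir):
    """Copy out only the ZIP members that start with the SQLite header."""
    found = []
    with zipfile.ZipFile(archive) as zf:
        for i, info in enumerate(zf.infolist()):
            data = zf.read(info)  # whole member in memory; fine for a sketch
            if not data.startswith(SQLITE_MAGIC):
                continue
            # File name is chosen here, so a member path cannot escape out_dir.
            target = Path(out_dir) / f"{i}_{Path(info.filename).name}"
            target.write_bytes(data)
            found.append(target)
    return found

def table_row_counts(db_path):
    """Open read-only (mode=ro) so the collected data is never modified."""
    con = sqlite3.connect(f"file:{Path(db_path).as_posix()}?mode=ro", uri=True)
    try:
        names = [r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
        return {n: con.execute(f'SELECT COUNT(*) FROM "{n}"').fetchone()[0] for n in names}
    finally:
        con.close()

def make_constructed_case(workdir):
    """Constructed sample input; the table name is made up, not Tornado's schema."""
    db = Path(workdir) / "constructed.db"
    con = sqlite3.connect(db)
    con.execute("CREATE TABLE sample_events (id INTEGER, actor TEXT)")
    con.execute("INSERT INTO sample_events VALUES (1, 'alice'), (2, 'bob')")
    con.commit()
    con.close()
    case = Path(workdir) / "Case.ppc"
    with zipfile.ZipFile(case, "w") as zf:
        zf.write(db, "constructed.db")
        zf.writestr("notes.txt", "not a database")
    return case

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for db in extract_databases(make_constructed_case(tmp), tmp):
            print(db.name, table_row_counts(db))
```

To use it on a real collection, pass the path shown by Tornado to `extract_databases` instead of the constructed archive.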
For users with access to AIR, you will need to select a Case (e.g., in the screenshot, the case is named TT-Demo-Script) and then click the 'Send to Investigation Hub' button. After a few moments, Tornado will provide a link to the Case in the Investigation Hub, where you can inspect the collected data:
In the screenshot below of the Investigation Hub, you can see how GWS collections are organized by collector type in the secondary menu. The table and details windows are displayed in the standard Investigation Hub layout, providing a consistent and intuitive user experience.
WebView2 Installation
Automatic prompt if missing
Follows standard Windows installation
Restarts automatically after install
No manual intervention required
macOS Security Blocks
Error: "App cannot be opened"
Solution: Allow in Security & Privacy
Check Gatekeeper settings
Linux Permission Issues
# If permission denied
chmod +x ./tornado
# If binary not found
export PATH=$PATH:/path/to/tornado
Start Tornado application
Complete initial setup
Familiarize with interface
Prepare cloud service credentials
Configure authentication methods
Test connectivity
Select data sources
Configure collectors
Start your first collection
Remember: Tornado is distributed as a portable application that requires minimal setup. On Windows, any required components like WebView2 Runtime are automatically handled during the first launch.