Tornado FAQs


Last updated 2 months ago

What is Binalyze Tornado?

Answer: Binalyze Tornado, currently available as a free Preview Version, is a standalone desktop application for collecting evidence from cloud platforms such as Google Workspace and Microsoft 365. It lets investigators gather artifacts such as email records, user access logs, and administrative actions, giving them an efficient and comprehensive way to perform digital forensics in cloud environments. It is particularly useful for security investigations and compliance audits.

Is Tornado really free to use?

Answer: Yes. Since February 14, 2025, Tornado has been available as a free standalone application, without any upfront cost, to users ranging from small businesses to large enterprises as well as partners. The current release is a Preview version.

What can you expect from the future iteration of Tornado?

Answer: Binalyze has released a preview version of Tornado. Users are encouraged to share feedback through the Customer Feedback form within the Tornado application; it helps us refine and develop Tornado further as we expand its capabilities, so that users can get the most out of it and conduct investigations effectively.

The initial focus is on expanding and improving the evidence-collection capabilities. Later, likely in the second half of 2025, Tornado will be integrated into AIR. That integration will let DRONE analyze Tornado collections, with key findings presented in the AIR Investigation Hub to support investigators.

Why is cloud forensics important, and how does Tornado contribute to this field?

Answer: Cloud forensics is a rapidly growing field because organizations worldwide rely increasingly on cloud services. However, standardized methodologies and enterprise-ready tools are lacking. Tornado addresses this gap by offering a structured approach to evidence collection.

What can I collect with Tornado?

Answer: Currently, Tornado collects a range of data types from Microsoft 365 and Google Workspace, including email data, access logs, audit logs, drive activities, and administrative actions. The specific artifacts available depend on the platform, your organization's configuration, the tenant's license type, and the access mode granted to Tornado (see the Tornado Collectors pages). This capability is crucial for organizations that need to perform detailed investigations and keep comprehensive records of digital activity.

How does Tornado help with investigations?

Answer: Tornado is particularly valuable for Business Email Compromise (BEC) investigations. It allows investigators to quickly gather essential cloud-based evidence, including email records, access logs, and administrative actions. This streamlines the investigation process and helps organizations respond more effectively to security incidents.

How can I analyze the collected data?

Answer: Once the evidence is collected, you can download it as an SQLite database for analysis. If you are a Binalyze AIR user, you can also send the data directly to the Investigation Hub through the API integration. This gives you the flexibility to continue the investigation in AIR or to share the collection with other forensic tools and workflows. See the AIR Investigation Hub pages for details.

What platforms does Tornado support?

Answer: Currently, Tornado supports Microsoft Office 365 and Google Workspace platforms. Future updates may include additional cloud platforms and expanded collection capabilities, ensuring that Tornado remains relevant and useful as cloud technologies evolve.

What inspired the creation of Binalyze Tornado?

Answer: Binalyze Tornado was born out of the need for a comprehensive and reliable tool in the emerging field of cloud forensics. While numerous open-source tools are available, many lack the support and structured methodology required for enterprise-level investigations. Tornado aims to fill this gap by providing a robust, enterprise-ready solution that adheres to established forensic principles and methodologies.

How does Tornado differentiate itself from other forensic tools?

Answer: Unlike many open-source forensic tools, Tornado offers a structured and supported approach to cloud forensics. It is designed to be a comprehensive solution that integrates seamlessly with existing workflows, providing a user-friendly interface and extensive support for cloud platforms like Microsoft 365 and Google Workspace.

Does Binalyze Tornado hash or timestamp collections?

Answer: No, Tornado does not currently hash or timestamp collections. This functionality will be implemented after Tornado is integrated into Binalyze AIR (H2 2025). Until then, hash the exported SQLite database yourself as soon as you receive it and record the collection time in your case notes, so that the integrity of the export can be demonstrated later.
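Because the preview build leaves hashing and timestamping to the analyst, the following Python script, an added example rather than Binalyze code, records a SHA-256, file size and UTC timestamp for an exported SQLite file in a JSON manifest, runs SQLite's own consistency check to catch a truncated download, and re-verifies the file later. The file names, the manifest layout and the placeholder table used to stand in for an export are the example's own assumptions; the real export's schema is not documented on this page.

```python
"""Hash and timestamp a Tornado export after the fact.

Added example, not Binalyze code. Tornado's preview build does not hash or
timestamp its collections, so the analyst records a SHA-256 and a UTC
timestamp for the exported SQLite file on receipt and re-verifies before
analysis. File names and manifest layout are this example's own choices.
"""
import hashlib
import json
import os
import pathlib
import sqlite3
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large exports need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sqlite_integrity_ok(path):
    """Open read-only and run SQLite's consistency check (catches truncation)."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        return conn.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        conn.close()


def write_manifest(export_path, manifest_path, hashed_by="analyst"):
    """Record hash, size, integrity result and acquisition time beside the export."""
    manifest = {
        "file": os.path.basename(export_path),
        "size_bytes": os.path.getsize(export_path),
        "sha256": sha256_file(export_path),
        "sqlite_integrity": sqlite_integrity_ok(export_path),
        "hashed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "hashed_by": hashed_by,
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_manifest(export_path, manifest_path):
    """True only if the file still matches the recorded hash and size."""
    with open(manifest_path, encoding="utf-8") as f:
        recorded = json.load(f)
    return (
        recorded["sha256"] == sha256_file(export_path)
        and recorded["size_bytes"] == os.path.getsize(export_path)
    )


def demo():
    """Create a constructed SQLite file standing in for a Tornado export,
    manifest it, then show that a single appended byte is detected."""
    workdir = tempfile.mkdtemp()
    export = os.path.join(workdir, "tornado_export.sqlite")
    manifest = os.path.join(workdir, "tornado_export.manifest.json")
    conn = sqlite3.connect(export)
    conn.execute("CREATE TABLE sample (id INTEGER PRIMARY KEY, note TEXT)")
    conn.execute("INSERT INTO sample (note) VALUES ('constructed placeholder row')")
    conn.commit()
    conn.close()

    write_manifest(export, manifest)
    untouched = verify_manifest(export, manifest)

    # Simulate post-collection tampering and re-verify.
    with open(export, "ab") as f:
        f.write(b"\x00")
    tampered = verify_manifest(export, manifest)
    return untouched, tampered


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Keep the manifest with the case file rather than next to the export alone; the hash proves the file is unchanged only if the manifest itself is stored somewhere the export's custodian cannot alter.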

What are the key benefits of using Tornado for cloud-based investigations?

Answer: Tornado provides several key benefits: comprehensive data collection, support for both Microsoft 365 and Google Workspace, and an SQLite export that existing forensic tools can consume. It streamlines the investigation process, letting organizations quickly gather and examine evidence, respond effectively to security incidents, and meet regulatory requirements.

What challenges does Binalyze Tornado address in cloud forensics?

Answer: Binalyze Tornado addresses several challenges in cloud forensics, including the lack of standardized tools for evidence collection, the complexity of integrating multiple cloud services, and the need for a user-friendly interface that can be used by both technical and non-technical users. By providing a comprehensive solution, Tornado simplifies the forensic process and ensures that organizations can effectively manage and analyze cloud-based data.

What kind of support does Binalyze provide for Tornado users?

Answer: Binalyze provides support for Tornado users, including detailed documentation, user guides, and technical assistance to address questions or issues that may arise during its use. Tornado is currently available as a free preview version, and we encourage users to share their feedback. While not all customer requests may be supported immediately, especially if they fall outside the current scope, your input is invaluable. It will help us refine and develop Tornado further as we continue to expand its capabilities, ensuring users can maximize its benefits and effectively conduct investigations.

How does Tornado handle updates and new feature releases?

Answer: Tornado will be updated with new features and improvements based on user feedback and advancements in cloud forensics. Binalyze will provide detailed release notes and documentation for each update, ensuring that users are informed of new capabilities and can take full advantage of the latest developments.

How does Binalyze Tornado support the development of cloud forensics methodologies?

Answer: Tornado is designed to evolve with the field of cloud forensics, incorporating feedback from users and industry experts to refine its methodologies and features. By providing a reliable and structured tool, Tornado helps establish best practices and standards in cloud forensics, contributing to the development of this emerging field.

How does Binalyze Tornado integrate with other Binalyze products?

Answer: Binalyze Tornado complements Binalyze AIR: Tornado covers rapid evidence collection from cloud services, while AIR covers endpoint collection, analysis and reporting. Today, Tornado collections can be sent to the AIR Investigation Hub through the API integration; the planned integration into AIR (H2 2025) will add DRONE analysis of Tornado collections, giving a single forensic workflow across endpoints and cloud.

What are the unique challenges of cloud forensics compared to traditional digital forensics?

Answer: Cloud forensics presents unique challenges, such as the dynamic nature of cloud environments, the shared responsibility model between cloud providers and customers, and the complexity of accessing and preserving data across distributed systems. Binalyze AIR and Tornado address these challenges by providing tools specifically designed for cloud environments, so that evidence is collected and preserved in a forensically sound manner.

How does Binalyze Tornado support incident response teams?

Answer: Binalyze Tornado provides incident response teams with the tools they need to quickly gather evidence and enable effective forensic investigation of cloud environments. Its intuitive interface and comprehensive data collection capabilities enable teams to assess the scope of an incident, identify affected systems, and develop effective remediation strategies.

What future trends in cloud forensics is Binalyze Tornado preparing for?

Answer: Binalyze Tornado is preparing for trends such as the increased adoption of multi-cloud environments, the rise of containerized applications, and the growing importance of real-time threat detection and response. By continuously evolving its features and listening to feedback from preview users, Tornado aims to keep pace with the needs of organizations and provide up-to-date forensic tooling.

What are the primary use cases for Binalyze Tornado?

Answer: Binalyze Tornado is primarily used for cloud-based digital forensics, focusing on evidence collection from platforms such as Microsoft 365 and Google Workspace. It is particularly useful for investigations involving Business Email Compromise (BEC), compliance audits, and incident response. Combined with Binalyze AIR, it extends investigations across both endpoints and cloud services, closing blind spots.

How does Tornado integrate with Microsoft 365 and Google Workspace?

Answer: Tornado uses specific collectors, known as parselets, to gather data from Microsoft 365 and Google Workspace. These parselets interact with the respective APIs to collect emails, logs, and other relevant data. The integration ensures comprehensive data collection for forensic analysis.

What are parselets, and how do they function within Tornado?

Answer: Parselets are specialized components within Tornado designed to collect and analyze evidence from cloud platforms. They function by interfacing with platform-specific APIs to gather data, which is then processed and stored for forensic analysis.

Example Scenarios Where Tornado Would Be Beneficial

  1. Incident Response for Unauthorized Access: An organization suspects unauthorized access to its Microsoft 365 accounts. Using Tornado, the incident response team can quickly collect sign-in logs and audit logs to identify suspicious activity, such as logins at unusual times or from unusual locations.

  2. Data Breach Investigation: After a data breach, an organization needs to determine the extent of the data accessed or exfiltrated. Tornado can collect email data, drive activities, and administrative reports from Google Workspace to trace the breach's impact and identify compromised data.

  3. Compliance Audit Preparation: An organization preparing for a compliance audit needs to show that user activities and administrative actions are documented. Tornado can collect reports and logs from both Microsoft 365 and Google Workspace, providing a clear audit trail.

  4. Phishing Attack Investigation: An organization suspects a phishing campaign against its employees. Using Tornado, the security team can collect email data from Microsoft 365 and Google Workspace to identify the phishing emails, track their distribution, and determine which users were affected, helping to contain the attack and prevent repeats.

  5. Internal Policy Compliance Monitoring: A company wants to verify adherence to internal communication policies. Tornado can collect email and chat data for review against communication guidelines, identifying policy violations and informing policy enforcement.

  6. Data Loss Prevention (DLP) Audit: An organization needs to audit its data loss prevention measures. Tornado can collect file sharing and access activity from Google Drive and Microsoft OneDrive to identify potential data leaks and unauthorized access, and to confirm that sensitive information is adequately protected.

  7. User Behavior Analysis: A company wants to understand user behavior patterns to improve productivity and security. Tornado can collect data on user activity, such as login times, application usage, and communication patterns, for analysis of user habits and areas for improvement.

  8. Cross-Platform Security Assessment: An organization uses both Microsoft 365 and Google Workspace and needs a single security assessment. Tornado can collect data from both platforms into one data set, giving a unified view from which to assess security posture across both tenants.

  9. Forensic Investigation Training: A training institution wants to provide hands-on experience in cloud forensics. Tornado can serve as a training tool for realistic scenarios, letting students practice evidence collection, analysis, and reporting in a controlled environment.
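The first and fourth scenarios above come down to querying the exported sign-in records for anomalies. The following Python script, an added example and not part of Tornado, builds a small SQLite table of constructed sign-in events with an assumed layout (user, UTC time, source country, result), since this page does not document the export's schema, then runs two checks analysts commonly apply to Microsoft 365 and Google Workspace sign-in logs: a successful login from a country never seen for that user during a baseline window, and "impossible travel", meaning two successful logins from different countries within a configurable number of minutes. The threshold and the baseline cut-off are the example's own assumptions.

```python
"""Triage sign-in records from a Tornado export for BEC indicators.

Added example, not Binalyze code. The export schema is not documented on the
page, so this script creates its own `signins` table with an assumed layout
and constructed rows. To use it on a real export, point triage() at the
SQLite file and adapt the table and column names to what the export contains.
"""
import sqlite3
from datetime import datetime, timedelta

MAX_TRAVEL_MINUTES = 60  # assumed threshold for "impossible travel", not a Tornado setting
BASELINE_END = "2025-03-08T00:00:00"  # assumed: logins before this are the known-good baseline

# Constructed sample records: (user, time_utc, country, result)
SAMPLE_SIGNINS = [
    ("alice@example.com", "2025-03-03T08:02:00", "NL", "success"),
    ("alice@example.com", "2025-03-04T08:10:00", "NL", "success"),
    ("alice@example.com", "2025-03-05T08:05:00", "NL", "success"),
    ("alice@example.com", "2025-03-10T03:41:00", "NG", "success"),  # country never seen in baseline
    ("alice@example.com", "2025-03-10T04:15:00", "NL", "success"),  # 34 minutes later from NL
    ("bob@example.com",   "2025-03-03T09:00:00", "DE", "success"),
    ("bob@example.com",   "2025-03-09T09:05:00", "DE", "success"),
    ("bob@example.com",   "2025-03-11T22:30:00", "US", "failure"),  # failed attempt, not a login
]


def load_sample(conn):
    """Populate the assumed schema with the constructed rows."""
    conn.execute(
        "CREATE TABLE signins (user TEXT, time_utc TEXT, country TEXT, result TEXT)"
    )
    conn.executemany("INSERT INTO signins VALUES (?, ?, ?, ?)", SAMPLE_SIGNINS)
    conn.commit()


def new_country_logins(conn, baseline_end=BASELINE_END):
    """Successful post-baseline logins from a country that user never used in the baseline.

    ISO-8601 strings in one fixed format compare correctly as text, so the
    cut-off can be applied directly in SQL.
    """
    return conn.execute(
        """
        SELECT s.user, s.time_utc, s.country
        FROM signins s
        WHERE s.result = 'success' AND s.time_utc >= ?
          AND NOT EXISTS (
              SELECT 1 FROM signins b
              WHERE b.user = s.user AND b.result = 'success'
                AND b.time_utc < ? AND b.country = s.country)
        ORDER BY s.user, s.time_utc
        """,
        (baseline_end, baseline_end),
    ).fetchall()


def impossible_travel(conn, max_minutes=MAX_TRAVEL_MINUTES):
    """Consecutive successful logins by one user from different countries within max_minutes."""
    rows = conn.execute(
        "SELECT user, time_utc, country FROM signins "
        "WHERE result = 'success' ORDER BY user, time_utc"
    ).fetchall()
    hits = []
    for (u1, t1, c1), (u2, t2, c2) in zip(rows, rows[1:]):
        if u1 != u2 or c1 == c2:
            continue
        gap = datetime.fromisoformat(t2) - datetime.fromisoformat(t1)
        if gap <= timedelta(minutes=max_minutes):
            hits.append((u1, t1, c1, t2, c2, int(gap.total_seconds() // 60)))
    return hits


def triage(db_path=":memory:"):
    """Run both checks; with the default in-memory path the sample data is loaded."""
    conn = sqlite3.connect(db_path)
    try:
        if db_path == ":memory:":
            load_sample(conn)
        return {
            "new_country": new_country_logins(conn),
            "impossible_travel": impossible_travel(conn),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for check, findings in triage().items():
        print(check)
        for finding in findings:
            print("  ", finding)
```

Both checks produce leads, not verdicts: a new country may be a VPN or a business trip, so each hit should be correlated with the audit logs and mailbox rules collected for the same account before the login is treated as a compromise.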
