Cloud Forensics

Investigators and analysts can use the AIR platform to conduct investigations on machines located in cloud platforms. Our platform supports cloud-based virtual machines, as well as on-premise and off-network devices. Investigators and analysts can install responders on virtual machines located on the cloud infrastructure for investigations and analysis. Amazon Web Services and Microsoft Azure are both supported.

We understand the unique challenges of investigating cloud-based attacks, such as Business Email Compromise (BEC). That’s why we have introduced the Tornado preview version, a standalone desktop application designed to simplify evidence collection from Google Workspace and Microsoft Office 365. Learn all about Tornado here.

Investigators and analysts can easily and quickly deploy responders to their cloud assets and immediately initiate investigations, compromise assessments, and threat-hunting activities. By leveraging the automation advantages of cloud platforms, users can easily deploy multiple responders using a single authorized cloud platform account.

After adding the authorized account to the Console, it enumerates the cloud platform to discover and list assets. Then, investigators and analysts can deploy responders to individual or multiple cloud assets with one click.

Add Authorized User

Since different cloud platforms utilize distinct identity and access management infrastructures and employ different working mechanisms, their requirements may vary; however, ultimately, all we need is an authorized account with list and control permissions on cloud assets.

Investigators and analysts can add a cloud account to the Console by using the Assets page:

1. From the Main menu, select Assets

2. Click Add New and click Cloud Account

3. Then click the Add Account button according to the cloud platform you want to add on the appearing Cloud Platforms window

The configurations that need to be performed according to the cloud platforms are listed below.

Amazon Web Services Compute EC2

Either of the two methods mentioned above will redirect investigators and analysts to similar pages, allowing them to enter their account details. They can either enter their existing account details, which are given below, or use the cloud formation link provided by Binalyze AIR to create a new account with enough permissions.

Cloud account needs the following permissions to deploy virtual machines Binalyze AIR responder.

The creation of an AWS Account with sufficient permissions flow is explained below.

1. Click on the URL and Create an Account

2. Open AWS Console -> IAM -> Users

3. Select the User -> Security Credentials -> Create Access Key

4. Fill out the Account Details Form

Microsoft Azure Virtual Machines

Either two different ways mentioned above will redirect investigators and analysts to similar pages allowing them to enter account details. They can either enter their existing account details, which are given below or create a new account with enough permissions.

Cloud accounts need the following permissions to deploy the virtual machine responder.

The creation of an Azure Account with sufficient permissions flow is explained below.

1. Azure portal -> App Registrations -> New Registration

2. Assign required roles to the new app registration for the subscription

3. App Registrations -> Open the created App Registration

4. Certificates & Secrets -> Create a new client secret

5. Fill out the Account Details Form

Google Cloud Platform

Coming soon

Synchronization and Enumeration

The Console immediately starts to enumerate the cloud platform and retrieves the assets list and asset details after the cloud account is added. It discovers the assets depending on the permissions and authorizations of the cloud accounts. All discovered assets will be shown under the Amazon AWS category under the associated organization.

The assets and their details are shown on the right side of the Secondary Menu in the Assets page as a list. Assets in which the Binalyze AIR responder is deployed are shown in blue, and the assets in which the Binalyze AIR responder is not deployed are shown in grey in that list.

Responder Deployment

All deployment actions are considered tasks by the Binalyze AIR Console and listed under the Tasks as responder Deployment tasks. Therefore, all responder deployment actions and their status can be seen on the Tasks list.

The primary advantage of responder deployment in a cloud platform is automation. Analysts and investigators don't need to choose the operating systems and their versions. They only assign deployment tasks to the associated devices, and all deployment processes are performed quicker and easier automatically.

Investigators and analysts can deploy responders to cloud assets by using the Endpoint page:

1. From Assets in the Main Menu: All cloud assets are listed here in the Secondary Menu. Investigators and analysts can search, filter and see the details of the assets on this page.

2. Investigators and analysts can deploy the responders individually, with multiple selections or all of them with one click.

   1. Individual deploy: Click the assets and then click the Deploy button

   2. Multiple selections: Select the assets in the list by clicking a checkbox at the beginning of the asset line. Then Actions button immediately appears at the top of the page. Click Deploy Responder the under the Actions menu.

   3. Deploy to All Assets: Click the three-dot on the right side of the Amazon AWS or Tag, which includes associated cloud assets. Then click Deploy Responder