LogoLogo
Back to binalyze.com
  • Welcome | Binalyze Knowledge Base
  • AIR
    • AIR
    • Introduction
      • What is AIR?
      • Terminology
      • Architecture
        • AIR Responder Architecture; overview and performance analysis
        • AIR Task Flow and Management
      • Network Communication
      • Cloud Forensics with Binalyze AIR
    • AIR Setup
      • Console Hardware Requirements
      • Console Pre-Installation
      • Console Installation
      • Microsoft Azure Cloud Platform Integration
      • AIR Relay Server
        • What is AIR Relay Server?
        • Requirements for installation
        • How to install a Relay Server on different Linux platforms
        • How to change IP address of Relay Server
        • How to install a Responder with Relay Server support
        • Proxy configurations
          • Adding proxy to Relay Server
          • Adding proxy to Responder
        • Service Management for Relay Server
        • Whitelisting for Relay Server
        • Retrieving metrics from Relay Server
        • Updating and Uninstalling Relay Server
        • Troubleshooting
      • AIR Responder - Supported Operating Systems
        • AIR Responder - MS Windows supported systems
        • AIR Responder - Apple macOS supported systems
        • AIR Responder - Linux (DEB/RPM) supported systems
        • AIR - ESXi Standalone Collector
        • AIR Responder - Chrome supported systems
          • AIR For Chrome
      • AIR Responder Hardware Requirements
      • AIR Responder Deployment
        • Golden Image
        • Responder & Active Directory OUs
        • AIR Responder Exception Rules
          • Binalyze AIR Watchdog Folder
        • FDA via Jamf and Apple’s PPPC utility
        • AIR Responder in Windows 'Safe Mode'
      • Uninstalling AIR Responders
      • Security
        • AIR Console Access Control
        • AIR SSL Enforcement
          • SSL Certificate Management in Binalyze AIR
        • Two-factor authentication (2FA)
      • Post-Deployment Configuration Guide
        • Using AIR CLI on Binalyze AIR Console
      • AIR's User Settings
    • Updating AIR
      • Single-Tier Systems
      • 2-Tier Systems
      • AIR Console Updating - SaaS
    • Backup
      • Restore AIR Backup using the CLI
    • Features
      • Acquisition
        • Task Creation
          • Regex in AIR/DRONE:
          • Asset Management with Persistent Saved Filters
          • Task Cancellation and Deletion
        • Acquisition Profiles
        • Supported Evidence
          • Windows Collections
          • macOS Collections
          • Linux Collections
          • IBM AIX Collections
        • Scheduling Tasks
        • Disk and Volume Imaging
          • Imaging with interACT
        • Chain Of Custody in AIR
      • Auto Tagging
      • Triage
        • Triage Rule Templates
          • YARA Templates
          • Sigma Templates
          • osquery Templates
        • Schedule Triage Tasks
      • interACT
        • interACT Commands
        • PowerShell commands in interACT
      • Compare
      • Timeline
      • Integrations
        • SSO Integrations
          • Microsoft Azure SSO Integration
          • Okta SAML 2.0 SSO Integration
        • Webhooks
          • Mattermost Integration
          • Splunk Integration
          • IBM QRadar Integration
          • Wazuh Integration
          • Cortex XSOAR Integration
          • Elasticsearch Logstash Kibana Integration
          • ServiceNow Integration
          • Sumo Logic Integration
          • Crowdstrike Integration
          • Microsoft Sentinel Integration
          • Slack Integration
          • Carbon Black Cloud Integration
          • Rapid7 InsightIDR Integration
          • LogicHub SOAR (DEVO) Integration
          • Fortigate SIEM Integration
          • Dynatrace Integration
          • Stellar XDR Integration
          • SentinelOne Integration
          • Microsoft 365 Defender Integration
          • Cisco XDR Integration
      • Event Subscription
      • AIR API
        • API in AIR is likely to be more effective than Webhooks
      • DRONE
        • What is DRONE?
        • What is an Analysis Pipeline?
        • Analyzers
          • Cross Platform Analyzers
            • MITRE ATT&CK Analyzer
              • MITRE ATT&CK Analyzer changelog
            • Dynamo Analyzer
            • Browser History Analyzer
            • Generic WebShell Analyzer
          • Windows Analyzers
            • Windows Event Records and how AIR handles them
              • Windows Event Logs in AIR v4.21 and older versions
              • Event Records Summary vs. Event Records
            • Prefetch Analyzer
            • Shellbag Data Fields
          • Linux Analyzers
          • macOS Analyzers
            • Audit Event Analyzer
      • AIR Investigation Hub
        • Using the AIR Investigation Hub
        • Investigation Hub – Data Usage Statistics Dashboard
      • AIR File Explorer
        • File Explorer - FAQs
      • Tornado (Preview Version)
        • Tornado Installation Guide
          • Tornado Operating System Support
        • Updating Tornado
        • Tornado demo video
        • Getting Started with Tornado
          • Tornado Terminology
        • Tornado Collectors
          • Accessing Google Workspace
            • Service Account Creation
              • Enable Service Account Key Creation
          • Access Modes in O365
            • O365 license types
        • Tornado Troubleshooting & Feedback
        • Tornado FAQs
      • Frank.AI
      • Asset Isolation
      • Evidence Repositories
      • Policies
      • Tags
      • Off-Network Responder
        • Setting Up a Custom Case Directory
        • biunzip
          • biunzip password file
      • Binalyze AIR Responder Proxy Support
      • Proxy Configuration on Binalyze AIR Console
      • Binalyze AIR Audit Logs
    • Troubleshooting
      • Binalyze AIR Console CPU Profiling for Performance Issues
      • Understanding MSI Error Code 1618
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
    • FAQs
      • Binalyze AIR Console Migration Procedure For Single-Tier Setup
      • Binalyze AIR Console Migration Procedure For 2-Tier Installation
      • Binalyze AIR Console Backup Procedure
      • Resolving the “Invalid Host Header. Host must be the Console Address” Error
      • How to download the collected evidence and artifacts in Binalyze AIR?
      • How to gather Binalyze AIR logs for Troubleshooting
        • Collecting Binalyze AIR Console Log Files
        • Collecting Binalyze AIR Responder Log Files
        • Collecting Binalyze AIR Off-Network Responder Log Files
      • AIR responder troubleshooting
      • Understanding Port Usage in Binalyze AIR
      • How many assets can connect to a single Console instance?
      • How do I enable SSL on AIR?
      • Can I use AIR with EDR/XDR Products?
      • Can I integrate AIR with my SOAR/SIEM?
      • What (sub)domains are used by AIR?
      • Docker & Host System IP Conflict
      • Monitoring Responder and UI API's
      • How do I update AIR Console?
      • How do I update AIR Responders on assets?
      • How to reset the password of a user via the AIR-CLI?
      • Is there a way to move an asset from one Organization or Case to another?
      • Creating exclusions/exception rules for Binalyze AIR Responder on EPP and EDR Solutions
      • Anything missing?
      • How can I install a version of AIR that isn't the latest?
  • General
    • Licenses - Open-source Software List
Powered by GitBook
On this page
  • Add Authorized User
  • Amazon Web Services Compute EC2
  • Microsoft Azure Virtual Machines
  • Google Cloud Platform
  • Synchronization and Enumeration
  • Responder Deployment

Was this helpful?

Export as PDF
  1. AIR
  2. Introduction

Cloud Forensics with Binalyze AIR

PreviousNetwork CommunicationNextAIR Setup

Last updated 2 months ago

Was this helpful?

Investigators and analysts can use the Binalyze AIR DFIR Platform to perform DFIR activities on the machines located in the cloud platforms. Binalyze AIR DFIR Platform supports cloud virtual machines like on-premise and off-network devices. Investigators and analysts can install Binalyze AIR responders on virtual machines located on the cloud infrastructure for investigations and analysis. Amazon Web Services and Microsoft Azure are supported.

At Binalyze, we understand the unique challenges of investigating cloud-based attacks like Business Email Compromise (BEC). That’s why we have introduced the Tornado preview version, a standalone desktop application designed to simplify evidence collection from Google Workspace and Microsoft Office 365. Learn all about Tornado .

With Binalyze, investigators and analysts can easily and quickly deploy Binalyze AIR to their cloud assets and immediately start to make investigations, compromise assessments, and hunting activities. By taking the automation advantages of the cloud platforms, users can easily deploy many responders only using one authorized cloud platform account.

After adding the authorized account to Binalyze AIR Console, it enumerates the cloud platform to discover and list assets. Then, investigators and analysts can deploy responders to cloud assets individually or multiple assets with one click.

Add Authorized User

Since different cloud platforms use different identity and access management infrastructures and have different working mechanisms, their requirements may differ however, ultimately, all we need is an authorized account with list and control permissions on cloud assets.

Investigators and analysts can add a cloud account to the Binalyze AIR Console by using the Assets page:

  1. From the Main menu select Assets

  2. Click Add New and click Cloud Account

  3. Then click the Add Account button according to the cloud platform you want to add on the appearing Cloud Platforms window

The configurations that need to be performed according to the cloud platforms are listed below.

Amazon Web Services Compute EC2

Either of the two different ways mentioned above will redirect investigators and analysts to similar pages, allowing them to enter account details. They can either enter their existing account details, which are given below, or use the cloud formation link provided by Binalyze AIR to create a new account with enough permissions.

Account Name: Optional field.

Access key ID: Mandatory field and it must be filled with the value provided by AWS

Secret access key: Mandatory field and it must be filled with the value provided by AWS

Organization: Mandatory field and it must be selected from the Organization created on the Binalyze AIR console. Every cloud account can be assigned to only one organization.

Cloud account needs the following permissions to deploy virtual machines Binalyze AIR responder.

arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess ssm:CancelCommand

The creation of an AWS Account with sufficient permissions flow is explained below.

  1. Click on the URL and Create an Account

  2. Open AWS Console -> IAM -> Users

  3. Select the User -> Security Credentials -> Create Access Key

  4. Fill out the Account Details Form

Microsoft Azure Virtual Machines

Either two different ways mentioned above will redirect investigators and analysts to similar pages allowing them to enter account details. They can either enter their existing account details, which are given below or create a new account with enough permissions.

Account Name: Optional field.

Application (client) ID: Mandatory field and it must be filled with the value provided by Azure

Subscription ID: Mandatory field and it must be filled with the value provided by Azure

Tenant ID: Mandatory field and it must be filled with the value provided by Azure

Key (Client Secret): Mandatory field and it must be filled with the value provided by Azure

Organization: Mandatory field and it must be selected from the Organization created on the Binalyze AIR console. Every cloud account can be assigned to only one organization.

Cloud account needs the following permissions to deploy virtual machines Binalyze AIR responder.

Reader VirtualMachine Contributor

The creation of an Azure Account with sufficient permissions flow is explained below.

  1. Azure portal -> App Registrations -> New Registration

  2. Assign required roles to the new app registration for the subscription

  3. App Registrations -> Open the created App Registration

  4. Certificates & Secrets -> Create a new client secret

  5. Fill out the Account Details Form

Google Cloud Platform

Coming soon

Synchronization and Enumeration

Binalyze AIR Console immediately starts to enumerate the cloud platform and pulls the assets list and assets details after the cloud account addition. It discovers the assets depending on the permissions and authorizations of the cloud accounts. All discovered assets will be shown under the Amazon AWS category under the associated organization.

The assets and their details are shown on the right side of the Secondary Menu in the Assets page as a list. Assets in which the Binalyze AIR responder is deployed are shown in blue, and the assets in which the Binalyze AIR responder is not deployed are shown in grey in that list.

If investigators or analysts do not sync the cloud account manually, Binalyze AIR Console automatically syncs in 30 minutes and updates the asset list.

Responder Deployment

All deployment actions are considered tasks by the Binalyze AIR Console and listed under the Tasks as responder Deployment tasks. Therefore, all responder deployment actions and their status can be seen on the Tasks list.

The primary advantage of responder deployment in a cloud platform is automation. Analysts and investigators don't need to choose the operating systems and their versions. They only assign deployment tasks to the associated devices, and all deployment processes are performed quicker and easier automatically.

Investigators and analysts can deploy Binalyze AIR responders to cloud assets by using the Endpoint page:

  1. From Assets in the Main Menu: All cloud assets are listed here in the Secondary Menu. Investigators and analysts can search, filter and see the details of the assets on this page.

  2. Investigators and analysts can deploy the responders individually, with multiple selections or all of them with one click.

    1. Individual deploy: Click the assets and then click the Deploy button

    2. Multiple selections: Select the assets in the list by clicking a checkbox at the beginning of the asset line. Then Actions button immediately appears at the top of the page. Click Deploy Responder the under the Actions menu.

    3. Deploy to All Assets: Click the three-dot on the right side of the Amazon AWS or Tag, which includes associated cloud assets. Then click Deploy Responder

here