.png%3Falt%3Dmedia%26token%3D3c56f135-f35f-4b1d-ad36-dca78b5c9823)
.png%3Falt%3Dmedia%26token%3D3c56f135-f35f-4b1d-ad36-dca78b5c9823)
Cloud Forensics with Binalyze AIR
Investigators and analysts can use the Binalyze AIR DFIR Platform to perform DFIR activities on the machines which are located on the cloud platforms. Binalyze AIR DFIR Platform supports cloud virtual machines like on-premise and off-network devices. Investigators and analysts can install Binalyze AIR agents on virtual machines located on the cloud infrastructure for investigations and analysis. Amazon Web Services, Microsoft Azure are supported, and Google Cloud Platforms (coming up soon).
With Binalyze, investigators and analysts can easily and quickly deploy Binalyze AIR to their cloud assets and immediately start to make investigations, compromise assessments, and hunting activities. By taking the automation advantages of the cloud platforms, users can easily deploy many agents only using one authorized cloud platform account.
After adding the authorized account to Binalyze AIR Console, it enumerates the cloud platform to discover and list assets. Then, investigators and analysts can deploy agents to cloud assets individually or multiple assets with one click.
Since different cloud platforms use different identity and access management infrastructures and have different working mechanisms, their requirements may differ. But, at the end of the day, all we need is an authorized account with list and control permissions on cloud assets.
Investigators and analysts can add a cloud account to Binalyze AIR Console in two different ways. They can add cloud accounts using either the Endpoint or Cloud Platforms pages.
By using the Endpoint page:
- 1.From the main page, go to Endpoints
- 2.Click Add New and click Cloud Account
- 3.Then click the Add Account button according to the cloud platform you want to add on the appearing Cloud Platforms window
By using the Settings page:
- 1.Click the gear icon on the top right of the screen.
- 2.Click the Cloud Platforms on the appearing menu.
- 3.Select the cloud platform tab from the tabs at the top of the page. Investigators and analysts can list or edit the existing cloud accounts on this page and also remove accounts. They can also start to discover and synchronize assets by clicking Sync.
- 4.Click the Add Account button.
The configurations that need to be performed according to the cloud platforms are listed below.
Either two different ways mentioned above will redirect investigators and analysts to similar pages allowing them to enter account details. They can either enter their existing account details, which are given below, or use the cloud formation link provided by Binalyze AIR to create a new account with enough permissions.
Account Name: Optional field.
Access key ID: Mandatory field and it must be filled with the value provided by AWS
Secret access key: Mandatory field and it must be filled with the value provided by AWS
Organization: Mandatory field and it must be selected from the Organization created on the Binalyze AIR console. Every cloud account can be assigned to only one organization.
Cloud account needs the following permissions to deploy virtual machines Binalyze AIR agent.
arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess
arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy
arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore
arn:aws:iam::aws:policy/AmazonSSMDirectoryServiceAccess
arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole
arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess
ssm:CancelCommand
The creation of an AWS Account with sufficient permissions flow is explained below.
- 1.Click on the URL and Create an Account
- 2.Open AWS Console -> IAM -> Users
- 3.Select the User -> Security Credentials -> Create Access Key
- 4.Fill out the Account Details Form
Either two different ways mentioned above will redirect investigators and analysts to similar pages allowing them to enter account details. They can either enter their existing account details, which are given below or create a new account with enough permissions.
Account Name: Optional field.
Application (client) ID: Mandatory field and it must be filled with the value provided by Azure
Subscription ID: Mandatory field and it must be filled with the value provided by Azure
Tenant ID: Mandatory field and it must be filled with the value provided by Azure
Key (Client Secret): Mandatory field and it must be filled with the value provided by Azure
Organization: Mandatory field and it must be selected from the Organization created on the Binalyze AIR console. Every cloud account can be assigned to only one organization.
Cloud account needs the following permissions to deploy virtual machines Binalyze AIR agent.
Reader
VirtualMachine Contributor
The creation of an Azure Account with sufficient permissions flow is explained below.
- 1.Azure portal -> App Registrations -> New Registration
- 2.Assign required roles to the new app registration for the subscription
- 3.App Registrations -> Open the created App Registration
- 4.Certificates & Secrets -> Create a new client secret
- 5.Fill out the Account Details Form
Coming soon
Binalyze AIR Console immediately starts to enumerate the cloud platform and pulls the assets list and assets details after the cloud account addition. It discovers the assets depending on the permissions and authorizations of the cloud accounts. All discovered assets will be shown under the Amazon AWS category under the associated organization.
The assets and their details are shown on the right side of the Endpoint page as a list. Assets in which the Binalyze AIR agent is deployed are shown in blue, and the assets in which the Binalyze AIR agent is not deployed are shown in grey in that list.
If investigators or analysts do not sync the cloud account manually, Binalyze AIR Console automatically syncs in 30 minutes and updates the asset list.
All deployment actions are considered tasks by the Binalyze AIR Console and listed under the Tasks as Agent Deployment tasks. Therefore, all agent deployment actions and their status can be seen on the Tasks list.
The primary advantage of agent deployment in a cloud platform is automation. Analysts and investigators don't need to choose the operating systems and their versions. They only assign deployment tasks to the associated devices, and all deployment processes are performed quicker and easier automatically.
Investigators and analysts can deploy Binalyze AIR agents to cloud assets in two different ways. They can deploy agents using either the Endpoint or Cloud Platforms pages.
By using the Endpoint page:
- 1.From the main page, go to Endpoints: All cloud assets are listed here. Investigators and analysts can search, filter and see the details of the assets on this page.
- 2.Select the associated organization: All cloud assets associated with that organization will be listed right side of the page.
- 3.Investigators and analysts can deploy the agents individually, with multiple selections or all of them with one click.
- 1.Individual deploy: Click the assets and then click the Deploy button
- 2.Multiple selections: Select the assets in the Endpoint list by clicking a checkbox at the beginning of the asset line. Then Actions button immediately appears at the top of the page. Click Deploy Agent the under the Actions menu.
- 3.Deploy to All Assets: Click the three-dot on the right side of the Amazon AWS or Tag, which includes associated cloud assets. Then click Deploy Agent
By using the Cloud Platforms page:
- 1.Click the gear icon on the top right of the screen
- 2.Click the Cloud Platforms on the appearing menu
- 3.Select the cloud platform tab from the tabs at the top of the page. Investigators and analysts can list or edit the existing cloud accounts on this page and also remove accounts. They can also start to discover and synchronize assets by clicking Sync.
- 4.Click the three-dot icon at the end of the associated cloud account line under the actions column. Click Deploy Agent.
Last modified 4mo ago