Terminology

Acquisition Profile

A group of evidence types, application artifacts, and custom content items. There are acquisition profiles provided 'out-of-box' but you can also create additional ones by visiting "Integrations" in the Main Menu.

AIR Console

AIR has a web-based management interface that allows you to efficiently manage assets and assign tasks. Users can customize their experience by switching between light and dark modes from the main AIR menu, enhancing usability and overall satisfaction.

Asset and Asset Status

In Binalyze AIR, an asset is defined as any entity, whether a device or system, physical or virtual, that operates on a supported operating system such as Windows, macOS, Linux, Chrome, IBM AIX, and ESXi. Assets are the foundational elements on which Binalyze AIR performs various actions, including evidence collection and task execution, crucial for responding to and hunting cyber threats. Examples of assets encompass computers, servers, hosts, cloud accounts, and disk images.

In AIR, an Asset can be in one of 3 states:

1. Managed: The asset's responder has been successfully deployed to the device and is ready to collect tasking assignments from the console.

2. Unmanaged: An asset is categorized as Unmanaged under two specific conditions:

   • Discovery without Deployment: The asset is identified through Active Directory or Cloud Account scans but does not have the AIR responder installed.

   • Unreachable with No Data: The asset has been disconnected from the AIR console for over 30 days (Unreachable), and there is no stored forensic data from that asset in the AIR console.

3. Off-Network: An asset is classified as Off-Network under two specific scenarios:

   • Data Supplied: The asset has previously provided data through methods such as an Off-Network Acquisition or Triage task.

   • Unreachable with Stored Data: The asset holds forensic data within the console but is currently inaccessible for further data collection or task assignments.

   For both scenarios, investigation of the existing data is possible, and additional data can be manually imported as required.

The Assets Summary window on the home page can also report the asset as:

1. Unreachable: The asset's responder is currently unreachable. If an Asset's Responder fails to connect to the Binalyze AIR console for over 30 days, its status changes to "unreachable." Until then, its status will be managed as online or offline.

2. Update Required: The responder on the asset requires an update to function correctly.

3. Update Advised: The responder is still functional, but for full functionality, an update is recommended.

4. Isolated: The asset is currently isolated from the network apart from communication with the AIR console only.

Asset Management - Using Persistent Saved Filters

Persistent Saved Filters enable users to create and store custom asset filters, making it easier to locate and manage assets without having to reapply filter conditions in each session.

Evidence Item or Artifact?

Evidence Item:

In the context of Binalyze AIR and cybersecurity generally, an evidence item refers to data extracted from various components of a computer operating system and associated system areas crucial for recording, managing, or operating the system. These items often produce digital evidence that can be analyzed to uncover details of user activity and potential security incidents or anomalies.

Artifact:

On the other hand, in Binalyze AIR, artifacts are files produced by applications during their execution. These files contain valuable information about the activities performed by the application, including logs, configuration files, temporary files, and other artifacts of potential interest for forensic analysis and investigation.

Evidence Repository

A remote location for saving evidence collected as the result of an AIR tasking. These include:

1. SMB

2. SFTP

3. FTPS

4. Amazon S3

5. Azure Blob

6. Network Shares

To create a New Repository go to Settings in the Main Menu and select Evidence Repositories from the secondary Menu. From the window 'New Repository' complete the mandatory fields and select the type of repository you wish to add.

Organizations

In Binalyze AIR, an organization is a structural entity that allows for the separation of assets, users, and cases within a multi-tenant environment. The multi-tenancy capability of AIR enables a single console to manage multiple organizations, each with its own isolated environment. Here’s how it works:

1. Asset Management: An asset (e.g., a device or endpoint) can belong to only one organization, ensuring clear boundaries between different organizational environments. However, within that organization, the same asset can be assigned to multiple cases​.

2. Case Management: Cases could perhaps also be called 'investigations' or 'incidents' and they are also aligned to a specific organization. Access to cases can be restricted based on user privileges within that organization​.

3. Global and Organization-Specific Settings: Certain settings, such as policies and evidence repositories, can be configured globally across all organizations or individually for each organization. This flexibility allows administrators to enforce global standards while still providing the ability to customize configurations at the organizational level when required​​.

4. Policies and Evidence Repositories: Policies can be applied either globally or on an organization-by-organization basis. For example, evidence repositories, which store collected data, can be aligned to all organizations (global) or set up uniquely for each organization, allowing for localized data control​.

This multi-tenant architecture in Binalyze AIR ensures that organizations can operate independently within the same platform, benefiting from both shared resources and isolated environments, depending on their needs.

Responder

The AIR responder is a streamlined 40MB standalone package that brings the expertise of level 3 and 4 analysts directly to your digital assets.

Unlike 'agents' that constantly monitor systems and consume significant resources, AIR responders only activate to perform precise, user-defined DFIR tasks on demand. This approach allows for deploying thousands of virtual responders across your IT ecosystem, ready to execute proactive and reactive incident response activities such as evidence collection, threat hunting, and forensic-level analysis as needed. Binalyze's approach prioritizes efficient security enhancement, marrying minimal asset impact with maximum readiness and incident response capability.

Task

Operations that are assigned to the assets by the AIR console either manually or automatically via a trigger. A task can be assigned to multiple assets, and this is managed through 'task assignments.' Each individual assignment, known as a 'task assignment,' creates a one-to-one correspondence between the task assigned by the console and the specific asset on which the task assignment is executed, ensuring precise management and tracking across all assigned tasks.

Tasks could be either:

1. Manual: Assigned manually by users,

2. Scheduled: Created by users to start in the future. Scheduled tasks could either be one-time or recurring (daily/weekly/monthly).

3. Triggered: Assigned to as the assets as a response to a trigger request which is sent by a SIEM/SOAR/EDR solution.

Triggers (Webhooks)

Triggers are the main extensibility mechanism for AIR to receive alerts from other security suites such as SIEM/SOAR/EDRs.

A trigger is the combination of a parser, an acquisition profile, and a destination for saving the collected evidence (either local or remote).

Binalyze AIR takes this to the next level by allowing the trigger to further automate the post-acquisition analysis by leveraging DRONE and MITRE&CK scanners. So in effect, the alert from your security tools can launch AIR into the collection of relevant forensic data, the analysis of that data, and the delivery of any DFIR findings into the Intelligence Hub with no analyst intervention whatsoever.

Triage

Searching for pieces of evidence such as a file hash, process, or malicious domain at scale. AIR provides you with 'out-of-box' examples for YARA, Sigma, and osquery, making it fast and easy to start sweeping your environment.