Terminology

Acquisition Profile

A group of evidence types, application artifacts, and custom content items. There are acquisition profiles provided 'out-of-box' but you can also create additional ones by visiting "Integrations" in the Main Menu.

AIR Console

Web-based management interface which lets you manage your assets and assign tasks.

Asset

In Binalyze AIR, an asset is defined as any entity, whether a device or system, physical or virtual, that operates on a supported operating system such as Windows, macOS, Linux, Chrome, IBM AIX, and ESXi. Assets are the foundational elements on which Binalyze AIR performs various actions, including evidence collection and task execution, crucial for responding to and hunting cyber threats. Examples of assets encompass computers, servers, hosts, cloud accounts, and disk images.

An Asset can be either one of 2 states:

1. Managed: Asset responder/agent is successfully deployed to the device and ready to perform tasks,

2. Unmanaged: The asset is discovered by enumerating Active Directory but does not have the AIR responder deployed.

The Assets Summary window on the home page can also report the asset as:

1. Off-Network: The Asset has supplied data to the console via an Off-Network Acquisition or Triage task.

2. Unreachable: The asset responder/agent is currently unreachable.

3. Update Required: The responder on the asset requires an update to function correctly.

4. Update Advised: The responder is still functional but for full functionality, an update is recommended.

5. Isolated: The asset is currently isolated from the network apart from communication with the AIR console only.

Installation of the AIR responder/agent on your assets is managed via the Assets button in the Main Menu:

The AIR responder/agent installer is a zero-configuration package which contains the console address already embedded in it.

You can deploy the AIR responder/agent in multiple ways:

1. Downloading an installation package (Windows, macOS, Linux, Chrome and ESXi)

2. Copying a PowerShell Command (Windows)

3. Copying a CURL Command (macOS and Linux)

4. Copying a WGET Command (macOS and Linux)

5. Downloading a PowerShell Script (Windows)

6. Downloading the Asset installer (macOS and Linux)

7. Manual installation via Active Directory/SCCM.

8. Generation of a shareable Deployment Link (Windows, macOS, Linux, Chrome and ESXi)

Evidence Item or Artifact?

Evidence Item:

In the context of Binalyze AIR and cybersecurity generally, an evidence item refers to data extracted from various components of a computer operating system and associated system areas crucial for recording, managing, or operating the system. These items often produce digital evidence that can be analyzed to uncover details of user activity and potential security incidents or anomalies.

Artifact:

On the other hand, in Binalyze AIR, artifacts are files produced by applications during their execution. These files contain valuable information about the activities performed by the application, including logs, configuration files, temporary files, and other artifacts of potential interest for forensic analysis and investigation.

Evidence Repository

A remote location for saving evidence collected as the result of an AIR tasking. These include:

1. SMB

2. SFTP

3. FTPS

4. Amazon S3

5. Azure Blob

6. Network Shares

To create a New Repository go to Settings in the Main Menu and select Evidence Repositories from the secondary Menu. From the window 'New Repository' complete the mandatory fields and select the type of repository you wish to add.

Read more details about Evidence Repositories here.

Responder

The AIR responder is a streamlined 40MB standalone package that brings the expertise of level 3 and 4 analysts directly to your digital assets.

Unlike traditional agents that constantly monitor systems and consume significant resources, AIR responders activate to perform precise, user-defined DFIR tasks on demand. This approach allows for the deployment of thousands of virtual responders across your IT ecosystem, ready to execute proactive and reactive incident response activities such as evidence collection, threat hunting, and forensic-level analysis as needed. Binalyze's approach prioritizes efficient security enhancement, marrying minimal asset impact with maximum readiness and incident response capability.

Task

Operations that are assigned to the assets by the AIR console either manually or automatically via a trigger.

Tasks could be either:

1. Manual: Assigned manually by users,

2. Scheduled: Created by users to start in the future. Scheduled tasks could either be one-time or recurring (daily/weekly/monthly).

3. Triggered: Assigned to as the assets as a response to a trigger request which is sent by a SIEM/SOAR/EDR solution.

Triggers (Webhooks)

Triggers are the main extensibility mechanism for AIR to receive alerts from other security suites such as SIEM/SOAR/EDRs.

A trigger is the combination of a parser, an acquisition profile, and a destination for saving the collected evidence (either local or remote).

Binalyze AIR takes this to the next level by allowing the trigger to further automate the post-acquisition analysis by leveraging DRONE and MITRE&CK scanners. So in effect, the alert from your security tools can launch AIR into the collection of relevant forensic data, the analysis of that data, and the delivery of any DFIR findings into the Intelligence Hub with no analyst intervention whatsoever.

Triage

Searching for pieces of evidence such as a file hash, process, or malicious domain at scale. AIR provides you with 'out-of-box' examples for YARA, Sigma, and osquery, making it fast and easy to start sweeping your environment.