AIR's User Settings

This page provides a comprehensive guide to configuring and managing all settings in Binalyze AIR, covering:

• General Settings: Platform-wide configurations.

• Assets: Managing asset inventories.

• Security: Setting up security features.

• Features: Customizing AIR’s core functionalities.

• Users and Roles: Administering user permissions and roles.

• Evidence Repositories: Configuring storage for collected evidence.

• Policies: Defining evidence collection rules.

• Backup and Backup History: Managing backups and retention schedules.

Each section ensures optimal setup for your AIR environment.

AIR > Settings > General:

Version Information

This section provides details on the versions of various components of the Binalyze AIR platform, helping administrators ensure that all parts of the system are up to date.

1. AIR: The main application version (e.g., 4.23.3). This represents the core platform's release and includes the latest features and security updates.

2. DB (Database): The version of the database used by AIR (e.g., 6.0.7), which stores all data related to the platform’s taskings and configuration settings.

3. Responder: The version of the AIR responder (e.g., 2.50.5) installed on assets for data acquisition and remote interaction.

4. DRONE: The version of the DRONE analysis engine (e.g., 3.11.0), which processes collected evidence to deliver findings and insights on this and some live artifacts through automated analyzers.

5. TACTICAL: These versions indicate the status of various responders for different operating systems, including Linux, macOS, Windows, and the legacy version for older Windows systems. For example, the latest responders are at version 3.12.1, ensuring up-to-date compatibility with operating system environments.

6. MITRE ATT&CK Analyzer: This version (e.g., 7.0.0) refers to the built-in mapping against the MITRE ATT&CK framework, which helps identify adversary tactics, techniques, and procedures during investigations.

7. Disk Image Explorer: This component (e.g., version 1.0.0) provides functionality for exploring disk and volume images acquired during investigations.

Logging

1. Log Level: Determines the verbosity of logging within AIR. Adjusting the log level can help in debugging or keeping track of system activity.

2. Log Files: Provides access to the system's log files, which are useful for auditing, troubleshooting, and reviewing system performance and security events.

License

This section provides details about the current licensing status of the Binalyze AIR installation.

1. License Key: Displays the license key currently in use (e.g., AIR-TEST-LICENSE).

2. Valid Until: The expiration date of the license (e.g., 2025.09.29), which tells you how long the platform is licensed for.

3. Max Client: The maximum number of assets (clients) that can be managed under this license (e.g., 1,000,000 assets).

4. In Use: The number of assets currently being monitored by AIR (e.g., 447,908 assets).

5. Remaining: The number of asset slots still available (e.g., 552,092 assets). This helps ensure scalability and license compliance.

Connection

1. Console Address: This is the current address of the AIR Console (e.g., air-demo.binalyze.com) where asset responders are polling to check for any tasking assignments that need execution.

   • Important: Changing this address will trigger a migration process, which will cause all assets to connect to the new address while deregistering from the old one.

2. Console Proxy: Settings for configuring an internet proxy that AIR can use to connect to external services, such as updates or external evidence storage.

   • Address: The IP address of the proxy (e.g., 10.0.0.1).

   • Port: The port used for proxy communication (e.g., 0).

   • Username and Password: Credentials for authenticating with the proxy.

3. Certificate Authority (CA): If your organization uses a custom CA for SSL communication, this setting allows you to upload the certificate in the appropriate format for secure connections between assets and the AIR Console.

System Resources

Displays information about the system where AIR is installed, helping monitor and optimize performance.

1. CPU:

   • Cores: The number of processor cores (e.g., 8), indicating the processing power available for handling AIR tasks.

   • CPU Type: Details of the CPU model (e.g., Intel Xeon Processor, Skylake architecture).

   • Flags: A list of supported CPU features (e.g., SSE, HT, etc.), indicating hardware capabilities relevant to performance.

2. Memory:

   • Total Memory: The total available system memory (e.g., 32.87 GB).

   • Used Memory: The amount of memory currently in use (e.g., 5.29 GB).

   • Free Memory: The remaining available memory (e.g., 27.58 GB), ensures that there are enough resources to handle future operations.

3. File System:

   • Total Storage: The total storage space available (e.g., 315.93 GB).

   • Used Storage: How much storage is currently used (e.g., 189.46 GB).

   • Partition: The partition where AIR data is stored (e.g., /dev/sdb1). Monitoring this ensures sufficient space for data storage and logging.

AIR > Settings > Assets:

Responder Updates

Manage updates for the AIR responders installed on assets.

• This feature allows you to enable or disable automatic updates for responders. If enabled, the responders will automatically update to the latest version when a new release is available. This ensures that the responders are always running the most current version with all the latest features and security patches.

• Deployment Tokens: These tokens are used to securely install and register responders on new assets, ensuring the responders communicate correctly with the AIR Console upon installation.

Tamper Detection

Enable alerts for tampering attempts on responders.

• When Tamper Detection is enabled, the responder will actively monitor its own operation for any interference or attempts to disable it.

• Functionality: If there is an attempt to modify or interfere with the responder (e.g., by disabling it or altering its files), the responder will notify the AIR Console, ensuring that any malicious attempts are flagged immediately.

• This feature is critical for ensuring the integrity and continuous operation of responders in high-security environments.

Uninstallation Password

Prevent unauthorized uninstallation of responders by requiring a password.

• When this feature is enabled, users will need to enter a protection password to uninstall the responder from an asset. This prevents unauthorized personnel from removing the responder, which could otherwise leave the asset vulnerable or unmonitored.

• Uninstallation Method: The uninstallation process will be restricted to shell commands, meaning it can't be removed via a simple GUI or file system manipulation, adding an extra layer of security.

Active Directory (AD) Integration

Synchronize assets from Active Directory with AIR.

• This feature allows Binalyze AIR to integrate with your Active Directory (AD) environment. You can specify the AD server (e.g., 10.0.0.1) and the domain (e.g., company.local) to automatically synchronize information about computers and users from AD into AIR.

• LDAP Synchronization: By manually starting the LDAP synchronization, you can query Active Directory for specific objects such as computers, ensuring that AIR can discover and manage assets from your organization's AD.

• The Query For Computers field (e.g., (&(objectCategory=computer))) uses an LDAP filter to query and sync only computer objects from the directory.

• Authentication: You will need to provide an AD username and password to authenticate and pull information from the directory.

AIR > Settings > Security:

SSL Certificate

Enable secure connections between AIR Console and users/assets by using SSL encryption.

• Certificate: This displays the SSL certificate details used by AIR for secure HTTPS communication. In this case, the certificate is issued by Let's Encrypt (Issuer: Let's Encrypt, Common Name: R3) and is valid for a specific period (e.g., from 2022.09.18 to 2022.12.17).

• Subject: The Common Name (CN) field shows the domain (e.g., air-demo.binalyze.com) to which the certificate applies.

• Having an SSL certificate ensures that all communications between users and the AIR Console are encrypted, preventing unauthorized access to sensitive information.

SSL Root CA

Acts as the root certificate authority (CA) for issuing certificates if a custom SSL certificate is not provided.

• Binalyze AIR generates an SSL Root CA for each instance when a custom certificate isn’t supplied. This certificate is used to create secure communication channels within the system.

• Issuer and Subject: Both are BINALYZE R1, ensuring that the root certificate is tied to the Binalyze platform.

• Validity: The root CA certificate is valid from 2017.10.14 until 2100.10.14, ensuring long-term use and security.

Console Port

Define the port over which the AIR Console is accessible.

• The AIR Console is configured to be accessed on port 8443, which is a secure port typically used for HTTPS traffic.

• Meanwhile, responders will continue to communicate with the console over the default secure port 443. This setup ensures that assets and users can access the platform via separate but secure ports, enhancing security and flexibility.

IP Restriction

Restrict access to the AIR Console based on IP addresses.

• This feature allows administrators to restrict access to the AIR Console to a specific range of IP addresses, limiting who can interact with the console.

• Important: This restriction does not affect communication between the AIR Console and the assets themselves. It only controls who can access the console’s user interface.

• The current IP address of the user accessing the system (e.g., 172.71.122.69) is displayed for reference.

Authentication

Configure user authentication security settings.

You can enforce Two-Factor Authentication (2FA) for all users, adding an extra layer of security by requiring a second form of verification (e.g., a mobile app code) when logging in. (SSO will override this option)

• This setting enhances overall security by ensuring that only authenticated and verified users can access the system.

Single Sign-On (SSO)

Enable and configure Single Sign-On (SSO) for AIR.

• SSO allows users to log in to AIR using their organization’s existing identity provider (e.g., Azure AD, Okta) without needing separate credentials. This simplifies the login process and enhances security by centralizing authentication management.

• Tenant ID and Client ID: These are provided by the SSO identity provider (e.g., Azure, Okta) and uniquely identify the organization’s SSO configuration.

• Client Secret: A secure key used for authenticating the connection between AIR and the SSO provider (shown as encrypted in the system).

• Callback URL: This is the URL (e.g., https://air-demo.binalyze.com/api/auth/sso/azure/callback) where users are redirected after successful authentication via SSO. It ensures that users are logged into the AIR platform after authenticating through the identity provider.

• Entry Point and Issuer: These fields are also part of the SSO configuration, ensuring that AIR communicates correctly with the identity provider.

• Certificate: Uploading a certificate from the identity provider is necessary for secure communication between AIR and the SSO service.

SSO improves user management and security by centralizing login credentials with your existing identity provider, simplifying the user experience while ensuring strong authentication practices.

AIR > Settings > Features:

Enable interACT

This feature enables or disables the interACT functionality in Binalyze AIR.

• interACT allows users to remotely open a shell session to interact with assets. Users can execute commands and scripts based on their assigned privileges.

• Security Requirement: To use interACT, users must have enhanced security in place—either Two-Factor Authentication (2FA) or Single Sign-On (SSO). This ensures secure access to sensitive systems, limiting unauthorized use.

• Read more about interACT here: interACT

Resolve Responder Public IP

This feature allows AIR to capture and associate the public IP of an asset.

• When enabled, the AIR Console parses HTTP request headers to extract the X-Forwarded-For header provided by proxies. This header reveals the public IP address of the responder (asset), even if it's behind a proxy or firewall.

• Visibility: If the feature is enabled, AIR will display the X-Forwarded-For IP address instead of the communication IP (the one directly visible to AIR). This provides more accurate forensic visibility of an asset's location and origin.

Case Selection

Enforce mandatory case selection when starting tasks.

• This feature requires users to associate every task they run in AIR with a specific case.

• Benefit: It enforces structured workflows, ensuring that all investigations are organized and traceable to a particular case, which is critical for auditing and maintaining clarity in incident response efforts.

RFC3161 Timestamping

Provides cryptographic proof of when data was acquired and its integrity.

• RFC3161 timestamping ensures that the data collected during acquisition has a digital signature, proving that the data existed at a specific time and has not been altered since.

• When enabled, every new acquisition task will include a signature file with metadata, adding legal and forensic robustness to your investigation process.

• Read more in this blog: https://www.binalyze.com/blog/dfir-lab/protect-your-chain-of-custody-with-content-hashing-and-timestamping

Chain of Custody

Protect evidence integrity by registering it on the blockchain via LOCARD which is a blockchain-based system for secure evidence handling in digital forensics. It has seen some adoption in Europe but remains underutilized in the U.S. due to regulatory and infrastructure challenges, leading to slower adoption and less frequent use​​.

• This feature integrates with LOCARD, a blockchain-based platform for evidence integrity. When enabled, the chain of custody for digital evidence is secured by submitting evidence metadata to the blockchain, ensuring it hasn't been tampered with.

• LOCARD Credentials: To use this, you'll need to provide the Organization, Host, Username, and Password for your LOCARD account.

SMTP (Email Configuration)

Set up email notifications, such as password-reset emails.

• Specifying an SMTP server allows Binalyze AIR to send out automated emails, particularly for password resets. This is useful for self-service password recovery.

• You must configure the SMTP server address, port, sender email, username, and password. For example, using mail.smtp2go.com as the server.

Syslog / SIEM Integration

Enable integration with Syslog servers or SIEM systems.

• This feature allows Binalyze AIR to send event logs to a centralized Syslog or SIEM (Security Information and Event Management) system for enhanced log monitoring and analysis.

• You will need to configure the protocol (TCP/UDP), server address, and port to send logs from AIR to your preferred log management system.

Banner Message

Display a custom banner message across all AIR Console pages.

• This feature allows you to set a banner message that will appear on all pages of the AIR Console. This is useful for displaying system notices, warnings, or other important information to all users.

Policies

Enforce task options and preferences across assets.

Policies allow administrators to define global task preferences and restrictions for assets in the organization.

• Customizability: Policies can be tailored for different subsets of assets using filters, and a user must have the "Override Policy" privilege to modify the default organizational policies.

Auto Asset Tagging

Automate tagging of assets when they are added to AIR.

• When this feature is enabled, Binalyze AIR automatically applies asset tags based on predefined rules as soon as a responder is installed on an asset.

• Flexibility: Even if this feature is disabled, users can still run the Auto Asset Tagging task manually on assets.

Enable Frank.AI

Activate AI-powered assistance for investigations.

Frank.AI is an AI-driven assistant integrated into Binalyze AIR. It helps guide users through investigations, providing suggestions and assistance to streamline the forensic analysis process. Frank.AI acts as a copilot for investigators, improving efficiency by leveraging AI to answer analysts' questions.

AIR > Settings > Users:

This section allows administrators to add new users to the Binalyze AIR platform, specifying essential details such as the user's name, organization, role, and login credentials.

1. Type:

   • This field defines the type of user being added, depending on the organization's structure. For example, it could differentiate between internal users and external users (like clients or contractors) if your organization uses different user types.

2. Name:

   • Name: The first name of the user being added (e.g., "John").

   • Surname: The last name of the user (e.g., "Doe"). These fields are important for identifying and managing users in the system, especially in larger organizations.

3. Username*:

   • The username is a mandatory field (indicated by the asterisk). This is the unique identifier that the user will use to log in to the AIR platform (e.g., [email protected]).

   • The username is often based on the user's email address to ensure uniqueness and facilitate easy recognition.

4. Email*:

   • The email is also a mandatory field. It is used for account-related communications, such as password resets, system alerts, or notifications.

   • This email should be valid and associated with the user being created to ensure they receive important platform-related information.

5. Organization*:

   • This field allows you to assign the new user to a specific organization within the Binalyze AIR system.

   • If multiple organizations are managed within the AIR platform (e.g., in the case of a multi-tenant setup), you can select which organization the user belongs to.

   • The system can restrict users from viewing or managing other organizations, depending on their access privileges.

   • Note: If no organization is selected or assigned, the user may have limited or no permissions within the platform.

6. Role*:

   • The Role dropdown allows you to assign the user's role within the platform. Roles define the level of access and permissions the user will have. Common roles could include:

     • Administrator: Full access to manage the platform, users, and assets.

     • Investigator: Access to forensic and incident investigation features.

     • Viewer: Read-only access to view data and reports.

   • This field is crucial for setting user permissions and ensuring that they can only perform actions aligned with their responsibilities.

7. Password*:

   • This is where you set the password for the user’s account. The password should meet the organization's security requirements (e.g., complexity, length).

   • A secure password is essential to ensure that unauthorized access to the platform is prevented.

8. Confirm Password*:

   • This field is used to confirm the password entered above. Ensuring that the passwords match helps avoid login issues caused by incorrect entries.

AIR > Settings > Roles:

In Binalyze AIR, the Global Admin has full control over managing 109 specific privileges, allowing the creation of highly customized user roles. This granular access control ensures that each user or group has permissions tailored to their specific needs, such as handling evidence acquisition, interACT sessions, or audit log management.

A useful feature within this setup is the tooltips provided alongside each privilege. These tooltips highlight any dependencies that may exist between privileges, helping administrators configure roles accurately without unintentionally restricting necessary functions.

For example, an admin could create a role that enables a user to access interACT for remote evidence collection, while restricting access to audit logs or system-wide settings. The tooltips ensure that admins are aware of any required privileges to avoid misconfigurations.

This approach provides both flexibility and clarity, empowering admins to manage user roles effectively.

AIR > Settings > Evidence Repositories:

Binalyze AIR allows you to set up various Evidence Repositories for storing and managing collected data securely. The supported repository types are:

1. SMB: Ideal for sharing files across network devices.

2. SFTP: Utilizes SSH for encrypted data transfer.

3. FTPS: Combines FTP with SSL/TLS for secure transfers.

4. Amazon S3: Provides scalable cloud-based storage, perfect for large-scale investigations.

Key Features:

• Global or Organization-Level Setup: Repositories can be defined at both global and organizational levels, providing flexibility in evidence management across multiple AIR instances or within a single organization.

• Secure Data Management: Protocols like SFTP and FTPS ensure that data transfers are encrypted, safeguarding sensitive information during uploads and downloads.

• Automatic and Manual Uploads: Evidence can be automatically uploaded to repositories based on configured tasks, or users can manually upload files as needed.

• Task Management: Repositories support task scheduling for evidence uploads, ensuring a smooth workflow for collecting, storing, and analyzing evidence.

• Connection Settings: When configuring repositories, users must provide essential connection details such as credentials, encryption options, and repository paths. For cloud-based storage like Amazon S3, you also need to configure bucket settings.

This setup ensures secure, scalable, and efficient management of evidence within AIR, accommodating various infrastructure needs.

AIR > Settings > Policies:

Policies serve to define how evidence is collected and managed, providing fine-grained control over resources and processes.

Policies in AIR provide central configuration management and support global configurations that can be overridden at the Organisation level when required.

This overriding is only possible when the user has the “Override Policy” privilege allocated to their role.

Key Components:

1. Name & Organization: Policies must have a unique name and be assigned to a specific organization.

2. Evidence Storage: Configures where evidence is stored—either locally (default paths: Binalyze\AIR\ on Windows, /opt/binalyze/air/ on Linux/macOS) or in defined repositories like SMB or SFTP.

3. Resource Limits: Controls CPU usage, bandwidth, and disk space during collection to prevent resource overuse. You can specify CPU limits (e.g., 100%) and restrict bandwidth and disk space.

4. Compression & Encryption: Enables optional compression and encryption of the collected evidence, with a password for added security.

5. Scan Scope: You can opt to restrict scans to local drives only, excluding network and external drives.

6. Isolation Settings: Policies can include an IP/Port and ‘process allow’ lists for isolation tasks, which ensures that specific communication channels remain open during an asset’s isolation.

Use Case Example:

When creating a policy for a specific investigation, you could configure it to save evidence in an AWS S3 bucket, limit the CPU to 50%, compress the evidence for efficient storage, and ensure network drives are excluded from the scan. You could also configure the policy to allow communication with critical servers even if the asset is isolated.

AIR > Settings > Backup:

The Binalyze AIR Backup feature allows users to back up system data securely and flexibly through the UI or Command Line Interface (CLI). Backups can be stored locally, on SFTP, or in Amazon S3, and encrypted using AES256 with a password.

Backups can be performed immediately or scheduled at intervals of every 4 hours, daily, weekly, or monthly. Users can set the number of backups to retain and the scheduled start time. CLI backup options are available, with detailed instructions in the Knowledge Base.