1 of 100

Binalyze AIR - Prod

AIR Knowledge Base

Our mission is to deliver solutions that reduce incident response investigation times through unparalleled forensic-level visibility, automation, speed, and collaboration at scale.

AIR Platform Troubleshooting FAQs

You can view our support terms and conditions here.

AIR

AIR Platform

AIR is an Automated Investigation and Response platform offering the most comprehensive feature set for remotely acquiring 698 types of digital evidence in just minutes.

Welcome to AIR's Documentation

This Knowledge Base will guide you through all the features of AIR.

What is AIR?Terminology Architecture Network Communication Cloud Forensics

What is AIR?

Automated Investigation and Response platform

AIR is an Automated Investigation and Response platform that delivers deep forensic visibility and end-to-end investigation capabilities at speed.

AIR combines the rapid remote acquisition of 737 evidence types with intelligent, efficiency-driven automation to drastically reduce investigation time, simplify workflows, and empower SOC and incident responders with accurate, collaborative insights, thereby boosting long-term cyber resilience.

AIR further accelerates investigations through DRONE—a powerful suite of integrated analyzers that automatically assess collected evidence. DRONE's findings across multiple assets are consolidated and visualized in a single pane of glass: the AIR Investigation Hub.

AIR will perform simultaneous hunt and triage on thousands of assets using YARA, Sigma, and osquery rules.

AIR protects employee privacy with targeted collections when required. It also captures the 'forensic state' of multiple assets and presents this information in an Investigation Hub.

The Investigation Hub serves as an all-encompassing, user-friendly DFIR intelligence resource. This unifying Investigation Hub consolidates Acquisition and Hunt/Triage data from all assets, presenting it in an easily digestible format. It also integrates DRONE analyzer findings through intuitive graphical visualizations, thereby identifying the most critical machines that warrant further immediate, focused investigation or remediation. The Investigation Hub streamlines the investigative process by:

Providing actionable findings to prioritize and guide investigators,
Offering comprehensive listings of all evidential artifacts,
Including a range of advanced filtering options, and
Featuring a powerful global search capability.

The AIR platform integrates with your existing SIEM, SOAR solutions, and many EDR products. This is done via Webhooks and an open API that empowers analysts to automate the response phase of IR.

So, all forensic collections can be scheduled, automated, remote, and scalable.

With evidence hashing, AES256 encryption, and RFC3161 time-stamping, the Chain of Custody for evidence handling by AIR is completely secure.

Other key features include our patent-pending Baseline Comparison technology. This allows you to be more proactive and focused in the way you target your efforts. Here, you can compare acquisitions against one another and easily identify additions, changes, and deletions to key system areas often exploited by attackers.

AIR helps you cut through the noise of security data with live YARA, Sigma, and osquery scanning combined with rapid keyword searching, automated post-acquisition analysis, and Event Scoring.

These features all combine to enable most digital forensics investigations to be concluded in less than 4 hours - which is a dramatic improvement over what is commonly achieved today with other solutions.

Architecture

A brief overview of system architecture

Components

AIR is an on-premise or cloud-based, client-server solution that allows you to remotely perform various tasks on assets such as collecting forensic evidence and performing threat hunts with YARA, Sigma, or osquery.

1. Management Console

Management Console is a web-based application that can be viewed from any device with an up-to-date browser.

2. AIR Responders

Assets are connected to the management console via a lightweight "passive" responder that can be deployed manually or via other mechanisms such as SCCM.

2.1. Passive Responder Explained

AIR responders;

DO NOT scan anything on the asset that may cause slowdowns (e.g. your Antivirus),
DO NOT block anything on the asset that may cause false positives (e.g. your DLP),
DO NOT create any alerts that may cause "alert fatigue".

3. Communication with the Binalyze Domain

DOMAIN

What data is sent or received by Binalyze domains

Domain

Data Sent To Domain

Data Received From Domain

AIR Task Flow and Management

Introduction

In today's dynamic digital environment, managing tasks efficiently within a software system is crucial for reliability, flexibility, and optimal performance. This guide explores a sophisticated task management system designed to handle a wide range of operational scenarios, focusing on task retrieval, execution, prioritization, and system resilience against failures and network disruptions.

Task Retrieval and Execution

The Role of the AIR Console

The AIR platform features an intuitive web-based console designed to orchestrate and dispatch tasks to designated remote AIR responders effectively. Serving as the nerve center for task allocation, this console guarantees that each task is accurately assigned for execution, optimizing operational efficiency. Within this ecosystem, assigning a specific task to a particular asset is termed a 'task assignment,' ensuring a clear, one-to-one correspondence between tasks and assets for precise management and tracking.

Mechanisms for Task Checking

To accommodate diverse operational needs and customer network policies, the system employs two primary mechanisms for task checking:

Regular Interval Checks: Tasks are checked at predefined intervals, which can be dynamically adjusted based on the system's current configuration and operational demands.
The NATS Protocol: For immediate task fetching or near real-time communications with assets, the system incorporates a specialized protocol named "NATS." This protocol is designed to bypass the standard checking intervals, allowing for urgent tasks to be retrieved and executed with minimal delay

AIR does not use TLS for NATS traffic because no sensitive data is transmitted over it. NATS is only used to send a lightweight “ping” message when the AIR Console assigns a task to a Responder. After receiving this signal, the Responder immediately connects back to the AIR Console over HTTPS (port 443) to securely download the full task details

Task Checking Intervals

Task-checking intervals are not static; they vary dynamically from seconds to hours, influenced by the system's configuration. This flexibility ensures the system can adapt to changing workloads and priorities efficiently.

Task Prioritization and Execution Order

Prioritization of Critical Tasks

Certain tasks, such as "cancel tasks," receive priority in the execution queue. This prioritization is crucial to prevent delays in the cancellation process, ensuring tasks are halted promptly when required.

Execution Order and FIFO Queue Model

The system employs a first-in, first-out (FIFO) queue model for task execution. This model ensures that tasks are processed in the order received, with special consideration given to tasks that might block or delay subsequent operations unnecessarily.

Handling of Failed Tasks and Network Disruptions

Tasking Assignment interruptions

If a Tasking Assignment has been collected by the Responder but is interrupted before the completion of collection, triage, or analysis, the task will not resume where it left off. Instead, this interruption will result in a task failure. Such failures are automatically recorded within the console's tasking details.

When this occurs, the status of the task in the AIR console will reflect the failure, and it will be necessary to manually restart or initiate a new task to ensure that the intended data collection and analysis are completed. This approach ensures clarity and accuracy in managing task assignments, even in cases of unexpected interruptions.

Retry Mechanisms for File Uploads

For tasks that require file uploads, such as uploading to an evidence repository, the system includes built-in retry mechanisms. These mechanisms are activated to re-attempt uploads if network issues interrupt the process. The number of retries and the specific procedures for handling these retries vary depending on the task type and the destination of the file.

Additionally, if "direct collection" is enabled for an acquisition task and a failure occurs, the user must restart the acquisition process from the beginning. This ensures that all necessary data is properly collected without partial or corrupt files.

Data Purging and Task Cancellation

A specialized "purge local" task type exists for efficiently cleaning up local data related to completed or failed tasks. This function is crucial for maintaining optimal disk space utilization and efficient system resource allocation.

System Flexibility and Customer Policies

This guide emphasizes the importance of a flexible system that can adapt to diverse customer policies, including specific network configurations and security requirements. The choice of protocols and mechanisms for task management is influenced by these diverse operational needs.

Documentation and System Improvements

Continuous improvement is a cornerstone of system development. The commitment to updating documentation reflects ongoing efforts to refine task management processes and system functionalities based on operational insights and technical advancements.

Technical Implementation Details

The guide offers an in-depth examination of the system's technical underpinnings, including the utilization of the "NATS" protocol, dynamic adjustment of task-checking intervals, and the logic behind task prioritization and queue management. These details offer a comprehensive understanding of the system's operational logic and its capability to handle various scenarios efficiently.

Conclusion

Efficient task management is pivotal in ensuring the reliability and performance of software systems. Through innovative mechanisms, such as the air console and NATS protocol, alongside dynamic task-checking intervals and a robust FIFO queue model, the system outlined in this guide represents a state-of-the-art solution for managing tasks in complex software environments. The emphasis on flexibility, resilience, and continuous improvement underscores the system's readiness to meet the evolving demands of modern digital operations.

Network Communication

How do assets communicate with the console?

How Do Assets Communicate with the Console?

All routine communication between assets and the AIR console is initiated by the assets—they do not receive incoming requests from external sources. Communication occurs through various protocols and channels:

Cloud Forensics

Investigators and analysts can use the AIR platform to conduct investigations on machines located in cloud platforms. Our platform supports cloud-based virtual machines, as well as on-premise and off-network devices. Investigators and analysts can install responders on virtual machines located on the cloud infrastructure for investigations and analysis. Amazon Web Services and Microsoft Azure are both supported.

We understand the unique challenges of investigating cloud-based attacks, such as Business Email Compromise (BEC). That’s why we have introduced the Tornado preview version, a standalone desktop application designed to simplify evidence collection from Google Workspace and Microsoft Office 365. Learn all about Tornado .

Investigators and analysts can easily and quickly deploy responders to their cloud assets and immediately initiate investigations, compromise assessments, and threat-hunting activities. By leveraging the automation advantages of cloud platforms, users can easily deploy multiple responders using a single authorized cloud platform account.

After adding the authorized account to the Console, it enumerates the cloud platform to discover and list assets. Then, investigators and analysts can deploy responders to individual or multiple cloud assets with one click.

Setup

AIR setup instructions

Relay Server

What is Relay Server?

AIR Relay Server is a specialized SOCKS5 proxy server specifically designed to facilitate communication between AIR responders and the AIR console. Its primary function is to act as an intermediary, enabling the seamless proxying of connections between the responders and the console.

With Relay Server, you can enhance the security of both responders and the console by only granting access via the Relay Server, eliminating the requirement for direct access to the AIR console from the responder environment.

This indirect access approach adds an extra layer of protection to the overall system architecture.

The Relay Server functionality in an AIR deployment is not automatically available for all users. This feature's availability is contingent upon specific license configurations.

Users considering the installation and configuration of a Relay Server should liaise with their Binalyze installation advisor as part of the setup process.

Relay Server Pro

Relay Server Pro is available starting with AIR version 5.4 and represents the next generation of secure relay communications for Binalyze AIR.

Overview

Relay Server Pro is a fundamental architectural evolution in secure relay operations for Binalyze AIR. It replaces the legacy SOCKS5-based relay server with a fully authenticated HTTPS proxy that implements JWT-based two-step verification for Responders connecting through constrained or segmented networks.

Requirements for installation

To ensure a successful installation of Relay Server, it is necessary to have a Linux operating system based on either Debian or Redhat, with a minimum kernel version of 3.9.0. This requirement guarantees compatibility and optimal performance.

The Relay Server functionality in an AIR deployment is not automatically available for all users. This feature's availability is contingent upon specific license configurations.

Users considering the installation and configuration of a Relay Server should liaise with their AIR installation advisor as part of the setup process.

Currently, the supported versions for Relay Server are as follows:

How to install a Relay Server on different Linux platforms

To ensure proper installation of the Relay Server, the responder must be installed and registered within the same organization and on the same system. If you plan to install the responder beforehand, you should select a direct connection as the Relay Server will be located on the same system.

From the "Organizations" page, when you create a new organization or select an existing one, it will bring you to a page where you can deploy a new Relay Server.

By clicking "New Relay", a deployment page brings up for the Relay Server:

As you can see, there are packages available based on Debian or Redhat distributions. You can select either the 64-bit or ARM64 version by clicking the arrow next to the "Download" button.

Once the package is downloaded, you will need to configure the environment settings for the Relay Server to register with the AIR Console. To simplify this process, you can easily copy the necessary commands by clicking the "copy" button located in the right corner of the command.

export AIR_DEPLOYMENT_TOKEN=dce4e59125c545a2
sudo -E dpkg -i ./binalyze-air-relay-server_2.22.0_*.deb

After copying the commands, open a terminal and navigate to the directory where you have downloaded the package. If the directory is "Downloads" in your home folder, you can go to that folder by executing the following commands in the terminal:

As part of the Relay Server installation process, it performs a check to verify the availability of the responder. Additionally, it configures the responder to manage the newly installed Relay Server.

Upon successful installation, you will be able to view your newly deployed Relay Server on the "Organization Detail" page.

How to change IP address of Relay Server

Before deploying a new asset through Relay Server, you need to choose the IP address of the Relay Server to which the endpoints will connect. This chosen IP address will serve as the connection route for the assets that will be routed through this Relay Server.

You can change the address of the Relay Server by accessing the "Relay Server Details" section, which can be found in the "Organization Detail" page.

How to install a Responder with Relay Server support

When deploying a new responder to an asset, you will encounter a configuration option that allows you to choose a connection route. This allows you to deploy a responder that either directly connects to the AIR Console or utilizes a connection route via a Relay Server.

By selecting the "Relay Server Connection" radio button, you will be presented with a list of registered Relay Servers associated with this organization. From this list, select one option and proceed with the configuration.

The subsequent steps remain the same as when deploying a new responder, regardless of the connection route chosen (Relay Server). Once you have successfully installed a new asset using the Relay Server connection, you will observe the newly deployed asset associated with the Relay Server on the "Organization Detail" page.

After selecting the installed Relay Server from the list on the "Organization Detail" page, you can access your associated assets by clicking on the "Assets" tab. Additionally, you can view comprehensive details of your Relay Server on this page by clicking on the "Information" tab.

Updating the Connection Route address

Furthermore, you can view and manage assets that are connected through this Relay Server. To modify the connection routing of your assets, navigate to the "Assets" tab. Simply select the asset that you would like to view or edit.

Within the "Connection Route" setting, you have the option to choose between a direct connection to the AIR Console or selecting another Relay Server for your asset to connect to. This action will bring up the same settings page for connection routing that you encountered when deploying a new asset.

Updating Connection Route addresses for multiple assets

To update the connection route addresses for multiple assets in the same organization, follow these steps:

Go to the organization's page (the organization where you want to update the assets) or the Assets page.
Selected the desired assets within the same organization.
Edit the connection route by selecting the icon at the end of the connection route row.
Modify the connection route addresses or choose a Direct connection.

By following these steps, you can easily update the connection route addresses for multiple assets in the same organization.

Updating the responder’s connection route address using the command line

Even if you manually update your connection route, during the next visit to AIR Console from the responder, the responder will retrieve and set the old connection route address. This occurs because the AIR Console is unaware of the address you have set. To avoid this, any changes to the connection route must be made directly from the AIR Console. The configure command mentioned below is primarily utilized for troubleshooting and testing the connection to the Relay Server.

To manually update the connection route of your responder, you can run the responder with the "configure" flag. Follow these steps:

Open a Terminal.
Navigate to the directory where the responder is located.
Run the configure command as shown below:

Upon running the configuration command, the responder service will automatically restart with the updated configuration, including the new connection route that has been set. This ensures that the responder incorporates the changes and operates according to the new configuration.

Proxy configurations

Like the responder, the Relay Server has the capability to proxy connections through a proxy server when communicating with responders or AIR Console. This provides flexibility in terms of configuring proxies for the responder, which connects through a Relay Server, or setting a proxy specifically for the Relay Server. Additionally, it is also possible to set proxies for both the responder and the Relay Server simultaneously. The diagram below illustrates all the possibilities for proxying the Relay Server and the responder.

Adding proxy to Relay Server Adding proxy to Responder

Adding proxy to Relay Server

To add the proxy configuration to Relay Server, you can modify the /etc/profile file by following these steps:

Open a terminal or command line session.
Open the /etc/profile file in your favorite editor with administrative privileges:

sudo vim /etc/profile

Scroll to the end of the file and add the following lines:

Alternatively, you can use the following method to set proxy settings, but be aware that it will impact the proxy behavior of other programs.

Save the changes and exit the text editor.

To apply the changes, restart your system:

By adding these lines to the /etc/profile file, the specified proxy settings will be exported as environment variables.

Service Management for Relay Server

As Relay Server operates as a service/daemon managed by systemd, you can utilize the following systemctl commands to start, stop, restart and reload the service:

To start the service:

To stop the service:

To restart the service:

Stopping and restarting the Relay Server may require several minutes due to its behavior of gracefully shutting down. The Relay Server waits for connected endpoints to disconnect before shutting down to ensure a proper shutdown process.

During this waiting period, the Relay Server allows sufficient time for all endpoints to disconnect, ensuring that any ongoing communications are completed. Once all the endpoints have disconnected from the Relay Server, it proceeds with the shutdown process.

Whitelisting for Relay Server

Relay Server is designed to facilitate communication between the AIR Console and the responder. As a result, Relay Server carefully examines all connection attempts to ensure they are directed towards AIR Console and blocks any connection requests to other destinations. This strict enforcement guarantees that only connections to AIR Console are permitted, thereby providing a secure environment and ensuring that no undesired connections to other addresses occur.

To enable connections to addresses other than the AIR Console, a configuration called "Whitelist" is utilized. By specifying addresses or IP/FQDN patterns in the whitelist, the Relay Server allows communication between clients and the whitelisted addresses. In such cases, the Relay Server acts as a proxy between the client and the whitelisted address, ensuring seamless communication while still maintaining the necessary security measures.

To add or modify the whitelist in the configuration file, you can follow these steps:

Locate the config.yml file: /opt/binalyze/air/relay/config.yml
If the Whitelist field is not present in the file, add it as a YAML array in the following format:

In the Whitelist array, you can include various elements such as IP addresses, fully qualified domain names (FQDNs), FQDNs with wildcards, CIDR notations, IP ranges, or use an asterisk (*) to allow all connections.

The Whitelist elements support the following formats:

IP address: Enter the specific IP address.
FQDN: Provide the fully qualified domain name.
FQDN with wildcard: Use an asterisk (*) as a wildcard character in the domain name.
CIDR: Specify the IP range using CIDR notation.

FQDN addresses that have been added to the whitelist are not resolved to IP addresses. Therefore, destinations using IP addresses without FQDN will be denied. Relay Server only resolves IP addresses of Console Address in the configuration file.

By configuring the whitelist, you can specify the allowed addresses or domains that Relay Server will permit connections to.

After modifying the config file for Relay Server, it is essential to reload the configuration if Relay Server is already running. To accomplish this, you can use the following systemctl command:

Retrieving metrics from Relay Server

Relay Server serves these metrics produced by Prometheus from a Unix socket.

To retrieve metrics from the Relay Server's Unix socket, you can use the curl command to make a request to the following endpoint: http://localhost/metrics on the Unix socket /var/run/Binalyze.AIR.Relay.sock. Here's an example command:

sudo curl --unix-socket /var/run/Binalyze.AIR.Relay.sock http://localhost/metrics

Executing this command will provide you with a response containing various metrics related to the Relay Server. The response will include information such as the number of active connections, request duration, request errors, reload count, and more.

Please note that you need to run this command on the same system where the Relay Server is running, as it communicates via the Unix socket.

Here's a sample response:

# HELP air_relay_info Information about the Relay Server environment.
# TYPE air_relay_info gauge
air_relay_info{arch="aarch64", build_time="2023-06-14T07:22:01", commit="f064c83645e1901d421714b8bd1dbec274425551", goarch="arm64", goos="linux", hostname="halilonay.ubuntu", os="Ubuntu 22.04.2 LTS (Jammy Jellyfish)", version="2.23.0"} 1
# HELP air_relay_proxy_active_connections Number of active connections to the Relay Server.
# TYPE air_relay_proxy_active_connections gauge
air_relay_proxy_active_connections 0
# HELP air_relay_proxy_request_duration_seconds Duration of each request handled by the Relay Server.
# TYPE air_relay_proxy_request_duration_seconds histogram
air_relay_proxy_request_duration_seconds_bucket{le="0.005"} 0
air_relay_proxy_request_duration_seconds_bucket{le="0.01"} 0
air_relay_proxy_request_duration_seconds_bucket{le="0.025"} 0
air_relay_proxy_request_duration_seconds_bucket{le="0.05"} 0
air_relay_proxy_request_duration_seconds_bucket{le="0.1"} 0
air_relay_proxy_request_duration_seconds_bucket{le="0.25"} 1
air_relay_proxy_request_duration_seconds_bucket{le="0.5"} 1
air_relay_proxy_request_duration_seconds_bucket{le="1"} 1
air_relay_proxy_request_duration_seconds_bucket{le="2.5"} 1
air_relay_proxy_request_duration_seconds_bucket{le="5"} 1
air_relay_proxy_request_duration_seconds_bucket{le="10"} 1
air_relay_proxy_request_duration_seconds_bucket{le="+Inf"} 1
air_relay_proxy_request_duration_seconds_sum 0.149310392
air_relay_proxy_request_duration_seconds_count 1
# HELP air_relay_proxy_request_errors_total Total number of request errors encountered by the Relay Server.
# TYPE air_relay_proxy_request_errors_total counter
air_relay_proxy_request_errors_total 1
# HELP air_relay_proxy_requests_total Total number of requests received by the Relay Server.
# TYPE air_relay_proxy_requests_total counter
air_relay_proxy_requests_total 1
# HELP air_relay_reload_count Number of times the Relay Server has been reloaded.
# TYPE air_relay_reload_count counter
air_relay_reload_count 0
# ...

These metrics provide insights into the Relay Server's performance, resource utilization, and various other statistics related to its operations.

Updating and Uninstalling Relay Server

To update Relay Server, you can initiate an update task for the Relay Server from the AIR Console.

Follow these steps from AIR Console:

Locate the Relay Server from the “Organization Detail” page.
Select the relay server and click “Update” button from “Relay Server Details” page.

By running the update task from the AIR Console, the Relay Server installed on the asset and the responder itself will be updated to the latest version.

Similarly, if you wish to uninstall Relay Server from an asset, you can click to red button next to the “Update” in “Relay Server Details” page from AIR Console. This will remove Relay Server and responder from the system.

Troubleshooting

To run the Relay Server correctly, the responder must be running to manage tasks received from the AIR Console. Any modification or removal of these requirements will cause the Relay Server to fail to operate.

If responders attempting to connect through the Relay Server cannot establish a connection, they will fallback to a direct connection. Alternatively, if a proxy connection is configured, they will fallback to using the proxy for the connection.

If connections through the Relay Server are experiencing failures, you can try resolving the issue by restarting the service using the following systemctl command:

This command will initiate a restart of the Relay Server service, which may help in resolving any connectivity issues.

Modifying the config file manually can introduce several problems, particularly due to the YAML format. Therefore, if you intend to make changes to the config file, such as adding whitelist addresses, it is crucial to adhere to the correct YAML format.

Ensure that you follow the YAML syntax rules while making any alterations to the config file. This includes correctly indenting elements, using appropriate punctuation, and maintaining the structure specified by the YAML format.

Relay Server logs all incoming connections and other operational activities for the purpose of troubleshooting and investigating any failures. To access these logs, you can retrieve by clicking on "Log Retrieval" on the "Relay Server Details" page.

Responder Hardware Requirements

Responder - Supported Operating Systems

Operating Systems that are supported by the responder

The AIR responder can be installed on Microsoft Windows, Linux, and Apple macOS operating systems. All supported operating systems and associated versions are listed below.

Responder - MS Windows supported systems

Windows 7 SP1 (with latest updates)
Windows 8
Windows 8.1
Windows 10
Windows 11
Windows Server 2008 R2 (with latest updates)
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2025

Responder - Apple macOS supported systems

macOS 10.15
macOS 11.0
macOS 12.0
macOS 13.0

Responder - Linux (DEB/RPM) supported systems

Centos 7
Centos 8
Centos 9
Fedora 21
Fedora 22
Fedora 24
Fedora 26
Fedora 34
Fedora 36
Amazon Linux 1 Latest
Amazon Linux 2 Latest
Redhat 7
Redhat 8
Redhat 9
Pardus 17
Pardus 21
Rockylinux 9
Rockylinux 8
Debian 7
Debian 8
Debian 10
Debian 11
Debian 12
Ubuntu 12.04
Ubuntu 14.04
Ubuntu 16.04
Ubuntu 18.04
Ubuntu 20.04
Ubuntu 22.10
Ubuntu 23.04
Ubuntu 24.04
Boss Linux 7
Boss Linux 8
Boss Linux 9
Boss Linux 10

All Linux distros can run on 32/64 bit and ARM64 architectures.

Responder - Chrome supported systems

Chrome 90+

AIR For Chrome

1- Click evidence collection for Chrome

The AIR responder standalone collector currently provides support for execution on Chrome v90+ operating systems.

AIR For Chrome is the evidence collector extension for Chrome and ChromeOS. AIR For Chrome extension allows investigators and analysts to capture forensically sound data with a single click at machine speed. All data is collected into a well-organized HTML report that is accompanied by individual CSV files. Investigators and analysts can use AIR For Chrome Extension to collect forensically sound data from Google Chrome and ChromeOS.

AIR For Chrome is the fastest and easiest way of capturing forensically sound data from Google Chrome browsers. The forensically sound data collected by AIR For Chrome are listed below.

Browser History

Responder for Golden Images

In AIR a Golden Image is for customers who want to use the same Operating System image files to generate new machines with a responder already installed. As AIR use the computer name/hostname of the machine/asset as a unique identifier for the machine/asset, customers cannot use the exact same image in which AIR Responder is already installed without newly introduced golden image support.

It basically cleans some configuration options set during registration and then disables and stops the Responder service before the image of the operating system is taken. To do this, we use `--prepare-golden-image' flag that is explained below. This must be called before the imaging process takes place.

After the image is prepared, the user must use --init-golden-image flag, which is explained below before the image is used to create a new instance.

--prepare-golden-image

The user must use this flag before creating a golden image.

Responder and Active Directory OUs

This page summarizes the capabilities and current limitations of Responder for Organization Units (OUs) within an Active Directory (AD) environment.

Key Points:

Current Capability:
- Once Active Directory integration is complete, the AIR will display the domain on the Assets page.
- Users can filter assets by clicking on their Organization Unit on the Assets page. Further filtering for "Managed Status in Managed" will show assets where the Responder is installed.
Limitations and Requests:
- As of now, AIR does not support querying or installing Responders directly at specific OU levels (e.g., SecurityTesting.AIR.local) beyond the root AD level (e.g., AIR.local).
- A feature request has been submitted to allow integration directly at the OU level to enhance targeted management within the domain structure.
Installation Note:
- The AIR Responder will report on systems where it is installed. It does not automatically install on systems within an AD environment where it is not already installed.

Integrating AIR with Active Directory: Permissions Information

When integrating AIR with Active Directory, it is important to note that the account used for this integration does not require Domain Admin permissions. The integration primarily involves LDAP searches for reading directory information. Therefore, having Domain Users permission is sufficient for LDAP integration with AIR. This ensures that the necessary operations can be performed securely without granting excessive privileges.

Conclusion: Efforts to extend AIR's integration capabilities to specific OUs are ongoing, following feedback and feature requests. This enhancement aims to provide more granular control and efficiency in managing cybersecurity operations across different organizational units.

Responder Exception Rules

Overview

Allow-listing is required for AIR responders to run acquisition tools, write temporary artifacts, and access protected areas of the file system. Without explicit exclusions in your Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), or antivirus solution, these routine activities can trigger false positives and interrupt evidence collection.

Use the tables below to add the recommended folder and binary exclusions for each supported operating system. Choose the entries that match your deployment to keep responders running without false positives.

Windows

Folders to Exclude:

C:\Program Files (x86)\Binalyze\AIR\agent\
C:\ProgramData\.binalyze-air

Binaries to Exclude:

C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe
C:\Program Files (x86)\Binalyze\AIR\agent\DRONE.exe
C:\Program Files (x86)\Binalyze\AIR\agent\TACTICAL.exe

Linux

Folders to Exclude:

/opt/binalyze/air/agent/
/usr/share/.binalyze-air/

Binaries to Exclude:

/opt/binalyze/air/agent/air
/opt/binalyze/air/agent/drone
/opt/binalyze/air/agent/tactical

macOS

Folders to Exclude:

/opt/binalyze/air/agent/
/usr/local/share/.binalyze-air/

Binaries to Exclude:

/opt/binalyze/air/agent/air
/opt/binalyze/air/agent/drone
/opt/binalyze/air/agent/tactical

AIR Watchdog Folder

AIR Watchdog Folder:

C:\ProgramData\.binalyze-air\ or %ProgramData%\.binalyze-air\*

The AIR Watchdog Folder (C:\ProgramData\.binalyze-air\ or %ProgramData%\.binalyze-air\) is a critical directory used by the AIR responder for storing internal data required to maintain and monitor the health and proper functioning of the AIR responder agent. This folder contains temporary files, logs, and configuration data that help the Watchdog component of the AIR platform ensure that the responder agent is running correctly and automatically restarts the agent if any issues arise.

Purpose of the Watchdog Folder

Health Monitoring: The Watchdog monitors the responder agent's status. If the agent stops unexpectedly or malfunctions, the Watchdog uses this folder to store diagnostic data and trigger the necessary actions (e.g., restarting the agent).
Temporary Storage: The folder stores temporary files used by the AIR responder during its forensic and investigative processes. These may include logs, process monitoring data, or execution-related files.
Configuration Data: The directory can also house configuration and state files that help the agent track its operational state, ensuring that it maintains continuity of processes even in the event of interruptions.

Exception Configuration

When configuring EDR (Endpoint Detection and Response) or AV (Antivirus) software, it is essential to exclude this folder from being scanned or interfered with. Failure to do so may cause unnecessary alerts or interruptions to the operations of the AIR responder, potentially halting the forensic collection process or causing data collection to fail.

Folder Path Variations

Absolute Path: C:\ProgramData\.binalyze-air\* This is the standard path used by the AIR Watchdog on Windows systems.
Environment Variable Path: %ProgramData%\.binalyze-air\* This variation uses the %ProgramData% environment variable, which points to the C:\ProgramData\ folder. It's a more dynamic way of referencing the same location in different system configurations.

Importance of Allow-Listing This Folder

For AIR to function seamlessly, especially during critical incident response tasks, excluding this folder from AV/EDR scans or interference is vital. The Watchdog service ensures that the responder remains operational and recovers automatically if disrupted.

To ensure uninterrupted operation, follow these allow-listing rules in your security setup:

Windows AV/EDR Systems: Allow-list the folder C:\ProgramData\.binalyze-air\*
Linux/macOS Equivalents: Similar watchdog components may exist in those environments within paths like /usr/share/.binalyze-air/ or /opt/binalyze/air/agent/ (adjust based on OS).

By allowing the Watchdog folder, you ensure AIR remains resilient and responsive, even in the event of unexpected issues.

Responder in Windows Safe Mode

AIR Responder Operation in Windows Safe Mode

AIR Responder is now capable of functioning in Safe Mode, allowing forensic acquisition and remote tasking on machines operating in a restricted state. However, to maintain full functionality and allow task execution via the AIR Console, specific registry modifications must be applied before entering Safe Mode.

Enabling AIR Responder in Safe Mode

Before booting into Safe Mode, execute the following Registry modifications to register the AIR Agent Service:

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Binalyze.AIR.Agent.Service" /VE /T REG_SZ /D "Service" /F

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Binalyze.AIR.Agent.Service" /VE /T REG_SZ /D "Service" /F

These registry changes can also be enforced via the Windows UI by running msconfig to get to the System Configuration window where in the Boot tab, the user can select Safe Boot with the Network button active:

These registry entries ensure the AIR Agent Service is recognized and loaded in Safe Mode.

Behavioral Scenarios

Safe Mode with Networking

If a machine enters Safe Mode with Networking, the AIR Agent will continue operating as expected, maintaining communication with the AIR Console.

Safe Mode (Without Networking)

The AIR Agent cannot communicate with the console if networking is unavailable unless an off-network package is used for forensic acquisitions.

Remote Task Execution

Without the registry modifications, the AIR Console cannot issue remote tasks to the endpoint in Safe Mode.
Adding the registry keys before booting into Safe Mode ensures that Responder and interACT remain functional.

Manual Execution in Safe Mode (Not Recommended)

If the registry modifications are not applied and the AIR Agent does not load, users can manually execute AIR.exe after entering Safe Mode to establish a temporary connection.
However, this approach is not recommended due to potential inconsistencies and administrative overhead.

By proactively applying the recommended registry changes, organizations can ensure seamless forensic investigations even when endpoints are booted in Safe Mode.

Security

Two-factor authentication (2FA)

In AIR (Settings > Security > Authentication), two-factor authentication (2FA) is a security feature designed to enhance user account protection by requiring two forms of verification when logging in. This adds an additional layer of security beyond the traditional username and password combination, significantly reducing the risk of unauthorized access.

Some key points about 2FA in AIR:

LDAP User Compatibility with 2FA: AIR supports two-factor authentication (2FA) for LDAP users. You can easily configure 2FA directly from the account settings within AIR, making the setup process straightforward and efficient for centralized user management systems.
Administrators can enforce two-factor authentication (2FA) for all users. This uniform security policy enhances overall security by requiring all users to authenticate with an additional method, such as a one-time password (OTP) sent to a mobile device or generated by an authenticator app.

Settings

Console Settings

All console settings can be accessed via the gear icon in the top-right corner of the header bar. This page provides a complete guide to configuring and managing settings across AIR, including:

General Settings: Platform-wide configurations.
Assets: Managing asset inventories.
Security: Setting up security features.
Features: Customizing AIR’s core functionalities.
Evidence Repositories: Configuring storage for collected evidence.
Policies: Defining evidence collection rules.
User Management:
- Users
- Groups
- UserRoles
Backup and Backup History: Managing backups and retention schedules.
Investigation Hub Disk Usage: Empowers users to manage Investigation Hub data storage effectively.
Danger Zone.

Each section ensures optimal setup for your AIR environment.

Security

SSL Certificate

Enable secure connections between AIR Console and users/assets by using SSL encryption.

Certificate: This displays the SSL certificate details used by AIR for secure HTTPS communication. In this case, the certificate is issued by Let's Encrypt (Issuer: Let's Encrypt, Common Name: R3) and is valid for a specific period (e.g., from 2022.09.18 to 2022.12.17).
Subject: The Common Name (CN) field shows the domain (e.g., air-demo.ACME.com) to which the certificate applies.
Having an SSL certificate ensures that all communications between users and the AIR Console are encrypted, preventing unauthorized access to sensitive information.

SSL Root CA

Acts as the root certificate authority (CA) for issuing certificates if a custom SSL certificate is not provided.

AIR generates an SSL Root CA for each instance when a custom certificate isn’t supplied. This certificate is used to create secure communication channels within the system.
Issuer and Subject: Both are BINALYZE R1, ensuring that the root certificate is tied to the Binalyze platform.
Validity: The root CA certificate is valid from 2017.10.14 until 2100.10.14, ensuring long-term use and security.

Console Port

Define the port over which the AIR Console is accessible.

The AIR Console is configured to be accessed on port 8443, which is a secure port typically used for HTTPS traffic.
Meanwhile, responders will continue to communicate with the console over the default secure port 443. This setup ensures that assets and users can access the platform via separate but secure ports, enhancing security and flexibility.

IP Restriction

Restrict access to the AIR Console based on IP addresses.

This feature allows administrators to restrict access to the AIR Console to a specific range of IP addresses, limiting who can interact with the console.
Important: This restriction does not affect communication between the AIR Console and the assets themselves. It only controls who can access the console’s user interface.
The current IP address of the user accessing the system (e.g., 172.71.122.69) is displayed for reference.

Authentication

Configure user authentication security settings.

You can enforce Two-Factor Authentication (2FA) for all users, adding an extra layer of security by requiring a second form of verification (e.g., a mobile app code) when logging in. (SSO will override this option)

This setting enhances overall security by ensuring that only authenticated and verified users can access the system.

Single Sign-On (SSO)

Enable and configure Single Sign-On (SSO) for AIR.

SSO allows users to log in to AIR using their organization’s existing identity provider (e.g., Azure AD, Okta) without needing separate credentials. This simplifies the login process and enhances security by centralizing authentication management.
Tenant ID and Client ID: These are provided by the SSO identity provider (e.g., Azure, Okta) and uniquely identify the organization’s SSO configuration.
Client Secret: A secure key used for authenticating the connection between AIR and the SSO provider (shown as encrypted in the system).

SSO improves user management and security by centralizing login credentials with your existing identity provider, simplifying the user experience while ensuring strong authentication practices.

Evidence Repositories

AIR allows you to set up various Evidence Repositories for storing and managing collected data securely. The supported repository types are:

SMB: Ideal for sharing files across network devices.
SFTP: Utilizes SSH for encrypted data transfer.
FTPS: Combines FTP with SSL/TLS for secure transfers.
Amazon S3: Provides scalable cloud-based storage, perfect for large-scale investigations.

Key Features:

Global or Organization-Level Setup: Repositories can be defined at both global and organizational levels, providing flexibility in evidence management across multiple AIR instances or within a single organization.
Secure Data Management: Protocols like SFTP and FTPS ensure that data transfers are encrypted, safeguarding sensitive information during uploads and downloads.
Automatic and Manual Uploads: Evidence can be automatically uploaded to repositories based on configured tasks, or users can manually upload files as needed.

This setup ensures secure, scalable, and efficient management of evidence within AIR, accommodating various infrastructure needs.

Policies

Policies serve to define how evidence is collected and managed, providing fine-grained control over resources and processes.

Policies in AIR provide central configuration management and support global configurations that can be overridden at the Organisation level when required.

This overriding is only possible when the user has the “Override Policy” privilege allocated to their role.

Key Components:

User Management

AIR > Settings > User Management > Users:

This section enables administrators to view existing users and their attributes. It also allows for the addition of new users to the AIR platform, where key details such as name, organization, role, and login credentials are specified during setup.

For organizations needing to onboard multiple users simultaneously, the Import Users button provides bulk user import capability via CSV file upload or email list. Optional metadata such as organization, role, or group can be included for automatic assignment. A preview step allows validation before changes are applied, expediting onboarding for large enterprise security operations teams while reducing human error and maintaining consistent access structures.

Mandatory fields are marked with an asterisk (*).

User Roles

In AIR, the Global Admin has full control over managing 109 specific privileges, allowing the creation of highly customized user roles. This granular access control ensures that each user or group has permissions tailored to their specific needs, such as handling evidence acquisition, interACT sessions, or audit log management.

A useful feature within this setup is the tooltips provided alongside each privilege. These tooltips highlight any dependencies that may exist between privileges, helping administrators configure roles accurately without unintentionally restricting necessary functions.

For example, an admin could create a role that enables a user to access interACT for remote evidence collection while restricting access to audit logs or system-wide settings. The tooltips ensure that admins are aware of any required privileges to avoid misconfigurations.

This approach provides both flexibility and clarity, empowering admins to manage user roles effectively.

Backup

AIR > Settings > Backup:

The AIR Backup feature allows users to back up system data securely and flexibly through the UI or Command Line Interface (CLI). Backups can be stored locally, on SFTP, or in Amazon S3, and encrypted using AES256 with a password.

Backups can be performed immediately or scheduled at intervals of every 4 hours, daily, weekly, or monthly. Users can set the number of backups to retain and the scheduled start time. CLI backup options are available, with detailed instructions in the Knowledge Base.

AIR > Settings > Backup History:

This page displays the Backup History available to the AIR console.

AIR Backup File Naming Convention

AIR backup files use a structured naming format that embeds timestamp and version information directly into the .abf filename. This makes it easy to identify when a backup was created and which internal backup schema and AIR console version were used.

Example Filename

Filename Components

Date Component: 25-11-17

25 = Year (2025)
11 = Month
17 = Day

Time Component: 6-6-0-026

Represents the exact creation time of the backup:

6 = Hour
6 = Minute
0 = Second
026 = Millisecond

Backup File Format Version: v4

Indicates the internal backup schema/version used by AIR. This ensures compatibility between console versions and the expected backup structure.

AIR Console Version: AIRv5.5.1

Shows which AIR version generated the backup.

File Extension: .abf

AIR Backup File.

Summary

~25-11-17_6-6-0-026_v4_AIRv5.5.1.abf means the backup was created on 17 November 2025 at 06:06:00.026, using the v4 backup format, from an AIR 5.5.1 console.

Investigation Hub Disk Usage

This feature empowers users to manage Investigation Hub data storage effectively and is fully explained here: Investigation Hub – Data Usage Statistics Dashboard.

Danger Zone

Killswitch: Cancel All Running Tasks

The Killswitch is a powerful administrative control available under Settings > Danger Zone in the AIR Console. It allows Global Admins to immediately cancel all currently running cancellable tasks across the entire platform, without needing to select individual assets or tasks.

Safety Confirmation

To safeguard against accidental activation, a case-sensitive confirmation is required. You must, before the operation can proceed. Type the exact phrase:Cancel All Tasks

Note: This action cannot be reversed.
Only tasks that are in a cancellable state will be affected.

Use this feature carefully, particularly during large-scale investigations or scheduled operations.

Organization Settings

Organizational Controls

From the top bar, the drop-down allows the user to select:

Organization Settings

Account Settings

The Account Settings section in AIR allows users to manage personal preferences and session details. This section is accessible via the user icon located in the top-right corner of the AIR interface toolbar.

What You Can Do in Account Settings

View Account Details: Includes your registered name, surname, email address, and username.
Change Password: Locally authenticated users can update their password directly from here.
Sign Out: Securely log out of your AIR session.
Customize Theme Preferences: Switch between Light and Dark Mode or set the UI to follow system time-based settings.

Dark Mode

The AIR interface supports a Dark Mode UI theme, providing a modern, eye-friendly visual style that is ideal for use in low-light conditions or during extended periods of use. This feature:

Enhances usability and reduces eye strain.
Can be toggled manually between Light and Dark modes.
Includes an Auto mode that adapts the UI based on your machine's time zone and daylight saving hours, ensuring a seamless experience.

Dark Mode aligns with current UI standards and user expectations, supporting a comfortable and productive working environment.

User Profile Photos

Users can upload their own profile images. These will be displayed across the AIR console UI in user-facing areas, such as the user menu, case history, and activity logs. Supported for both regular and SSO-authenticated users, although not synced from the identity provider.

Updating

Updating the AIR console

Features

Fast, remote, and scalable across the corporate network

API

Explore our comprehensive resource at docs.binalyze.com.

The AIR API facilitates seamless communication with the AIR console, enabling users to collect information or execute tasks with precision and efficiency.

We provide sample requests in various programming languages, including Go, Python, and Java, as well as sample cURL requests to equip users with comprehensive integration resources. These samples serve as practical guides, showcasing the seamless implementation of our API functionalities across different development environments.

To access detailed documentation and unlock the full potential of our API, we invite developers to explore our comprehensive resource at docs.binalyze.com. Here, you can find in-depth explanations, tutorials, and reference materials that guide you through the integration process seamlessly.

Our API documentation, which includes detailed endpoint descriptions, authentication guidelines, and practical code examples, offers invaluable insights for developers at every stage. Leverage the power of our API at docs.binalyze.com to empower your development journey and unlock new possibilities.

Enhanced API Token Management with Role-Based Access Control

API Token Management supports role-based access control (RBAC), which enhances security and flexibility while reducing the need for excessive permissions.

Global Admins can only create and modify API tokens.
Granular Permissions: Tokens inherit only the privileges of their assigned role (e.g., read-only or custom roles), preventing over-permissioning.
Post-Creation Role Updates: Token permissions can be modified after creation, allowing for dynamic access control.
Governance & Security:

API token management in AIR has role-based limitations, allowing API usage to be tailored according to the selected role. This capability refines automation workflows and strengthens access control policies.

API is likely to be more effective than Webhooks

Why Using the API in AIR is Likely to be More Effective

APIs and webhooks both serve as methods for integrating systems and enabling communication between applications, but they are suited for different use cases. In many scenarios, using APIs is recommended over webhooks due to the control, flexibility, and broader operational capabilities they offer.

Acquisition

Data acquisition is the collection of forensically sound data from any computer system (disk, external storage, memory, etc.). This data generally varies based on the operating system installed on the computer or server. Acquired data often needs to be parsed, stored, and presented in a human-readable format for further analysis and investigation.

Data acquisition is the primary activity of most digital investigations. Before data acquisition, the investigators generally identify the data they’ll need. Since data or evidence is an essential element of any investigation, investigators tend to take as much as they can in the first instance to avoid, if possible, a second acquisition. Therefore, the power of the digital investigation and DFIR solution is often proportional to the acquisition capability and the features associated with it.

AIR provides easy-to-deploy and fast data acquisition capabilities with a wide range of operating systems supported for the collection of 600+ forensically sound data types. AIR provides remote data acquisition for on-premise, cloud, and off-network devices. Thus, investigators can remotely investigate multiple devices at speed and scale.

AIR supports a growing number of operating systems, including Windows, Linux, macOS, ChromeOS, ESXi, and IBM AIX.

The results of AIR's Acquisition and Hunt/Triage processes can be further analyzed using DRONE's automated Post Acquisition Analyzers. DRONE's findings, along with all collected artifacts, are then presented within the Investigation Hub.

The AIR responder needs to be deployed first to acquire data. All data acquisition is performed according to the Data Acquisition Profile created before the acquisition is started.

Supported Evidence

These pages categorize the supported evidence and artifacts by OS, indicating whether each item is parsed and presented in the Investigation Hub and/or if the associated file is collected.

The table below provides a count of the currently supported evidence and artefact items

$Boot

Overview

Evidence: $Boot Description: Dump Raw Contents of $Boot File Category: DiskFilesystem Platform: windows Short Name: ntfsboot Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

$LogFile

Overview

Evidence: $Log File Description: Dump raw contents of $LogFile Category: DiskFilesystem Platform: windows Short Name: ntfslog Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

$Secure:$SDS

Overview

Evidence: $Secure:$SDS Description: Dump Contents of $Secure:$SDS Category: DiskFilesystem Platform: windows Short Name: securesds Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

The $Secure file contains security descriptors for all files and directories on the NTFS volume. These descriptors include access control lists (ACLs), ownership information, and audit settings. The $SDS alternate data stream stores the actual security descriptor data, which is referenced by file entries to avoid duplication.

Data Collected

This collector gathers structured data about $secure:$sds.

$Secure:$SDS Data

Field

Description

Example

Collection Method

This collector uses kernel driver NTFS raw access to read $Secure:$SDS from each fixed NTFS drive.

Forensic Value

Security descriptors provide critical information about file permissions, ownership, and access control. This data can reveal unauthorized access, privilege escalation attempts, and security policy violations. Essential for investigating insider threats and understanding who had access to sensitive files.

$TxfLog $Tops:$T

Overview

Evidence: $TxfLog $Tops:$T Description: Dump Contents of $TxfLog$Tops:$T Category: DiskFilesystem Platform: windows Short Name: txflogtops Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Action1 RMM Logs

Overview

Evidence: Action1 RMM Logs Description: Collect Action1 RMM Logs Category: Applications Platform: windows Short Name: action1rmmlgs Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Active Directory Logs

Overview

Evidence: Active Directory Logs Description: Collect Active Directory Logs Category: Applications Platform: windows Short Name: adl Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Active Script Event Consumers

Overview

Evidence: WMI Active Script Description: Dump WMI Active Script Event Consumers Category: System Platform: windows Short Name: wmiasc Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

WMI ActiveScript Event Consumers execute VBScript or JScript code when specific WMI events occur. This is a powerful persistence mechanism that allows attackers to run arbitrary scripts with SYSTEM privileges in response to system events.

ActiveScript consumers are particularly dangerous because they don't require a file on disk (fileless persistence) and run with high privileges.

Data Collected

This collector gathers structured data about wmi active script.

WMI Active Script Data

Field

Description

Example

Collection Method

This collector queries WMI for ActiveScriptEventConsumer instances in multiple namespaces:

ROOT\Subscription
ROOT\DEFAULT
ROOT\CIMV2

Forensic Value

ActiveScript consumers are a common advanced persistence technique. Investigators use this data to detect WMI script-based persistence, identify malicious VBScript/JScript payloads, and track fileless malware techniques.

AmmyAdmin Logs

Overview

Evidence: AmmyAdmin Logs Description: Collect AmmyAdmin Logs Category: Applications Platform: windows Short Name: aammyadmnlg Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Antivirus Information

Overview

Evidence: Antivirus Information Description: Collect information about installed antivirus Category: System Platform: windows Short Name: avi Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

AnyDesk Logs

Overview

Evidence: AnyDesk Logs Description: Collect AnyDesk Logs Category: Applications Platform: windows Short Name: nydskl Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

AnyDesk is a widely-used remote desktop application frequently leveraged by both legitimate users and threat actors. It stores trace logs, configuration files, connection traces, and recorded sessions. The software is commonly abused for initial access and persistence in cyber attacks.

Data Collected

This collector gathers structured data about anydesk logs.

Collection Method

This collector gathers AnyDesk trace files, configuration files, connection trace logs, and recorded session files from user and system directories.

Forensic Value

AnyDesk artifacts are critical for investigating unauthorized remote access, as the tool is frequently used in ransomware attacks, tech support scams, and remote access trojans. Logs reveal connection IDs, session times, file transfers, and can link to specific AnyDesk addresses used by attackers.

Apache Logs

Overview

Evidence: Apache Logs Description: Collect Apache Logs Category: Applications Platform: windows Short Name: apcl Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

Apache HTTP Server and Tomcat logs record web server activity including access logs, error logs, and application-specific logs. These logs are critical for understanding web server operations and detecting web-based attacks.

Data Collected

This collector gathers structured data about apache logs.

Collection Method

This collector gathers Apache and Tomcat log files from standard installation directories in Program Files, collecting access logs, error logs, and other server activity logs.

Forensic Value

Apache logs are essential for detecting web attacks, unauthorized access attempts, data exfiltration, and command injection. They reveal attacker IP addresses, requested URLs, user agents, and exploitation attempts against web applications.

AppCompatCache

Overview

Evidence: AppCompactCache Description: Enumarate AppCompatCache (aka ShimCache) Category: System Platform: windows Short Name: appcc Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

AppPaths

Overview

Evidence: AppPaths Description: Enumerate AppPaths Category: System Platform: windows Short Name: apppaths Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

ARP Table

Overview

Evidence: ARP Table Description: Collect ARP Table Category: Network Platform: windows Short Name: arpt Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

The ARP (Address Resolution Protocol) table maps IP addresses to physical MAC addresses on the local network. Windows maintains this cache for performance, storing recent IP-to-MAC mappings from network communication.

ARP cache can reveal devices the system has recently communicated with on the local network, including routers, file servers, and other workstations.

Data Collected

This collector gathers structured data about arp table.

ARP Table Data

Field

Description

Example

Collection Method

This collector uses Windows API to enumerate ARP cache:

GetIpNetTable to retrieve all ARP entries
Parses MAC addresses into readable format
Records adapter associations

ARP entry types: Other (1), Invalid (2), Dynamic (3), Static (4).

Forensic Value

ARP cache reveals local network communication patterns. Investigators use this data to identify devices on the local network, detect ARP spoofing attacks, track lateral movement targets, identify network infrastructure devices, correlate with network connections, and detect man-in-the-middle attacks.

Avast Logs

Overview

Evidence: Avast Logs Description: Collect Avast Logs Category: Applications Platform: windows Short Name: avstls Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

AVG Logs

Overview

Evidence: AVG Logs Description: Collect AVG Logs Category: Applications Platform: windows Short Name: avgls Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Avira Logs

Overview

Evidence: Avira Logs Description: Collect Avira Logs Category: Applications Platform: windows Short Name: avrals Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Bitdefender Logs

Overview

Evidence: Bitdefender Logs Description: Collect Bitdefender Logs Category: Applications Platform: windows Short Name: btfndrls Is Parsed: No Sent to Investigation Hub: No Collect File(s): Yes

Background

Bitdefender is an enterprise-grade security solution that maintains detailed logs of endpoint protection, firewall activities, malware detections, and system events. Logs include XML-formatted system events, firewall logs, and database files containing threat intelligence.

Data Collected

This collector gathers structured data about bitdefender logs.

Collection Method

This collector gathers Bitdefender logs from multiple locations including Endpoint Security logs, Desktop profile logs, system XML files, firewall logs, and database files containing security event data.

Forensic Value

Bitdefender logs are critical for investigating security incidents, tracking malware detections, analyzing firewall blocks, and understanding endpoint protection events. They provide comprehensive visibility into threats, network traffic controls, and security posture over time.

Brave Extensions

Overview

Evidence: Brave Extensions Description: Collect Brave Extensions Category: Applications Platform: windows Short Name: bext Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Brave Favicons

Overview

Evidence: Brave Favicons Description: Collect Brave Favicons Category: Applications Platform: windows Short Name: bfico Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Brave Thumbnails

Overview

Evidence: Brave Thumbnails Description: Collect Brave Thumbnails Category: Applications Platform: windows Short Name: bthmb Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

Browser thumbnails are cached preview images of visited websites. This visual data supplements browsing history by providing screenshots of accessed pages, useful for recovering deleted history and identifying visited content.

Data Collected

This collector gathers structured data about brave thumbnails.

Brave Thumbnails Data

Field

Description

Example

Collection Method

This collector extracts cached thumbnail images from browser storage.

Forensic Value

Thumbnail analysis provides visual evidence of visited websites, can recover evidence after history deletion, and helps identify phishing pages, malicious sites, or sensitive internal resources accessed by users through visual inspection.

Adding proxy to Responder

Why Proxy Support

Responder establishes connections to remote servers over HTTP, HTTPS, NATS, SFTP, FTPS, SMB, and Websocket over HTTPS. Please note that the supported protocols are subject to change in the future.

Responder primarily communicates with the AIR Console via HTTP/S, as HTTP/S is the most essential protocol.

There is a requirement to tunnel the responder’s connections over a different server, not to directly communicate with AIR Console or other servers. As a result, we implemented the proxy feature for all types of communication methods, which is entirely optional. Although it is optional, we enable the Proxy feature of the responder by default during the initial installation. However, previous installations without the proxy feature are unaffected, and the feature remains disabled. This means upgrading an existing responder to a version <= v2.15.x will not be affected by this new feature as long as it is not enabled explicitly. Enabling and disabling the proxy feature manually is documented below. Please note that, as of now, the only way to enable or disable the proxy feature is to run the related commands on the machine. That is to say, it cannot be changed remotely via the AIR Console.

Proxy Server Types

In this document, we are only interested in Forward proxy servers. Other types of proxy servers, such as reverse proxy servers and transparent proxy servers, are out of scope.

We only support forward proxy servers that support HTTP Tunneling with the HTTP Connect method and SOCKS5 proxy servers.

Note that we also support HTTP proxy servers using SSL/TLS encryption via HTTPS protocol; however, the SSL certificate of the server must be a valid certificate, or the CA certificate of the server certificate must be loaded to the machine to determine whether the encrypted connection is secure or not.

The responder uses the system’s SSL/TLS certificate validation methods and AIR Console’s CA certificate to validate the certificates of the remote server.

We will also describe how we handle Authenticated Proxy Servers below.

We anticipate encountering more issues with HTTPS proxy servers, authenticated proxy servers, and SSL interception/bumping in the future. Because of this, the proxy configuration of these types of servers and the Agent must be performed carefully.

Configure Proxy Settings

There are different ways to configure the proxy settings for all supported platforms, including the machine and the Agent. Due to historical reasons, responders can detect proxy settings on different platforms from various sources. As a result, our detection of the proxy settings logic is described below.

If ProxyEnabled: false or missing ProxyEnabled option in the agent’s config.yml file, we skip reading proxy settings. Missing ProxyEnabled option means ProxyEnabled: false, implicitly.
Try to find proxy settings using AIR_HTTP_PROXY and AIR_HTTPS_PROXY environment variables. If they are set, they will be used as the source of proxy settings.

Note that setting one of the HTTP_PROXY, HTTPS_PROXY, AIR_HTTP_PROXY, or AIR_HTTPS_PROXY environment variables is sufficient to use a single proxy address.

You must restart the responder’s service if there is a change in the environment variables or config.yml file changes to let the Agent take the new values into account.

Configure Proxy Settings on Linux

AIR_HTTP_PROXY, AIR_HTTPS_PROXY, HTTP_PROXY, HTTPS_PROXY, http_proxy, and https_proxy proxy server environment variables are used if they are set. We use them to configure the Agent's proxy behavior. In addition to these environment variables AIR_NO_PROXY, NO_PROXY, and no_proxy environment variables are also used if they are set as long as a proxy server is set in the proxy environment variables.

We use an additional AIR_ prefix for responder-specific proxy environment variables to let users set a proxy server for only the Agent or use a different proxy server for the responder.

Since the Agent runs as a service or daemon, users need to configure the proxy settings using the following method.

If /etc/environment.d/binalyze-air-agent.conf does not exist, create it.

Open /etc/environment.d/binalyze-air-agent.conf and add the following example lines to it:

AIR_HTTP_PROXY=proxy.example.com:3128 AIR_HTTPS_PROXY=proxy.example.com:4128 AIR_NO_PROXY=localhost,127.0.0.0/8,::1

The responder's systemd service file will read the changes made to the edited file. Therefore, it is necessary to reload the changes and restart the service for the changes to take effect. You can do this by running the following commands:

sudo systemctl daemon-reload sudo systemctl restart Binalyze.AIR.Agent.service

You should keep in mind that using systemd’s approach to override service settings to set proxy settings can create an issue after uninstalling the responder from the machine. Because the overridden service settings are retained after uninstallation, installing a responder to that machine after uninstallation will utilize the overridden service configuration.

Configure Proxy Settings on macOS

Setting proxy environment variables, as in Linux, is a way to configure a proxy for the responder.

As the agent works as a daemon in the macOS system with root privileges under the launchd service manager, we can set the environment variables like this

Open the launchd.conf file to add environment variables (Note that the file may not exist, you can create it)

sudo nano /etc/launchd.conf

Append the proxy environment variables like this. Alternatively, you can skip AIR_ prefix but it will affect other programs in the system.

# ... setenv AIR_HTTP_PROXY proxy.example.com:3128 setenv AIR_HTTPS_PROXY proxy.example.com:4128 setenv AIR_NO_PROXY *.local,169.254/16

The method above will require a reboot to be effective. Alternatively, you can use the other methods mentioned below without needing to reboot.

The second method for setting environment variables on macOS is to use the following commands.

sudo launchctl setenv AIR_HTTP_PROXY proxy.example.com:3128 # You should use the same command for other environment variables

The method above requires restarting the responder’s service like this:

sudo launchctl unload /Library/LaunchDaemons/com.binalyze.air-agent.plist sudo launchctl load -w /Library/LaunchDaemons/com.binalyze.air-agent.plist

Apple explains the third way to set a proxy for macOS systems with this link

You should bear in mind that only HTTP and HTTPS proxies are supported via System Settings > Network > ... > Proxies not SOCKS or other types.

macOS saves the credentials of the proxies set by System Sessions to the Key Chain. The responder doesn’t support Key Chain access to get the credentials, so we don’t recommend using authenticated proxies using this method. You can set the username and password of the proxy server using environment variables, which are explained in this document.

macOS launchd Tips

Question:

How do I set environment variables that persist across reboots for a specific daemon/service on a macOS system?

Answer:

To set environment variables that are persisted across reboots for a specific daemon or service on a macOS system, you can use the launchctl setenv command as follows:

Identify the name of the daemon or service that you want to set the environment variables for. This name is typically specified in the Label key in the daemon's property list file, which is stored in /Library/LaunchDaemons or /System/Library/LaunchDaemons for system-level daemons, or in ~/Library/LaunchAgents for user-level daemons and services.
Use the launchctl setenv command to set the environment variables for the daemon or service, using the -n option to specify the name of the daemon or service. For example, to set the FOO

sudo launchctl setenv -n com.example.myservice FOO bar

To verify that the environment variable has been set, you can use the launchctl getenv command, using the -n option to specify the name of the daemon or service. For example:

sudo launchctl getenv -n com.example.myservice FOO

This should print bar.

Keep in mind that the launchctl setenv command only sets environment variables for processes launched by launchd, and it does not modify the environment of processes that are already running. If you want to set environment variables for a running process, you will need to use a different method, such as setting the variables in the process's shell configuration file or using the export command in the process's shell.

Also, note that the launchctl setenv command only sets environment variables for daemons and services managed by launchd. If you want to set environment variables for other processes, you will need to use a different method.

The responder’s service/daemon name is com.binalyze.air-agent on macOS systems.

Configure Proxy Settings on Windows

As explained for Linux and macOS, the responder can also use the specified proxy environment variables for Windows.

The responder runs as a service using SYSTEM account on Windows systems. Because of this, a user’s proxy settings cannot be accessed by the SYSTEM account without using unnecessarily complex methods.

The responder can only access the system’s environment variables, not the user’s environment variables.

The first method is to use the proxy environment variables to set a proxy for the responder. There are different ways to set environment variables for Windows.

Question:

Please instruct me on how to set system environment variables for Windows systems.

Answer:

To set system environment variables on a Windows system, you will need to follow these steps:

Press the Windows key + R to open the Run dialog.
Type "sysdm.cpl" and press Enter to open the System Properties window.
Switch to the "Advanced" tab.
Click the "Environment Variables" button.

To set a new system environment variable, click the "New" button under the "System variables" section.
To edit an existing system environment variable, select it from the list and click the "Edit" button.

In the Edit Environment Variable window, enter the name and value for the environment variable.
Click "OK" to save the changes.
Close the Environment Variables and System Properties windows.

Note: You will need to have administrator privileges to make these changes.

The second method is to use the netsh command to set winhttp proxy.

Question:

Please instruct me on how to set a proxy using the netsh command on a Windows system with an administrator account.

Answer:

Press the Windows key + X and select "Command Prompt (Admin)" to open an elevated Command Prompt window.
Type the following command and press Enter to set the proxy server:

netsh winhttp set proxy [proxy_server_name]:[port]

Replace [proxy_server_name] and [port] with the actual values for your proxy server and port.

If your proxy requires authentication, you can use the following command to set the username and password:

netsh winhttp set proxy [proxy_server_name]:[port] "user=[username]&password=[password]"

Replace [proxy_server_name], [port], [username], and [password] with the actual values for your proxy server, port, username, and password.

To verify that the proxy has been set, you can use the following command:

netsh winhttp show proxy

This will display the current proxy settings.

Note: You will need to have administrator privileges to run these commands.

The third way of setting a proxy is to use the netsh winhttp set advproxy command. This is introduced after Windows 11.

Create a settings.json file like this:

{"Proxy": "10.211.55.3:3128", "ProxyBypass": "", "AutoconfigUrl": "", "AutoDetect": false}

Run the command like this:

netsh winhttp set advproxy setting-scope=machine settings-file=settings.json

To clear advproxy settings, you need to run the same command but settings.json should have empty fields like this

{"Proxy": "", "ProxyBypass": "", "AutoconfigUrl": "", "AutoDetect": false}

The fourth way of setting a proxy using the Windows registry is as follows:

Open the registry editor and go to the Internet Settings key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Set the values using proxy settings like this

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings] "ProxyEnable"=dword:00000001 "ProxyOverride"="*.noproxy.example.com" "ProxyServer"="example.com:3128" "AutoConfigURL"="http://example.com/wpad.dat"

You need to restart the responder’s service if proxy settings are changed.

Static vs Automatic Proxy

Automatic proxy means that we use the URL of the PAC file to get the proxy URL from the Operating System. Automatic proxy support is only applicable to macOS and Windows platforms. Other proxy settings are considered static proxy settings, and they require restarting the responder service if any changes are made.

There may be some issues if Automatic Proxy is used with our Isolation feature on Windows.

Because, for automatic proxies, wpad.dat or PAC files are fetched from the AutoConfigURL address by the Windows platform’s own services. Therefore, these services may not have access to the target URL during DNS resolution or HTTP request processing. This may grant the responder direct access to the remote servers, bypassing the proxy. If a direct connection is not allowed from that machine, the responder will not be able to communicate with the AIR Console. It is recommended that users exercise such scenarios for Windows platforms.

Authenticated Proxies

The responder obtains the proxy server’s authentication information using the proxy server's URL. For example, if a proxy is set using an environment variable AIR_HTTP_PROXY=http://username:[email protected]:3128 then the responder parses the URL and uses the username and password of the proxy server to send to the proxy server with an HTTP header, e.g. Proxy-Authorization: Basic encoded-credentials`

For authenticated SOCKS5 proxy servers, the URL structure is the same for authorization, and it uses the SOCKS5 protocol's authentication method, e.g. socks5://username:[email protected]:1080

NATS & Evidence Repositories

The responder uses a NATS client to connect to a NATS server over port 4222. NATS is used to get notifications from the AIR Console about the tasks in the queue. This helps the responder complete tasks promptly when assigned.

As our proxy requirement for the responder is to connect over a proxy server always, if it is set, the responder tries to connect to AIR Console’s NATS server using HTTP or SOCKS5 proxies, like regular HTTP connections. It uses the same HTTP Connect method to create a tunnel to the server for the NATS protocol.

If the proxy server does not support tunneling on port 4222, the responder attempts to connect to the NATS server directly, thereby bypassing the proxy server. Note that this is the default behavior for all non-HTTP protocols, SMB, FTPS, and SFTP.

SMB uses port 445.

SFTP uses port 22.

FTPS uses port 21 and high ports for data transfer.

If the proxy server is configured to open a tunnel for our supported protocols, there shouldn’t be any problem. Because of the fallback mechanism we use to bypass the proxy server when creating a tunnel fails, the responder should be able to send data to the remote server.

SSL Bumping/Interception

If the proxy server is configured to intercept SSL traffic between the responder and the AIR Console, several essential points must be considered.

CA certificate of the AIR Console should be considered valid by the proxy server. Otherwise, the proxy server cannot open a tunnel to the AIR Console.
The responder uses Websocket for interACT communication over the HTTPS protocol. However, some proxy servers, e.g., Squid, may not support WebSocket communication well when SSL Bumping is enabled. So, the proxy server must be configured to handle Websocket over HTTPS with SSL bumping if interACT is used. This can be verified by opening an interACT terminal on the AIR Console and seeing the established connection.

Enable / Disable Proxy

By default, the proxy support is enabled after fresh new installations of version >=2.16.x.

When the proxy support is enabled, the config.yml file contains theProxyEnabled: true entry. When this configuration is set to false or missing, it means it is disabled.

You can enable or disable proxy support by running the following commands after the installation or upgrade is successful. Note that you must be an administrator or root to run these commands.

Windows Enable:

"C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe" configure --enable-proxy

Windows Disable:

"C:\Program Files (x86)\Binalyze\AIR\agent\AIR.exe" configure --disable-proxy

Linux/macOS Enable:

/opt/binalyze/air/agent/air configure --enable-proxy

Linux/macOS Disable:

/opt/binalyze/air/agent/air configure --enable-proxy

These commands enable or disable proxy support to perform the following actions.

Check if the configuration change can be applied; otherwise, exit
Stop the responder’s service
Change the responder’s configuration
Start the responder’s service

Note that exit code 0 (zero) means success. Other exit codes indicate that an error occurred.