<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=3026858&amp;fmt=gif">

2 min read

New Isolation Feature puts investigation under your control

Featured Image

In the current cases in the DFIR world, there is a lot of confusion about which steps to take decisively and quickly at the endpoint side when something suspicious is found from the moment the investigation started, or from the moment the evidence is found.

As soon as these cases and findings begin, it is mandatory to contact the firewall or the relevant unit to close the connections of the endpoint in order to prevent lateral movement to any other location or to prevent data leakage to the outside world.

As you can see, at this point the investigators have to contact an outside body or unit to finalize this isolation process from time which takes time and it can jeopardize your investigation.

How Isolation makes this process with one single click?

Binalyze AIR now contains the Isolation feature that puts the investigation under the control of the Investigators / SOC Analyst teams by making it possible for them to disconnect any endpoint from the network with one single click immediately. In addition, since the communication with AIR continues, analysts can examine the isolated endpoint via AIR. 

Main advantages:

  1. AIR isolates the machine from the network with a single click immediately, a hard-to-find feature among digital forensic solutions. Normally firewalls or NAC devices are used for this purpose, with this feature we shorten the process without contacting any other product or department.
  2. Isolated machines can be further examined by the DFIR investigators which lets them continue the investigation without any disturbances or interference.

How Isolation works?

  1. Open endpoint dashboard on AIR and click on any endpoint. A slide window will open and you will see the “Isolation” button in the upper right corner.

Incident response

2. Once you click on that button a warning pops up to check if you are sure about the isolation task, click “Yes” and you isolated the endpoint from the network. Now you can investigate the machine without any disruptions.

Presently, the Isolation feature is available only for Windows clients but we will update you as soon as we make it cross-platform functional.

For now, we are only doing manual isolation, but in future versions, we will automate the isolation process of an endpoint in case of any findings with Drone and Triage integrations. Stay tuned for that.


We will have a pre-release live event on Thursday (1st April) where our CEO will showcase the new features and its functionalities.

You can register here.

Also, we will have a live Q&A discussion during the event so make sure to join our Discord channel here.

Make sure to check out our other features in this upcoming release on our blog here.


How to perform compromise assessment with 1 click?

Compromise assessment is an analysis of a network of endpoints or a single endpoint to uncover unknown security breaches, malware, and any sign of...

Read More

Microsoft Exchange Server Vulnerability Scanner (CVE-2021-42321)

UPDATE 15.11.2021.

Microsoft patches actively exploited Exchange, Excel zero-days (CVE-2021-42321). Please refer to their site for more details. 


Read More

The Tenth Step to Forensic Readiness: Legal review

When we plan our incident response strategies and forensic readiness steps, we strongly pay attention to digital evidence acquisition, storage,...

Read More