The outstanding coverage of Binalyze DFIR platforms for Windows clients is now also available for Linux.
This was a popular request from a large number of our users and customers so we incorporated the feature into our roadmap right away. This Friday we will officially launch it.
Linux incident response
Here is how you can install Linux packages. After you install the Binalyze AIR console onto your server go to: http(s)://[your AIR IP address]/#/deploy.
From the deploy page you will now have the option to install Debian and RPM Linux in addition to the familiar Windows option. Once you install the Linux package, AIR will recognize all machines and list them as endpoints on your AIR dashboard.
As Halkyn Consulting highlighted, Linux Incident response is often overlooked due to the belief that the operating system is more “secure” than other platforms, but as they state this is only partly true since attackers compromise Linux machines on a regular basis.
We are always looking for feedback so we are inviting all DFIR specialists to test the new version and share their feedback with us.
As part of this release, we also published an article on our SFTP feature that you can check Binalyze AIR supports SFTP.
For the Preview Release following distributions are supported and it will be extended to support more distributions in the upcoming releases.
- Debian 7 and above
- Redhat Enterprise Linux 7 and above
- CentOS 7 and above
- Fedora 21 and above
- Ubuntu 14.04 and above
- Other distributions supporting deb or rpm packages.
For the first preview release AIR provides only amd64 architecture builds and this will be extended to provide i386 and arm64 architectures.
For Debian based distributions, deb packages are provided by AIR Console to download and install deb packages manually using “dpkg” or “apt-get” commands.
For Redhat, CentOS, Fedora, rpm packages are provided by AIR Console to download and install rpm packages manually using “rpm” or “yum” commands.
Upgrade and uninstall are both supported over AIR Console and using the platform’s package manager.
Next release will include a generic deploy script to install packages for all supported platforms.
AIR Agent takes advantage of systemd services and SysV Init scripts to register agents as a service which enables the use of ”service” or “systemctl” commands.
First preview release of our Linux supports the following features and will be gradually improved to have more features like our Windows support.
- Acquisition: Supports the collection of the same evidence types by using our IREC Linux product.
- Compression and encryption are supported for case files.
- SFTP is supported to transfer case files to remote destinations securely.
- System resource usages (cpu, ram, disks) are reported to AIR Console.
- AIR Console can retrieve agent’s own log files.
- Update and uninstall over AIR Console.
Differences between Windows and Linux Agents
- Triage feature is currently not supported on Linux platforms but upcoming versions will include YARA engine to scan files and processes under Linux.
- Timeline and Isolation features are currently not supported on Linux platforms but future releases will include these features to align Linux support with Window support.
LIVE EVENT ALERT
We will have a pre-release live event on Thursday (1st April) where our CEO will showcase the new features and its functionalities.
You can register on Teams.
Also, we will have a live Q&A discussion during the event so make sure to join our Discord channel.