
Offline collection with AIR


The reality of modern incident response is that it’s not always possible to connect remotely to every one of your endpoints. Some assets are required to be standalone; others, such as laptops, may have become faulty; and others may have been taken off the network because they were compromised by, or are actively under attack from, the very breach you want to investigate.

Whatever the reason, there’s always going to be a scenario where you’ll need to investigate these disconnected assets. Binalyze AIR allows you to do just that, thanks to its powerful “Off-Network” collection and triage capability.

Binalyze AIR can quickly and easily generate Off-Network Agents that support Windows, macOS, and Linux machines you cannot reach over any network connection.

This capability allows analysts to run pre-configured Acquisition or Triage tasks on any unconnected asset, and to use DRONE, our post-acquisition compromise assessment module. All of the results of this activity can then be brought back into AIR for further investigation and inclusion in the Cases, Timelines or Consolidated Reports of wider investigations.

Let’s look at the steps in detail and share some options along the way:

You can access this Off-Network feature and generate an executable collection package via the Endpoints page > Add New > Off-Network button.

Or, as of version 3.8 of AIR, via the brand new Quick Start wizard as shown above.

Simple steps to create an off-network collector with Binalyze AIR

First, choose the Task type that you intend to run, Acquire or Triage.


If you’ve used the wizard, the next step will look like the screenshot above. Choose the endpoint platform type you’re anticipating. If you are unsure of the exact specification, simply build a package that covers every supported OS platform by selecting all of the available options.

Now you can give the Task a name and select which Acquisition Profile to use, or set up a new one. You can specify a whole range of useful options, including where to save the collection, whether to limit the Task’s CPU usage, whether to enforce encryption, and whether to compress the collection.

Having defined the task, the next step is to decide if you need DRONE to carry out any post-acquisition analysis or keyword searches. At this stage the MITRE ATT&CK analyzer, or any of the other standalone analyzers, can also be switched on or off as required.

With all of these options considered, when you’re ready, select ‘Download’ to generate the collection package or ‘Share’ to generate a shareable link, as shown below.

The resulting downloaded zip file includes all of the installation and configuration files required to carry out your collection or triage.

You can go back to edit your selections, or select Finish to progress to the next stage.

If you choose to share a link, you can distribute it as shown above; the link remains active for the next 24 hours.

To illustrate this, the example above shows the contents of a downloaded collection package. Now you can simply take this package to the off-network machine and run the binary to execute the acquisition task embedded within it.

Here is another example of a collection package, but this time it includes executables for all three operating systems: Windows, macOS and Linux.

The screenshot above shows what a completed AIR off-network agent acquisition looks like.

Once this task is completed, the acquired data can be found at the location you specified in the acquisition profile, in a newly created case directory with a .zip extension.

Now all you need to do is copy the newly created .zip file to another machine that can access the AIR Console, and upload the .zip container to the AIR Console.

To bring the off-network collection into AIR, simply select Add New > Off-Network.

Then select the Organization that generated the collection package (the wrong selection here will not open the .ppc or .zip). The collection can also be attributed to a Case if desired.

AIR will confirm both the successful application of a password together with the importation of the collected data.

You can now inspect the newly added endpoint in your Organization, along with the very first task created as a result of this first off-network collection.

The Task Details view for this off-network collection will reveal the password used to unlock the .zip file.

To make things easier, you can reuse the same collection package at any time. In the example above, the collection has been carried out a second time and the results are shown as a second endpoint task in the normal way.

Binalyze AIR also provides other standalone collectors.

Chromebooks, which are increasingly popular in the US market, have an ‘AIR for Chrome’ extension available from the Chrome Web Store.

Options such as the ‘Add to Chrome’ link are supplied in the deployment window shown above.

Once the extension is added, individual buttons let you control which artefacts are collected.

A collection made in this way will look like the one shown above, and it can be brought into AIR for Timeline analysis. Future versions of AIR will include agents for deployment to Chrome devices.

ESXi systems are also supported by a standalone collector. Again, you simply download the TAR file, extract it and run it; the resulting collection is an archive file.

Summary

Collecting data or performing IOC triage on off-network devices has never been simpler, faster or more comprehensive than it is now, thanks to Binalyze AIR. We’re also planning to have even more standalone collectors available as agents in future releases of AIR.

The integrity of the collection and its chain of custody are always protected by AIR’s encryption, SHA-256 hashing and RFC 3161 timestamping.

DRONE analysis, timelining and consolidated reporting across multiple endpoints all help analysts and investigators gain the best possible advantage in any DFIR investigation or proactive threat hunting activity.

If you regularly face the challenge of collecting evidence from offline endpoints, consider signing up for a free 14-day trial of AIR today and see for yourself the difference AIR can make in your DFIR workflows.