Welcome to Binalyze AIR Feature Highlights. My name is Emre Tinaztepe, and today I will demonstrate the timeline feature of Binalyze AIR and the CSV import feature for further enrichment of this timeline.
You can name many solutions that can create a timeline, starting from the traditional forensic solutions to open source command-line utilities. These are all great, but you need something much faster and easier to use when it comes to timeline creation in the quickest way possible. That was the motivation behind creating the Timeline feature in AIR.
Before demonstrating the enrichment with the CSV file, let’s first create a new timeline.
We will provide a unique name for this investigation and select a time zone so all events that AIR will collect from these endpoints will align and normalize to the selected timezone. In the following step, we will choose a number of endpoints that we want to extract events from, and click on “Create.”
By clicking create, you immediately assign a task to these endpoints to collect all relevant events and import them in a unified timeline. In around three to five minutes, the entire created timeline will appear in your AIR dashboard.
The great thing about the timeline feature is that it is collaborative so that multiple investigators can work on the same timeline simultaneously. Whenever they flag an event, it will be immediately visible to the other investigators.
All flagged events will appear in the flag section, which proves as a handy feature in the reporting phase.
CSV Import
Suppose you would like to enrich this timeline further by adding other endpoints. You can do that easily by clicking on the “Endpoint” button and selecting needed endpoints from the available list.
With the latest AIR version, we have extended this capability by adding support for custom CSV files. So now, we will enrich this timeline by using this new capability.
We will add a CSV file and import all the events from the file into the timeline in just four steps. For demonstration purposes, we will be using an MFT.
In the first stage, AIR shows a preview of the file format. So, when you click “Next,” you need to provide a mapping between the CSV columns to the timeline event properties. In the third step, optionally, you can filter your data by importing all records, by date, or by the number of records. Finally, you will see a preview of how the events will look when you import them into your timeline.
Once you click on “Import,” it will start processing the CSV file. As soon as you complete importing the file, you can simply click on “Go to timeline,” and it will bring you to the enriched timeline to start investigating.
That was all for today. I hope you enjoyed it.
You can try the enriched Timeline feature here.
