On Thursday, 1st April, Binalyze introduced the new AIR product release, whose main highlights are listed below:
- Endpoint Isolation
- Linux Support
- SFTP Evidence Repository
- Compression & Encryption
- Policy Support
Endpoint Isolation
Today in the DFIR world, when something suspicious turns up during an investigation, the investigator typically has to ask the firewall or network team to cut the endpoint's connections, in order to stop lateral movement to other hosts and to stop data leaking to the outside world.
Relying on an outside body or unit to complete this isolation step takes time and can jeopardize the investigation.
Binalyze AIR now includes an Endpoint Isolation feature that puts this step under the control of the investigators and SOC analysts: any endpoint can be disconnected from the network immediately with a single click. Because the endpoint's communication with AIR continues, analysts can keep examining the isolated endpoint through the AIR Console. Since the AIR channel is the one connection that is meant to survive isolation, it is worth confirming, from the host or from the network, that no other traffic is still getting through after the host has been isolated.
- AIR isolates the machine from the network immediately with a single click, a feature rarely found in digital forensics solutions. Normally firewalls or NAC devices are used for this purpose; with this feature AIR shortens the process without involving any other product or department.
- Isolated machines can still be examined by DFIR investigators, so the investigation continues without disturbance or interference.
Linux Support
The evidence coverage that the Binalyze enterprise forensics platform provides for Windows clients is now also available for Linux. All technical details and the list of supported Linux distributions can be found here.
SFTP Evidence Repository
SFTP is a file-transfer protocol that runs over SSH, so files travel over an encrypted, server-authenticated connection. Its main advantage here is that, with a pre-configured username and password, AIR can save collected evidence to a remote repository that MSSPs can later access to download it. As with any SSH connection, this protection only holds if the client verifies the server's host key and the account credentials are kept confidential.
Compression & Encryption
Efficiency and simplicity are at the core of Binalyze solutions, so this release adds compression and encryption: compression reduces network bandwidth and the disk space that evidence files occupy, and encryption keeps the evidence from being read by anyone who does not hold the password.
Collected evidence is compressed and encrypted with AES-256 inside a ZIP container, which is opened by supplying the password. Two practical caveats apply: the protection is only as strong as the chosen password, and ZIP encryption as commonly implemented leaves entry names and sizes readable in the archive directory, so the container conceals the contents of the evidence but not the list of what was collected.
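Before relying on a container that claims AES-256, a practitioner would want to confirm from the archive itself that its entries use the ZIP AES extension at 256-bit strength rather than the legacy ZipCrypto scheme, which is cryptographically weak. The script below is an added example written for this page, not Binalyze code; it inspects only the archive directory using the Python standard library and decrypts nothing. The sample archive it checks is constructed in memory with placeholder bytes where ciphertext would be (no real encryption or evidence is involved), and the entry names are invented.

```python
"""Check whether a ZIP evidence container really uses the ZIP AES extension
(and at what strength) rather than legacy ZipCrypto or no encryption at all.

Added example, not Binalyze code. Only the central directory is read; the
sample archive is hand-built with placeholder payloads, nothing is encrypted."""
import io
import struct
import zipfile

AES_METHOD = 99          # compression method value reserved for the AES extension
AES_EXTRA_ID = 0x9901    # extra-field header id used by the AES extension
STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def parse_aes_strength(extra):
    """Walk a ZIP extra field and return the AES strength byte, or None if absent."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack("<HH", extra[pos:pos + 4])
        body = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and size == 7:
            # body: vendor version (2), vendor id "AE" (2), strength (1), real method (2)
            return body[4]
        pos += 4 + size
    return None


def describe_entries(zip_bytes):
    """Return {entry name: description} from the archive directory alone.

    Entry names are readable here without any password, which is the
    caveat above: ZIP encryption hides contents, not the file list."""
    result = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:          # general-purpose bit 0 = encrypted
                result[info.filename] = "not encrypted"
            elif info.compress_type != AES_METHOD:
                result[info.filename] = "encrypted with legacy ZipCrypto (weak)"
            else:
                strength = parse_aes_strength(info.extra)
                result[info.filename] = STRENGTH.get(strength, "AES extra field missing or unknown")
    return result


def all_entries_aes256(zip_bytes):
    """True only if the container is non-empty and every entry is AES-256."""
    descriptions = describe_entries(zip_bytes)
    return bool(descriptions) and all(d == "AES-256" for d in descriptions.values())


def build_sample_zip(entries):
    """Build a minimal ZIP in memory from (name, payload, method, flags, extra) tuples.

    Constructed for this example only: payloads are placeholder bytes, the CRC
    is left at 0, and no encryption is actually performed."""
    local_records = b""
    central = b""
    for name, payload, method, flags, extra in entries:
        name_b = name.encode()
        offset = len(local_records)
        # local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
        local_records += struct.pack("<IHHHHHIIIHH", 0x04034B50, 51, flags, method, 0, 0x21,
                                     0, len(payload), len(payload), len(name_b), len(extra))
        local_records += name_b + extra + payload
        # central directory header: adds comment len, disk, attrs and the local header offset
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 51, 51, flags, method, 0, 0x21,
                               0, len(payload), len(payload), len(name_b), len(extra),
                               0, 0, 0, 0, offset)
        central += name_b + extra
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), len(local_records), 0)
    return local_records + central + eocd


# AES extra field declaring strength 3 (AES-256) over a deflated (method 8) payload
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)

# Constructed sample: one AES-256 entry, one legacy ZipCrypto entry, one plain entry
SAMPLE_ZIP = build_sample_zip([
    ("evidence/memory.raw", b"\x00" * 48, AES_METHOD, 0x0001, AES256_EXTRA),
    ("evidence/events.csv", b"\x00" * 48, 8, 0x0001, b""),
    ("manifest.json", b"{}", 0, 0x0000, b""),
])

if __name__ == "__main__":
    for name, description in describe_entries(SAMPLE_ZIP).items():
        print(f"{name}: {description}")
    print("container acceptable:", all_entries_aes256(SAMPLE_ZIP))
```

Run against a real evidence container, `describe_entries` takes the file's bytes and lists every entry with its encryption status; a mixed result, as in the constructed sample, means the container should not be treated as uniformly protected.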
Policy Support
Larger organisations with many endpoints have asked for a way to manage the configuration of tasks such as acquisition, triage and timelining so that they all comply with the organisation's broader policies and compliance requirements.
We now provide this functionality through the Policy Support feature.
If you want to apply predefined configurations (the evidence repository to use, whether compression is enabled, the encryption setup, a CPU usage limit, and so on) to an endpoint or a group of endpoints, you can define them as policies within AIR and target the group using filters.
This automates the investigation process: instead of defining separate rules for each endpoint, you create one policy and it is applied automatically.
To learn more about these features and how they work, watch the demo of the Binalyze AIR v1.7.35 release, in which Binalyze's founder Emre Tinaztepe demonstrates the new highlights.
To download the update, visit here.