Binalyze AIR 3.0 Cloud Forensics

Steve Jackson: We are live. Good afternoon, everyone. Good morning if you’re in the US. Good afternoon in Europe. Good evening in the Asia-Pacific region. My name is Steve Jackson. I’m the SVP of Growth here at Binalyze, and welcome to our Air 3.0 Cloud Forensics Launch Webinar.

While we’re just waiting for a few people to join the webinar, let me do some of the usual housekeeping. So, you’ll see a panel on the right-hand side where you can submit questions and comments. I would ask you to please do that. We will have a Q&A session at the end of the webinar, and we would love to see all of your questions and get to answer them then.

We also have a Discord server, for more technical discussion support, and also, Jaana has asked me to invite you all over to help influence the direction of the product. So, a link will be put into the chat in a few moments for you to go over to our Discord and to join there as well and join in the conversation.

And finally, if you are an existing Binalyze customer, you can access support in the usual ways, so, by email, and also for the knowledge base.

All right, a couple of things to begin with. Thank you for your time. We’ve actually smashed the previous record for our webinar, so thank you all for taking the time to join us. That’s really exciting for us. It’s a big release for us as well, so we appreciate you joining us.

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

I am joined today by two colleagues. The first one is Emre Tinaztepe, our Founder and CEO; and secondly, Jaana Metsamaa, hope I said that correct, Jaana, who is our VP of Product, and we’ll be taking you through the demonstration of the new features in a 3.0 in a short while.

All right, let’s get into it. So, we are ticking over from 2.X to 3.0 today. So that’s obviously a key moment for us, it’s an important milestone. So I just want to take a second to kind of reflect on that a little bit. Air 1.0 was way back in October 2019, when Emre was surrounded by about five people rather than what he is today.

And with Air 1.0, we introduced fast, remote and browser-native, I think, super important forensics, and by doing so, reduced the acquisition time from hours to minutes. So that was the goal way back with Air 1.0, and that started a phase of our development which was all around increasing the capacity in terms of what we can collect, the evidence that we can collect, and how quickly we can do that, and how quickly we can optimize the product.

Moving forward to Air 2.0, which I do actually remember, was May 2021, seems like yesterday actually, when we launched our drone technology to provide automated and assisted compromise assessment.

And that moment took us on into a phase where the product became also about incident response and had more of an investigation focus. And that’s something that throughout the 2.Xs we have continued to develop on.

Today, we are taking another leap forward. We’re moving into Air 3.0, October 2022. There seems to be a pattern there. So maybe May 2024 will be another one. And today we’re extending our capabilities onto cloud platforms.

And that will begin a phase of our development where we’re scaling the breadth and depth of not just evidence acquisition, but the whole digital forensics and incident response capability of the product. So, an important milestone, really exciting for us.

And as I said before, we’re glad that so many of you could join us. These processes, these phases of our development, are all aligned to our product vision and our philosophy, as well.

So, our philosophy from the beginning has been to make everything that we do lightning fast and easy to use, a transformative concept in the forensics world, and our vision is to offer a multi-talented DFIR solution for both enterprises and MSPs that enables most digital forensic investigations to be concluded in less than four hours.

So by ‘concluded’, we mean from soup to nuts, from the beginning to the end in four hours. That’s our goal as a business. We still have a lot on the roadmap to help us deliver that and make that a reality, but that’s what we’re aiming for.

So, let’s have a look. What are we going to look at today? So, for our cloud forensic capability, we have basically three phases of rollout, and we’re launching and making available today phase one of that rollout.

So, what we will show you in the rest of the webinar is the phase one ability to integrate cloud accounts into the Air platform, to enumerate and manage assets from the Air platform in the cloud, and also unlock our best-in-class forensic and investigation tools that we already have for on-premise assets.

We are doing that today for AWS and for Azure, and we have Google Cloud platform on the way. There is a phase two and a phase three, which we’ll discuss at the end of the webinar. So please stick around to the end so that you can see what we have coming. There are some not-too-subtle hints there in the graphic.

Now, when we were deciding how to approach cloud forensics, we heard the agent versus agentless debate getting louder, and we do have some solutions on the way that will be agentless, but we also know from our experience that agents are actually essential in certain-use cases if you want to do forensics properly.

And we’re starting to see the rest of the market turn in that direction as well right now. So, strategically we’re taking a hybrid approach and using both agent and agent lists based on the requirements. So, a passive resource-light agent where required plus agentless operation where possible.

Now, one of the big benefits that we believe we bring to the cloud forensic space is actually our existing footprint. So we already have one tool for all of your assets, all of your desktop and laptop assets. We cover Windows, we cover Linux, we cover macOS, which we launched back earlier in the summer, we also have a Chromebook collector, and we also cover ESXi.

So we have the largest footprint in the market in terms of digital forensic capability. And that, now that we’re adding AWS and Azure, and in the future, Google Cloud platform, allows you as a business to consolidate, to standardize the investigative process and ultimately to save money. So we see that as one of the big value propositions for using Binalyze Air for your cloud forensics.

We also have a really comprehensive capability, which we’ll take you through in the rest of the webinar. So that started with evidence acquisition. It’s moved into instant investigation and also breach remediation tools, as well. And we’ll talk more about that as we go through the webinar. But all of those capabilities are also wrapped with automation, collaboration and integration tools, as well.

So, let’s look at the first pillar, let’s say, of what we’ll be showing you today. So, adding cloud platforms into the Air platform itself.

So, the key deliverables here were really guided by our customers. That’s something that we’ve done from the beginning, not just for cloud. So we listened to what our customers wanted, we asked them what they wanted, and they told us very clearly that they were looking for a solution in the cloud that has a very low admin overhead.

So, keeping the security admin overhead as low as possible to make it easier to approve and easier to deploy the solution within the enterprise environment.

They also asked us to find a balance between the admin overhead and frictionless use. So simple, fast, one-time setup that has an element of persistence without overstepping into security and admin space.

And they also told us that there’s a multi-cloud world, so we need to be able to support multiple accounts, and also it’s a multi-customer world for many of our MSP partners. So they need that multi-tenancy extended into the cloud space as well, and that’s something that we have done.

They also told us some other things, as well. So, specifically with roles and users, that security teams these days are large and distributed geographically. So they wanted the ability to manage those teams, and they wanted the ability to control access to individual users in a very granular and tight way.

And that capability has been built into Air. We’ve delivered on paralleled control over users and roles. 106 role variables, which now includes cloud as well, unlimited role definition, as well as an organization in case architecture, which adds as additional granularity.

All right, so the second pillar will be cloud asset management. And again, we went to our customers to listen to what they needed. So they told us that they wanted it to be easy to enumerate assets and give asset visibility with the minimum of fuss.

They also want to be able to make deployment fast and targeted so that they can remain agile. And they asked us to help identify vulnerable assets quicker.

So we have a great new feature actually called auto-asset tagging, which Jaana will show you a little bit later on, which allows you to adjust through the deployment of the agent, collect assets  into tags and buckets to focus your investigation based on their characteristics.

All right, so enough rambling from me. I’m going to hand you over now to Jaana. She’ll take you through the first part of the demonstration and you’ll come back to me and we’ll continue. Jaana, over to you.

Jaana: We’re excited to be here today and share with you Binalyze Air and what we have in the cloud. So, Steve already mentioned many important things that we heard from our customers when we started this project.

So, one definitely was the ability to connect multiple cloud platforms to Binalyze Air. So many of you work in organizations that are supporting different platforms, so Azure and Amazon AWS, but also many of you provide support for multiple customers.

So you need the ability to connect multiple AWS accounts of different customers. So you can absolutely do that, and I’ll show that in a minute. And this is something that we will follow through throughout our cloud rollout.

Another key principle moving forward, and what we’ve already done here as well, is to minimize the time it takes you to get to the evidence. And we do it by different things.

First of all is by the simplicity of setup. We’ve made it so foolproof that even me, who last time before this project logged into AWS Cloud I think six years ago or five years ago, and if I can do it, then all your professionals can absolutely do it.

So that is to mitigate the issue that we heard from customers where sometimes you are giving not enough privileges, but what’s even worse, sometimes you get too high privileges. And that of course puts us in the risk of accidentally leaving our fingerprints all over evidence, right?

So the setup that I’m going to show you right now minimizes that. So, as you can see, I’m in Binalyze AIR and to connect cloud platform, I go here, click cloud platform. As you can see, I already have connected a Microsoft Azure account, but let’s see how the same process can be done on AWS.

So I click add account, I choose a name, and here you can see the guideline, for your IT department to give the right access. So here we have listed the permissions that are needed, and you can of course read them and save them, copy/paste them to whoever needs it.

But, to make it foolproof, you will share this link to your customer or your IT department and say, “Hey guys, just click ‘next’ a few times.” So this is a cloud formation link who is familiar with it. And all they have to do honestly is click next here a few times.

And they are of course specialists and experts, and they know what all these things do, but what happens here is actually, we are creating a new user to this AWS account. As you can see, it’s in the process now.

And I’ll go to the IAM indexes management. I can see there is a user here. This is the user that we just created. Did you notice like it was so quick that we didn’t even notice it happening? Great. And as a next step, I will create access keys.

Now, let’s see if I can remember to close this window, before I show the secrets access key to all your security specialists. No pressure, Jaana. So let me stop sharing the screen for a moment. (Okay, Steve, I’m safe. You can put it back. I assume I’m back.)

So as you can see, here we have connected account one, and I’ve connected it to this 3.0 webinar organization. And as I said before, you can connect multiple accounts to a single organization, which can happen because in Amazon and AWS Azure as well, there are very complicated trees of accounts that you can create, so we absolutely support that.

And, today we support EC2 instances on AWS and compute on Azure. And in the future, we’ll support everything. And  these accounts will be automatically synced every 30 minutes.

And now what we do here is that, all right, like, if you ever have gone around in the AWS console, then it’s a huge beast, and it’s not actually very easy to find everything that you’re supposed to look for and it might need to investigate.

So as you can see, we have enumerated six assets. And I can tell you that these six assets actually are in three different regions. So, you can see that here they are. We have a nice small AWS logo here to indicate where they’re from.

And when I click here, I can already, this is the classic information that we have about every asset, and existing Binalyze users would be familiar with it. But there’s a new section here that you can see that provides more details about the cloud assets itself.

So you can see the region here, networking information like IP addresses, VPC IDs, things like that, and other information. And that’s all before we have deployed an agent.

And as you can see, with a super cool, okay, I’m saying it’s super cool that there’s a parachute here for deployment. With this one click, we can deploy an agent to this compute asset, or, better yet, can select all here and do it all at once.

And, the more attentive of you will notice that, hey, Jaana, there were six computer assets enumerated. Why is the agent employed only to five? And let me say save this.

The answer is really simple. There is still no way to run code on machines that aren’t running. One of these machines has actually shut down. So that’s why we can’t deploy. Currently, you will just need to wake this machine up and then deploy.

And in the future we will add the ability under conditions that you set to automatically deploy to all new cloud assets that come up and down as they’re created. Because as we know, cloud environments are quite volatile, new servers are added every day. So that will be super useful.

But before I show you all the amazing things that we can do with the agent that we just deployed on those cloud assets, I’ll give it back to you, Steve.

Steve: Jaana, thank you. That was super easy actually. I think oftentimes we’ve really well developed products, it looks super easy, but there’s a lot going on in the background, and I think that’s the case here with our cloud forensic solutions.

So, yes, you can do it. And I’m even more inept, so I think I could have a crack at that, as well. So that was really good. Thank you.

Emre: Note, we should tell them that that two minutes of demo cost us six months.

Steve: Yes, exactly. So, no, that was really good. Thank you, Jaana. We’ll be back to you in a short while.

So, the second part of the demonstration is actually the more significant part, which is now that we have added cloud forensic accounts into Air and we’ve enumerated those accounts and we’ve deployed the agent to it, what now can we do?

So let’s take a look at the forensic investigation capabilities in the cloud. So I think the first message that I would like to get across to you is that we’re not new guys to this. So we’ve been doing this for a long time.

We have five years as Binalyze of R&D in the product, another 10 before that the most of the core team we’re working together on a previous solution, and we’ve had a product in the market as we said right at the beginning since October 2019 as Air, which means that we already have a mature battle-tested solution and an experienced team.

So, today is really about just unlocking that best-in-class enterprise forensics capability and delivering that now into the cloud, as well. So we see that again as a big benefit for us. It’s going to allow us to come into the cloud forensic space with a really strong solution from day one, which is what we’re doing. So let’s have a closer look at what we can expect.

So, on the evidence acquisition side, for those of you who have not used Binalyze Air before, we do acquisitions in on average 7-10 minutes, depending on what we’re collecting. So it’s an extremely fast, highly optimized solution.

We also collect over 240 different evidence types across those five different operating system platforms that we talked about earlier. And we also have a really robust system of remote evidence depositories, as well.

So if you want to send your evidence automatically into an S3 bucket or an Azure Blob storage location or an SMB share or a network share, then we have all of those options already in the product. And they are now obviously available to cloud assets, as well.

We get you as incident responders, as cyber security professionals to a shareable case report within approximately 7-10 minutes. And that case report is processed, all the evidence is processed, it’s all passed, it’s all presented in a really clean and tidy way. And it’s a single HTML file with a JSON embedded inside it.

So, collaboration and sharing is a big part of what we do with Air, and the case reports are a really important part of that.

We also critically encrypt and timestamp, as well. That’s actually part of this 3.0 release, as well. So encryption we’ve had for a long time, AES 256 standard encryption, but we’re also now adding RFC 3161 times stamping compatibility, as well.

So that assists, let’s say with that chain of custody question by proving that the evidence existed at a certain point in time and has not been tampered with in the interim.

And finally, we have Drone, which is our automated compromise assessment tool. Drone takes the evidence that we collect in that 7-10 minutes and puts it through over 20 different analyzers to score the evidence and flag the evidence with some verdicts.

So, is this suspicious? Is this important? Is this critical? Is this rare, for example? And then overlay those flags onto the shareable case report. The goal of that being that we guide the analyst to the important parts of the evidence quickly, so that you can get into the meat of your investigation much faster than you would otherwise be able to do.

So, that’s our existing capability, or some of it on the evidence acquisition side, and that is now available from today to the cloud assets in AWS and Azure.

On the investigation side, it continues. So we have a triage tool which allows you to use YARA or Sigma directly on the endpoint to create triage searches. And those searches can be done at scale, which we’ll come to in a moment.

We’re also about to add OSquery into our triage tool as well, which will allow you to do searching with that third method. It’s fast and concurrent scanning. So it’s a super optimized product.

Again, depending on the complexity of the YARA or the Sigma that you’re searching with; 10, 15, maybe 20 minutes. It doesn’t matter whether that’s on one asset, on 10 assets or on 1,000 assets, the reports will come back in roughly the same period of time.

We also have a timeline tool. So one click timeline I can send evidence directly from an asset into, um, a chronological timeline. Again, highly optimized, takes about maybe five to seven minutes to create the timeline.

And once I’ve done that, I can start to investigate my case in a chronological way. And as I do that and I look through the evidence, I can also enrich my timeline. So I can bring in additional assets, additional endpoints, I can bring in off network assets, I can bring in CSV data from other security systems, or I can log milestones.

So a milestone might be that your CTI provider has given you a certain piece of intelligence, a certain date and time, you might want to add that into your investigation to add context so you can enrich these timelines, as well.

And because they’re browser-based, they’re also collaborative, so you’re able to have multiple analysts looking at the same timeline and collaborating on the investigation.

And then in terms of remediation, earlier this year, very early this year, we launched a module called Interact, which is our platform remote shell. So slightly different to the other remote shell solutions on the market in that it is cross-platform, so exactly the same command set regardless of whether you’re investigating a Windows, a Linux or a Mac machine.

It also has some other cool features, as well. So it’s permission-based. So we were talking earlier about having granular control over your users. Interact has that, as well. So we can define three different levels of remote shell access based on the experience of the analyst that you want to use that tool.

We also have a script and asset library within Interact as well, which allows you to standardize the investigative process by uploading approved scripts or approved assets that you want your analysts to use during remote shell sessions.

That tool is also OSquery-compatible. That’s one of the commands. So you can use OSquery in the remote shell, and there is a full log and audit trail, as well.

So, every single command used and every response received in addition to any files that move between the analyst and the asset are all logged in real time in an Interact session log, which is also sent back into the platform-wide log and also into syslog if you have those kinds of things integrated.

And we also recently launched the ability to escalate your investigation to a full disk image. We’re not full disk image people, but we’ve added that capability. If you do want to escalate your case to full disc imaging, then you can do that via Interact, as well.

And finally, we also have unlocked some proactive forensics and threat hunting features. So the ability to baseline your assets. So take a baseline acquisition and treat that as a golden image, the ability to schedule forensic snapshots against your assets at some point in the future, our compare feature which we launched in the summer, which is a patent-pending differential analysis tool.

So compare two different forensic snapshots of the same asset, and see what has been added to the asset, what has been deleted from the asset or what has been changed on that asset between those two forensic points in time from a granular forensic perspective.

We also have integrations with systems like SIEM and SOAR, so we can start to trigger secondary forensic actions off the back of their alerts and those systems. And we have a flexible web hook system for other types of integrations, as well. And recently we launched an open API if you want to make deep integrations with the Air platform.

So, that’s a lot, but there is a lot, which is the point. We are bringing a lot of capability into the cloud forensic space and all of those things and all of the other things on the platform are available for AWS and as Azure assets from the 3.0 release. So it really puts us into a strong position in terms of cloud forensics going forward.

All right, I will hand back to Jaana now and let her demonstrate some of those features. I don’t think we have time to do all of them, but some of them.

Jaana: Yeah, it’s echo. I hope you hear me semi-okay.

Emre: We hear you clearly, Jaana.

Jaana: Very good. So, yeah, again, to emphasize all these things that Steve just mentioned, we can do on-the-cloud compute assets, as well. So on Windows, Linux, and Mac. And that’s very cool and I won’t be able to show all of them today, and I know many of you are already existing users of Binalyze Air, so I thought I would choose something that is new for you, as well.

I got, I think, that is the bare bread and butter of acquisition, triage, Interact, et cetera. So I would say one of the, you know, lesser known features and gets less attention than it should is our out auto asset tagging feature that we added a new capability into this month.

So, auto tagging is a thing that allows you to tag your endpoints automatically based on certain conditions met, and what these conditions are is totally under your control.

So auto asset tagging is in this tiny menu again, and you can have all different rules set up. And whenever a new agent is installed on a new device or server, then this rule is run. And then if these rules are met, for example, process running or directory exists or whatnot, then it gets attack-ready, for example, and the sky’s the limit, honestly.

And the new thing that we added this month is auto asset as tagging with OSquery. And in case you are not familiar with OSquery, then OSquery based in Google is the only useful thing Facebook has ever released. That maybe is a bit harsh, but it’s definitely super cool.

So OSquery allows you to run basic SQL queries to describe any device. And now you can run those queries using Binalyze Air. Today it now does tagging.

So one of the things that I’d like to add is that we just added some AWS endpoints to our collection, and I would like to group them based on the region that they are in. So I add a new tag rule here. So, custom, and we automatically show you all the tables that the OSquery has.

I auto-complete to ec2_instance_metadata, find region here, save, add this tag to any device that has a region called EU+ basically. And well, most of these rules are platform-independent. So I need to, although this wouldn’t be, I need to actually do the same thing for links, as well.

But see how fast it is. So it’s not that bad, right? And like, save, and now what I can do is well, let’s go all in, right?

So I click run now, it does tell me that, hey, are you sure? And now all these tags are run on old assets that in Binalyze Air. Okay, sorry guys for it. But this detour gave Binalyze Air a bit of time to run those auto asset tag rules.

So let’s see. So I can now go, and as you can see, this endpoint already has this tag here. So every time there is a new endpoint added to Binalyze Air, all the rules are run and things are automatically tagged with the right thing. And here they are.

So, honestly, the sky’s the limit with  OSquery. And I know Mason, you mentioned in the chat that you can’t wait until OSquery can run in triage, in bulk as we do with YARA and Sigma. Well, definitely auto asset tagging isn’t built to triage with OSquery.

But I’m sure you can see as well how you could actually, until we add OSquery to triage, which is coming very soon, you can already do this by actually using tagging to find different IOCs, because yeah, as you can see, you can, query based on registry keys, Chrome extensions, like, anything really.

So, I hope you enjoy it. And it’s definitely one of my favorite features of Binalyze Air.

But next, let’s see some of the standard features of Air. Many of our (or yours, I’m no investigator) investigations will start with an IOC triage. As Steve mentioned, we provide support triaging with YARA and Sigma rules.

So, we have a few examples here that you can see here. You can find triage by file system, so file names, hashes, extensions, et cetera, but also from the memory running processes and things like that.

(I’ll skip this section now, but we have had previous webinars where we have done this. I think the last time we showed it, as well.) Definitely our most comprehensive capabilities, acquiring of evidence.

And to acquire evidence with Binalyze Air, you first need to define what you want to acquire. And to do that, you need to define acquisition profile and all acquisition profile is a description of things that you want to acquire.

So, as you know, we support three platforms today; Windows, Linux, and macOS. And we have a specific list of items that you can collect from each of them. I think overall across platforms, we have like 240-50 different items. And also we have a special collection that is cross-platform for e-discovery.

So I’ll just, for the folks that are with us for the first time, I’ll slowly scroll through this list. So, as you can see what’s in the clipboard, DNS, firewall rules, volume information, memory, of course, you can’t really do that without an agent, right? Browser history, file system, so MFT, journal files, registry hives, all those things.

And I think I need to speed up because this is getting boring for you. Network information and so on and so on and so on. So this is quite comprehensive and a similar list we have for Linux.

And last month, we actually spoke quite in depth about our acquisition capabilities on macOS, as well. And of course, previously we have introduced our Windows acquisition capabilities. And with e-discovery, for example, you can really dig deep and for example, search for all P&G files if you want to see all the things that people have screenshotted on their devices, or DOCX files or all the emails, so this is all possible.

And let me show you how this acquisition goes. So let’s go back to our endpoints and let’s go to our webinar. Yeah, by the way, we also have one asset with an agent deployed on the Azure account. The other one is shut down but works basically the same as with AWS ones.

Anyhow, what we can do, where Binalyze Air really shines is that you can do these things in bulk. So I select all the assets that are online, green means they’re online, and I can choose to acquire evidence from all of them at once.

And this is related to a webinar that we’re just having. And next we choose the acquisition profile and I choose one that is called ‘Quick’. And then in the background, there’s a policy that describes where the evidence is saved.

So we allow saving the acquired evidence on the device itself, and then you can use your own ways to transfer it out if you wish to. Most of our customers actually use an evidence repository, which can be an FTPS, FTP server, network share, AWS pocket and so on.

And I also leave on Drone. So, Drone is our automatic analysis tool. And it will look at a bunch of things and point you, the investigator, to that right direction if it sees something suspicious.

And when I click start here, then what happens is that we send a command to all those agents and say, hey, collect evidence. And depending on which acquisition profile you use, e.g., what types of evidence you have chosen to collect, this will take up to 10 minutes unless your device has four gigabytes of memory and you decide to collect memory, then it might take a bit longer.

And once it’s completed then you can go to the asset and actually see the progress. So yeah, I believe this is actually a full acquisition, and I have this acquisition report already open, as well.

So yes, all the evidence is actually uploaded to the evidence repository. But you get this report where you can see all the evidence summarized together. And if I just put all those things together here, you can see there are a lot of things here.

So this is one of the assets, this is one of the AWS servers, right? And here is that Drone assessment. So, Drone has found 54 suspicious things, and if I were an investigator, these are the things where I would start from.

What is quite cool is you can find things here. Now, let’s see, we have a screenshot now. Well, you still need to know what you’re what you’re looking for, but the search box looks through this entire report.

So yeah, that was a full acquisition. And oftentimes, depending on what you find, you might actually dig even deeper, you know? With cloud, we start from the high level, we look at the logs, then there might be something suspicious happening with this device, then we deploy the agent, and then as the last resort, we can actually start an remote interactive shelf with one click here.

And if I click start here, then in a second we have a connection established, and now I’m in that machine and I can interact with it. So as you can see, yeah, so this is AWS machine. Here is some information, it is doing something. Well, it’s not a very big machine.

And I can see what’s here. I can actually see the contents of files. I can, depending on the policy, I can download files, but no, I don’t remember which policy I set up. It’s either going to download it to my machine here or to the evidence repository. Let’s see which happens.

Yeah, it went to the evidence repository. No, it’s downloaded. So, let me show help here so you can see all the commands here. So you can do HDP requests, you can execute the script, find files, find hashes of files, you can now create a full disc image of Windows and Mac endpoints.

And yeah, you can run OSquery commands. So OSquery, select start from, see, this is why we have the OSquery builder because I don’t remember these things by heart. Hey, but I have this, I can do this. And see? Gives quite a bit of information.

Emre: And one thing, Jana, it was asked on the chat, these are all cross-platform. So all the comments we see here are cross-platform. But if you want to have a fullback using the native shell, you can still use the exec command, but it’s subject to privileges. So as long as you have that privilege, you can always use the native shell by using the exec command.

Jaana: Yeah, and it really depends on what your native language is. So I’m a Unix girl myself, but if you want to do this on a Linux machine, then you can do that.

So, these were just, and one more important thing to notice that actually all the commands that I executed on this device and in this session are now stored in an audit log. So you can easily add those to your case report, and if you’re working on a case together with somebody else, then they can also see what exactly you did.

So yeah, this was just scratching the surface with Binalyze Air. If you want to learn more, then definitely check out the YouTube videos and showing our future webinars, as well. But I think with a quick tour I’m finished for today, unless Emre would like to demo anything else?

Emre: No, there are some questions. In the meantime I’m trying to answer them. So, maybe we can answer this question because it’s an important one. The privileges are not pulled from Elda or Active Directory.

We support Active Directory, by the way. If you integrate the platform with Active Directory, we mirror all the organizational units. So you see the same structure and want to deploy an agent to those assets. Those will be managed, but when it comes to Interact privileges, it’s fully in the platform. We don’t take them from anywhere.

We have three levels of privilege. The first one is Enumerate. If you have Enumerate, then you can run commands such as DIR, CDN and those types of stuff. And the second one is read. If you have read privilege, then you can fetch files, you can view the contents of the files, and if you have exec privilege, then basically you have access to all of them.

And when you have exec privilege, which is the highest privilege in the platform, then you can use exec command to fall back to Native Shell. And that also includes access to bash, Python and et cetera, whatever is available on the machine. I think that answers the question.

Steve: Good. Okay, thank you for that, Emre.

Emre: Steve, I was expecting something really bad from Mason, but he wrote a good one, so I was like, well played, guys.

Jaana: Mason, there is a typo in your query, because it doesn’t compute.

Emre: Install from programs. Hmm.

Steve: All right. Thank you, Jaana. Thank you, Emre. I think Mason is crying. We’ll handle any other questions in a few moments. Let’s just finish off by looking at what’s going to come next.

So, before we get into the details of that, please do take a look on the website at our release notes. You’ll see that the cadence is almost exactly monthly these days, and has been for a very long time, actually.

So we have a really strong track record of delivering on our roadmap promises and iterating the product in a really fast way, which is allowing us to continue to innovate and disrupt in this space.

So, what we’re about to show you, hopefully that will give you some confidence that that will be delivered as we say it will.

So phase one we’ve gone through today, integrating cloud accounts into Air, enumerating and managing those assets. Super simple, I hope you’d agree. And a glimpse into the best-in-class acquisition and investigation tool that we have, which is now available to all of those cloud assets.

Phase two will take us into log acquisition. So I think I can go out on a limb, Jaana, and say that towards the end of this year, maybe the very early beginning of next year, we will have the cloud log acquisition piece in place, and also starting to move into container forensics with Docker and Kubernetes.

And phase three, which will be Q1, Q2 next year will take us into SaaS application forensics, and also bringing Drone for cloud. So automatic analysis of the data that we collect from your cloud accounts.

And those SaaS applications will begin with Microsoft 365, Google Workspace, Zoom, Dropbox, Box, Salesforce, Slack, HubSpot, and then we will launch with Drone for cloud, so that you can do some automatic analysis on all of those platforms, as well.

There will be a phase four, but that’s a little bit too far out for us to talk about today. But hopefully you can see that we’ve come with a really strong opening in terms of cloud forensics, but we have an even stronger roadmap which you can expect to see over the next one or two quarters.

All right, we’ve thrown a lot at you today. We also weren’t able to cover the entire platform. Obviously that would take about four hours, I would imagine. So if you want to try, please go to the website. There’s a 14-day trial there.

Just go to, click on the’ try now’ link in the header, and you can take advantage of our Docker-based architecture. And in about two minutes, you can spin up a version of Air exactly the same as Jaana’s shown you today. That will be a 14-day full-feature trial.

If you would like a one-to-one, then also please go to the website and request a demo, and we can handle that for you, as well. And yeah, we look forward to seeing you there.

All right, questions and answers. Do we have other questions, Emre, that we need to answer?

Emre: There’s a question we’ve received that I think is also good to answer. If you want to run a Python, Tom already answered it, but maybe something else to add. If you want to run a Python script or some best script or some, let’s say even Java, I’m not sure if you can, but if you want to, you can also use the library function because Interact also has a library function, again based on privileges.

If you have access to that privilege, then you can view the library. And if you have access to write privilege, then you can also push that installer to that machine, deploy the interpreter, and then run the Python if it’s not available on the machine already. Already answered in the chat, but I just wanted to say it.

Steve: Great. Thank you, Emre. Any other questions on the chat?

Emre: I think, no. I’m checking. No.

Steve: All right, so…

Jaana: It seems like no.

Steve: If there are no other questions, we’re almost up for time. So, if you have a question and you’re feeling shy, type it now. Otherwise, we’ll give you your five minutes back and end the webinar.

Jaana: And yeah, Matt just shared the Discord link. If you want to be one of the people that we talk about in the webinars where we mentioned and we spoke with users and they told us these insights, then you can absolutely be those people. Just join the webinar and every now and then we’ll be asking for your help in certain new features.

First of all, you can see the features like sometimes months before the others and you can influence where they’re going. Yeah, so, I can see the next question about what else is in the roadmap, like, cloud trail, cart duty, etc.

So absolutely these are in the roadmap, and one of these is literally one of the next things that we’re going to build. So keep an eye on it. Also, Mason, Office 365, do you know that they actually rebranded themselves to Microsoft 365? Also coming up and also, in the earlier form of this long roadmap that we have in earlier stages.

Emre: Jaana, maybe in order to keep the excitement going and increase it, we can also mention briefly about the plugin architecture because all those types of questions will be covered by the plugins, as well.

Jaana: Well, you know…

Emre: Or you can keep the charm. Up to you.

Jaana: This is the secret sauce, Emre. This is the secret sauce.

Emre: Okay, let’s keep it for the future, then.

Jaana: But it’ll definitely, if you’ve heard plugin word before, then you can imagine what we are cooking behind the scenes today and what you can expect to see in the future possibilities to extend Binalyze even more and more, and faster.

Steve: Great. That seems like a good point to end, Jaana. So, thank you once again everyone for joining us on this webinar.Please do go and fire up a trial if that’s what you want to do. Hopefully you’ve seen enough today to make you do that. We look forward to speaking to you further.

If you have any questions, please reach out to us there as well, and we’ll be happy to answer them. And we’ll see you on the next webinar.

Emre: Thanks a lot.

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:46 pm

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:14 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles