This post results from the project “DFIR & Threat Intelligence” within the Munich Cyber Security Program (MCSP). The MCSP is a cooperation project between Champlain College and Com|Code (Germany). The project focuses on new developments in the Digital Forensics and Incident Response fields, as well as on research performed for clients of Com|Code.
Binalyze is an incident response tool that, judging from its claims, looks extremely useful. Today we are starting our evaluation of this tool to see exactly what it can do and how useful it will be in practice. It combines the capabilities of multiple tools in one: evidence acquisition, compromise assessment, triage at scale, investigation timelines, and automated forensics. We hope that in our testing it truly lives up to the claims, but that will have to wait for a later post. To start off, let me explain how Binalyze works. It is remote software that runs within a network, allowing it to image systems and monitor them. The recommended way to install it on a larger number of computers is to push it via the domain controller; however, you can also install it on each computer manually. It is meant to be a relatively easy install in the grand scheme of things, and based on the installation guide it is.
As mentioned above, this tool has a suite of options available. First there is evidence acquisition, which is built on their proprietary IREC engine and is lightning fast: the average acquisition is completed in under 10 minutes. The evidence can then be stored in a vast number of different ways, from local disk to the cloud to network storage. You can also set it up to perform acquisitions automatically when triggered by other security systems. Next there is compromise assessment, which they call DRONE. Their algorithm works through the collected evidence, delivers its findings and scores them by severity. You can also use their keyword search, which accepts a multitude of different inputs, such as regular expressions. DRONE also adds to the evidence acquisition reports by flagging events of interest by severity.
Triage at scale is meant to look beyond a single machine and find things across the network. Then there are investigation timelines, which are as simple as clicking one button: the program creates a timeline for you and applies the same severity flagging as the sections above. Finally, there is automated forensics, which supports the Splunk and QRadar SIEM solutions.
To sum everything up, Binalyze, from what has been shown to us, is a great tool to evaluate and truly see what it can do. It seems it could have a huge impact on the incident response field and possibly save a lot of time and money. We will post updates often on how our tests are going, and at the end we will have the results.
–Written by Michael Pinelli ‘23 //Computer Science & Cybersecurity