Binalyze Knowledge Base
You can view our support terms and conditions here.
Products
Binalyze AIR
Fleet
General
Licenses - Open-Source Software List