
Binalyze AIR

Manage Binalyze AIR resources


Overview

The "Assign Evidence Acquisition Task" operation in the Acquisition resource of this node allows users to assign a remote evidence acquisition task to a specific case within Binalyze AIR. This operation is useful for digital forensic investigators or incident responders who want to remotely collect forensic artifacts and evidence types from endpoint assets associated with a case.

Typical scenarios include:

  • Assigning a task to collect volatile memory, file system data, or browser history from endpoints involved in an investigation.
  • Filtering target assets by criteria such as asset name, IP address, platform, online status, management status, organization, tags, or search terms before assigning the acquisition task.
  • Using a predefined acquisition profile to standardize what evidence is collected during the task.

Practical example:

  • An investigator selects a case and an acquisition profile, filters assets to only those that are online Windows machines tagged with "HR Department", and assigns an evidence collection task to gather documents, logs, and installed software information.

Properties

Case
  The case to which the acquisition task will be assigned. Selected from a list of cases or specified by ID.

Acquisition Profile
  The acquisition profile defining what evidence and artifacts to collect during the task. Selected from a list or specified by ID.

Additional Fields
  Optional filters and parameters that refine the assignment. The filters narrow the set of target assets, and every asset that matches will be tasked, so check which assets the filters match before assigning a task.

  • Artifacts (create/update operations only): the artifact categories to collect, such as Browser History, File System, Memory Dump, Network Connections, and Registry.
  • Evidence Types (create/update operations only): the evidence types to collect, such as Documents, Executables, Files, Images, and Logs.
  • Filter By Asset Name: filter target assets by name (string match).
  • Filter By IP Address: filter target assets by IP address.
  • Filter By Management Status: filter assets by whether they are managed or unmanaged. Options: Managed, Unmanaged.
  • Filter By Online Status: filter assets by online status. Options: Online, Offline.
  • Filter By Organization: filter assets by one or more organizations, selected from a list or via expression.
  • Filter By Platform: filter assets by platform. Options: Windows, Linux, macOS, AIX.
  • Filter By Search Term: filter assets by a general search term.
  • Filter By Tags: filter assets by comma-separated tags.
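The following is an added example, not code from the Binalyze AIR node or from Binalyze, showing how the case and profile IDs and the asset filters above can be validated and assembled before the assignment is sent. It covers the practical scenario from the overview (online Windows assets tagged "HR Department"), applies the ID rule from the troubleshooting section, parses the comma-separated tag list, and refuses to build a request with no filter at all, since such a request would target every asset. The parameter names (caseId, acquisitionProfileId, filter.*, allowAllAssets) are assumptions for illustration and are not the node's or the AIR API's field names.

```javascript
// Added example (not the n8n node's or Binalyze AIR's code). Field names are
// assumptions chosen for illustration, not the real API schema.

const ID_PATTERN = /^[A-Za-z0-9_-]+$/; // mirrors the documented ID rule
const PLATFORMS = new Set(['Windows', 'Linux', 'macOS', 'AIX']);
const ONLINE_STATUS = new Set(['Online', 'Offline']);
const MANAGEMENT_STATUS = new Set(['Managed', 'Unmanaged']);

// Reject malformed case / profile IDs before the request is sent.
function requireId(value, label) {
  if (typeof value !== 'string' || !ID_PATTERN.test(value)) {
    throw new Error(`${label} must contain only letters, numbers, hyphens and underscores`);
  }
  return value;
}

// Enumerated filters accept only the documented option values (or nothing).
function requireOneOf(value, allowed, label) {
  if (value === undefined || value === '') return undefined;
  if (!allowed.has(value)) {
    throw new Error(`${label} must be one of: ${[...allowed].join(', ')}`);
  }
  return value;
}

// "HR Department, finance, " -> ['HR Department', 'finance']
function parseTags(csv) {
  if (!csv) return [];
  return csv.split(',').map((t) => t.trim()).filter((t) => t.length > 0);
}

// Build the assignment payload; throws on invalid input or an empty filter set.
function buildAssignment(input) {
  const f = input.filters || {};
  const filter = {
    name: f.name || undefined,
    ipAddress: f.ipAddress || undefined,
    platform: requireOneOf(f.platform, PLATFORMS, 'Platform'),
    onlineStatus: requireOneOf(f.onlineStatus, ONLINE_STATUS, 'Online status'),
    managementStatus: requireOneOf(f.managementStatus, MANAGEMENT_STATUS, 'Management status'),
    organizationIds: Array.isArray(f.organizationIds) ? f.organizationIds : [],
    tags: parseTags(f.tags),
    searchTerm: f.searchTerm || undefined,
  };
  // Keep only the filters the user actually set.
  for (const [key, value] of Object.entries(filter)) {
    if (value === undefined || (Array.isArray(value) && value.length === 0)) {
      delete filter[key];
    }
  }
  // Guard: no filter means every asset in the environment would be tasked.
  if (Object.keys(filter).length === 0 && !input.allowAllAssets) {
    throw new Error('Refusing to assign a task with no asset filter; set allowAllAssets to override');
  }
  return {
    caseId: requireId(input.caseId, 'Case ID'),
    acquisitionProfileId: requireId(input.acquisitionProfileId, 'Acquisition Profile ID'),
    filter,
  };
}

// Constructed sample input matching the practical example in the overview.
const hrAssignment = buildAssignment({
  caseId: 'case-2024-017',
  acquisitionProfileId: 'full_triage',
  filters: { platform: 'Windows', onlineStatus: 'Online', tags: 'HR Department' },
});
```

The explicit allowAllAssets override is deliberate: tasking an entire fleet should be a conscious decision recorded in the workflow, not the accidental result of leaving every filter blank.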

Output

The node outputs JSON describing the result of the assignment: the created acquisition task's ID and status, the case it was assigned to, the acquisition profile used, and any other metadata the API returns after task creation.

This operation returns no binary data. Evidence collected by the task is stored by Binalyze AIR; the node's output only confirms the assignment and carries its metadata.

Dependencies

  • Requires an API key credential for authenticating with the Binalyze AIR API. Scope the key to the permissions this operation needs, since any asset its filters match can be tasked with it.
  • The node depends on the Binalyze AIR service being accessible and properly configured.
  • The acquisition profiles, cases, and assets must exist in the Binalyze AIR environment.
  • The credential's user must be permitted to assign tasks to cases and to read acquisition profiles.

Troubleshooting

  • Invalid Case or Acquisition Profile ID: If the provided case or acquisition profile ID does not exist or is malformed, the node raises an error. Ensure IDs contain only letters, numbers, hyphens, and underscores, and that they refer to existing objects.
  • No Matching Assets Found: If no assets match the filter criteria, the task assignment may fail or result in no action. Verify filter values (exact tag spelling, platform and status option names) and broaden the criteria.
  • API Authentication Errors: If the API key credential is missing, invalid, or expired, authentication errors will occur. Check credentials and reauthenticate if necessary.
  • Network Connectivity Issues: Failure to reach the Binalyze AIR API endpoint will cause errors. Confirm network connectivity and API endpoint availability.
  • Permission Denied: Insufficient permissions to assign tasks or access resources will result in authorization errors. Verify user roles and permissions in Binalyze AIR.
