Binalyze AIR 4.7 Release

Features

In AIR version 4.7, a new Docker container has been introduced to enable the new File Explorer feature. If you plan to use File Explorer and are upgrading from an older version instead of performing a fresh installation, you can upgrade as usual. Only contact our support team if you want to enable the File Explorer feature.

Introducing AIR's new File Explorer

AIR can now be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in the RAW format.

The forensic image can be added to AIR as a new Asset in a three-step process:

  1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

[Image: 4.7(1)]

  2. Select your connected repository and then the raw disk image you wish to explore:

[Image: 4.7(2)]

  3. Select ‘Create Asset’:

[Image: 4.7(3)]

The image must be supplied to AIR from an SMB or SFTP shared location, where it needs to be saved as a single contiguous file. Segmented files are not currently supported.
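Before adding an image as an Asset it is worth confirming that it really is one contiguous file. The Python script below is an added example, not part of AIR or of this release note: it finds a segmented raw image set using the common `.001`/`.002` suffix convention (an assumption about how the image was split), checks the numbering for gaps, joins the segments into a single file, and records the SHA-256 of the joined data so it can be compared with the hash AIR calculates later.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed naming convention for split raw (dd-style) images: image.raw.001, .002, ...
SEGMENT_RE = re.compile(r"^(?P<stem>.+)\.(?P<num>\d{3})$")

def find_segments(directory):
    """Group segment files by stem and return each group's paths in numeric order."""
    groups = {}
    for p in Path(directory).iterdir():
        m = SEGMENT_RE.match(p.name)
        if m and p.is_file():
            groups.setdefault(m.group("stem"), []).append((int(m.group("num")), p))
    return {stem: [p for _, p in sorted(segs)] for stem, segs in groups.items()}

def check_contiguous(segments):
    """Return None if the segment numbers form a gap-free run, else describe the gap."""
    nums = [int(SEGMENT_RE.match(p.name).group("num")) for p in segments]
    expected = list(range(nums[0], nums[0] + len(nums)))
    return None if nums == expected else f"missing segments: expected {expected}, found {nums}"

def join_segments(segments, output, chunk=1 << 20):
    """Concatenate segments in order into one file; return (byte count, SHA-256 hex)."""
    digest, total = hashlib.sha256(), 0
    with open(output, "wb") as out:
        for seg in segments:
            with open(seg, "rb") as f:
                for buf in iter(lambda: f.read(chunk), b""):
                    out.write(buf)
                    digest.update(buf)
                    total += len(buf)
    return total, digest.hexdigest()

def demo():
    """Constructed sample: tiny fake segments written to a temp dir (not real evidence)."""
    d = Path(tempfile.mkdtemp())
    parts = [b"MBR" + b"\x00" * 13, b"\x01" * 16, b"\x02" * 8]
    for i, data in enumerate(parts, start=1):
        (d / f"evidence.raw.{i:03d}").write_bytes(data)
    (d / "gapped.raw.001").write_bytes(b"a")  # second set with segment .002 missing
    (d / "gapped.raw.003").write_bytes(b"b")
    sets = find_segments(d)
    size, sha = join_segments(sets["evidence.raw"], d / "evidence.raw")
    return (check_contiguous(sets["evidence.raw"]),  # None: complete run
            check_contiguous(sets["gapped.raw"]) is not None,  # True: gap detected
            size, sha == hashlib.sha256(b"".join(parts)).hexdigest())
```

Upload the joined file (not the segments) to the SMB or SFTP share before creating the Asset, and keep the recorded hash with your case notes.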

The next step is to select File Explorer from the secondary menu:

[Image: 4.7(4)]

The asset’s directory structure is now expanded in the secondary menu (highlighted below). You can browse it and then select individual files for closer inspection:

[Image: 4.7(5)]

A file can be selected with a right-click to download it locally or calculate its hash values.

Advanced filters can be applied to filter the files displayed.

This is just the beginning of our File Explorer project - many more features are planned and your feedback is most welcome.

Advanced Filter capability for all evidence category tables

We have added and standardized our advanced filter functionality across all Investigation Hub evidence category tables to:

  • Ensure consistency across AIR's data analysis capabilities.

  • Empower users with flexible advanced query options.

  • Enhance overall data analysis efficiency.

[Image: 4.7(6)]

The example above demonstrates the versatility of crafting filters that cater to both simple and intricate requirements. These filters offer support for compound logic by using AND/OR Boolean operators, applicable to any of the available columns. This empowers investigators with robust and flexible filtering capabilities.

New collection of remote tool artifacts

macOS

  • Splashtop Mac Logs

Windows

  • Xeox Logs

  • ZohoAssist Logs

  • Supremo Remote Desktop Logs

  • TightVNC Logs

  • AmmyAdmin Logs

  • GoTo Logs

  • Kaseya Logs

  • Level Logs

  • Remote Utilities Logs

  • RealVNC Logs

  • Splashtop Windows Logs

  • UltraVNC Logs

Enhancements


Improved visibility to DRONE’s verdicts
  • V4.7 provides valuable transparency by reducing noisy findings and improving visibility into DRONE’s detection logic, helping to streamline investigations and boost confidence in DRONE's methodology. (Credit: Garett C)

  • The example below shows how, in the details tab, DRONE will now highlight each finding with:

  1. Its description.

  2. A reference to learn more about the findings.

  3. The actual string that was detected.

[Image: 4.7(7)]

Investigation Hub - Consolidated View of Bookmarked Items
  • With this new feature, AIR users can easily access their bookmarked items, bypassing the need to navigate through multiple sections. This simplifies the workflow and saves time. (Credit: Grant O)

  • The ‘bookmarks-only’ view is accessed via the button in the Investigation Hub page header. Findings and evidence categories with bookmarks can be viewed via drop-down arrows.

  • Additionally, the note-taking capability enables users to capture extra context and insights, contributing to a more comprehensive understanding of their bookmarked content. Notes can be added via the edit pencil in the Bookmark Notes column.

[Image: 4.7(8)]

Windows direct collection
  • With the introduction of Windows support, which complements our existing macOS and Linux capabilities, evidential collections from all three operating systems can now be sent directly to external evidence repositories, minimizing the use of local disk space on the endpoint.

[Image: 4.7(9)]

New API functionality
  • Acquisition profiles can be created directly with the API with ‘Get Acquisition Profiles’.

  • Asset Tags can be created or removed with the API (Credit: Blake B)

  • AIR API documentation is found at: docs.binalyze.com

[Image: 4.7(10)]

MITRE ATT&CK Analyzer changelog

4.0.1

Yara

  • Added detection for C# and dictionary-based webshells.

  • Enhanced detection of JSP webshells.

  • Enhanced detection of directory traversal and XSS injection indicators found in server logs.

  • Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.

  • Added detection of various Linux exploits.

  • An updated list of vulnerable and malicious drivers from the LOL Drivers project.

  • Added detection for binaries signed with a potentially compromised AnyDesk certificate.

  • Other minor fixes.

Dynamo

  • Minor FP fixes.

(Full changelog is here: AIR MITRE ATT&CK Changelog)

Fixes

We are pleased to announce a critical fix regarding some of the NTFS categories of evidence collections, which were causing collection tasks to sometimes become unresponsive. The root of the issue was traced back to our backend library, which encompasses a range of NTFS-related evidence types, including:

  • Page File

  • Hibernation File

  • Swap File

  • Hosts

  • Recent File Cache

We have taken steps to address and rectify this issue, and users should no longer experience any issues with these collections. (Credit: Guo Y)

  • Fix applied for an issue regarding the console backup process via the optimization of our backup compression logic. (Credit: Ben H).