What’s New?
- Investigation Hub Live Collaboration and Activity Sync: Analysts can now observe real-time user presence, comment updates, and evidence flag changes within the Investigation Hub. This enables investigation teams to collaborate simultaneously on the same evidence and instantly see each other’s actions without refreshing the view.
- Investigation Hub Search Enhancements with Prefix Support: The new prefix search capability allows using the “*” symbol in the Investigation Hub to find evidence names or keywords starting with a given text. This makes it faster to locate related items across large investigations, particularly when searching partial filenames, process names, or user activities.
- Maintenance Window Configuration for SaaS Environments: Administrators can now select preferred maintenance windows directly within AIR. This ensures updates and maintenance operations occur within defined time slots, providing predictable scheduling for managed tenants.
- Command Snippets Management Improvements: Snippets can now be tagged and grouped, making it easier to filter or categorize repeatable live-response actions in interACT sessions—improving operational efficiency and consistency for investigation teams.
- Hunt/Triage Location Inclusion and Exclusion Support: Analysts can now define precise include/exclude path patterns for each platform in the Hunt/Triage feature. This ensures keyword and YARA scanning occurs only on relevant directories—improving performance and reducing noise during evidence analysis.
- Expanded Evidence Support for macOS and Linux: New artifact sources, including DNF/YUM History, SSH Files, System Logs, and software update information, improve cross-platform visibility and provide deeper forensic coverage for investigations.
New Features & Improvements
AIR Console – Investigation Hub
Investigation Hub Live Activities, Data Reload and User Presence
This release further enhances real-time collaboration within the Investigation Hub. Active users are now visible in the interface, allowing analysts to see who else is working on the same case or evidence category. When actions such as flagging items, adding notes, or findings occur, all connected users receive immediate updates without manual refresh. Bulk actions performed by others are summarized with short status messages. These enhancements make the Investigation Hub a live, synchronized workspace where multiple analysts can collaboratively drive an investigation while maintaining full traceability.
The “Live Activities” and “User Presence” features can be toggled from the Investigation Hub user preferences button. For fast-paced incident response operations, this capability reduces communication delays and improves awareness of concurrent investigation actions.
Prefix Search in Investigation Hub
The Investigation Hub now supports prefix-based filtering. When analysts type a term followed by an asterisk (“*”), the system returns all evidence or findings beginning with that prefix. For instance, entering “inv*” retrieves matches such as “investigation” or “inventory.”
This enhancement is particularly valuable for analysts who need to rapidly investigate multiple variations of a file name, process, or event in large datasets.
AIR Console – Settings
Maintenance Window Implementation
Administrators can now define structured maintenance windows by selecting preferred days and times in the settings interface. These parameters control when SaaS maintenance and auto-updates may occur, ensuring predictable operations during off-peak hours. Each maintenance window defines a start time, duration, and day of week, all of which are retrievable through management APIs.
This configuration helps minimize interruptions during critical investigations and ensures alignment with internal change control policies.
AIR Console – Evidence Acquisition
Redesign Acquisition Profile Evidence Categories and Tabs
The acquisition profile interface is fully redesigned for clarity and usability. Tabs are reorganized into clear evidence groups such as System, Memory, Network, Disk & Filesystem, Applications, and Event Logs. Analysts now benefit from alphabetically ordered artifact lists and inline descriptions for quick comprehension. Each evidence item includes a tooltip describing its contents and importance.
A new “Only Show Selected” filter allows focusing on active collection settings. Together, these updates streamline acquisition configuration, ensure completeness, and improve planning for targeted investigations or large-scale asset acquisitions.
AIR Console – Notifications
Notification Broadcasting Service with SSE
Periodic polling for notifications has been replaced with Server-Sent Events (SSE). Instead of sending repeated requests every few seconds, AIR Console now pushes notifications to the UI instantly when new events occur. This reduces unnecessary traffic, improves efficiency, and provides immediate alert visibility for analysts monitoring active cases or system updates.
For investigation teams, this means that findings, responder updates, or evidence collection statuses appear in real time with lower network overhead and faster situational awareness.
Responder and RelayPro
Hunt/Triage Inclusion-Exclusion Support
With version 5.6.0, Hunt/Triage operations now support pre-scan inclusion and exclusion rules. Analysts can define directory patterns to include or omit during scanning. Each platform (Windows, macOS, Linux) can have separate path lists defined via console or policy configurations. Validation ensures patterns are accepted correctly and executed as expected by responders.
This level of control allows investigation teams to focus on specific areas such as user profiles, temp directories, or system logs while skipping irrelevant locations. As a result, hunts/triages execute faster with reduced false positives and more targeted evidence coverage.
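The include/exclude scoping described above, as an added example that is not AIR’s own code: a constructed per-platform scope table, a decision function in which exclusions take precedence over inclusions, and the pre-push validation checks a practitioner would want before a pattern reaches responders. The glob-style pattern semantics and the scope table layout are assumptions for this example, not AIR’s policy schema.

```python
import fnmatch
import re

# Constructed scope table for this example. AIR's real policy schema is not on
# the page; only the per-platform include/exclude idea is. Paths use '/' here.
SCOPE = {
    "windows": {
        "include": ["C:/Users/*", "C:/Windows/Temp/*",
                    "C:/Windows/System32/winevt/Logs/*"],
        "exclude": ["C:/Users/*/AppData/Local/Microsoft/Windows/INetCache/*"],
    },
    "linux": {
        "include": ["/home/*", "/tmp/*", "/var/log/*"],
        "exclude": ["/var/log/journal/*"],
    },
}

def normalize(path, platform):
    """Unify separators; Windows paths are case-insensitive, so fold case."""
    p = path.replace("\\", "/")
    return p.lower() if platform == "windows" else p

def in_scope(path, platform, scope=SCOPE):
    """True when the path should be scanned: it matches an include pattern
    and no exclude pattern. Excludes win, so a noisy subtree (browser cache,
    the journal) can be carved out of an included parent directory."""
    rules = scope[platform]
    p = normalize(path, platform)
    def hit(pat):
        return fnmatch.fnmatchcase(p, normalize(pat, platform))
    if any(hit(pat) for pat in rules["exclude"]):
        return False
    return any(hit(pat) for pat in rules["include"])

def validate_pattern(pattern, platform):
    """Checks to run before a pattern is pushed to responders.
    Returns a list of problems; an empty list means the pattern is usable."""
    p = pattern.replace("\\", "/")
    problems = []
    if platform == "windows":
        if not re.match(r"^[A-Za-z]:/", p):
            problems.append("Windows pattern must start with a drive, e.g. C:/")
    elif not p.startswith("/"):
        problems.append("pattern must be an absolute path starting with /")
    if p in ("/", "/*") or re.fullmatch(r"[A-Za-z]:/\*?", p):
        problems.append("pattern covers the whole filesystem; scope it to a directory")
    return problems

def scan_targets(paths, platform):
    """Filter candidate paths down to the ones the scan should actually touch."""
    return [p for p in paths if in_scope(p, platform)]
```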
Responder Connection and Authentication Enhancements
Multiple improvements have been implemented in the Responder communication and authentication flows, including better handling of token refresh and timeout conditions. These changes strengthen system resilience during long-running investigations and ensure sustained secure connectivity even under adverse network conditions.
General Code and RelayPro Improvements
RelayPro now employs optimized buffer allocation and socket deadline management to avoid accumulating idle connections. Graceful exits are synchronized across proxy connections, which improves system stability, prevents resource leaks, and increases long-term reliability in environments with continuous remote communication between the console and assets.
Evidence Expansion
New macOS and Linux Evidence Sources
Evidence acquisition coverage has been significantly expanded for both macOS and Linux platforms. The following new artifact sources have been added:
- macOS: DMG File Opened, File Last Used, Finder Mounted Volume, Keyboard Dictionary, Mount, Software Update Information.
- Linux: DNF History, SSH Files, ETC Files, Sysmon Logs, and YUM History.
These additions provide broader cross-platform investigation coverage. Analysts can trace activity histories, mount operations, and track configuration changes across operating systems, thereby improving the completeness of post-incident investigations.
Database
Support for Encrypted Connections for PostgreSQL Servers
PostgreSQL connections used by AIR are now secured with SSL encryption. This update ensures all data exchanges between the AIR Console and its database are encrypted in transit, meeting compliance requirements and reinforcing data protection for investigation records.
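A check to go with the encrypted-connection change, as an added example that is not AIR’s own code: it reads a libpq connection string (URI or key=value form) and reports which transport guarantees the chosen sslmode actually provides. The caveat it encodes is that “encrypted” is not the same as “verified”: sslmode=require encrypts but accepts any server certificate, so only verify-full defends against an impersonated database server. The connection strings in the test are constructed.

```python
from urllib.parse import parse_qs, urlparse

# What each libpq sslmode value guarantees: (always encrypted, server cert
# checked against a CA, hostname checked against the cert). Only verify-full
# gives all three; "require" encrypts but would accept an attacker's certificate.
SSLMODE_GUARANTEES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),
    "prefer":      (False, False, False),   # libpq default when sslmode is unset
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}

def parse_conninfo(conninfo):
    """Extract parameters from a libpq URI or key=value string.
    Simplified: no quoted values and no escaped spaces in the key=value form."""
    if conninfo.startswith(("postgresql://", "postgres://")):
        url = urlparse(conninfo)
        params = {k: v[-1] for k, v in parse_qs(url.query).items()}
        if url.hostname:
            params["host"] = url.hostname
        return params
    return dict(item.split("=", 1) for item in conninfo.split())

def effective_sslmode(params):
    """Resolve the mode libpq will actually apply."""
    mode = params.get("sslmode", "prefer")
    if mode not in SSLMODE_GUARANTEES:
        raise ValueError("unknown sslmode: %s" % mode)
    # Compatibility rule in libpq: require + a root CA file behaves like verify-ca.
    if mode == "require" and params.get("sslrootcert"):
        mode = "verify-ca"
    return mode

def assess(conninfo):
    """Return the gaps in a connection string's transport protection; an empty
    list means the link is encrypted and the server identity is verified."""
    mode = effective_sslmode(parse_conninfo(conninfo))
    encrypted, ca_checked, host_checked = SSLMODE_GUARANTEES[mode]
    findings = []
    if not encrypted:
        findings.append("transport may fall back to plaintext (sslmode=%s)" % mode)
    if not ca_checked:
        findings.append("server certificate is not validated against a CA")
    if not host_checked:
        findings.append("server hostname is not checked against the certificate")
    return findings
```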
Bug Fixes
- Global Search Input Reset Issue: Resolved a problem where typing quickly in the Global Search bar caused text to disappear or reset while searches were executed. AIR now waits until input stabilizes before re-triggering searches, preventing data loss during typing.
- Task List Sorting Problem: Fixed an issue in the Task Details view where column sorting stopped functioning after reopening the column selection panel. Sorting now behaves consistently across all columns.
- Auto Asset Tagging Task Completion: Addressed a condition causing some asset tagging operations to stay in “processing” despite completion. Task states now stay correctly aligned with responder responses, including when NATS is enabled.
- Policy Isolation Allow List Transmission: A communication issue preventing isolation policy allow lists from being sent from the AIR Console to responders has been corrected. The feature now works as expected for applied network isolation workflows.
- ScreenConnect Artifact Collection: Corrected missing ScreenConnect log acquisition in Windows responder evidence sets. These artifacts are again reliably collected for remote assistance investigation scenarios.
- Browser Login Data Timestamp Alignment: Fixed incorrect ordering of “Date Created” and “Date Last Used” fields in browser login data parsing for Windows evidence.
Binalyze MITRE ATT&CK Analyzer is now at version 11.0.0
Dynamo Analyzer
Detection coverage is expanded with intelligence-driven analytics. Version 10.9 introduced the identification of suspicious commands, file paths, and PowerShell behaviors within Windows registry environment variables. These rules highlight possible persistence and command execution activity tied to adversary tactics.
Version 11.0 further enhances this by adding a new SRUM Application Timeline Analyzer. This analyzer examines collected SRUM data to surface the use of remote monitoring or hacking tools across systems. It also refines recognition of common tool names used within investigations, delivering improved prioritization and context for analysts.
MITRE ATT&CK Analyzer / YARA
Detection coverage has been broadened to include additional remote access and reconnaissance utilities, such as FleetDeck, GoToResolve, Miradore, N-Able, Nezha Agent, PDQ, RustScan, and updated Vidar Stealer variants. Together, these rules improve AIR’s ability to highlight unauthorized remote access software and network reconnaissance patterns across both newly collected and historical evidence.
Ongoing refinements enhance accuracy, reduce false positives, and strengthen the classification of backdoor behaviors and encoded PowerShell execution activity detected on assets.
Sigma
The integrated Sigma engine now aligns fully with the latest SigmaHQ and Hayabusa repository updates. These rule improvements ensure analysts benefit from the latest community-driven detections and enhanced alignment with the MITRE ATT&CK tactics and techniques classification, enabling faster investigation, hunt/triage, and automated correlation within DRONE findings.