What’s New?
- Evidence Collection in Windows Recovery Environment – AIR Windows off‑network responders can now collect evidence while operating inside the Windows Recovery Environment (WinRE). This enhancement allows analysts to acquire and preserve evidence from non‑bootable assets, reducing time and cost by avoiding full disk imaging while maintaining forensically sound collection.
- Timezone Visibility and Filtering on the Assets Page – Assets in the Console now display their time zones in the asset detail view and can be filtered by timezone. This assists investigation teams in correlating multi‑regional logs and evidence timelines, accelerating timeline reconstruction across distributed environments.
- macOS Artifact Expansion – Added support to collect macOS Spotlight indexes and USB Storage History artifacts. These enrich visibility into file creation, indexing behavior, and external device access, which are key evidence sources for insider activity and data movement investigations.
- PowerShell Console Host History Line Numbering – Parsed results for PowerShell console history now display line numbers, allowing investigators to reference command execution order precisely and improve forensic timeline correlation during live response analysis.
- MFT CSV Performance Refactor – The Master File Table (MFT) CSV export process has been refactored to use a faster, multi‑threaded parser, significantly reducing analysis time while maintaining evidence integrity. This supports large‑scale acquisitions and improves analyst productivity during file‑system timeline reviews.
- Proxy Configuration Evidence Enhancement – Proxy configuration data is now included in collected evidence, allowing analysts to verify system‑level network redirection and potential unauthorized proxy use during the investigation of lateral movement or data exfiltration.
New Features & Improvements
AIR
Timezone Field for Assets
Each asset now includes a dedicated timezone field, visible on asset detail pages and filterable in the advanced search. This improves the correlation of evidence timestamps when investigating incidents spanning multiple geographies or distributed environments.
Analysts can quickly organize assets by timezone to validate whether log events align across regional systems or correlate deviations with adversary activities executed in different time windows.
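The correlation the timezone field enables, as an added example that is not Binalyze code: each asset's local timestamps are normalized to UTC using the asset's IANA timezone name (assumed to be what the field holds) and merged into one ordered timeline, which can differ from the order the raw local clocks suggest.

```python
"""Normalize per-asset local timestamps to UTC and build one timeline.

Added example, not part of AIR. Assumes each asset carries an IANA timezone
name and that evidence timestamps are naive local times as written by the host.
"""
from datetime import datetime, timezone
from typing import List, Tuple
from zoneinfo import ZoneInfo

# Constructed sample: (asset name, asset timezone, local timestamp, event)
EVENTS = [
    ("fs-frankfurt", "Europe/Berlin",    "2024-03-12 09:05:00", "interactive logon"),
    ("dc-newyork",   "America/New_York", "2024-03-12 03:04:30", "service ticket request"),
    ("web-tokyo",    "Asia/Tokyo",       "2024-03-12 16:00:00", "outbound connection"),
]


def to_utc(local_ts: str, tz_name: str) -> datetime:
    """Attach the asset's zone (DST-aware) and convert to UTC."""
    naive = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=ZoneInfo(tz_name)).astimezone(timezone.utc)


def build_timeline(events) -> List[Tuple[datetime, str, str]]:
    """Return (utc_time, asset, event) rows sorted by true UTC order."""
    rows = [(to_utc(ts, tz), asset, ev) for asset, tz, ts, ev in events]
    rows.sort(key=lambda r: r[0])
    return rows


def local_order(events) -> List[str]:
    """Order implied by the raw local clocks, for comparison only."""
    return [asset for asset, _, ts, _ in sorted(events, key=lambda e: e[2])]


if __name__ == "__main__":
    for when, asset, ev in build_timeline(EVENTS):
        print(f"{when:%Y-%m-%d %H:%M:%S}Z  {asset:<13} {ev}")
    print("local-clock order:", local_order(EVENTS))
```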
TACTICAL
Evidence Collection within Windows Recovery Environment
Off-network responders can now operate in offline mode within the Windows Recovery Environment (WinRE) to collect evidence when systems cannot boot normally. This capability enables the extraction of registry hives, event logs, and file artifacts directly from non‑operational assets without rebuilding the system or imaging the entire disk.
The feature helps analysts recover evidence from critical hosts after ransomware or system‑level compromise, preserving evidence integrity before remediation. Running the off‑network responder from a bootable USB drive ensures the collection process remains isolated and forensically sound.
Proxy Configuration Evidence Enhancements
Proxy configuration evidence has been extended to include a broader detection of system‑defined proxy settings. During an investigation, analysts can now verify proxy configurations to identify hidden network interception, redirection, or misconfiguration that may reveal traces of command‑and‑control communication or exfiltration channels.
MFT CSV Refactor with Enhanced Performance
The MFT (Master File Table) CSV export operation for Windows assets has been refactored to employ optimized parsing and resource utilization techniques. This delivers substantial performance improvements, significantly reducing parse time on large file systems.
This directly benefits analysts performing file-timeline correlation or change-detection tasks, accelerating triage in enterprise‑scale investigation scenarios.
PowerShell Console Host History Line Numbering
Parsed PowerShell Console Host History artifacts now include line number annotations. This refinement provides investigators with a clear command-execution order during user activity reconstruction, improving the accuracy of the timeline correlation between host actions and observed alerts.
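How line-numbered history can be derived from the raw artifact, as an added example that is not Binalyze's parser: it reads a PSReadLine ConsoleHost_history.txt, keeps the file line where each command starts, and joins multi-line commands whose continuation lines end in a backtick (the PSReadLine on-disk convention; the sample file is constructed).

```python
"""Number the commands in a PSReadLine ConsoleHost_history.txt.

Added example, not AIR's own parser. Assumes the PSReadLine format, where a
multi-line command is stored as consecutive lines, each but the last ending
with a backtick continuation character.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample history (not a real capture); backslashes are escaped.
SAMPLE_HISTORY = """Get-Process
Get-ChildItem C:\\Users `
    -Recurse `
    -Force
whoami
Set-Location C:\\Temp
"""


@dataclass
class HistoryEntry:
    line_no: int   # 1-based line in the file where the command starts
    command: str   # full command, continuation lines joined


def parse_console_history(text: str) -> List[HistoryEntry]:
    """Parse history text into numbered entries in execution (file) order."""
    entries: List[HistoryEntry] = []
    pending: List[str] = []
    start_line = 0
    for idx, raw in enumerate(text.splitlines(), start=1):
        if not pending:
            if not raw.strip():
                continue          # stray blank line, not a command
            start_line = idx
        if raw.endswith("`"):
            pending.append(raw[:-1].strip())   # continuation: wait for more
            continue
        pending.append(raw.strip())
        entries.append(HistoryEntry(start_line, " ".join(pending)))
        pending = []
    if pending:   # file ended mid-command: keep what was recorded
        entries.append(HistoryEntry(start_line, " ".join(pending)))
    return entries


def render(entries: List[HistoryEntry]) -> str:
    return "\n".join(f"{e.line_no:>5}  {e.command}" for e in entries)


if __name__ == "__main__":
    print(render(parse_console_history(SAMPLE_HISTORY)))
```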
macOS Spotlight Artifacts
New evidence types have been introduced for macOS systems. Spotlight artifact collection provides visibility into system index data, revealing files that were accessed or created, even if they were later deleted from user directories.
Together with the USB Storage History artifact below, these additions deepen macOS investigations and augment visibility into user behavior and adversary traces across Apple environments.
USB Storage History for macOS
A new artifact source now captures historical records of USB storage device connections on macOS assets. Analysts can identify device identifiers, connection timestamps, and usage relationships to support the validation of data theft or exfiltration hypotheses.
Responder
Configurable HTTP Request Headers
Responders can now override or add custom HTTP headers for console communications. This enables advanced network control or integration scenarios in which security gateways or monitoring tools require specific request identifiers without compromising protocol integrity.
Although primarily a convenience for integration, the feature helps enterprise security teams maintain consistent communication policies while keeping evidence transfer secure and auditable.
interACT Execution Command Update
The interACT execution command has been enhanced with a new --background alias (also available as --nowait), allowing analysts to execute commands asynchronously. This prevents command‑line session blocking during longer evidence collection operations.
Improvements to standard output and error stream handling prevent unexpected terminations and ensure complete records for audit logging, maintaining chain‑of‑custody assurance for interactive command activity.
Updated User‑Agent Header for Requests
Responders now identify themselves using updated, configurable User‑Agent header strings when sending requests to the Console. This ensures compatibility with enterprise firewalls and modern cloud proxy solutions, improving communication reliability across managed environments.
Bug Fixes
- Edge Cookies Acquisition: Updated evidence collector paths for Microsoft Edge to include the latest “Network\Cookies” directory structure introduced in recent versions. This ensures accurate browser cookie collection and visibility inside Investigation Hub.
- Case.db OS Version Correction: Fixed a discrepancy where Investigation Hub displayed Windows 11 Pro systems as Windows 10 Pro. The correction ensures accurate operating system reporting for all assets contributing to a case.
- SAM Users and Groups Relationship: Corrected the issue preventing group names from displaying correctly under SAM Users acquisition results. Associations between users and groups are now properly recorded and visible in the Investigation Hub.
- DRONE Filename Parsing: Resolved a bug where filenames starting with zero caused path separator misinterpretation during YARA scanning, ensuring consistent evidence processing regardless of filename format.
Binalyze MITRE ATT&CK Analyzer is now at version 11.4.0
Dynamo Analyzer
The analyzer set has been expanded with coverage across multiple evidence types, including shell histories, browser activities, registry behaviors, and system configuration sources. These new analyzers enhance the detection of user activity, persistence mechanisms, and file execution patterns across Windows, macOS, and Linux disk images. Additionally, extended pattern recognition improves the identification of remote management and hacker tool usage through enriched analysis of command and environment variables.
MITRE ATT&CK Analyzer / YARA
Detection rules have been updated to identify Dystopia Windows RAT variants that leverage Discord, Telegram, and GitHub for command‑and‑control. Broader refinements across existing signatures further reduce false positives and strengthen behavioral coverage against unauthorized remote access activity.
Sigma
DRONE now incorporates the latest Sigma rule updates from both the SigmaHQ and Hayabusa repositories, ensuring analysts benefit from the most current community‑derived detection intelligence directly integrated into automated analysis workflows.