Evidence Collection in Windows Recovery Environment – AIR Windows off‑network responders can now collect evidence while operating inside the Windows Recovery Environment (WinRE). This enhancement allows analysts to acquire and preserve evidence from non‑bootable assets, reducing time and cost by avoiding full disk imaging while maintaining forensically sound collection.
Timezone Visibility and Filtering on the Assets Page – Assets in the Console now display their time zones in the asset detail view and can be filtered by timezone. This assists investigation teams in correlating multi‑regional logs and evidence timelines, accelerating timeline reconstruction across distributed environments.
macOS Artifact Expansion – Added support to collect macOS Spotlight indexes and USB Storage History artifacts. These enrich visibility into file creation, indexing behavior, and external device access, key evidence sources for insider activity and data movement investigations.
PowerShell Console Host History Line Numbering – Parsed results for PowerShell console history now display line numbers, allowing investigators to reference command execution order precisely and improve forensic timeline correlation during live response analysis.
MFT CSV Performance Refactor – The Master File Table (MFT) CSV export process has been refactored to use a faster, multi‑threaded parser, significantly reducing analysis time while maintaining evidence integrity. This supports large‑scale acquisitions and improves analyst productivity during file‑system timeline reviews.
Proxy Configuration Evidence Enhancement – Proxy configuration data is now included in collected evidence, allowing analysts to verify system‑level network redirection and potential unauthorized proxy use during the investigation of lateral movement or data exfiltration.
Each asset now includes a dedicated timezone field, visible on asset detail pages and filterable in the advanced search. This improves the correlation of evidence timestamps when investigating incidents spanning multiple geographies or distributed environments.
Analysts can quickly organize assets by timezone to validate whether log events align across regional systems or correlate deviations with adversary activities executed in different time windows.
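The correlation described above, as an added illustration that is not part of the release notes or the product's code: each event carries the naive local timestamp from its own asset's log plus the asset's timezone, and the timeline only sorts correctly once everything is normalized to UTC. Asset names, messages and timestamps are constructed; DST gaps and overlaps are flagged because they are where timezone-only correlation goes wrong.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Constructed sample events: the timestamp as written in each asset's local
# log (naive, no offset) plus the timezone recorded for that asset.
# Asset names and messages are made up for illustration.
SAMPLE_EVENTS = [
    {"asset": "ny-dc01", "tz": "America/New_York", "local": "2024-03-10 03:30:00", "msg": "interactive logon svc_backup"},
    {"asset": "lon-fs02", "tz": "Europe/London", "local": "2024-03-10 08:05:00", "msg": "remote service installed"},
    {"asset": "sgp-web01", "tz": "Asia/Singapore", "local": "2024-03-10 15:20:00", "msg": "outbound 443 to unknown host"},
]


def localize(local_str: str, tz_name: str) -> tuple[datetime, str]:
    """Attach the asset timezone to a naive local timestamp and return
    (utc_datetime, flag). flag is '' for a clean conversion, 'nonexistent'
    when the wall-clock time never occurred (DST spring-forward) and
    'ambiguous' when it occurred twice (DST fall-back); both need review."""
    tz = ZoneInfo(tz_name)
    naive = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S")
    aware = naive.replace(tzinfo=tz)
    flag = ""
    # A nonexistent wall-clock time does not survive a UTC round trip.
    if aware.astimezone(timezone.utc).astimezone(tz).replace(tzinfo=None) != naive:
        flag = "nonexistent"
    # An ambiguous one has a different offset on the second occurrence (fold=1).
    elif aware.utcoffset() != aware.replace(fold=1).utcoffset():
        flag = "ambiguous"
    return aware.astimezone(timezone.utc), flag


def build_timeline(events: list[dict]) -> list[dict]:
    """Normalize every event to UTC and return them in true chronological order."""
    rows = []
    for ev in events:
        utc, flag = localize(ev["local"], ev["tz"])
        rows.append({**ev, "utc": utc.strftime("%Y-%m-%d %H:%M:%S"), "flag": flag})
    return sorted(rows, key=lambda r: r["utc"])


if __name__ == "__main__":
    # Local order is ny, lon, sgp; UTC order is sgp, ny, lon.
    for r in build_timeline(SAMPLE_EVENTS):
        print(f'{r["utc"]}Z  {r["asset"]:<10} {r["tz"]:<18} local {r["local"][11:]}  {r["msg"]}  {r["flag"]}')
```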
Off-network responders can now operate in offline mode within Windows Recovery Environment (WinRE) to collect evidence when systems cannot boot normally. This capability enables the extraction of registry hives, event logs, and file artifacts directly from non‑operational assets without rebuilding the system or imaging the entire disk.
The feature helps analysts recover evidence from critical hosts after ransomware or system‑level compromise, preserving evidence integrity before remediation. Running the off‑network responder from a bootable USB drive ensures the collection process remains isolated and forensically sound.
Proxy configuration evidence has been extended to include a broader detection of system‑defined proxy settings. During an investigation, analysts can now verify proxy configurations to identify hidden network interception, redirection, or misconfiguration that may reveal traces of command‑and‑control communication or exfiltration channels.
The MFT (Master File Table) CSV export operation for Windows assets has been refactored to employ optimized parsing and resource utilization techniques. This delivers substantial performance improvements, significantly reducing parse time on large file systems.
This directly benefits analysts performing file-timeline correlation or change-detection tasks, accelerating triage in enterprise‑scale investigation scenarios.
Parsed PowerShell Console Host History artifacts now include line number annotations. This refinement provides investigators with a clear command-execution order during user activity reconstruction, improving the accuracy of the timeline correlation between host actions and observed alerts.
New evidence types have been introduced for macOS systems. Spotlight artifact collection provides visibility into system index data, revealing files that were accessed or created, even if they were later deleted from user directories.
A new artifact source now captures historical records of USB storage device connections on macOS assets. Analysts can identify device identifiers, connection timestamps, and usage relationships to support the validation of data theft or exfiltration hypotheses.
Combined, these enhance macOS investigation depth and augment visibility into user behavior and adversary traces across Apple environments.
Responders can now override or add custom HTTP headers for console communications. This enables advanced network control or integration scenarios in which security gateways or monitoring tools require specific request identifiers without compromising protocol integrity.
Although primarily a convenience for integration, the feature helps enterprise security teams maintain consistent communication policies while keeping evidence transfer secure and auditable.
The interACT execution command has been enhanced with a new --background alias (also available as --nowait), allowing analysts to execute commands asynchronously. This prevents command‑line session blocking during longer evidence collection operations.
Improvements to standard output and error stream handling prevent unexpected terminations and ensure complete records for audit logging, maintaining chain‑of‑custody assurance for interactive command activity.
Responders now identify themselves using updated, configurable User‑Agent header strings when sending requests to the Console. This ensures compatibility with enterprise firewalls and modern cloud proxy solutions, improving communication reliability across managed environments.
Edge Cookies Acquisition: Updated evidence collector paths for Microsoft Edge to include the latest “Network\Cookies” directory structure introduced in recent versions. This ensures accurate browser cookie collection and visibility inside Investigation Hub.
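The path change behind this fix, as an added example written for these notes rather than taken from the product: a collector that only knows the older per-profile Cookies location returns nothing on current Edge builds, so a resolver has to check the newer Network subdirectory first and fall back to the legacy location. The demo tree, profile names and file contents are constructed; the SQLite header check is a sanity check on what was found, not a parse of the database.

```python
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file


def _is_profile_dir(p: Path) -> bool:
    """Chromium-based browsers keep profiles as 'Default' and 'Profile N'."""
    return p.is_dir() and (p.name == "Default" or p.name.startswith("Profile "))


def _is_sqlite(p: Path) -> bool:
    with p.open("rb") as fh:
        return fh.read(16) == SQLITE_MAGIC


def edge_cookie_databases(user_data_dir: Path) -> list[dict]:
    """Return one record per profile with the cookie DB path found on this
    host. Newer Edge builds store it under <profile>/Network/Cookies, older
    ones directly under <profile>/Cookies; both layouts are checked so the
    collector never silently comes back empty on either."""
    results = []
    for profile in sorted(p for p in user_data_dir.iterdir() if _is_profile_dir(p)):
        candidates = [("network", profile / "Network" / "Cookies"), ("legacy", profile / "Cookies")]
        record = {"profile": profile.name, "path": None, "layout": "missing", "is_sqlite": False}
        for layout, path in candidates:
            if path.is_file():
                record.update(path=path, layout=layout, is_sqlite=_is_sqlite(path))
                break
        results.append(record)
    return results


def demo() -> list[dict]:
    """Build a constructed User Data tree in a temp dir covering both layouts
    plus one profile with no cookie DB, then run the resolver over it."""
    import tempfile
    root = Path(tempfile.mkdtemp()) / "User Data"
    (root / "Default" / "Network").mkdir(parents=True)
    (root / "Default" / "Network" / "Cookies").write_bytes(SQLITE_MAGIC + b"\x00" * 16)
    (root / "Profile 1").mkdir()
    (root / "Profile 1" / "Cookies").write_bytes(SQLITE_MAGIC + b"\x00" * 16)
    (root / "Profile 2").mkdir()  # profile that never stored cookies
    return edge_cookie_databases(root)


if __name__ == "__main__":
    for r in demo():
        print(f'{r["profile"]:<10} {r["layout"]:<8} sqlite={r["is_sqlite"]}  {r["path"]}')
```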
Case.db OS Version Correction: Fixed a discrepancy where Investigation Hub displayed Windows 11 Pro systems as Windows 10 Pro. The correction ensures accurate operating system reporting for all assets contributing to a case.
SAM Users and Groups Relationship: Corrected the issue preventing group names from displaying correctly under SAM Users acquisition results. Associations between users and groups are now properly recorded and visible in the Investigation Hub.
DRONE Filename Parsing: Resolved a bug where filenames starting with zero caused path separator misinterpretation during YARA scanning, ensuring consistent evidence processing regardless of filename format.
The analyzer set has been expanded with coverage across multiple evidence types, including shell histories, browser activities, registry behaviors, and system configuration sources. These new analyzers enhance the detection of user activity, persistence mechanisms, and file execution patterns across Windows, macOS, and Linux disk images. Additionally, extended pattern recognition improves the identification of remote management and hacker tool usage through enriched analysis of command and environment variables.
Detection rules have been updated to identify Dystopia Windows RAT variants that leverage Discord, Telegram, and GitHub for command‑and‑control. Broader refinements across existing signatures further reduce false positives and strengthen behavioral coverage against unauthorized remote access activity.
DRONE now incorporates the latest Sigma rule updates from both the SigmaHQ and Hayabusa repositories, ensuring analysts benefit from the most current community‑derived detection intelligence directly integrated into automated analysis workflows.