
Binalyze AIR v5.11


What’s New?

  • Google Cloud Storage support – AIR now supports evidence upload and archival to Google Cloud Storage. This provides analysts and investigation teams with greater flexibility in selecting secure cloud repositories for collected evidence, improving integration with multi-cloud environments and accelerating post-incident data availability for review.

  • Golden Image hostname conflict alert – AIR automatically identifies assets that share the same hostname because of image deployment errors and raises a visible alert within the Console. This ensures analysts can maintain asset integrity during investigations and prevents misattribution of evidence sources.

  • Asset menu restructuring – The redesigned Asset view separates Assets into three intuitive sections: Devices, Disk Images, and Cloud Assets. This streamlined layout helps analysts quickly locate relevant evidence sources, assess responder status, and initiate investigation workflows with improved clarity.

New Features & Improvements


AIR Console – Management

Golden Image Hostname Conflict Alert for Devices

AIR now detects when identical hostnames appear across multiple assets, often due to improper image cloning. When such a condition occurs, AIR displays a clear alert in the Console interface. This helps maintain evidence integrity by preventing investigators from assigning findings to misidentified assets.

For investigation teams, this feature eliminates ambiguity during timeline analysis or DRONE comparison tasks by ensuring each asset’s identity remains unique and traceable across evidence collections and response actions.
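The conflict check described above, written out as an added example (this is not Binalyze's code and does not use AIR's API). It assumes an inventory where each asset record carries a hostname plus hardware identity fields (`machine_guid`, `mac`); those field names and the split between "image_clone" and "duplicate_registration" are assumptions made here to show why a hostname alone is not an asset identity.

```python
from collections import defaultdict

# Constructed asset inventory (sample data, not real assets).
# a1/a2 share a hostname but have different hardware identities: cloned image.
# a3/a4 share a hostname AND hardware identity: one machine registered twice.
ASSETS = [
    {"id": "a1", "hostname": "WS-GOLD01", "machine_guid": "1111-aaaa",
     "mac": "00:11:22:33:44:01", "ip": "10.0.1.11"},
    {"id": "a2", "hostname": "ws-gold01", "machine_guid": "2222-bbbb",
     "mac": "00:11:22:33:44:02", "ip": "10.0.1.12"},
    {"id": "a3", "hostname": "SRV-DB01.corp.example", "machine_guid": "3333-cccc",
     "mac": "00:11:22:33:44:03", "ip": "10.0.2.5"},
    {"id": "a4", "hostname": "srv-db01", "machine_guid": "3333-cccc",
     "mac": "00:11:22:33:44:03", "ip": "10.0.2.5"},
]


def normalize_hostname(hostname):
    """Compare hostnames case-insensitively and without a DNS suffix or trailing dot."""
    return hostname.strip().rstrip(".").split(".")[0].lower()


def find_hostname_conflicts(assets):
    """Group assets by normalized hostname and classify every group of 2+ assets.

    Returns {normalized_hostname: {"asset_ids": [...], "kind": ...}} where kind is
    "image_clone" when the group contains more than one hardware identity
    (evidence would be attributed to the wrong machine) or
    "duplicate_registration" when it is the same machine seen twice.
    """
    by_name = defaultdict(list)
    for asset in assets:
        by_name[normalize_hostname(asset["hostname"])].append(asset)

    conflicts = {}
    for name, group in by_name.items():
        if len(group) < 2:
            continue
        identities = {(a["machine_guid"], a["mac"]) for a in group}
        conflicts[name] = {
            "asset_ids": sorted(a["id"] for a in group),
            "kind": "image_clone" if len(identities) > 1 else "duplicate_registration",
        }
    return conflicts


if __name__ == "__main__":
    for name, info in find_hostname_conflicts(ASSETS).items():
        print(f"{name}: {info['kind']} across {', '.join(info['asset_ids'])}")
```

Only the "image_clone" class is the dangerous one for evidence attribution; the "duplicate_registration" class is an inventory hygiene problem and can be merged rather than alerted on.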

Asset Menu Changes

The Asset section of AIR Console has been restructured to separate Devices, Disk Images, and Cloud Assets into distinct categories. Each category includes its own tree view, preset filters, and tailored data grid columns. This structural clarity allows analysts to navigate large environments efficiently, identify responder connectivity status, and focus on relevant evidence sources.

Add Task ID Filter to Get Tasks by Case ID API

The backend API now supports filtering tasks within a specific investigation by task ID. This accelerates evidence tracking, allowing analysts to isolate relevant processing events or review discrete acquisitions as part of automated investigation pipelines.

By refining task selection, investigation teams can quickly pinpoint and validate the execution of evidence collection steps within complex multi-asset operations, improving overall investigative precision.

Filter Users with Role Tag

A new filter capability based on user roles has been added to the management interface. Investigation administrators can now quickly locate users or analysts with specific access permissions, streamlining audit reviews and response approvals.

This enhancement supports improved operational security and control, ensuring that only authorized users are assigned investigation privileges aligned with their organizational roles.


AIR Console & Responder - Evidence Repository

Google Cloud Storage Support

Analysts can now store investigation evidence directly in Google Cloud Storage, extending AIR’s existing multi-cloud compatibility. This enhancement simplifies integration for organizations using Google Cloud as part of their security data infrastructure.

During evidence acquisition or upload task configuration, users can define a Google Cloud Storage repository as the destination. This capability helps ensure forensically sound, integrity-preserving preservation of large evidence sets across global cloud environments while supporting compliance and retention requirements.

For more details: Knowledge Base


Bug Fixes

  • Timeline date selection ignores empty range and snaps to nearest date – Resolved an issue in the Timeline view that caused selected empty date ranges to automatically shift to the nearest available data range. The Timeline now respects the exact range selected by the analyst and accurately displays empty periods when applicable, ensuring chronological integrity during investigation review.

  • Tasks page unresponsive under high task volume – Fixed an issue where the Tasks page failed to load or became unresponsive after a large number of tasks had been executed. The performance of task listing and pagination has been improved to support high-volume investigation environments reliably.


Binalyze MITRE ATT&CK Analyzer is now at version 11.6.0

Dynamo Analyzer

The DRONE analysis engine introduces refined detection criteria for process anomalies on Windows. Priority-based process checks have been removed to reduce false alerts, while new logic identifies suspicious process paths and command-line attributes that may indicate adversary use of system binaries for unauthorized activity. Additional enhancements include matching administrative share access events and identifying tool names linked to known privilege escalation or lateral movement behaviors. DRONE also now detects PuTTY host key caches, highlighting potential unauthorized remote access operations.
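As an added illustration of the PuTTY host key cache artifact mentioned above (not DRONE's own detection logic), the following parser reads a `.reg` export of `HKCU\Software\SimonTatham\PuTTY\SshHostKeys`, where PuTTY stores one value per remote host named `<keytype>@<port>:<host>`, and summarizes which remote endpoints the profile has connected to. The registry export text is constructed sample data with fake key material; the non-standard-port flag is an analyst heuristic added here, not something the page attributes to DRONE.

```python
import re
from collections import defaultdict

# Constructed .reg export of the PuTTY host key cache (sample data, fake key values).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:10.0.0.5"="0x10001,0xc3a1deadbeef"
"ssh-ed25519@22:build.internal.example"="0x1f2e3d4c"
"rsa2@2222:203.0.113.17"="0x10001,0x9ab7cafe"
"ecdsa-sha2-nistp256@22:10.0.0.5"="nistp256,0x7d6c5b4a"
'''

# Value name format used by PuTTY: <keytype>@<port>:<host>
VALUE_RE = re.compile(r'^"(?P<keytype>[^@"]+)@(?P<port>\d+):(?P<host>[^"]+)"=')


def parse_putty_hostkeys(reg_text):
    """Return a list of {keytype, port, host} dicts for every cached host key."""
    in_key = False
    entries = []
    for line in reg_text.splitlines():
        if line.startswith("["):
            # Only the SshHostKeys subkey is of interest; ignore other keys in the export.
            in_key = line.rstrip("]").lower().endswith(r"\putty\sshhostkeys")
            continue
        if not in_key:
            continue
        match = VALUE_RE.match(line)
        if match:
            entries.append({
                "keytype": match.group("keytype"),
                "port": int(match.group("port")),
                "host": match.group("host"),
            })
    return entries


def summarize_remote_hosts(entries):
    """Collapse per-key entries into one row per (host, port) with the key types seen."""
    hosts = defaultdict(set)
    for entry in entries:
        hosts[(entry["host"], entry["port"])].add(entry["keytype"])
    return {endpoint: sorted(keytypes) for endpoint, keytypes in hosts.items()}


def flag_non_standard_ports(summary, standard_port=22):
    """Heuristic (assumption of this example): SSH on an unusual port deserves a closer look."""
    return sorted(endpoint for endpoint in summary if endpoint[1] != standard_port)


if __name__ == "__main__":
    summary = summarize_remote_hosts(parse_putty_hostkeys(SAMPLE_REG))
    for (host, port), keytypes in sorted(summary.items()):
        print(f"{host}:{port}  key types: {', '.join(keytypes)}")
    print("non-standard ports:", flag_non_standard_ports(summary))
```

Each cached key records a host the user accepted a fingerprint for, so the summary gives a quick list of outbound SSH destinations to cross-reference against expected administrative jump hosts.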

Sigma

Sigma detection rules have been fully synchronized with the latest repositories from SigmaHQ and Hayabusa. This update expands AIR’s coverage for modern adversary techniques and ensures more consistent cross-referencing with current MITRE ATT&CK mappings during investigation correlation.