Release Notes - AIR

Binalyze AIR v5.16

Written by Elif Kurt | Wed, Apr 15, '26

What’s New?

  • AIR File Explorer XFS Partition Support: Added support for recognizing and parsing XFS partitions in disk images. Analysts can now browse and analyze evidence from XFS-based assets directly within AIR File Explorer.

  • Expanded Windows evidence coverage in Baseline Comparison: Baseline Comparison is enhanced with support for 40+ new Windows evidence sources, along with new section constants and table-to-section mappings to extend comparison coverage across file system activity, registry artifacts, system and network data, SRUM, and other forensic evidence sources. macOS section constants and mappings were also reformatted for improved consistency.

  • Enhanced RelayPro: RelayPro was upgraded with a new toolchain and dependency improvements that enhance responder–console communication security and reliability. This ensures uninterrupted evidence transfers and more resilient responder connectivity during large-scale, distributed investigations.

New Features & Improvements

Expanded Windows evidence coverage in Baseline Comparison

Baseline Comparison coverage was significantly expanded with more than 40 new Windows evidence items. Each item has identifier-field and ignore-field mappings to support accurate comparison behavior across a broader set of artifacts. To enable these new evidence types throughout the comparison pipeline, 12 new Windows section constants and related table-to-section mappings were also added. In addition, macOS section constants and table mappings were reformatted for more consistent alignment and improved maintainability.

The newly supported Windows evidence sources were added across multiple investigation areas, including file system and user activity artifacts such as crash dumps, recycle bin, system restore, downloads, shell bags, LNK files, and jump list data; registry artifacts such as AppCompatCache, UserAssist, Recent Docs, Typed URLs, Office MRU, and Open/Save MRU; system and network data including processes, TCP/UDP tables, ARP table, and volumes; SRUM-based usage artifacts covering application, network, timeline, energy, and connectivity data; and other high-value sources such as Amcache, browser downloads, dependency manifests, PowerShell ConsoleHost history, and user access logs. Through this expansion, broader visibility into Windows activity and configuration data was enabled, allowing change analysis to be performed with greater depth and consistency.
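How identifier fields and ignore fields shape a baseline comparison, as an added example that is not Binalyze AIR code. The rule layout, evidence names, field names and sample rows are all assumptions constructed for illustration.

```python
# Added illustration, not Binalyze AIR code. Evidence names, field names and
# all sample rows below are constructed for this example.
# Assumed rule shape: identifier fields decide which rows are the same item;
# ignore fields are volatile and never count as a change.
RULES = {
    "tcp_table": {"identifier": ("local_addr", "local_port", "process_name"),
                  "ignore": ("pid", "collected_at")},
    "arp_table": {"identifier": ("interface", "ip"),
                  "ignore": ("collected_at",)},
}

def _index(rows, identifier):
    return {tuple(row.get(f) for f in identifier): row for row in rows}

def compare(evidence, baseline, current):
    """Return added/removed/changed items for one evidence type."""
    rule = RULES[evidence]
    skip = set(rule["identifier"]) | set(rule["ignore"])
    old = _index(baseline, rule["identifier"])
    new = _index(current, rule["identifier"])
    changed = []
    for key in sorted(old.keys() & new.keys(), key=str):
        fields = sorted((set(old[key]) | set(new[key])) - skip)
        diff = {f: (old[key].get(f), new[key].get(f)) for f in fields
                if old[key].get(f) != new[key].get(f)}
        if diff:
            changed.append((key, diff))
    return {"added": sorted(new.keys() - old.keys(), key=str),
            "removed": sorted(old.keys() - new.keys(), key=str),
            "changed": changed}

TCP_BASE = [
    {"local_addr": "0.0.0.0", "local_port": 3389, "process_name": "svchost.exe",
     "pid": 1120, "state": "LISTEN", "collected_at": "2026-01-10T08:00:00Z"},
]
TCP_NOW = [
    {"local_addr": "0.0.0.0", "local_port": 3389, "process_name": "svchost.exe",
     "pid": 2044, "state": "LISTEN", "collected_at": "2026-04-15T08:00:00Z"},
    {"local_addr": "0.0.0.0", "local_port": 8443, "process_name": "updater.exe",
     "pid": 5312, "state": "LISTEN", "collected_at": "2026-04-15T08:00:00Z"},
]
ARP_BASE = [{"interface": "Ethernet0", "ip": "192.0.2.1",
             "mac": "00:00:5e:00:53:01", "collected_at": "2026-01-10T08:00:00Z"}]
ARP_NOW = [{"interface": "Ethernet0", "ip": "192.0.2.1",
            "mac": "00:00:5e:00:53:aa", "collected_at": "2026-04-15T08:00:00Z"}]

if __name__ == "__main__":
    print(compare("tcp_table", TCP_BASE, TCP_NOW))
    print(compare("arp_table", ARP_BASE, ARP_NOW))
```

The restarted listener with a new PID produces no finding because `pid` is ignored, while the new listener and the changed gateway MAC are both reported.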

AIR File Explorer XFS Partition Support Improvements

Full disk images containing XFS partitions can now be opened in AIR File Explorer, and file types within those partitions are displayed correctly. This improvement was implemented to address cases where XFS-based evidence could be accessed, but file type information was not visible, limiting file review and triage during investigations. With this enhancement, evidence stored on XFS partitions can be examined more effectively, enabling faster validation of file contents and improving confidence in incident analysis for security analysts.

Responder Communication Optimization

RelayPro Dependency and Toolchain Upgrades

This release introduces an updated RelayPro component version that enhances responder–console communication reliability and strengthens encryption handling. The updated communication stack ensures secure transmission during live-response operations and improves failover handling for responders working through restrictive networks.

For investigation teams, this means greater confidence in evidence integrity and session reliability during real-time analysis or containment workflows. RelayPro’s enhanced dependency security reduces the risk of communication errors, ensuring uninterrupted connectivity between distributed responders and the AIR Console.

Prevent Avoidable HTTP Requests from Responder

Optimizations have been added to reduce redundant responder–console communication. Responders now suppress duplicate status reports and disable unnecessary retry attempts when a request fails with permanent error conditions (for example, 404, 403, 401 responses). This improvement reduces network overhead during widespread deployments and speeds up recovery during transient connectivity disruptions.
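The two behaviors described above (suppressing duplicate status reports, and not retrying permanent errors) sketched as an added example that is not Binalyze AIR code. `StatusReporter`, its parameters and the scripted responses are hypothetical; `send` stands in for the real HTTP call and returns a status code.

```python
# Added illustration, not Binalyze AIR code. All names here are hypothetical.
import hashlib
import json
import time

PERMANENT = {401, 403, 404}  # the permanent error conditions named in the note

class StatusReporter:
    def __init__(self, send, max_attempts=4, sleep=time.sleep):
        self.send = send                  # callable(status_dict) -> HTTP status code
        self.max_attempts = max_attempts
        self.sleep = sleep
        self.last_digest = None           # digest of the last accepted report

    def report(self, status):
        body = json.dumps(status, sort_keys=True).encode()
        digest = hashlib.sha256(body).hexdigest()
        if digest == self.last_digest:
            return "suppressed"           # identical to the last accepted report
        for attempt in range(1, self.max_attempts + 1):
            code = self.send(status)
            if 200 <= code < 300:
                self.last_digest = digest
                return "sent"
            if code in PERMANENT:
                return f"dropped:{code}"  # a retry cannot change the outcome
            if attempt < self.max_attempts:
                self.sleep(min(2 ** attempt, 30))  # back off on transient errors
        return "gave_up"

def demo():
    """Drive the reporter with a constructed sequence of server responses."""
    script = iter([503, 200, 403])
    calls = []
    def fake_send(status):
        calls.append(status)
        return next(script)
    reporter = StatusReporter(fake_send, sleep=lambda seconds: None)
    outcomes = [
        reporter.report({"task": "t1", "state": "running"}),  # 503, then 200
        reporter.report({"task": "t1", "state": "running"}),  # duplicate
        reporter.report({"task": "t1", "state": "done"}),     # 403
    ]
    return outcomes, len(calls)

if __name__ == "__main__":
    print(demo())
```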

Bug Fixes

  • Incorrect Task Status Display: Resolved an issue where task statuses under Cases → Tasks appeared inconsistent when the main task was cancelled. Statuses now correctly reflect task outcomes across all views.

  • Proxy Configuration Not Applied to External Services: Corrected a defect where AIR Console’s proxy settings did not apply to outbound traffic for feature management and analytics services. Proxy enforcement is now consistent across all external integrations.

  • Investigation Hub Report Generation: Fixed a failure that prevented report generation from evidence sources while reports from findings succeeded. Evidence-based reports now generate reliably.

  • Acquisition Task Report Loading: Addressed an issue where the Investigation Hub report for certain acquisition tasks remained in a loading state. Reports now open consistently within the console.

  • Chrome History Acquisition Integrity: Improved the file copy process for the Chrome History database to reduce the risk of corrupted SQLite files, ensuring analysts can examine browser activity with full integrity preservation.