
AIR Release Notes





Version 4.11


Link to blog.



  • Introducing Frank.AI, your investigation copilot

    • Frank is an AI Assistant designed to enhance forensic investigations within the AIR console. Frank.AI offers instant forensic assistance across all console pages, for example, providing insights, without leaving AIR, on subjects such as YARA, Sigma, and Osquery rule writing.

    • In this preview version, Frank leverages the ChatGPT API without additional fine-tuning, setting the stage for future enhancements. Future updates aim to expand Frank's capabilities through Retrieval Augmented Generation (RAG) for accessing broader data sources and deeper integration with the AIR ecosystem, including direct data retrieval from the AIR database and collaborative analysis with AIR's AI module for advanced insights, such as anomaly detection and behavioral correlations.

    • You can reposition, resize, and minimize it just like any standard window, ensuring it fits seamlessly into your workflow without obstructing your view.

    • There are no additional domain requirements as Frank.AI is hosted on

    • Stay tuned for evolving features and improvements based on user feedback. 

  • New evidence types:


  • Parse LNK Files

  • Collect LNK Files


  • Systemctl Services

Browser evidence types across Windows, Linux and macOS

  • Chrome Sessions

  • Chrome Login Data

  • Chrome Local Storage

  • Chrome IndexedDB

  • Chrome Web Storage

  • Chrome Form History

  • Chrome Thumbnails

  • Chrome Favicons

  • Default Browser

  • Firefox Cookies

Credit: Ashok K 

  • A full list of the 584 items now supported in AIR is available in the Knowledge Base


  • Disk imaging errors reported in metadata.yml 

    • AIR’s disk or volume imaging feature produces a file that captures the metadata related to the imaging process. This now includes a log of any errors encountered, which are documented within the metadata.yml file for comprehensive tracking and analysis. (Credit: Charlotte H)

    • Please see this KB article for a full explanation. 

  • Scheduling Based on Asset Timezone 

    • AIR now enables users to schedule tasks according to the asset's local time zone. This ensures that tasks are executed at the specified time relative to each asset's geographical location, allowing for synchronized operations across different time zones. For example, when choosing this option, instructing the system to perform a task at 01:00 will result in the task being carried out at 01:00 in the local time of each asset, regardless of their global positions. (Credit: Ramesh P)

    • Please see this KB article for more information.

  • Auto Asset Tagging Rules: New wizard and Organizational Saving 

    • The new Auto Asset Tagging (AAT) wizard allows rules to be saved specifically for individual organizations or universally across all organizations. This enhancement supports users in creating and applying incident-specific AATs selectively, avoiding unnecessary use or exposure of a rule outside the intended organizational context.  (Credit: Caleb T)

    • Please read this Auto Asset Tagging KB page for more information.

  •  AIR version information is again displayed in the main menu

    • The AIR console version number has returned to the main menu to stop users from having to locate it on the settings page. 


  • A timestamp issue with the Event log content has been fixed. (Credit: Jon F, Grant O and Ben H)

  • Some incorrect "Match Counts" under the "Case Triages" Page have been resolved.

  • In previous versions, AIR displayed the "KeyLastWriteTime" in the evidential Amcache CSV files in local time instead of UTC. This has now been corrected to show times in UTC, ensuring consistency and accuracy. (Credit: Guo Y)

  • Tornado, crucial for AIR's File Explorer integration, retries registration until successful. A bug affecting success confirmation was fixed, enhancing reliability. (Credit: Nuno P)



Version 4.9


Link to blog.



  • New Task Scheduling capability integrated into the AIR tasking wizard.

    • Investigators can now use the tasking wizard to schedule the following activities:

      • Evidence collections.

      • Triage/Threat Hunting. (Credit: Turgut Ö)

      • Disk and Volume Imaging.

      • Auto Asset Tagging. 

    • Scheduled tasks can be assigned to a Case.

    • The timezone for task execution can be adjusted.

    • The recurrence rate can be set to Daily, Weekly, or Monthly.

    • The sequence can be stopped at a particular date and time or after a defined number of occurrences.

  • New Windows evidence type

    • AIR now parses the Windows $USN Journal and saves this file to the evidence repository as a .csv file for easy analysis. (Credit: David C)


  • ESXi collections

    • We have extended the list of what we collect from ESXi from 10 to 100 items. For the full list please visit the Binalyze KB (Credit: Guo Y) 

  • macOS Agent - Full Disk Access requests

    • When installing an AIR responder on a T2 or later Mac, Full Disk Access is required for it to have the necessary permissions for all AIR collection types. AIR’s responder will now display a message to advise the installer to:

      • Open System Settings -> Privacy & Security -> Full Disk Access to grant permission to “air”.

      • The user will need to toggle the switch 'on' to enable Full Disk Access for the AIR responder. (Credit: Caleb T) 

  • Auto Asset Tagging Rules added to Task Details

    • In the Task Details window, users can now see the Auto Asset Tag (AAT) rules that were checked during individual AAT task assignments.

Binalyze MITRE ATT&CK Analyzer has seen the following updates since the last release of AIR: 4.1.0, 4.2.0, 4.2.1, 4.2.2 and 4.2.3.

For details please see the changelog in the Binalyze KB.



  • Bulk Action Bar re-sized and re-positioned

    • The new size and location of the Bulk Action Bar means that it no longer interferes with other information displayed in the UI. (Credit: David C) 


Version 4.8.1


Hot Fix

  • Attention to users of AIR 4.8.0: Some users may experience difficulty logging into AIRConsole. This issue affects only users assigned to specific organizations (but not those who select “All” organizations). 

    Please see the example below for reference.

    In version 4.8.1, we have addressed and resolved this issue. We recommend that all customers currently using AIR 4.8.0 upgrade to AIR 4.8.1 at their earliest convenience.





Version 4.8

In AIR version 4.7 and above, we've added a new Docker container specifically for enabling the new File Explorer feature in AIR. If you're not interested in using File Explorer, you can proceed with the upgrade as usual. However, if you do wish to use File Explorer and haven't received assistance with migration yet, please reach out to our support team for guidance on updating to version 4.7+. Contacting our support team is only necessary if you intend to activate the File Explorer feature.



  • Isolate multiple assets simultaneously 

    • Users now have the capability to select multiple assets simultaneously and execute bulk actions to isolate any desired number of assets concurrently. (Credit: Samer H)

  • Task renaming

    • Tasks can now be easily renamed via the edit pencil icon located within the Task Details Information tab, streamlining the renaming process for enhanced efficiency and convenience.

  • Columns Headings order & stickiness 

    • We've enhanced the Investigation Hub tables, enabling users to choose and easily rearrange columns by dragging and dropping them into their preferred order. This selected layout will remain 'sticky' for each user, providing a personalized experience. (Credit: Allesando G)

  • Auto Asset Tagging Rules added to Task Details 

    • The Auto Asset Tags used in a Tasking Assignment are now displayed under the Information tab in the Task Details window. 

  • Enhanced Responder Uninstallation

    • By default, the responder uninstallation process now includes a purge/clean-up operation where certain responder application files that were not removed in earlier versions of AIR will now be purged during the process. It's important to note that evidence saved on the local asset or any external evidence repositories will remain unaffected.


  • Agent Update Task Errors

    • A recent Windows update affected the ability of some AIR agents to auto-update. Fixed in AIR v4.8. (Credit: Blake B)

  • Asset labeling/editing issue fixed

    • Typing a new asset label or editing an existing one was problematic, as in some instances the UI did not allow enough time to finish typing. Fixed in AIR v4.8. (Credit: Zainal B N)


Version 4.7

Link to blog.




In AIR version 4.7 and above, we've added a new Docker container specifically for enabling the new File Explorer feature in AIR. If you're not interested in using File Explorer, you can proceed with the upgrade as usual. However, if you do wish to use File Explorer and haven't received assistance with migration yet, please reach out to our support team for guidance on updating to version 4.7+. Contacting our support team is only necessary if you intend to activate the File Explorer feature.



  • Introducing AIR's new File Explorer.

AIR can now be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in the RAW format. 

The forensic image can be added to AIR as a new Asset in a three-step process:

  • 1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

  • 2. Select your connected repository and then the raw disk image you wish to explore:

  • 3. Select ‘Create Asset’:

The image must be supplied to AIR from an SMB or SFTP shared location, where it needs to be saved as a single contiguous file. Segmented files are not currently supported.


The next step is to select File Explore from the secondary menu:


You can now browse the asset’s directory structure, which is expanded in the secondary menu (highlighted below), and then select individual files for closer inspection:


A file can be selected with a right-click to download it locally or calculate its hash values.


Advanced filters can be applied to filter the files displayed.


This is just the beginning of our File Explorer project - many more features are planned and your feedback is most welcome.

  • Advanced Filter capability for all evidence category tables

We have added and standardized our advanced filter functionality across all Investigation Hub evidence category tables to:

  • Ensure consistency across AIR's data analysis capabilities.

  • Empower users with flexible advanced query options.

  • Enhance overall data analysis efficiency.

The example above demonstrates the versatility of crafting filters that cater to both simple and intricate requirements. These filters offer support for compound logic by using AND/OR Boolean operators, applicable to any of the available columns. This empowers investigators with robust and flexible filtering capabilities.

  • New collection of remote tool artifacts: 


  • Splashtop Mac Logs


  • Xeox Logs

  • ZohoAssist Logs

  • Supremo Remote Desktop Logs

  • TightVNC Logs

  • AmmyAdmin Logs

  • GoTo Logs    

  • Kaseya Logs

  • Level Logs

  • Remote Utilities Logs

  • RealVNC Logs

  • Splashtop Windows Logs

  • UltraVNC Logs 




  • Improved visibility to DRONE’s verdicts.

  • V4.7 provides valuable transparency by reducing noisy findings and improving visibility into DRONE’s detection logic, helping to streamline investigations and boost confidence in DRONE's methodology. (Credit: Garett C)

  • The example below shows how, in the details tab, DRONE will now highlight each finding with:

  1. Its description.

  2. A reference to learn more about the findings.

  3. The actual string that was detected.  

  • Investigation Hub - Consolidated View of Bookmarked Items. 

  • With this new feature, AIR users can easily access their bookmarked items, bypassing the need to navigate through multiple sections. This simplifies the workflow and saves time. (Credit: Grant O)

  • The ‘bookmarks-only’ view is accessed via the button in the Investigation Hub page header. Findings and evidence categories with bookmarks can be viewed via drop-down arrows. 

  • Additionally, the note-taking capability enables users to capture extra context and insights, contributing to a more comprehensive understanding of their bookmarked content. Notes can be added via the edit pencil in the Bookmark Notes column.


  • Windows direct collection

  • With the introduction of Windows support, which complements our existing macOS and Linux capabilities, it is now feasible to transmit evidential collections from all three operating systems directly to external evidence repositories, thereby efficiently minimizing the utilization of local disk space.

  • New API functionality

  • Acquisition profiles can be created directly with the API with ‘Get Acquisition Profiles’.

  • Asset Tags can be created or removed with the API (Credit: Blake B)

  • AIR API documentation is found at:


MITRE ATT&CK Analyzer changelog




  • Added detection for C# and dictionary-based webshells.

  • Enhanced detection of JSP webshells.

  • Enhanced detection of directory traversal and XSS injection indicators found in server logs.

  • Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.

  • Added detection of various Linux exploits.

  • An updated list of vulnerable and malicious drivers from the LOL Drivers project.

  • Added detection for binaries using potentially compromised AnyDesk certificate.

  • Other minor fixes.


  • Minor FP fixes.

(Full changelog is here: AIR MITRE ATT&CK Changelog)


  • We are pleased to announce a critical fix regarding some of the NTFS categories of evidence collections, which were causing collection tasks to sometimes become unresponsive. The root of the issue was traced back to our backend library, which encompasses a range of NTFS-related evidence types, including:

    • Page File

    • Hibernation File

    • Swap File

    • Hosts

    • Recent File Cache

We have taken steps to address and rectify this issue, and users should no longer experience any issues with these collections. (Credit: Guo Y)

  • Fix applied for an issue regarding the console backup process via the optimization of our backup compression logic. (Credit: Ben H) 



Version 4.5





  • Preview our new Customizable Reporting feature in the Investigation Hub. 

    • This initial version is just the beginning, with many more enhancements in functionality and capacity planned for future updates.

    • Users can, at speed, automatically generate an insightful and shareable comprehensive Compromise Assessment PDF report based on DRONE’s findings.

    • This report is fully customizable, enabling users to choose specific elements for inclusion in their bespoke reports:

      • The Verdicts or Scores as determined by DRONE

      • A Company logo

      • An Executive Summary

      • The Methodology Overview

      • The Data Source Statistics

      • An Asset Overview

    • Post-generation, the report remains editable via our built-in browser editor, allowing for the addition of analyst-led notes and supplemental details such as observations, recommendations, and conclusions.

  • New macOS Evidence Types:

    • FS Events - On macOS 10.17 and later, files with an extension '.fseventsd' (File System Events Daemon) are used to record many file system events, such as file creation, modification, and deletion. This log acts like a 'black box flight recorder' and can be extremely useful in reconstructing the timeline of activities on a Mac.

    • Browser Download data for:

      • Chrome

      • Edge 

      • Firefox 

      • Opera

      • Safari 

      • Vivaldi 

      • Waterfox 

      • Brave 

      • Arc

  • New Windows Evidence Types:

    • Browser Download data for:

      • Chrome

      • Edge 

      • Firefox 

      • Opera

      • Brave 

      • Vivaldi 

  • New Linux Evidence Types:

    • Browser Download data for:

      • Chrome

      • Chromium

      • Edge 

      • Firefox 

      • Opera

      • Brave 

      • Vivaldi 




  • AIR UI Improvements include:

    • Secondary menus now consistently display drop-down arrows or sub-menu indicators, providing a clear visual cue that additional options are available. 

    • Enhanced discoverability by setting menus to expand automatically by default.

    • We have enhanced the Quick Start menu by adding "New Case" and "New Asset" options for streamlined access to these features.

  • New Flags for interACT download commands:

    • With these new flags, users can speed up workflows by having the following extra functionality for files they want to download using the ‘get’ command in interACT. 

      • Compression: ‘-zip’

      • Password protection: ‘-zip-password’

      • File name change: ‘-name’


  • Investigation Hub Improvements:

  • The import status of task data into the Investigation hub is now displayed. There are four states: 

    • Pending task completion.

    • Importing to the case.

    • Import completed. 

    • Failed (a ‘Retry’ option is also presented to the user)

  • Auto refresh on-demand button (Credit: Ben H)

    • This update introduces an on-demand refresh button, notified via a banner message in the Investigation Hub, when new evidence is available for the current case. This reduces distractions from auto-updates, allowing analysts to refresh the page at their convenience and stay focused during investigations.

  • Audit logs for Evidence Imports into the Investigation Hub

    • These new logs detail who accessed the Investigation Hub import feature, when, and what actions they took, enhancing accountability by linking activities to specific users.


  • Asset names are now included for User Access Logs downloaded from Investigation Hub as CSVs (Credit: Ben H)

    • Asset names are now featured in User Access Logs (UALs) downloaded from the Investigation Hub as CSV files, providing analysts with clear visibility of the originating assets for these logs.



Version 4.3





  • Enhanced Data Integration into the Investigation Hub:

    • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.

    • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.

  • 2 New Windows Evidence Types:

    • Winrar History - This application history is valuable as it tracks file compression/extraction, revealing user actions, timelines, and data movement. (Credit: Ashok K)

    • Windows Error Reporting Files - WER files provide insights into system crashes and application failures, helping to identify potential security breaches or system vulnerabilities. Additionally, they are instrumental in malware detection and constructing accurate timelines for security incidents.

  • 7 New IBM AIX Evidence Types:

    • MySQL Logs - These logs are critical for tracing database transactions, analyzing user activities, establishing timelines, and detecting unusual or malicious query patterns. They provide key insights into data modifications and user behavior.

    • SSH Server Logs - These logs are invaluable for tracking authentication attempts, identifying user access patterns, and detecting potential unauthorized or malicious activities.

    • DHCP Server Logs - provide crucial information on network device connections, including IP address assignments, timestamps, and MAC addresses, aiding in tracking device movements and identifying unauthorized network access.

    • System Logs - Records system activities, user actions, and error messages.

    • Auth Logs - These track authentication activities, such as login attempts and user privileges, providing insights into potential unauthorized access, user behavior, and security policy violations.

    • Boot Logs - Used to analyze system startup sequences, identifying unauthorized changes or failures during boot processes.

    • Mail Logs - Tracks email transactions, identifying senders and recipients, analyzing timestamps, and detecting anomalies or potential security breaches.





  • Comparison report improvements 

    • The Progress window now displays the status of the comparison, including a count for Added, Changed, or Deleted items. When an evidence item is selected, it filters the main viewing window to show the detailed comparison results for that specific item exclusively. 

    • The comparison report now also makes it clear when no changes have been detected.

  • Exporting DRONE Findings

    • Users can export the DRONE findings table out of the Investigation Hub into a .csv file.

    • This will allow the use of DRONE findings in reports, SIEM, or other security tools where custom alerts can be developed based on the results of DRONE’s analysis.

  • AIR’s MITRE ATT&CK Analyzer version 3.1.0 includes the following:

✅ Every detection now links to a MITRE ATT&CK Technique instead of Tactic only.


✅ Added coverage for various malware families mentioned in our latest reports.

✅ Enhanced detection of anomalies for various techniques such as masquerading, defense evasion, credentials access, suspicious PowerShell scripts, and more.


✅ Enhanced detection of HTML Smuggling technique for more Chromium-based browsers.

✅ Enhanced detection of suspicious Firewall rules, Scheduled tasks, and Services.



  • Ability to adjust timezones in Investigation Hub

    • By default, the Investigation Hub will use UTC as the timezone to display all timestamps.

    • With this release, Investigation Hub users can adjust timezones, improving analysis accuracy in investigations involving diverse geographic and timestamp data.

  • New Asset window for UI

    • Individual assets will now have a dedicated larger window to display more information, appear less cramped, and prepare for future developments.

    • Each Asset page now includes a secondary menu featuring preset filters, providing users with a count and instant access to all past tasking assignments associated with that asset.

    • In this new window, users can view and access all of the cases in which the current asset appears.

    • Tasks can be created from the Asset Action button or by clicking on the ‘+’ revealed when hovering on any of the task names listed in the secondary menu.

  • Adjustable Secondary Menu

    • The user can now manually adjust the secondary menu width in AIR, allowing it to expand up to half of the display window's width through a simple drag action.

    • Double-clicking the secondary menu border will return it to its default size. 

  • New advanced filter to identify servers

    • Users can now filter assets based on whether or not they are servers. (Credit: Jon F)

  • Custom Message Banner available via API

    • Users can use all custom banner capabilities via API - the latest posted message, by UI or API, will prevail. 

  • Removal of a default value from the acquisition profile selection field 

    • When initiating a new Acquisition, the Acquisition Profile field will now be blank by default, requiring the user to actively choose a profile. The placeholder text in this field now reads, "Select/create an Acquisition Profile." (Credit: James S)



  • Data grid issue with Organization Updates

    • Data grids now refresh correctly when Organizations are updated. 




Version 4.1





  • 6 new macOS Evidence Types:

    • SSH Known Hosts - Collects SSH Known Hosts used to store the SSH server key fingerprints of the servers that you have connected to in the past.

    • SSH Authorized Keys - Collects SSH Authorized Keys which grant user account access and are crucial for SSH key-based access.

    • SSH Configurations - Collects SSH Configurations which record remote IP addresses, different usernames, non-standard ports, and various used command-line options.

    • SSHD Configurations - Collects SSHD Configurations which indicates the locations of host key files and users' authorized_keys files.

    • Brave History - Collects Brave browser history.

    • Vivaldi History - Collects Vivaldi browser history.

  • 3 new Windows OS Evidence Types:

    • Registry SAM Users - Collects Users and Groups from the SAM file. (Credit: Ashok K) 

    • Brave History - Collects Brave browser history.

    • Vivaldi History - Collects Vivaldi browser history.

  • Persistence - A new Windows Evidence category for AIR which groups the following evidence items often essential to Windows DFIR investigations:

    • Active Script Event Consumers - Dump WMI Active Script Event Consumers.

    • Command Line Event Consumers - Dump WMI Command Line Event Consumers.

    • Registry Items - Enumerate Registry Items.

    • Scheduled Tasks - Enumerate Scheduled Tasks.

    • Service List - Enumerate Service List.

    • Startup Items - Enumerate Startup Items.


  • New SSO integration capability via Okta (Credit: Brian W)

    • AIR now supports an integration with Okta allowing customers and partners to login securely with Single Sign-On for user authentication.




  • Filter DNS traffic on Linux Isolation

    • The Linux asset isolation feature in AIR now offers more secure protection from any communication other than that coming from the AIR console. This mechanism mitigates the following possible attack techniques:

      • DNS Tunneling

      • DNS Data Exfiltration


  • Editable address for Relay Server

    • Users can now set any IP address or FQDN for a registered relay server, which provides flexibility and easier management on the network.

  • Investigation Hub hash to VirusTotal links 

    • In the individual asset or case level Investigation Hub reports, every piece of evidence with a hash is now accompanied by an eye icon. Clicking this icon will direct you to the VirusTotal website for a detailed analysis of the hashes.

  • Off-Network Password File availability improvements

    • The BiUnzip tool now offers enhanced access to the passwords file, streamlining the decryption of multiple Off-Network zip files. 

    • The Off-Network Asset passwords file will now always be available at: Asset (name) > Tasks > Details > Information Tab.

    • This update facilitates more efficient data extraction for our users. For detailed guidance on using the BiUnzip tool, please consult our Knowledge Base:

  • AIR agent disk space optimization during acquisition-compression

    • The AIR agent's disk space usage during the acquisition's compression phase has been optimized. This, combined with specific conditions, ensures a more efficient process to help the success rate of acquisition tasks.

  • Column Search in the Investigation Hub now working correctly

    • After conducting a global search in the Investigation Hub, any ‘column search’ failed to return results. This is now fixed.


Version 4.0




Streamlining Workflows - Introducing the all new UI/UX for AIR

  • New floating header at the top of every page to allow immediate access to:

    • Searching across AIR.

    • Recent Cases, Assets, Tasks and Reports.

    • The Quick Start button to launch AIR Tasks. 

    • Notifications

    • Current Organization name display, with a dropdown to switch between Organizations.

  • Organization selection improvements

    • To eliminate any potential confusion regarding the organization's assets you are currently viewing, the system now displays only one organization at a time.

    • Switching between Organizations has been made simpler via the Organization dropdown menu which provides access to:

      • Organization Settings.

      • Change Organization.

      • Add New Organization. 

  • Main menu bar is now split into two sections:

    • The top section is now home to the core areas for AIR;

      • Home: Full overview of your AIR deployment.

      • Assets: Listing of current Assets.

      • Cases: Listings for open, closed and archived Cases.

      • Libraries: for Acquisition profiles, Triage Rules, interACT Files and Auto Asset Tagging rules.

  • The bottom section is home to AIR’s supporting functionality;

    • Integrations: API Tokens, Webhooks and Cloud Platforms.

    • Activity: With Insights, Recents, Notifications and Audit Logs all clearly displayed for analysts.

    • Tasks: All of your Console Tasks displayed in one window for searching and filtering.

    • Timelines: To review existing or create new Timelines.

    • Settings: The bottom of the Main Menu is the new home for all of your Settings; Assets, Security, Features, Users/Roles, Evidence Repositories, Policies and Backup.

  • New Secondary Menu Bar 

    • This new menu appears when a Main Menu item is selected.

    • This is collapsible to maximize your screen’s working space but at the same time, allows users to drill down in AIR functionality at speed.

  • New Navigation Bar

    • This allows the user to see exactly where they are in every screen of the AIR platform by showing the ‘path’ to the current view.

  • Access to Recents via the Homepage

    • Direct access to Recent Cases, Recent Assets, Tasks and Reports - making it easier to pick up where you left off.

  • New Bulk Actions Bar 

    • Found at the bottom of the Asset page to count the number of assets selected and provide easy access to the Taskings that can be applied to those assets.

  • Settings changes

    • The “Enable Policies” toggle has moved from the Policies page to Settings > Features.

New Operating System support - IBM AIX

  • IBM AIX Off-Network Agent 

    • AIX is a series of widely used Unix operating systems for business-critical applications developed by IBM.

    • These systems have proved tricky to investigate and are not covered well by existing security products, but now AIR provides the necessary support to do so.


  • Introducing the AIR Investigation Hub, formerly known as Consolidated Reports

    • For ease of access and to create a collaborative investigative space, the new Investigation Hub is now available from the secondary menu bar within each individual Case.

New Forensic Evidence Collections

  • 15 new macOS Evidence Types and a new Evidence Category:

    • Downloads - presents information about downloaded files.

    • IP Route - presents IP route information.

    • Logged Users - shows currently logged in users.

    • Network Interfaces - presents NIC information.

    • Event Taps - reveals items that have a tap into the system.

    • DNS Resolvers - presents DNS resolution information.

    • Quicklook Cache - reveals items previewed with Quicklook.

    • Cron Jobs - presents scheduled/cron jobs.

    • Arc History - collects Arc browser history.

    • Reopened Apps - shows apps not installed but in re-opened plist.

  • Persistence - New category which groups the following evidence items often essential to macOS DFIR investigations:

    • Mail Rules - collects mail rules that contain AppleScripts.

    • Login Hooks - these hooks can be used to achieve persistence.

    • Logout Hooks - as above.

    • Emond Clients - Emond accepts events from services.

    • Most Recently Run - The MRU lists the most recent files a user accessed.

  • Forensic image files in a single Zip file. 

    • This release introduces a new toggle switch, giving users the option to enable or disable the consolidation of physical disk or volume image files into a single zip file, eliminating the need to split them into chunks.



Yet more Webhooks for AIR to supercharge your SOC's automated data collection and analysis capabilities:

  • Webhook parser for SentinelOne. (Credit: Dane Z)

  • Webhook for Microsoft 365 Defender.

  • Cisco AMP/XDR.





  • Password Protection for AIR Agent Uninstallation  

    • We already provide Tamper Detection for the AIR Agent - now users can only uninstall the AIR Agent if they have access to the password to do so.

    • Agent uninstallation through the OS UI is disabled. The agent can only be uninstalled using shell commands with the protection password as an argument, locally or remotely (e.g., SCCM). 

    • Uninstallation via the AIR UI or API remains possible without requiring a password.


  • Detailed Browser History and Download History

    • In this release, we've refined the representation of Chrome browser forensic data, particularly within the browser and download history evidence segments, including:

      • Referrer details

      • Signature

      • Hash values

      • Timestamps

      • Visit duration insights, and others.

    • These enhancements enable analysts to conduct a more in-depth browser forensic examination.

  • Timeline Enhancements

    • Horizontal scrolling functionality has been added, making it simpler to navigate and concentrate on specific dates and times within your timelines.

  • Prefetch Parsed Referenced Files

    • Users can now more easily analyze prefetch records as AIR now displays 5 categories of information in a single view.

  • Character limitation for single triage rule

    • To prevent the browser from becoming unresponsive, we have limited a single Triage Rule to a maximum of 350K characters.



  • Password Recovery - Email Fix 

    • If SMTP is not configured, AIR cannot send emails. Previously, users attempting a password reset were told to check their email, leading to confusion when no email arrived. We've updated this to now prompt users to contact the administrator instead.

  • Timezone inconsistencies in Investigation Hub

    • Timezone data will now be displayed in the user's local browser time and timezone information will be displayed to the user at the top of the Investigation Hub page.

    • This timezone setting cannot be changed by the user.

  • YARA rule failed to validate

    • Validation of some correct YARA rules was failing; this has been modified and now works correctly. (Credit: Nick H)

  • Improvements to Offline Installer Scripts (Credit: Blake B)




Version 3.12.4


Hot Fix

  • We have made the Consolidated Report button enabled for Cases that were created before version 3.12.3 was released. Users can now use Consolidated Reports as expected without any problem.

  • To learn more about the Consolidated Report, read this article.

  • When a Task failed, the Console did not immediately report the correct status, even though an error message reflecting the issue was shown as an “Unexpected Failure” message within the Tasks Details page (by hovering over the “eye” icon in the Status tab). We have fixed this issue and the correct status is now reported.

  • When a user chose a 'Custom Option' to collect evidence and the "Direct Collection" toggle (on Linux or macOS) was changed while a Task was still running, the agent could crash. We have fixed this issue to avoid the possibility that the agent will crash.



Version 3.12




Streamline your investigation

  • DRONE analysis for macOS

    • MITRE ATT&CK Analyzer

      • As of v3.12 DRONE now has MITRE ATT&CK rules for macOS.

    • Dynamo Analyzer (Credit: Dilek G)

      • Dynamo will parse the AIR report generated as the result of a task assignment and highlight suspicious entries.

    • Browser History Analyzer

      • Chrome, Edge, IE (7-11), Firefox, Opera, Safari, Vivaldi, Waterfox and Brave are now all supported for macOS.

    • Audit Event Analyzer

      • Brings advanced capability to AIR by scanning event records for keywords, hacker tools, and commands, setting verdicts based on criteria, guidelines, or Sigma rules.

  • Tooltips added to DRONE findings within the Consolidated Report

    • When a user hovers over a Verdict or Score finding listed in the Table view, they will be presented with a tooltip that explains how the result is derived.

  • Isolation of macOS endpoints

    • Isolation capability now extends to the last of the major operating systems, macOS. (Isolation fully supports Windows, Linux & macOS devices.)

    • Regardless of the isolation state, the endpoint maintains communication with the AIR console so that analysts can continue their investigation by generating Tasks as usual.

  • Addition of a "Retry Upload" action for failed Task Assignments (Credit: Daniel M) 

    • Should a failure occur during the evidence upload phase of a task, a "Retry Upload" feature is now available to resolve issues more efficiently. Key benefits include:

      • Elimination of the need for evidence re-acquisition, preserving the original data.

      • No additional disk space consumption.

      • The "Retry Upload" option repurposes the existing task assignment for the re-upload, preventing task duplication.

  • Simpler access to Off-Network Agent logs & Drone log files

    • Off-Network Agent logs and Drone log files are now saved in the same folder. This makes it easier to find any log files and share them with Binalyze Technical Support, or to use them for your own troubleshooting.

    • File name format is: Troubleshoot-[TIMESTAMP].zip.

Enriching evidence and artifacts

  • New Artifact types collected for macOS:

    • Discord Desktop Cache

      • Discord is an instant messaging and VoIP social platform with voice calls, video calls, text messaging, media and files in private chats or as part of communities called "servers".

    • Parallels Logs

      • Parallels is a software company best-known for Parallels Desktop for Mac that allows users to run Microsoft Windows systems on macOS computers. 

    • Homebrew Logs

      • Homebrew is a free and open-source software package management system that simplifies the installation of software on macOS, as well as Linux.

    • Sophos Events Database

      • Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. 

    • Sophos Antivirus Logs 

      • The AIR agent will now collect Sophos Antivirus logs.

  • New Evidence types for macOS:

    • Shared File List

      • The SharedFileList (SFL) in macOS is a system feature that manages "recent items" lists for applications and the system itself. These lists could include recently used applications, documents, servers, or even volumes. The files with the extensions .sfl and .sfl2 are plist (property list) files in binary format.

    • Shell/Bash History

      • The .bash_history file holds significant value for various reasons including command tracking which may reveal the activity of an attacker. However, note that the .bash_history file can be manipulated, cleared, or even disabled by knowledgeable users.

Synchronization and collaboration between teams

  • Customizable Banner Message  (Credit: Helen T)

Users can now display important announcements via a banner on the console GUI for events like maintenance, upgrades, or config changes. The banner interface allows:

  • Scheduling via Start/End dates

  • Message editing - up to 512 characters

  • Color customization

  • URL linking

  • Banner dismissal to maximize screen space

This feature provides direct communication with AIR users and offers permission controls for message settings.




AIR Core Functions Enhancements

    • Timeline 

      Swipe through a Timeline Bar to view events, dates, or time periods that are outside the current visible area.

        • Click-and-drag: The user clicks on the timeline bar and drags it left or right to scroll through the timeline. 

        • Swipe wheel: If the device supports a scroll wheel or touchpad gestures, the user can use it to scroll left or right on the timeline bar.

    • Triage

      Many more new triage rule templates are available to assist when constructing triage task assignments including:

        • YARA - Find by size range

        • YARA - Find Portable Execution files only

        • YARA - Find PKZIP files only

        • YARA - Find by hash value after filtering by file size

        • Sigma - User account hidden by registry

        • osquery - Unusual Cron entries

        • osquery - Processes running with no binary on disk

Consolidated Reports Enhancements

  • Consolidated Report Module refactoring to provide Generic Report Module

    • This new module generates individual task assignment reports that maintain the same view and structure as the existing Consolidated Reports.

  • Triage results from osquery are now available in Consolidated Reports

    • osquery results are now also searchable from the Global Search.

Security Enhancements

  • Automatically renew default AIR SSL certificate (Credit: Ramesh P)

    • The Binalyze-generated self-signed certificate will now auto-renew when it's within 10 days of expiration.


  • Issues connected with CPU limitations have been resolved (Credit: Helen T)

  • Expired Task Assignments will no longer delay subsequent Task Assignments (Credit: Christian K)




Version 3.11.1

3.11.1 is all about Timeline enhancements and bug fixes. The Binalyze team would like to thank the customers who shared their feedback and input to help us improve the quality and usability of the Timeline Bar, Flags and Filters.



  • Several Timeline improvements, including:

    • Enhanced Date and Time Selection: Users can now specify both start and end dates, with precision down to individual hours, facilitating more granular timeline investigations.

    • User-Defined Navigation: The introduction of arrow-based navigation allows users to move backward and forward through user-specified periods, as determined in the date/time selector.

    • Refined Zoom Capability: The Timeline histogram now supports zoom functionality down to a singular hour for precise analysis.

    • Dedicated Tab for Flagged Items: We have reintroduced a specialized tab within the Timeline view to prominently display flagged items, ensuring streamlined navigation for significant events.


  • Event ID not displayed in Timeline UI

    • The Event ID artifact now populates its details in the Title column of the AIR Timeline UI. (Credit: Grant O)

  • Timeline flagging fixes

    • We've implemented multiple fixes to the flagging feature in the Timeline, resulting in overall usability enhancements.


Version 3.11.0

Important Security Update (Credit - Caleb T and Tyler B)

We have added ACL settings to a driver object to prevent unauthorized access and potential privilege escalation.
Users should urgently deploy the updated agents to address this high-severity vulnerability.



Version 3.10

NB: MongoDB depends on the CPU architecture of the machine that runs your AIR server. For this update, AIR v3.10, the CPU has to be newer than 2011 for both Intel and AMD processors. If your processor architecture is older than this, it is not advised to update MongoDB.



  • Disk Space limit configuration for Acquire Evidence Tasks

    • When evidence collections are stored on the local machine, this new feature, for macOS and Linux, will allow AIR users to determine the amount of free disk space to always be left available to the local user.

    • If a collection is not complete when the allocated disk space limit is reached, the data collected up to that point and the .ppc will be available to the analyst in the normal way.

    • The Task Status will be marked ‘Partially Completed’.

    • Task Logs will now be available in the Case Report, under Case Info, and in Consolidated Reports in the Case Summary. These logs will list any uncollected evidence items.

  • Bandwidth limit configuration for Acquire & Image Evidence Tasks

    • AIR users now have the ability to determine the amount of network bandwidth they wish to allocate to their AIR collections.

  • Ability to purge locally saved acquisition task data 

    • This new action, ‘Purge Local Data’, will create a ‘Purge’ Task to remove all data generated for a task assignment on an endpoint.

    • Purge Local Data can also be run from the Case’s page to purge all data generated for a task assignment on an endpoint.

    • Purging local data will not affect the installed AIR agent, so it remains ready for new task assignments.

    • To use Purge Local Data, the privilege “Delete task assignment” is required. 

Binalyze AIR now supports the collection of over 350 evidence items.


New evidence types collected for Windows:

  • LNK Files

    • AIR will analyze and parse LNK files which are often abused by hackers, who can leverage them to use legitimate applications (such as PowerShell) to download malware or other malicious files. 

  • Users

    • User accounts are created and stored as objects in Active Directory Domain Services. These accounts can be compromised by bad actors and programs such as system services used to log on to a computer. A successful login generates an access token which includes the security identity and group memberships of the user account associated with the process or thread. Every process executed on behalf of this user has a copy of this access token.

  • Timeline

    • The Windows 10 Timeline feature enables users to (i) view their currently running apps and look back at their previous activities, such as opened documents, programs, images, videos or visited websites, and (ii) synchronize activities across devices. (iii) It also provides information about applications that were executed within the last 30 days, such as application name, time when it was launched and its duration. This information can be of forensic value, helping to reconstruct events, even if the files, documents or applications have been deleted.

  • UAL Logs

    • User Access Logs (UAL) store a lot of information and often present IT admins with privacy concerns. One such feature helps correlate an account and the source IP address with actions performed remotely on systems, so it is potentially valuable to attackers. (Credit: Daniel M)

New Evidence Types For macOS:

  • Apple Audit Logs

    • macOS writes important operational and security information to its audit logs, which an attacker may target as a place to obfuscate changes that were recorded. As part of defense-in-depth, the files in /var/audit should be owned only by root with group wheel with read-only rights and no other access allowed. macOS ACLs should not be used for these files.

  • AnyDesk Logs

    • AnyDesk is a remote desktop application that provides platform-independent remote access to personal computers and other devices running the host application.

  • TeamViewer Logs

    • TeamViewer is a German remote access and remote control software application often used for the maintenance of computers and other devices.

New Evidence Type For Linux:

  • AnyDesk Logs

    • (See above)

  • Filtering of Tasks to determine the presence of DRONE data

    • AIR now creates a metadata flag, ‘hasDroneData’, which indicates that DRONE data exists for a particular Task. Reports with DRONE data can be filtered for in the endpoint’s Task listings.

  • ‘biunzip’ is a new command-line tool from Binalyze specifically designed to extract zip files generated by the AIR Off-Network Agent.

    • You can download the latest release of biunzip from the releases section on

    • Biunzip will either unzip a single zip file or unzip zip files in a directory using a CSV file.

    • This capability will allow running off-network investigations at scale and at speed, with minimum effort.


  • Huge Timeline improvements

    • The timeline events bar is now displayed in histogram format, making it clear when activity has taken place.

    • The timeline bar now has zoom-in and zoom-out capabilities allowing users to drill down from decades to individual hours.

    • Findings flags will be shown in the timeline bar.

    • Filtering down via start and end dates is now possible, as is filtering by decades, years, months and days.

  • Hash Values for all Event and Registry Files are now shown in all Case and Consolidated Reports.

    • These hash values are searchable via Global Searching.

  • Last Used fields added

    • To help better understand analysts’ activity within AIR, a ‘Last Used’ field has been added to the following pages:

      • interACT Library

      • Evidence Repositories

      • API tokens

      • Webhooks

      • Acquisition (profiles)

      • Triage (profiles)

  • Backup AIR every 4 hours 

    • It is now possible to automate your AIR backups to take place every 4 hours or, as was available in previous versions, daily, weekly and monthly. (Credit: Daniel M)

  • Loading Bar added for Async Commands

    • A loading bar for ongoing asynchronous commands is now displayed in all interACT shell sessions.


  • No significant fixes needed this month 


Version 3.9.2



  • Acquisition Profiles now display average time taken to complete

    • This great new feature displays to the user the average time it takes to run a particular acquisition profile in their own AIR environment. This will help analysts make decisions as to which Profile is best suited to a particular circumstance. (Credit: Daniel M)

    • This feature is unique to the user's own environment, so the collection of metrics will start afresh with each new AIR console install.

  • New wizard to add endpoints to a Timeline

    • This dedicated Timeline wizard will speed up and simplify the addition of endpoints to your Timelines. The new flow allows you to select endpoints, define the Task and then choose the post-acquisition analyzers such as DRONE or any of the other AIR analyzers needed for your specific investigations.

    • This feature is aligned with the new Quick Start feature introduced in v3.8; both are designed to simplify and speed up your investigations.

  • Five new Webhooks available in AIR:

    • Stellar EDR

    • LogicHub SOAR (DEVO)

    • Rapid7 InsightIDR

    • Fortigate SIEM

    • Dynatrace

Take advantage of AIR’s Webhooks to increase your SOC’s automated collections and analysis of data from endpoints and dramatically speed up all of your investigations.

  • New macOS evidence support - Apple System Logs

    • Apple System Log Files (.asl files) contain detailed records of various system events, processes, errors, warnings, and activities that occur on a macOS device.

  • New macOS evidence support - Apple Unified Logs

    • The Apple Unified Logs (AUL) system was introduced with macOS 10.12. It creates a standard log format used in all Apple operating systems, including macOS, iOS, watchOS, and tvOS. One of the most powerful filtering capabilities of AUL is its predicates.

    • AIR will present unified logs using the comprehensive set of predicates shown below:

      • User login events

      • Tccd events

      • SSH activity events

      • Command line activity run with elevated privileges

      • Kernel extension events

      • Screen sharing events

      • Keychain unlock events

      • Session creation and destruction events

      • Detecting and blocking malicious software events

      • Failed sudo events

      • MDM Clients Events


  • Consolidated Report improvements

    • To support collaboration between analysts by highlighting important evidence and findings, we have added the option to bookmark items within Consolidated reports.

    • Users can also see who bookmarked an item and when they did so. They can also apply filters to show ‘Bookmarks’ or ‘Bookmarked by’.

    • A new ‘event viewing’ window will display expanded details for any item selected in the main viewing area.

    • Global Search has been enhanced for faster search returns.

  • YARA rule scans can be run via interACT

    • It is now possible to run YARA scans inside the AIR cross-platform remote shell, interACT.   (Credit: Ramesh P) 

  • YARA and Sigma rules use the same verification method 

    • Binalyze AIR will now use matching validation methodologies for these two different rule types, so YARA and Sigma scanning can no longer be tasked to run any incompatible rules. (Credit: Antonio L)



  • AWS S3 upload failures

    • Simultaneous upload issues to AWS S3 bucket and all other repositories have been fixed by enforcing sequential uploads only. (Credit: Simon L)

  • Reporting a Failed Status

    • When a Task is running, and something causes the agent to restart, a ‘failed’ status will be shown when the agent starts again if any of the tasks fail to complete.

  • Timeline imports to Chrome

    • An issue preventing Chrome uploads to the AIR Timeline has been resolved.

  • Authentication Errors for Public APIs are fixed



Version 3.8



  • New Quick Start wizard for launching AIR tasks.

    • This new feature is available from all AIR Console views. It speeds up and simplifies the launching of AIR tasks: Acquire Evidence, Acquire Image, Triage, interACT, Timeline, Compare and Schedule Acquisition.

  • Disk Images

    • AWS S3 and Azure evidence repositories now provide support for forensic disk image acquisitions. (Credit: Daniel M)

  • Downloading from Evidence Repositories - For individual endpoint Case Reports, it is now possible to directly download the file associated with that report:

    • A download button will be shown for the following sources:

        • AWS

        • Azure

    • A URL with a copy button will be shown for the following sources:

        • Local

        • SFTP

        • FTPS

        • SMB

  • AIR Backup - AWS S3 is now a supported repository for AIR backups (Credit: Daniel M)

  • Relay Server - Not everyone can have direct access from all of their endpoints to the AIR console. This new AIR Relay Server/traffic router capability will allow network segments which need to remain air-gapped to communicate with the AIR console.


    *This feature will be enabled on demand. If you're interested, contact your customer success team.



  • Task Naming - Users can customize the name of an individual Task. Doing so will override the default auto-task naming function. If the user decides not to give the task a customized name, AIR will revert to its auto-task naming convention.

  • Settings Menu - Streamlining the main settings menu by relocating the following to the sub-settings tab: Users/Roles, Evidence Repositories and Licence options.

    • The new settings menu is grouped as follows: 

      • General - Version, Logging, License, Connection, Console Proxy. 

      • Endpoints - Agent updates, Tamper detection, Active directory.

      • Security - SSL certificate, SSL root CA, Console port, IP restriction, Authentication, SSO.

      • Features - Enable interACT, Resolve Agent Public IP, Case selection, RFC3161 Time-stamping, SMTP, Syslog / SIEM.

      • Users/Roles

      • Evidence Repositories

      • Backup

  • New artifacts for collection - For macOS, in both ‘Full’ and ‘Quick’ acquisition profiles we have added: Quarantine Events, Sudo Last Run, iMessages, Dock Items (dock.plist) and Document Revisions.

  • UX improvement - In the Timeline view it is now possible to select or deselect all evidence categories with a checkbox found at the top of the evidence category listings.

  • UI improvements - To improve workflow:

    • When creating a New Case in AIR, the Organization field will not be automatically populated anymore; it will remain blank so that the user is ‘forced’ to think about which Organization the New Case should be attributed to.

    • The auto expansion animation has been removed from the left side navigation menu of the UI.

  • Evidence Repository - It is now possible to define a Domain Name for any new SMB Evidence Repositories.

  • Triage Rules - There is now no limit to the number of triage rules available to investigators. (Credit: Antonio L)

  • YARA - AIR’s version of YARA has been updated to YARA v4.3.1.

  • interACT opens in a new window - allowing users to continue to use the Console UI and have several interACT sessions active simultaneously.

  • interACT auto-complete - Navigation between the auto-complete options is now possible with the Tab key. (Credit: Christian K)

  • $mft as a .csv improvement - The full file path for each $mft record entry will now be included in the .csv generated by an AIR ‘$mft as csv’ collection.

  • CPU limit for macOS - Users can now limit the amount of CPU usage available to the AIR agent on the endpoint when assigning a task.


  • OSquery on Triage bug fixes. (Credit: Christian K)

  • Timeline bug fixes. (Credit: Ramesh P)


Version 3.7



  • Triage Match Count Column

    • In the Task window it is now possible to select, from a column selector, to display a column for Match Counts, and if the user filters by Triage the Match Count column will be added automatically to the filtered results.

  • New Webhook - Microsoft Sentinel

    • AIR now has built-in support for a Microsoft Sentinel Webhook (Credit to - Finland).

  • Mandatory Case Selection Option

    • This new feature allows Enterprise and MSOC customers to enforce the selection of a case for all Acquisition and Triage tasks ensuring that all collections and tasking results are attributed to a case.  For FIS customers this feature will always be active by default.

  • New Chrome artifacts for Mac, Linux and Windows

    • For Mac, Linux and Windows, support has been added for parsed evidence from Chrome: Bookmarks, Cookies, Downloads, User Profiles, Extensions and Browsing History.

  • Isolation Support for Linux

    • Linux endpoints can now be 'Isolated' from within the Endpoints Details UI window.

  • New 'Last Seen' Endpoint Filter

    • AIR now allows for the date and time filtering of endpoints by 'Last Seen After', 'Last Seen Before' and 'Last Seen Between'.

  • Apple macOS TCC collection

    • AIR now supports the collection of Mac TCC (Transparency, Consent and Control) data.

IMPORTANT: In order to benefit from these new features, you should install our new database. Click here to learn more.




MITRE ATT&CK enhancements

  • MITRE ATT&CK Rules with Drone for Acquisition and Triage Tasks

    • Users can now see and select the MITRE ATT&CK analyzer in both the Acquire Evidence and Triage Tasking windows. In these views it is now also possible to see when AIR last checked our MITRE ATT&CK database to ensure that the user has access to the latest MITRE ATT&CK definitions for AIR.

  • MITRE ATT&CK Rules support for off-network tasks

    • The same level of support mentioned above for MITRE ATT&CK is now also available for off-network Evidence Acquisitions and Triaging.

  • MITRE ATT&CK Tactics Widget View within Consolidated Report

    • The Consolidated Report now aligns and displays artifacts by the number of times a particular MITRE ATT&CK Tactic, Technique or Finding has been identified. The Technique and Sub-Technique identified will also be displayed along with a direct link to the relevant MITRE ATT&CK webpage.

  • MITRE ATT&CK Auto update

    • Binalyze AIR will now automatically check for any new MITRE ATT&CK updates as soon as a user opens the Acquire Evidence or Triage Tasking windows. An internet-connected AIR installation is required, ensuring customers always have access to the latest AIR MITRE ATT&CK definitions. (Offline support will be coming in future versions.)


Consolidated Report enhancements

  • Consolidated Report: MITRE ATT&CK Report View

    • The Consolidated Report front page now displays a MITRE ATT&CK overview report.

  • Consolidated Report: Event Records Consolidation

    • Event Records are now consolidated in human readable format for investigators.

  • Consolidated Report: Global Search

    • Global Searching is now possible across Consolidated Reports.  This feature addition is super powerful, and allows users to search across all of the acquisition and triage data that constructs a Consolidated Report from multiple endpoints in any particular case.

  • Consolidated Report: Process Details View

    • An event details module has been added at the bottom of the evidence item page, so when an item is selected in the upper window, if there is additional information available it will be displayed in the lower details window.

  • Consolidated Report: Process Tree View

    • A Tree view is now available for processes within Consolidated Reports.

  • Consolidated Report: CSV export

    • It is now possible to export Evidence Items from within the Consolidated Report to CSV.



  • Security fix related to endpoint isolation

  • Security fix related to the installation process

  • Security fix related to the password reset process

  • Security fix related to access to server files



Version 3.6



  • Public key authentication support was added to SFTP evidence repositories

    • Users can use public key authentication on SFTP servers or services such as Amazon Transfer Family to store the evidence and artifacts.

    • Users can use either username and password authentication or public key authentication for SFTP Evidence Repositories.


  •  N/A


  • Minor bug fixes



Version 3.5.1



  • Consolidated Report.

    • The Consolidated report is a single, easy-to-read DFIR intelligence report, that displays Acquisition and Triage acquired data from multiple endpoints in one report.

  • Triage with OSQuery.

    • Analysts can now create, modify and run OSQuery queries across multiple assets in the AIR Triage GUI, along with our pre-existing YARA and Sigma capabilities.

  • Timeline support was added for Linux and macOS.

    • Investigators and analysts can add Linux and macOS artifacts to AIR Timelines.  Leverage this addition to have just one Timeline with multiple endpoints from all 3 operating systems; Windows, Mac and Linux. This is potentially another massive boost to speeding up investigation times.

  • Importing Chrome/Chromebook collections to Binalyze AIR Console

    • Investigators and analysts can now add standalone Chrome evidence acquisition results (PPC file) to Binalyze AIR.

  • New Artifacts and Evidence for macOS and Linux.

    • More than 35 new artifacts and evidence types, such as Apache, Nginx, MySQL, PostgreSQL, MongoDB, Docker, KnowledgeC, and more system-related logs were added to Binalyze AIR.

  • Organization Tags

    • Managed SOC partners (MSSPs) can add, remove, list and group their Organizations by Tags. This simplifies day-to-day operational needs, since it is much simpler to define and classify each Organization by one or multiple Tags. The new capability is also available via the API.


  •  N/A


  • interACT ‘get’ command unresponsiveness bug fixed

  • interACT session termination bug fixed




Version 3.4.3


  • Network Capture for Linux and macOS

    • Beginning in version 3.4, the network capture feature is available on Linux and macOS operating systems.

  • Display Real IP Addresses of Endpoints by using XFF (Credits: Aaron V.)

    • AIR Console can read and parse the HTTP requests and X-Forwarded-For (XFF) headers from the Forward Proxy and associate them with the assets to determine the assets' real IP.

  • x64 support for Off-Network Microsoft Windows

    • Beginning in version 3.4, Microsoft Windows 64-bit Off-Network binary package is available and can be run on supported 64-bit architectures.

  • Disk Imaging

    • Binalyze AIR provides disk imaging which we call “Acquire Image”, for Microsoft Windows, Linux, and macOS operating systems.

  • The Last Seen Endpoints filter parameter was added to the API (Credits to Garmin)

    • The “Get Endpoint” API request now has the Last Seen Endpoints filter parameter, so assets can be listed by their last seen date.

  • AIR for Chrome

    • AIR For Chrome is the evidence collector extension for Chrome and ChromeOS. AIR For Chrome extension allows investigators and analysts to capture forensically sound data with a single click at machine speed.


  • The character limitation on the hostname field of the Endpoints is removed.

    • Beginning in version 3.4, there will be no character limitation for assets' hostnames. Hostnames longer than 15 characters won't be trimmed and will be shown as they are.

  • The Endpoint Details page has been improved

    • The new endpoint details page is more organized and practical and provides more information about the asset.

    • The name of the System Resources tab has been changed to Hardware, and Volume and disk information will be shown here.

    • The Acquire button's function has been expanded. When it is clicked, the Acquire Evidence and Acquire Image options appear, and users can select either of them to start a data acquisition or disk/volume imaging task.

    • Disk and volume imaging, what we call Acquire Image tasks, can be performed in Volume or Disk tabs under the Hardware section of the Endpoint Details page.


Version 3.3.1



  • Multiple Sigma Rule Upload

    • Investigators and Analysts can upload multiple Sigma rules to AIR Console at once

  • Taking Full Logical Volume Images by using the user interface

    • Investigators and Analysts can create full logical volume images using either the user interface or the secure remote shell, interACT.

    • Microsoft Windows, Linux, and Apple macOS operating systems are supported

  • x64 support for Windows Agent

    • Beginning in version 3.3, a 64-bit version of the Microsoft Windows AIR Agent is available.

  • Case ID Prefix

    • Customers using more than one Binalyze AIR Console instance can now add a prefix to their Case IDs, which avoids confusion about Case IDs across instances.

  • Progress monitoring added to Get & Put commands on the interACT

    • Investigators and Analysts can see the progress of a file download from an endpoint (get command) and of a file upload to the endpoint from the library (put command) in the command output while using the secure remote shell, interACT.

  • MITRE ATT&CK Scanner was added to Binalyze AIR Automated Threat Analyzer, DRONE

    • When Investigators and Analysts scan their systems with DRONE, they can see the MITRE ATT&CK mapped results in the report. DRONE rules are continuously developed and mapped to the MITRE ATT&CK framework.


  • Some security improvements on AIR Console

  • Some performance improvements on AIR Console


  • Minor bug fixes



Version 3.2.4


Security Hot fix

  • Binalyze AIR uses the JWT library that was compromised. Immediate actions have been taken to remediate, and AIR v3.2.4, containing the hot-fixes for the related vulnerabilities, has been released as of today. This includes fixes for the indirect vulnerabilities due to second-level dependencies.

    Therefore, it is strongly recommended to update your existing AIR deployments to this latest version AIR v3.2.4 at your earliest convenience. 


Version 3.2.3


Hot Fix

  • Hot fix that includes typo fixes, timeline date filtering, and a browser back button navigation issue regarding the dashboard



Version 3.2.2



  • Activity Overview Dashboard added

    • Activity Overview Dashboard is a dynamic dashboard that provides tabular and graphical information about the usage, benefits, and return on investment of Binalyze AIR in the enterprise.

  • Progress Monitoring was added to InterACT secure remote shell

    • Investigators can track the progress of the command and estimate how much time is left on the interACT shell

  • AIR Agent Proxy Support

    • AIR agent automatically identifies the proxy configuration on the endpoint and configures itself to access the required services over the proxy service.


  • Miscellaneous package and dependency updates


  • Several bugs fixed


Version 3.1



  • Golden image option was added to AIR Agent installation

    • AIR agent is now compatible with installation via a golden image for new device deployment. With this feature enabled, an administrator can prevent potential connection and availability problems that may have previously occurred on the AIR console for machines installed from a golden image.

  • New File System Enumeration evidence for Linux and macOS

    • Investigators can list the creation, modification, and access dates and times of the files and folders on the Linux and macOS filesystem as CSV files.



  • Baseline Comparison Reporting

  • Collapse/Expand All items under the Acquisition Profile section.

  • Acquisition Profile information was added to the Tasks list under the Endpoint details page.

  • YARA 4.2 update

  • FTPS support for full disk image

  • SSL/TLS proxy server support was enhanced



Version 3.0.5



  • RFC-3161 compatible evidence signing for the chain of custody


  • New Asset status, "Off-Network," added

  • AIR Console domain address updates are enhanced

  • New evidence types added

    • Docker Artifacts for Linux OS

    • Browser History Artifacts for Linux OS

    • Browser History Artifacts for macOS

    • RAM image collection for Linux

  • Agent uninstallation and purge operations are enhanced

  • Multi-file upload for Off-Network devices

  • Path of the evidence files added

  • Local IP addresses added to the endpoint details page

  • The full disk image for macOS


  • Case activity reporting to Binalyze cloud services [credit: Nixu]

  • DNS and ICMP protocols are filtered during Endpoint Isolation


Version 2.10.2



  • AWS EC2 one-click agent deployment

  • Cloud forensics - Azure VM support

  • Azure VM one-click agent deployment

  • Auto Asset Tagging based on hostname, IP address, and subnet

  • Auto Asset Tagging based on custom rules with osquery builder

  • Linux full disk image via interACT


  • 7x speed improvement for most evidence acquisitions on macOS and Linux

  • You can now upload multiple YARA rules at once

  • Improved troubleshooting logs

  • Token support for MFA


  • Fixed an issue where sometimes recycle bin collection would fail

  • Fixed an issue that prevented baseline comparison on unreachable endpoints

  • Other minor bug fixes



Version 2.9.3



  • Fixed an agent uninstallation issue on Linux and macOS

  • Fixed an issue where in some cases, disk imaging would hang


Version 2.9.1



  • Added ability to enumerate Amazon AWS EC2 assets

  • Added Yara triage support to macOS assets

  • Added Baseline comparison for macOS assets

  • Added full disk image collection with interACT for Windows assets


  • Added ability to duplicate acquisition profiles


  • Fixed an issue where notifications were not shown about tasks in non-default Organisations

  • Fixed the wrong warning message when deleting a task from a case.

  • Fixed an issue where the user couldn't see the baseline comparison report even though the baseline acquisition task was finished.

  • Fixed the name column sorting in the interACT Library




Version 2.8.2



  • Added off-network Acquisition and Triage with portable agent

  • Added interACT for macOS

  • Added Tamper Detection for macOS agent


  • API now includes endpoints for Policy, Auto Asset Tagging, Triage Rules, and Users (Docs)

  • interACT shell now supports backslash (\) for newline

  • Updated and improved the PowerShell deployment script

  • Improved efficiency of e-Discovery and custom content collections


  • Fixed an issue where some users were not able to upload files to the interACT library

  • Fixed an issue where sending the same acquisition twice to the same timeline would result in duplications

  • Fixed an issue where an evidence repository that’s in use in a policy could be removed from the console

  • Fixed limitation on username length


Version 2.7.2



  • Fixed task migration scripts update

  • Fixed missing scheduled task comparison in Baseline Comparison

  • Fixed connecting AD user with fewer than 5 characters

  • Fixed spelling mistake shown on the ESXi Agent Deployment page

  • Fixed UI issues about ESXi tab



Version 2.7.1



  • Fixed a bug related to agent uninstallation process


Version 2.7.0



  • Added support for Apple macOS assets

  • Added Chromebook standalone collector (credit: Yuta K.)

  • Added ESXi standalone collector (credit: Andres S. and Mason T.)


  • Case selection is now optional with an Enterprise or MSOC license

  • API now includes endpoints for Repositories, Baseline, Case and Organizations (Docs)

  • Improved the retry process for interACT’s get and put commands


  • Fixed issue with downloading files with special characters via interACT

  • Fixed acquisition history graph on the dashboard

  • Fixed other minor functionality and UI issues

  • Fixed UTC time mismatch in DRONE for Windows event logs and event records

  • Fixed DRONE stability issue when using keyword search



Version 2.6.2





Version 2.6.1



  • Added asset baseline forensic comparison

  • Added support for FTPS evidence repositories

  • You can now have interACT sessions with isolated Windows endpoints


  • Added new evidence and artifact types to Windows acquisition

  • All active interACT sessions are now ended when interACT is disabled from settings

  • Added "New Rule" shortcut to Triage assignment screen

  • Added keyboard support for confirming and dismissing popups (Enter/Esc)

  • Improved evidence compression performance

  • Enabled option not to compress evidence on collection

  • Upgraded interACT curl executable to version 7.83.1

  • Upgraded interACT osquery executable to version 5.2.3

  • Improved performance of agent installation on Windows


  • Improved Auto Asset Tagging task assignment

  • Improved UI performance in various locations

  • Improved security of sensitive credentials saved in the AIR setting

  • Fixed an issue with the status of the agent update task

  • Fixed a bug in the interACT zip command

  • Fixed a minor bug in unique case directory creation on endpoints

  • Fixed other minor bugs


Version 2.5.1



  • Fixed a bug in the DRONE configuration file migration process.



Version 2.5.0



  • Added DRONE support for Linux

  • Added Sigma rule triage to Linux

  • Added shareable deployment feature

  • Added new organization management page

  • Added osquery command to interACT

  • Added mkdir command to interACT

  • Added sort and tree options to interACT pslist command


  • Added SSL Enforcement for accessing AIR. 

  • Added auto asset tag rules for Apache, Redis, MySQL and RabbitMQ

  • Added tamper detection type to audit log description

  • Added filtering endpoints by label

  • Added filtering audit logs by endpoint name

  • Added TACTICAL and DRONE KB download links

  • Added required privileges section to interACT command help pages

  • Improved endpoint update performance

  • View and Update Organization privileges moved from system privileges to user privileges

  • Hardened to prevent less-privileged users from accessing sensitive settings data

  • Upgraded interACT curl executable to version 7.82.0

  • Improved tamper detection 

  • Improved triage to allow the same Yara rule name in different rulesets

  • Added time frame limit to DRONE Event Records Analyzer

  • Improved DRONE Ransomware Analyzer performance. Added total and per channel limit for Events of Interest and Event Records analyzer.


  • Fixed a minor issue on global search

  • Fixed evidence repository path validation bug

  • Fixed Endpoint label delete issue

  • Fixed e-Discovery patterns search issue

  • Fixed interACT curl command's missing CA certificates on Windows

  • Fixed a bug in sigma triage to kill DRONE process when task is canceled

  • Fixed an issue with the DRONE Linux x86 build.

  • Fixed other minor bugs

  • UI/UX improvements


Version 2.4.0

Blog News: v2.4.0



  • Added e-Discovery collection to acquisition profiles (credit Yalkin D.)

  • Added Tamper detection to agent

  • Added agent support for Linux arm64 (aarch64)

  • Added curl command to interACT

  • Added hex command to interACT


  • Added IP Address column to Endpoint table

  • Added silent installation tooltip for SCCM agent deployment

  • Added endpoint name to audit log filter

  • DRONE keyword search capability is now more visible

  • Improved zip command in interACT - Now zips to folder

  • Added new metrics for case report memory section


  • Fixed unquoted service path issue after a config update (CVE-2021-42563)

  • Fixed minor issues on timeline export

  • Fixed duplicated user validation issue

  • Fixed evidence repository name and path validation issue

  • Fixed system resource usage not updating in interACT session issue

  • Fixed renaming evidence repository issue

  • Fixed an issue that allowed task assignment to endpoints with an old agent

  • Fixed webhook addresses not updated after a change of console address

  • Fixed SFTP current directory support

  • Fixed opening report issue in Safari browser

  • Fixed minor issue on Sigma rule parser

  • Fixed minor issue on Drone table

  • Fixed minor UI issues



Version 2.3.6


  • Fixed a bug that broke the database migration step on v2.3.5

  • Fixed minor memory leak in the Events of Interest analyzer


Version 2.3.5

Blog News: v2.3.5


  • Added Sigma rule triage for Windows

  • Added autocomplete functionality to interACT

  • Added ServiceNow support to webhooks


  • Added new privilege to allow changing endpoint label

  • Added auto asset tag rules for Docker and Kubernetes

  • Added version information to settings

  • Added ability to handle Unicode file paths in YARA scanner

  • Added ability to specify a temporary staging directory for acquisition tasks that use evidence repository

  • Improved evidence collection on low capacity endpoints by letting AIR automatically select the volume with the greatest available free space (credits: Babak M.)

  • Improved evidence repository background upload mechanism with persistent retries

  • Improved case export functionality


  • Fixed minor memory leak of canceled tasks

  • Fixed minor logging issues

  • Fixed interACT exec command stdin issues on Windows

  • Fixed a bug related to listing unsupported drone analyzers

  • Fixed case filter issue

  • Fixed policy list on task creation, missing policies

  • Fixed case-sensitive username issues

  • Fixed case day counter

  • Fixed minor bugs on the report

  • Fixed other minor bugs



Version 2.3.0

Blog News: v2.3.0


  • InterACT: A cross-platform remote shell session capability that allows the users to run commands on remote endpoints for triage, mitigation, and remediation purposes in situations such as cyber incident response activities.


  • Improved Windows agent installation

  • Improved endpoint tag assignment

  • Increased timeout duration for Azure Blob Storage


  • Fixed incorrect tag-endpoint count

  • Fixed scheduled instant execution

  • Fixed invalid SFTP port

  • Fixed returning wrong http status code for invalid evidence repository Id

  • Fixed organization search criteria

  • Fixed timeline wrong date range issue on export

  • Fixed multiple role assignment issue on UI

  • Fixed showing "Reset filter" button in the timeline

  • Fixed organizations tag gaps on the UI

  • Fixed privilege hierarchy issue between organization and global admin roles

  • Fixed not showing 404 page for case section

  • Fixed webhook URLs display issue in some cases

  • Fixed duplicated start date field in scheduled task detail

  • Fixed no link issue on "see details" text on Settings > Connection page

  • Fixed broken KB links for Webhooks and SSO


Version 2.2.1 

Blog News: v2.2.1

  • Added Slack integration support

  • Added Mattermost integration support

  • Fixed timeline sort issue

  • Fixed viewing case.ppc issue on failed tasks





Version 2.2.0 (RC)


  • Added exporting endpoints as CSV

  • Added exporting cases as CSV

  • Added exporting case activities as CSV

  • Added exporting case notes as CSV

  • Added exporting case endpoints as CSV

  • Added exporting audit logs as CSV

  • Added exporting timeline events as CSV

  • Added Yara external variables and removed yara+ modules (file, process)

  • Upgraded Yara to 4.1

  • Enriched triage case report for file matches for Linux


  • Added webhook support for Elasticsearch Logstash Kibana (ELK)

  • Added webhook support for SumoLogic

  • Improved task queues

  • Improved triage performance

  • Improved handling of cancel tasks

  • Improved connection timeouts

  • Improved log rotation

  • Improved log format

  • Improved logging

  • Improved Triage case report

  • Updated the application icon for the Windows agent

  • Added timeout for evidence repositories on agent


  • Added retry for agent HTTP requests

  • Added retry for failed case file uploads

  • Introduced Linux systemd service restart on failure

  • Fixed compression progress reporting

  • Fixed HTTP response close

  • Fixed a race condition for HTTP transport

  • Fixed progress reporting

  • Fixed self match possibility of custom content collection for Linux

  • Fixed misc. minor bugs



Version 2.1.5

  • UI/UX improvements on case containers

  • Fixed minor bugs related to case containers

  • Fixed drone autopilot issue on scheduled tasks and webhooks.

  • Fixed a bug when using Azure storage as an evidence repository on Linux agents



Version 2.1.0 (RC-2)

  • Added additional functionality to cases feature

  • Minor fixes and improvements



Version 2.0.5

  • Added FQDN support for console address

  • Added a Quick Intro guide to help new users get started with AIR

  • Fixed an issue on SSO with 8443 port

  • Console migration process moved to task logic

  • Minor Linux agent fixes:

    • Minor http timeout fix

    • Minor triage command line parameter fix for excluded files

    • Visit poll interval overflow fix for 32bit architectures

  • Minor Windows agent fixes:

    • Minor improvement on isolation



Version 2.1.0 (RC)


  • Added case container feature

  • Added FIS license support


  • Fixed a minor issue related to the auto-asset-tagging feature

  • Fixed organization admin privileges issue

  • Minor UI/UX fixes


Version 2.0.1

This is the stable version of the latest RC (v2.0-RC)

In this version;

  • Added new predefined acquisition profile: Compromise Assessment

  • Added deployment script support for Windows agents

  • Added webhook parser for Cortex XSOAR and Splunk Phantom

  • Added new evidence type for Windows agents: Collecting USB Storage History

  • Improved license validation messages

  • Improved temporary path usage for Windows agents

  • Fixed a bug related to timeline event count

  • Fixed a bug related to sending events to syslog

  • Fixed a bug related to canceling Auto Tag Asset task on Windows agents

  • Major performance improvements



Version 2.0 (RC)



  • Added AIR-DRONE Integration (available only for acquisition and timeline for now) - rapid keyword searching, anomaly finding, scanning SIGMA rules live directly on any endpoint, and many other DRONE features are available now in AIR.

  • Added Auto Asset Tagging feature - tag your assets automatically by the conditions you provide.

  • Added Off-Network Endpoints feature - add and filter off-network endpoints.

  • Added PPC Import to Timeline feature - import PPC files collected from offline or online environments to Timeline.

  • Added IP Restrictions feature - restrict access to the AIR Console based on IP addresses or IP blocks.

  • Added UI Port Splitting feature - enables you to serve AIR Console and Endpoint requests from separate ports. With this feature, you can create separate firewall rules in AIR.

  • Added Drone findings on the Timeline

  • Added SMB Repository Support for Linux

  • Added Pardus Linux Support

  • Added Super glob meta (double star) support for custom content

  • Added IP Restriction Reset Script

  • Added an ability to download case reports from the endpoint detail task page

  • Added hashes.csv file that contains hashes of the files in the case report

  • Added detailed step by step task statuses (Processing, Compressing, Uploading, Analyzing)

  • Added support for .pfx, .der SSL certificate types

  • Added supported Linux distributions information to the deploy page

  • Added "Send to Timeline" action to Acquisition tasks

  • Added displaying support for PPC file metadata

  • AIR UI has a new design layout now


  • Improved error messages to be more user-friendly

  • Improved database connection functionality on backend

  • Improved case report view options on the endpoint detail page

  • Improved global search bar visibility for each page

  • Improved notification module "Mark All as Read" accessibility

  • Improved showing EULA in AIR setup

  • Improved and simplified AIR deployment with Docker for Linux

  • Improved performance while opening the Case Report.

  • Improved SSL Certificate installation

  • Minor improvements/fixes on case report

  • Upgraded MongoDB version to 4.4.7


  • Fixed an issue related to manual uninstallation of the Windows agent

  • Fixed LDAP issue occurring while trying to log in to AIR with the username@domain format

  • Fixed task queue cancellation

  • Fixed Proxy SSL issue

  • Fixed organization name update issue

  • Fixed organization filter bug on the policy creation page

  • Minor UI/UX fixes


Version 1.8.3

  • Minor changes and improvements

Go to knowledgebase to learn how to migrate from v1.7.61 to v1.8



Version 1.8.2

This is the stable version of the latest RC (v1.8.0-rc)

In this version;

  • Added AIR CLI Support

    • Added support for restoring from a backup file

    • Added support for resetting a local user password

  • Improved AWS S3 Bucket upload on Windows agent

  • Improved Custom Content Collection on Windows agent

  • Fixed some minor bugs

Go to knowledgebase to learn how to migrate from v1.7.61 to v1.8


Version 1.8.0 (RC)



  • Added ability to unisolate an endpoint, whether it's already isolated or not, for easier troubleshooting.

  • Added predefined roles: Organization Admin, L1&L2 Analyst, L3&L4 Analyst, Maintenance Engineer.

  • Added authorization guard for unauthorized users while accessing organization-specific resources and deployment-related pages.

  • Optimized all database indexes for the organization system.

  • Moved policy priority-based config to order-based config.

  • Improved the stateless task scheduler.

  • Improved create tag rest endpoint for organization system.

  • Improved policy-endpoint match stats.

  • Improved caching by moving it from in-memory to a queue-based infrastructure.

  • Improved the backup feature.

  • Updated policy priority/order to clear up the confusion

  • Removed default SMTP connection, users have to enable the SMTP settings to send emails such as password reset

  • Improved auto-isolate operation after reboot


  • Fixed task data error on getting task by id.

  • Added aborting existing TCP connections after Isolate operation

Additional instructions for existing customers:

  • Once a stable version of v1.8 is released, migration documentation and technical support will be provided for existing customers.



Version 1.7.61

  • Fixed NATS blocking call problem.

  • This is the last AIR Console version that supports the MSI installer. In future releases, Docker will be the only deployment option.


Version 1.7.60

  • Fixed password reset bug.

  • Improved endpoint console address migration feature.



Version 1.7.55

  • Added ability to change the console address to migrate endpoints to a new AIR instance.


Version 1.7.50

This is the stable release of the previous RC version (v.1.7.45)

  • Blog News: v1.7.50

  • Fixed a bug upgrading endpoints with old version to newer version

  • Fixed notifying NATS for the endpoints that need to be upgraded to the new version

  • Fixed a bug regarding database backup

  • Added support for validating settings for Azure Blob Storage and AWS S3



Version 1.7.45 (RC)

  • New Feature: CSV import support for Timeline

  • New Feature: Amazon S3 Bucket evidence repository support

  • New Feature: Azure Blob Storage evidence repository support

  • New Feature: LDAPS integration support

  • Changed Triggers to 

  • Added Sources field for Investigation

  • Added support for deleting timeline resources

  • Added LimaCharlie Webhook support

  • Added new predefined YARA rule: NSA Mitigating Webshells

  • Added name field to evidence repositories

  • Improved timeline filtering

  • Improved timeline performance

  • Improved progress reporting based on percentage and time on Linux agent

  • Improved recursive directory walk when compressing case directory on Linux agent

  • Improved isolation task assignment validation

  • Improved task cancellation for network share evidence repository on Windows agent

  • Improved SFTP upload on Windows agent

  • Fixed delay on task receiving after an agent is upgraded to a new version

  • Fixed deploy script bug for non-HTTPS servers

  • Fixed minor bugs on Linux agent

  • Fixed an issue in YARA scanner on Windows agent


Version 1.7.41

  • Minor bug fixes



Version 1.7.40

  • Blog News: v1.7.40

  • New feature: AIR-QRadar integration. Now, an acquisition can be started by triggering AIR via QRadar (credits: Esra Kulüp)

  • New feature: Added Roles and Privileges. Starting from this version AIR contains 70+ user privileges for more fine-grained control

  • New feature: Added backup support for case reports and config files. (Database backup is already available beginning from v1.7.16)

  • New feature: Added AES encryption option for backups

  • New feature: Added SFTP support to store backups on the remote server

  • New feature: Added performing bulk operations on the selected endpoints (adding/removing tags, deleting endpoints, starting acquisition triage, and much more. credits: Babak Mirzahosseiny)

  • New feature: Added triage support to Linux. Now, the file system and memory can be scanned using YARA rules. (credits: Hilko Bengen, author of go-yara)

  • New feature: Added Custom Content collection from Linux distributions

  • Added progress update for compression and SFTP upload process on Linux

  • Added sending matched triage rules to Syslog

  • Added advanced filter options to data grids

  • Added auto-generated shell script to facilitate Linux deb and rpm packages deployment

  • Added AIR integration guideline to documentation

  • Improved policy creation UI & UX

  • Improved setup process UI & UX

  • Improved custom SSL certificate information

  • Improved task completion status UX

  • Improved NATS communication in agent

  • Implemented more secure cookie-based authentication

  • Optimized Audit logging performance

  • Optimized Syslog bulk processing performance

  • Fixed changing proxy settings when the license is lockdown

  • Fixed an issue in the agent installer

  • Fixed some security vulnerabilities

  • Minor changes and bug fixes


Version 1.7.35

  • New feature: GNU/Linux support for Debian and Redhat based distributions (Preview)

  • New feature: Added SFTP support to evidence repositories

  • New feature: Added compression and encryption support for evidence

  • New feature: Added endpoint isolation for Windows platform

  • New feature: Added policy support that gives you the ability to manage evidence repository location, compression, encryption, and CPU limit based on rules (credits: Turkcell CDC)

  • Added extended file information for triage files

  • Added dependency checking to evidence repository deletion process

  • Added Linux acquisition evidence list

  • Added "Use options provided in policies" and "Use custom options" choices to the acquisition, triage, trigger process

  • Added platform column to endpoint datagrid

  • Added platform, isolation status, and policy filters to endpoint page

  • Added Linux deploy steps to deploy page

  • Added assigning log retrieval task to offline endpoints.

  • Optimized caching to minimize performance bottlenecks caused by high request load

  • Optimized security token check performance

  • Optimized concurrent message handling on Nats server

  • Refactored worker pool to work based on priority

  • Refactored the endpoint task queue to work with the task configs in policies and custom configs

  • Removed patrol from AIR

  • Fixed XSS exploit on audit logs

  • Fixed the performance bottleneck on the task progress update process

  • Fixed a memory leak in the visit process on the Windows agent

  • Fixed a problem in Windows agent installation version check

  • Updated EULA

  • Minor UX improvements

  • Minor bug fixes



Version 1.7.31

  • Fixed the bug related to task assignment to endpoints that are associated with multiple tags


Version 1.7.30

  • Improved triage match results

  • Improved AD sync performance

  • Improved audit log db write transactions

  • Improved license capacity checks

  • Improved LDAP login

  • Highly optimized task core module performance

  • Highly optimized endpoint task queue memory usage

  • Highly optimized audit log storage

  • Highly optimized realtime task assignment to endpoints

  • Optimized logging on agent

  • Optimized debugging log on worker tasks

  • Optimized Agent Installer download performance

  • Optimized task result upload performance

  • Optimized db bulk operations

  • Optimized triage rule storage

  • Optimized task storage

  • Refactored worker core module

  • Fixed an issue related to sending triage task result

  • Fixed performance issue caused by Patrol module

  • Fixed disappearing endpoint tags after AD sync issue

  • Fixed loading up tasks to endpoint queue issue caused by db migration

  • Fixed the register required bug that is caused by latency on endpoint registration

  • Fixed the performance issue on visit requests caused by agent update load balancer

  • Fixed investigating same endpoints multiple times in the same investigation

  • Fixed security token mismatch bug on visit requests

  • Fixed the bug caused by reloading task details on the UI

  • Fixed the bug related to license validation for online and offline environments



Version 1.7.24

  • Fixed a critical issue on the task assignment module


Version 1.7.23

  • Improved endpoint connection error logging

  • Changed max memory cache size to maximum

  • Highly improved memory usage of the endpoint task queue

  • Increased node's memory usage limit to 6GB

  • Reduced effect of long-running tasks on the starting speed of the application

  • Fixed performance and memory issue on sending events to Syslog and audit logs

  • Fixed a minor bug on the endpoint registration issue

  • Fixed a minor bug on fix endpoint issue task

  • Fixed a minor bug on the installer



Version 1.7.21

  • Fixed an issue in UI

  • Other minor bug fixes and improvements


Version 1.7.20

  • Fixed minor bugs



Version 1.7.16 (RC)

  • Added getting endpoint system resources feature

  • Added database backup feature that allows admin to create database backups regularly (credits: Turkcell CDC)

  • Added version column to the endpoint page

  • Added two new endpoint issue types

  • Added agent update management feature (credits: Turkcell CDC)

  • Added capability to fix registration issue for endpoints that were re-installed

  • Improved error report sending on the installer

  • Improved offline license check

  • Improved endpoint issue filter

  • Improved dashboard page statistics

  • Improved automatic page data polling

  • Highly improved backend and agent logs

  • Improved re-upload task mechanism

  • Fixed an issue on triggers that caused recurring requests not to be ignored

  • Fixed getting 404 when trying to download an external resource from the report

  • Fixed an issue in task fail upload condition

  • Fixed an exception in downloads collector

  • Other minor bug fixes and improvements



Version 1.7.13 (RC)

  • Fixed an issue in agent installer

  • Other minor bug fixes and improvements



Version 1.7.12 (RC)

  • Highly improved Yara Scanner speed

  • Improved getting agent logs from AIR

  • Improved process collector

  • Fixed an issue in Yara Scanner

  • Fixed an issue in Prefetch collector


Version 1.7.11 (RC Sunburst Edition)

  • Fixed minor typo



Version 1.7.10 (RC Sunburst Edition)

  • Added FireEye Red Team Tool Countermeasures Yara Rule

  • Added FireEye Mandiant SunBurst Countermeasures Yara Rule

  • Added support for both filesystem and memory triage

  • Added support for getting agent logs from AIR

  • Added support for agent log rotating

  • Highly improved AIR backend for concurrent operations

  • Fixed an issue in triage results

  • Fixed a minor issue in license

  • Other minor bug fixes and improvements


Version 1.7.8 (RC)

  • Fixed an issue in event log parser



Version 1.7.7 (RC)

  • Added Log Retrieval action to endpoint

  • Added Timeline action to endpoint group and endpoint tag tree

  • Added Reset Password support for users

  • Added scroll support for timeline

  • Added downloading case entries from report

  • Improved TimelineIR experience

  • Fixed minor install/uninstall bugs

  • Fixed trigger recurrence bug

  • Fixed other minor bugs

  • Removed setting AD and proxy configs from the installer


Version 1.7.6 (Beta)

  • Minor improvements and bug fixes



Version 1.7.4 (Beta)

  • Fixed an issue in event log parser


Version 1.7.3 (Beta)

  • Added support for downloading report as HTML (credits: Turkcell CDC)

  • Improved Quick Acquisition Profile

  • Improved agent update mechanism (credits: Orhan Solak - Barikat Cyber Security)

  • Fixed an issue in agent task processing mechanism (credits: Burak Karapınar - HAVELSAN)

  • Fixed an issue in agent manual uninstallation (credits: Orhan Solak - Barikat Cyber Security)



Version 1.7.1 (Beta)

  • Added TimelineIR feature

  • Added Binalyze Patrol feature

  • Added audit logs feature

  • Added role-based access control

  • Added "Acquire Evidence", "Schedule Acquisition", "Triage" and "Delete Endpoint" actions by tag

  • Highly improved agent performance

  • Highly improved agent memory usage

  • Improved settings page to separate the Users, License, and Evidence Repositories pages

  • Improved case file upload to handle .ppc files

  • Improved the installer prerequisites to handle the newer version of NodeJS

  • Improved debug logs

  • The minimum memory requirement for the AIR server increased to 8GB

  • Other minor bug fixes and improvements


Version 1.6.14

  • Added support for parsing SRUM Application Resource Usage

  • Added support for parsing SRUM Network Data Usage

  • Added new event records

  • Added MAC time to crash dumps

  • Added Custom Content collection from all drives (credits: Mason Toups)

  • Added Triage on all disk drives (credits: Mason Toups)

  • Added host content to report

  • Added export process table as CSV (credits: Alexander Jarvis)

  • Added Last Write Time for Installed Applications

  • Added support for CPU usage limitation (credits: Turkcell CDC)

  • Added Refresh button to the endpoint groups section

  • Added Delete All Tags button to the endpoint tags section

  • Added Delete button to all detail pages

  • Improved settings page design

  • Improved design of table action buttons

  • Improved Browser History acquisition

  • Improved Network Share connection check

  • Improved exception handling

  • Fixed an issue with event logs

  • Fixed WMI query exception problem

  • Fixed Downloads section processed count

  • Fixed an issue with timestamping



Version 1.6.11

  • Improved endpoint tags

  • Improved installer (credits: Babak Mirzahosseiny)

  • Fixed LDAP user login authentication (credits: Turkcell CDC)

  • Fixed LDAP endpoints register problem (credits: Turkcell CDC)

  • Fixed enable/disable debug logging bug


Version 1.6.9

  • Added feature of adding tags to endpoints (credits: Yalkın Demirkaya)

  • Added LDAP Sync option to endpoint group tree

  • Added refresh button to the endpoint tags section

  • Added delete tag action to the endpoint tags section

  • Added New Profile button to acquisition profiles dropdowns

  • Improved server logger to make logs more readable



Version 1.6.8

  • Added the Recent Tasks section to the dashboard

  • Added task assignment delete option

  • Added Scheduled Acquisition edit option

  • Added confirmation modal to Active Directory settings

  • Added status line to the task detail page

  • Added select all option to triage list of the endpoint

  • Added uninstall task assignment for unmanaged endpoints on a visit request

  • Added onetime scheduled task removal after execution

  • Added task execution history to dashboard backend API

  • Added task assignment removal to backend API

  • Added NATS server port status checker job

  • Added match count stats to task details

  • Added support to login with an LDAP account

  • Added sending user deleted event to Syslog

  • Added e-mail field for the user

  • Improved task removal

  • Improved LDAP sync (credits: Babak Mirzahosseiny)

  • Improved SMTP validation logic

  • Improved server restart logic (credits: Babak Mirzahosseiny)

  • Improved agent HTTPS connection (credits: Babak Mirzahosseiny)

  • Refactored task assignment and scheduler

  • Fixed changing LDAP endpoint group after visit request (credits: Babak Mirzahosseiny)

  • Fixed HTTPS redirection bug (credits: Babak Mirzahosseiny)

  • Fixed report process tree view

  • Minor improvements and bug fixes


Version 1.6.4 (Code Name: Sirius)

  • New backend in NestJS (TypeScript) with 100% unit test coverage

  • New frontend in Vue.js

  • Added auto-complete support for YARA rule editor

  • Added support for YARA rule validation

  • Added group triage feature

  • Added global search feature

  • Added filtering support to all tables

  • Added local search for each page

  • Added security token refresh for triggers

  • Added new evidence types

  • Added new Custom Content collection editor

  • Added required port detection to the installer

  • Added Active Directory server setting alongside domain name

  • Added Memcache for decreasing response times

  • Added support for the upcoming Compromise Assessment feature (PPC file)

  • Added retry feature to agents in case there is no connection to evidence repository

  • Highly improved evidence selection page

  • Highly improved UX for task actions

  • Fixed minor issues in installer

  • Fixed minor issues in the Case report

  • Fixed an issue in NATS

  • Fixed an issue in license handling

  • Fixed Smart Screen warning on agent installation



Version 1.4.1

  • Added collection of Autorun locations

  • Added collection of Downloaded Files information

  • Added collection of RDP Cache Files

  • Added port availability check for the installer

  • Added new license models

  • Added support for offline licensing

  • Added support for task cancellation

  • Highly improved report

  • Highly improved calculation on visit interval

  • Improved UI/UX

  • Fixed an issue with timezone handling

  • Fixed an issue in group task assignments

  • Fixed app manifest problem for console service

  • Removed internet dependency from the installer

  • Minor updates and improvements


Version 1.4

  • Added support for Triage on FileSystem and Memory using YARA+

  • Added support for installation on Windows 7+ OSes

  • Added support for assigning a task to all endpoints in endpoint groups

  • Added support for sending case report after the task completion

  • Added support for anonymous network share connections

  • Added support for sending notifications for failed tasks

  • Added Online filter into endpoints page

  • Added support for network share folder permissions check

  • Added support for updating endpoint details for upgraded OSes

  • Added support for filtering with endpoint groups

  • Added resilience to case report sending

  • Added sending match count after triage task completes

  • Added Yara rule validation

  • Added validating Yara rule file

  • Added sending Yara rule error message if a wrong rule is provided

  • Added sending duration during the task

  • Highly improved evidence acquisition to network shares

  • Improved agent logs

  • Improved exception handling

  • Improved uninstall task

  • Improved fetching array from JSON

  • Improved network share authentication

  • Fixed an issue in LDAP Sync

  • Fixed unhandled exception with JSON GetValue

  • Fixed unhandled exception

  • Fixed wrong function usage for JSON

  • Fixed an issue with agent log

  • Removed unnecessary console API calls

  • Removed console out messages

  • Removed .NET Core dependency

  • Minor updates and improvements




Version 1.3.6

  • Fixed an issue in agent update

  • Fixed an issue in license handling

  • Fixed a UX issue in agent register


Version 1.3.5

  • Improved UI/UX

  • Highly optimized client connection handling

  • Highly optimized database operations

  • Added support for Custom Content

  • Added support for Syslog

  • Added console auditing logs

  • Added support for DB migration

  • Added edit button to tables

  • Added endpoint filter links to dashboard statistics

  • Improved license handling

  • Performance optimizations

  • Fixed an issue in LDAP synchronization

  • Fixed an issue leading to duplicate domain

  • Fixed an issue in tasks page showing incorrect endpoint

  • Fixed an issue in task scheduler

  • Fixed an issue in installer test LDAP button

  • Fixed an issue in installer test proxy button

  • Minor updates and improvements



Version 1.3.3

  • Improved UI/UX

  • Added validation to settings save

  • Fixed screenshot not captured issue

  • Fixed clipboard not captured issue

  • Fixed UsnJournal not retrieved issue

  • Fixed Active Directory paging issue

  • Fixed multiple Active Directory groups issue

  • Added scroll to Active Directory groups


Version 1.3

  • Major architectural improvements

  • Major security enhancements (credits: Mehmet İNCE &

  • Improved NATS real-time messaging

  • Improved email template

  • Added support for generic Webhook integration with SIEM, SOAR, and EDR products.

  • Added Custom Content Collection

  • Added administrator manifest to installers

  • Added logging for prerequisites

  • Added LDAP / Proxy test buttons to settings

  • Added support for SSL

  • Added 404 Not Found pages

  • Fixed an issue with forgot password dialog

  • Fixed an issue with Console updater

  • Fixed an issue with client IP handling

  • Fixed an issue with environment variables

  • Other minor bug fixes and improvements



AIR was born on 21st October 2019 with our first public Beta release 1.2.1