AIR Release Notes

Version 4.43

Features

New Multi-Asset interACT capability

AIR 4.43 introduces a completely redesigned experience for interACT, Binalyze’s remote live shell feature. This update significantly improves productivity by allowing analysts to manage multiple live sessions within a single, intuitive interface, reducing cognitive load and streamlining interactive investigations.

This short video shows Multi-Asset interACT in action.

What’s New?

These improvements are already resonating with users and threat-hunting teams who rely on AIR for high-speed investigations. This release positions interACT as a true analyst-first feature with native multi-session awareness.

Real-Time User Online Status Indicators

AIR now displays user presence across the UI to help with team coordination and case visibility:

• A green dot under the avatar indicates a user is currently online.

• A gray dot means the user is offline.

• This indicator appears in the user management table, case views, and other screens where user details are displayed.

This improvement supports collaboration in larger teams and across time zones.

Acquisition Profile Type Visibility

To reduce errors when assigning acquisition profiles to assets, AIR now displays the associated platform(s) for each profile:

• Windows

• Linux

• macOS

This small but impactful change helps ensure analysts select valid profiles for each target asset, especially during baseline or full acquisitions.

Enhancements

Investigation Hub - Global Filters Repositioned

To improve efficiency, the Global Filters have been relocated from the secondary menu to the top of the Investigation Hub, immediately below the section title, ensuring permanent visibility and immediate access.

Also new:

• ‘Evidence Category’ has been added as a Global Filter.

• These global filters persist throughout user interactions at both asset and case levels.

Investigation Hub - Relative Date/Time Filtering

AIR now supports relative time selection to apply date and time filters in the Investigation Hub. Analysts can quickly select dynamic ranges, such as “Last 5 minutes,” “Last 7 days,” or “Next 30 minutes,” by clicking on the timestamps in Investigation Hub tables.

This enhancement complements the existing absolute date/time filtering (e.g., 00:00–23:59 on a specific date) by offering more flexible, context-aware filtering, particularly useful in timeline reviews and live evidence analysis.

Investigation Hub - Improved Text Selection Actions

We've improved the visibility of contextual search tools that appear when text is selected in tables or details views.

Now clearly visible:

• Search in the current table

• Search in the Investigation Hub

• Google Search

• VirusTotal Lookup

These actions are now represented with intuitive icons and light animation to reduce the risk of being overlooked.

Binalyze MITRE ATT&CK Analyzer is now at version 9.6.1

Recent updates to the MITRE ATT&CK Analyzer and Dynamo module introduce improved coverage for emerging threats and evasive behaviors:

• Expanded Detection of MCP Server Activity
  New rules detect Model Context Protocol (MCP) server behaviors on Windows endpoints, covering configuration files, environment variables, processes, and network activity, to help identify unauthorized AI assistant access and potential data exfiltration.

• IIS Malware Coverage
  Added YARA-based detection for multiple native IIS malware families, including IIS-Raid, RGDoor, IIStealer, ISN, IISpy, and IISerpent, each tuned to the unique traits of these stealthy web server threats.

• ConfuserEx Detection Improvements
  Updated rules improve the detection of samples protected by the ConfuserEx .NET obfuscator, enhancing coverage of heavily packed malware.

• Suspicious Service Path Detection
  Dynamo now queries all fields when identifying suspicious service paths, improving accuracy in identifying abuse scenarios.

• Minor rule refinements and false-positive reductions were included across the YARA and Dynamo rule sets.

These updates enhance DRONE’s automated assessments and MITRE ATT&CK mapping for faster, more accurate investigations. Full changelog available here.

Fixes

• Minor UI/UX adjustments across the Investigation Hub, including feedback from usability testing.

• Stability and layout improvements in task creation screens.

• Interactive shell drawer display issues resolved for specific browser sizes.

Version 4.41

New Features and Enhancements

Repository Explorer – Centralized Forensic Image and File Access

A new main menu item, the AIR Repository Explorer, now centralizes access to all disk image data and repository files, replacing the previous per-asset image file management. 

Once selected, the Repository Explorer will reveal a secondary menu which lists the available repositories and their contents under Global or Organizational assignments.

 Key benefits of this new feature include:

• A single interface to browse and manage repositories.

• Download individual files directly to the user's machine.

• Directly upload files into existing repositories using the Upload File action button.

• Import any compatible file in the repository to mount as a ‘disk image asset’ using the new "Import Disk Image" action.

• Improved navigation between global and organization-specific repositories across Azure, AWS S3, SFTP, and SMB.

NB: The Repository Explorer only displays repositories that are configured and available to the logged-in user. For example, FTPS will not appear unless it has been added previously.

This enhancement significantly improves visibility, usability, and operational efficiency.

Fleet AI – AI Agents for Rule Generation and Guided Investigation

Fleet AI marks Binalyze's first major step into Agentic AI for investigation and response automation, introducing our Multi-Expert Agent System (MEAS) architecture to embed specialized AI expertise directly into AIR’s investigation workflows—if and when the user chooses to activate it.

The first of these agents, Fleet Detection Engineer, debuts in AIR 4.41. It can generate validated YARA, Sigma, and osquery rules based on natural language prompts. A contextual memory system enables secure, persistent conversations, enhancing rule accuracy and usability.

If the Triage Rule wizard is open during a Fleet AI session, you can instantly accept and inject a generated rule directly into the wizard for immediate use.

Coming Soon:

• Deeper AIR integration and task automation, including a DFIR-specific assistant to answer investigation-related questions.

• Security guardrails for scope control, sensitive data filtering, and secure access.

• Scalable architecture built with FastAPI, Redis (with pgvector), and Docker/ECS deployment.

• Bring Your Own AI (BYOAI): Option to deploy Fleet AI on-premise with no Binalyze Cloud connectivity, ensuring complete data privacy.

Search in AIR’s Settings

You can now search across AIR’s Settings section and subsection titles using the new search box located at the top of the Settings secondary menu.

Selecting a result takes you directly to the relevant configuration page, where the matching item will be highlighted.

This small but powerful enhancement makes navigating complex settings faster, easier, and far more intuitive.

User Profile Photos

Users can now upload their own profile images. These will be displayed across the AIR console UI in user-facing areas, such as the user menu, case history, and activity logs. Supported for both regular and SSO-authenticated users, although not synced from the identity provider.

Event Subscription UI Improvements

The Event Subscription configuration interface, found under Main Menu > Integrations > Event Subscriptions, has been refined for improved usability. Enhancements include:

• Categorized grouping of events.

• Searchable interface for faster configuration.

• Improved multi-select and toggle options for greater clarity and control.

Exclude Responder(s) from Updates

The Exclude from Updates feature allows users to prevent selected assets from receiving responder updates. This can be done individually via the More actions menu or in bulk using the bulk action bar—ideal for maintaining a state, managing phased rollouts, or excluding specific assets.

Excluded assets are hidden from update-related actions and skipped by auto-update processes. Their status is clearly indicated on the asset detail page.

To re-enable updates, use the Include in Updates action. The asset will be included in the next update cycle, and update controls will reappear.

NB Any scheduled or manual update tasks are discarded when exclusion is applied. These are not restored automatically—new tasks must be created.

Investigation Hub - Multiple Findings per Evidence

Evidence items can now display more than one finding:

• A plus (“+”) indicator in the Finding Type column indicates when multiple findings are present for that item.

• A dedicated "Findings" tab in the details view allows each Finding to be examined independently.

This resolves prior inconsistencies in the representation of evidence and improves investigative accuracy.

Investigation Hub - Contextual Time Filtering

You can now filter any Investigation Hub table by date directly from the column view:

• Click a date to access options such as “before,” “after,” or “exact.”

• Applied filters are automatically added to Advanced Filters as additional criteria.

• Supports all date columns within the Investigation Hub.

Investigation Hub - Launch Asset Actions in the Investigation Hub

You can now launch core AIR actions—such as Acquire Evidence and Triage—directly from the asset name column within the Investigation Hub. 

Simply hover over an asset name to reveal a gear icon, then click it to access quick actions instantly. 

This streamlined interaction eliminates the need to return to the Quick Start screen, making task initiation faster and more intuitive.

Binalyze MITRE ATT&CK Analyzer is now at version 9.5.0

This update expands AIR’s detection capabilities through improvements to YARA and Dynamo rules:

• YARA: Added detection for KoiLoader/KoiStealer and hacker tools used in recent campaigns. Includes false positive fixes and new rules targeting Initial Access IOCs.

• Dynamo: Broadened tool coverage to improve context and correlation in forensic evidence.

These updates enhance DRONE’s automated assessments and MITRE ATT&CK mapping for faster, more accurate investigations. Full changelog available here.

Fixes

This release includes minor fixes and polish items from AIR 4.40 and 4.41, including UI refinements and background performance improvements.

Version 4.37

Important Notice: Database Migration
This is a major release that includes a database migration step. As a result, the upgrade process may take longer than usual.
To minimize disruption, we strongly recommend scheduling this upgrade outside of business hours. If you need assistance or have any concerns, please contact Binalyze Support before proceeding.

New Features and Enhancements

Bulk Task Cancellation and Deletion

Managing large volumes of tasks is now faster and more efficient with the introduction of Bulk Task Cancellation. This new capability allows users to cancel one or more tasks directly from the Tasking view using the familiar bulk action toolbar.

To help users narrow down which tasks to cancel, all advanced filters are fully supported, making it easier to locate and select specific task types, names, sources, or statuses. Once multiple tasks are selected, the bulk action bar will automatically appear, along with a task count to indicate how many have been selected for cancellation (note: this refers to the number of tasks, not assets).

As part of the same enhancement, we’ve also introduced Bulk Task Deletion. When using the Delete Tasks option in the bulk action bar, users can choose between:

• Delete Task Only – Removes the task from the console without affecting the asset.

• Delete and Purge Local Data – Deletes the task and purges any associated local data from the asset.

These enhancements streamline the cleanup of redundant or misconfigured task assignments, helping maintain a more organized and accurate tasking environment while offering greater control over retained data.

Read more about task cancellation and deletion here in the Knowledge Base.

Investigation Hub – Regex Support Added to Advanced Filters

The Investigation Hub now includes regex (regular expression) operator support within the Advanced Filters section. This enhancement enables more powerful and flexible data filtering across cases, triage results, and evidence views.

How It Works

Regex filtering is available via the existing Contains filter dropdown, with the following operator options:

• Matches RegEx (case insensitive)

• Does not match RegEx (case insensitive)

• Matches RegEx (case sensitive)

• Does not match RegEx (case sensitive)

These options allow you to create highly granular search conditions, ideal for forensic analysts dealing with variable or loosely structured data inputs.

Read more about RegEx in Advanced Filters here in the Knowledge Base.

Investigation Hub – Import Status Progress Display

Users can now monitor import progress directly within the Investigation Hub as the status is shown in real time next to the case title, providing immediate visibility into the current state of ongoing or newly added tasks.

When hovering over the data import icon, users will now see a clear visual status:

• A green tick indicates that the import has successfully completed.

• A spinning circle of dots signifies that the import is still in progress.

This small but impactful addition makes it easier to track case activity at a glance, helping investigators stay informed without switching views or refreshing pages.

Read more about the Secondary Menu here in the Knowledge Base.

Investigation Hub – Keyboard Navigation Now Refreshes Details Pane

We've added this ‘quality-of-life’ improvement to the AIR Investigation Hub based on customer feedback.

Previously, when navigating between artifacts in the center pane using keyboard arrows, the Details Pane did not update accordingly, requiring a manual click to refresh the content. We’ve now addressed this.

With this release:

• The Details Pane now automatically refreshes when navigating through artifact line items using the keyboard arrow keys.

• This behavior also applies when the details pane is detached in a separate window, ensuring a consistent experience across both views.

This enhancement makes artifact review faster and more intuitive—just the way it should be.

(Credit: Adam D, Josh T)

Investigation Hub – User Attribution for Individual Exclusions

We've enhanced the Individual Exclusions feature in the Investigation Hub by adding user attribution. Now, when a user manually excludes a Finding, their name is recorded and displayed in the Exclusion Table. This update brings greater transparency and auditability to the exclusion process.

Why it matters:

Users can now easily identify who excluded specific findings—helping teams maintain accountability and better understand investigation decisions.

This builds on the original feature introduced in v4.35, which allowed analysts to exclude findings on a case-by-case basis without needing to define a rule.

Read more about Exclusions here in the Knowledge Base.

API Support for Creating Tags in Triage Rules

Users can now create and categorize triage rules using the public API. This new capability allows tags to be programmatically added during triage rule creation, eliminating the need for manual tagging and enabling more scalable, automated workflows.

Key Benefits:

• Streamlines triage rule management via automation.

• Enhances organization with consistent, tag-based categorization.

• Reduces manual overhead in rule setup.

📘 View API documentation

Binalyze MITRE ATT&CK Analyzer is now at version 9.0.1

Here is a summary of the releases since our last release notes, 5 March – 2 April 2025:

Version 9.0.1

• Updated detection for SystemBC proxy malware.

• Enhanced detection of Play ransomware variants and related tools.

• Additional minor fixes and improvements.

Version 9.0.0

• New YARA rules targeting China-based APT tools:

  • HUI Loader (S1097), ShadowPad (S0596), SodaMaster (S0627)

  • SparowDoor backdoor and ABYSSWORKER rootkit

• Detection improvements for:

  • Credential theft, brute-force utilities, network discovery, and reverse proxy tools

  • Malware using compromised or revoked digital signatures

• Dynamo has been updated to better recognize commonly used hacker tools in forensic artifacts.

Versions 8.7.0 – 8.7.1

• Added detection for Winos, a C2 framework used in recent Taiwan-focused campaigns.

• Improved coverage of ESXi-targeting ransomware variants.

• New detection for Sosano, a backdoor aimed at aviation, satellite, and critical transport sectors.

These updates continue to strengthen Binalyze’s threat detection arsenal with broader coverage and enhanced forensic insight. For more details, visit the Binalyze MITRE ATT&CK Analyzer changelog.

Fixes 

None of note

Version 4.33

New Features and Enhancements

Dark Mode

A Dark Mode UI is now available in AIR. This feature provides a more comfortable and visually appealing experience, especially in low-light environments. It reduces eye strain during extended sessions and enhances usability while aligning with modern UI standards. Users can now switch between light and dark modes in the main AIR menu based on their preference, improving usability and overall satisfaction. 

Data Usage Dashboard - Hierarchical Sunburst View

Understanding data usage in complex environments can be challenging, especially with large datasets. The new Hierarchical Sunburst View in the Data Usage Dashboard offers an intuitive, hierarchical visualization that makes it easier to identify key usage patterns, trends, and anomalies at a glance.

Key Benefits:

• Clear, Visual Breakdown – Navigate data relationships more effectively than with traditional tables or linear charts.

• Interactive Exploration – Click on segments to drill down into deeper data layers for detailed insights.

• Consistent Filtering – All global filters apply to the Sunburst visualization for a seamless analysis experience.

• Save to Dashboard – Easily save your customized Sunburst views for quick access and ongoing monitoring.

Where to Find It?

The Sunburst View is available under; Settings>Actual Disk Usage in the Hierarchical View tab on the Actual Usage page.

Read more about Disk and Data Usage here in the Knowledge Base.

Enhanced API Token Management with Role-Based Access Control

To improve security and flexibility, API Token Management now supports role-based access control (RBAC), reducing the need for excessive permissions.

Key Enhancements:

• Global Admins continue to create and modify API tokens.

• Granular Permissions: Tokens now inherit only the privileges of their assigned role (e.g., read-only or custom roles), preventing over-permissioning.

• Post-Creation Role Updates: Token permissions can be modified after creation, allowing for dynamic access control.

• Governance & Security:

  • The role assigned to a token and its creator cannot be deleted unless the token is reassigned or removed.

  • Improved auditability and compliance with least privilege principles.

The primary enhancement in this release is the revised role of the API token. Previously, API tokens were automatically assigned the Global Admin role, granting unrestricted access to all APIs. This update introduces role-based limitations, allowing API usage to be tailored according to the selected role. This improvement refines automation workflows and strengthens access control policies.

Event Subscription for Automated AIR Workflows

To enhance automation workflows, AIR now supports Event Subscriptions, allowing users to receive real-time notifications when specific events occur. Previously, while AIR actions could be triggered via API, there was no way to retrieve results automatically, requiring users to log in manually. This limitation made it occasionally challenging to integrate AIR with other tools for fully automated workflows.

Key Enhancements:

• Event Subscription Mechanism: Users can subscribe to specific events in AIR and receive instant notifications.

• HTTP Callbacks: When an event occurs, AIR sends a POST request with relevant event data to the user’s specified HTTP endpoint.

• Seamless Automation: These triggers enable users to automate follow-up actions, such as initiating workflows in external tools.

• Improved API Integration: Reduces the need for manual intervention, making end-to-end DFIR automation more efficient.

This update ensures that users can build fully automated incident response processes, improving efficiency and operational flexibility.

Read more about Event Subscription in the Knowledge Base.

Security Update for AIR Console Access Control

To address a security vulnerability involving Host header injection, we have implemented more stringent controls on AIR Console access.

Key Points:

• Access Restriction: The AIR Console will now only be accessible through the specific address registered during the initial setup, ensuring that only legitimate requests are processed.

• Technical Enforcement: This measure counters manipulations of the Host header that could potentially allow unauthorized access.

• Configuration Flexibility: For legitimate access needs from multiple domains or IP addresses, users can specify allowable entries via the AIR_CONSOLE_ADDRESSES environment variable.

• Enhanced Security: This change not only prevents unauthorized access but also aligns with best practices for secure network management.

This update enhances security protocols and provides administrators with better control over access settings.

AIR Responder Support in Windows Safe Mode

The Binalyze AIR Responder can now function in Safe Mode, allowing forensic acquisition even when a system is booted in a restricted state. To enable this functionality, users must register the Binalyze AIR Agent Service before entering Safe Mode.

Key Details:

• If the machine enters Safe Mode with Networking, the AIR Console connection remains active.

• Users must add the two Registry Keys before Safe Mode is active to allow tasking via the console.

• Without these additions, interACT and remote tasking will not work until the Registry keys are added.

• When using an off-network collector, users can perform acquisitions in Safe Mode without modifying the registry unless remote tasking is required.

Read more about AIR Responder in Windows Safe Mode here.

Binalyze MITRE ATT&CK Analyzer is now at version 8.5.0

Recent enhancements included:

Yara

Enhanced Detection Capabilities:

• Deceptive Development Backdoor: Detection added for Lazarus APT group's custom backdoor targeting developers via fake job offers.

• Veeam Credential Dumping Tools: Now detects tools extracting Veeam credentials from MSSQL databases, addressing technique T1555.

• ValleyRAT Backdoor: Introduced detection for the ValleyRAT backdoor linked to the Silver Fox cybercrime group.

Dynamo

Forensic Analysis Enhancements:

• Enhanced identification and analysis of hacking tools found during forensic investigations for more efficient threat assessment and response.

We have also implemented minor fixes and performance enhancements to improve system stability and detection accuracy, strengthening our security solutions against emerging threats and enhancing investigation processes.

For more details, visit the Binalyze MITRE ATT&CK Analyzer changelog.

Version 4.31

New Features and Enhancements

Investigation Hub Historical Disk Usage Statistics Dashboard

AIR version 4.29 introduced a comprehensive Disk Usage Dashboard in the Investigation Hub. This feature offers real-time, detailed insights into disk usage within the Investigation Hub, categorized by cases, organizations, and evidence types. Additionally, a new Historical Insights view has now been added, providing an enhanced perspective for trend analysis.

Key Benefits:

• Granular Insights combined with Filters: View breakdowns by organization, case, evidence type, etc.

• Improved Storage Management: Easily visualize data with pie charts and detailed tables.

• Historical Views: Analyze trends over time.

• Report Generation: Export insights as PDF reports for sharing or as CSV files directly from table views.

User Guidance:

• Access: Available exclusively to Global Admins via the AIR console:

  • Navigate to: Settings > Investigation Hub Disk Usage > Actual Disk Usage or Historical Disk Usage.

• Summary and Filters:

  • Total disk usage is summarized at a glance.

  • Filters include organization, investigation type, platform, evidence type, and category.

• Visual Representation:

  • Pie charts highlight the top nine usage categories, with the remaining items visible via scrolling arrows.

This update enhances usability, supports trend analysis, and streamlines disk usage monitoring for better resource management. Read more in the Binalyze KB.

New Data Collectors

• The following Browser based Data Collectors have been added:

  • Linux: Firefox Extensions

  • macOS: Chrome Extensions, Edge Extensions, Opera Extensions, Firefox extensions, DHCP Settings

  • Windows: Firefox Extensions

Tornado - Preview Version

We’re thrilled to announce the Tornado Preview, a standalone desktop application designed to streamline and enhance evidence collection from cloud platforms such as Google Workspace and Microsoft Office 365.

Tornado equips investigators with the tools to effortlessly gather critical artifacts, including email records, user access logs, and administrative actions—key elements for Business Email Compromise (BEC) investigations.

Key Highlights

• Multi-Platform Support:
  Tornado currently supports Google Workspace and Microsoft Office 365, with additional platforms planned for future releases.

• Advanced Collection Capabilities:
  Gather essential data types such as email and activity logs across supported platforms.

• Investigation-Centric Design:
  Tailored for BEC investigations with rapid evidence collection, optimized workflows, and enhanced incident response capabilities.

• User-Friendly Evidence Collection Interface:
  Intuitive design ensures precise, efficient, and reliable evidence gathering.

• Data Analysis Options:
  Export data to SQLite for detailed analysis, integrate seamlessly with Binalyze AIR and leverage the Investigation Hub for advanced use cases.

Availability

The Tornado Preview is:

• For AIR Customers: Available alongside the release of AIR version 4.31 on January 15, 2025, via the Tornado Preview button in the AIR console.

• For non-AIR customers: A dedicated landing page offers a free preview starting February 10, 2025. Early registration is available to join the mailing list and receive the download link.

For comprehensive details on Tornado’s features and usage, please visit our Knowledge Base.

Binalyze MITRE ATT&CK Analyzer is now at version 8.2.4

Recent enhancements included:

• Added detection for malicious extensions involved in the Cyberhaven compromise and a broader campaign targeting Chrome extensions for credential-stealing purposes. Blog Post here.

For more details, visit the Binalyze MITRE ATT&CK Analyzer changelog.

Version 4.27.6

AIR now provides configurable encryption for off-network collections. By default, encryption is disabled to streamline the post-collection ingestion process, enabling faster and more efficient evidence handling.

However, for scenarios requiring enhanced security, you can enable encryption during the setup of the off-network collector package. This ensures that sensitive data remains protected while giving you the flexibility to prioritize efficiency when needed. 

We believe this update will improve your workflows while maintaining the highest level of security for your investigations.
For more details please see the Binalyze Knowledge Base page Off-Network Responder and please don’t hesitate to reach out to our team if you need further information.

Version 4.25.3 Hotfix

Several issues have been addressed today with this Hotfix release two that may have affected costumes are outlined below:

1. Issue Addressed: interACT progress communication with AIR console (VOC-1472)

There was an issue in Responder v2.50.5 where certain interACT commands (get, put, zip, YARA, image) were missing progress information in the Console, though the commands still functioned properly. This is fixed in Responder v2.53.6.

2. Issue Addressed: Case Tasks missing (VOC-1463)

When navigating to a Case with multiple Acquisition, Triage, and InterACT records, the entries briefly appear but then disappear from the screen. This affects all data types, and even refreshing the page does not fix the issue. The count for each category (e.g., Acquisition: 45) also drops to zero unexpectedly.

Recommendations:

Update to AIR v4.25.3 when released to benefit from these improvements.

Hotfix

This hotfix addresses the following issues:

1. FSEvents Collection: The macOS Artifact Collection - FSEvents was not providing complete event data in the Investigation Hub. We have improved collection and removed the 3-day limit, ensuring all events are now captured.

2. Incorrect Asset Status: Assets were incorrectly marked as ‘Offline’ when they were actually ‘Online’. The fix ensures real-time and accurate status updates.

3. Report Viewing Issue: Users were unable to properly view reports in the Investigation Hub. The issue has been resolved, ensuring full access to reports.

4. Event ID Description Error: In the Investigation Hub, the description for every Event ID was incorrectly showing as "Windows is starting up". This issue has been resolved, and the correct descriptions are now displayed.

Recommendation: Apply the latest update to benefit from these fixes.

Version 4.21

Enhancements

We have expanded the evidence-collection capabilities in Binalyze AIR by adding several new browser-related items for Linux, macOS, and Windows:

For Linux, we now collect:

• Browser Bookmarks (Chromium, Edge, Opera, Vivaldi, Brave)

• Browser User Profiles (Chromium, Edge, Opera, Vivaldi, Brave)

• Browser Local Storage (Chromium, Edge, Opera, Vivaldi, Brave)

• Dump Browser Indexed DB (Chromium, Edge, Opera, Vivaldi, Brave)

• Browser Web Storage (Chromium, Edge, Opera, Vivaldi, Brave)

For macOS, the following items have been added:

• Browser Bookmarks (Edge, Opera, Vivaldi, Arc, Brave, QQ)

• Browser User Profiles (Edge, Opera, Vivaldi, Arc, Brave, QQ)

• Browser Local Storage (Edge, Opera, Vivaldi, Arc, Brave, QQ)

• Dump Browser Indexed DB (Edge, Opera, Vivaldi, Arc, Brave, QQ)

• Browser Web Storage (Edge, Opera, Vivaldi, Arc, Brave, QQ)

For Windows, we now collect:

• Browser Bookmarks (Edge, Opera, Vivaldi, Brave, QQ)

• Browser User Profiles (Edge, Opera, Vivaldi, Brave, QQ)

• Browser Local Storage (Edge, Opera, Vivaldi, Brave, QQ)

• Dump Browser Indexed DB (Edge, Opera, Vivaldi, Brave, QQ)

• Browser Web Storage (Edge, Opera, Vivaldi, Brave, QQ)

We have also further enhanced evidence collection capability by adding a new artifact group for Windows focused on Docker.

The new "Docker" group includes the following items for collection:

• Docker Changes

• Docker Containers

• Docker Image History

• Docker Images

• Docker Info

• Docker Networks

• Docker Processes

• Docker Volumes

This addition ensures that Docker-related artifacts can now be collected and analyzed from Windows systems, further extending the capabilities of Binalyze AIR for environments leveraging containerization.

For a full list of the evidence and artifacts supported by AIR please visit our Knowledge Base.

Security

2FA for LDAP users from account settings

• You can enable 2FA for LDAP users even if 2FA is enforced for all users, and now you can configure 2FA for LDAP users directly from account settings.

Fixes

• Fixed: Repeat Mechanism in Schedule Task for Case Selection

  • A fix has been applied for the issue that arose when the user selected 'Case' after configuring the ‘repeat’ option in the Schedule Task settings, the repeat mechanism did not function as expected.

• Fixed: 'Select All' in Case Includes Only Case Assets

  • A fix has been applied for the issue that arose when selecting all assets from a case as it included all assets from the organization rather than only those within the case when 'select all records' was chosen.  (Credit: Mustafa D)

• Fixed: Potential PostgreSQL CVE-2024-7348 Vulnerability in AIR

  • We have resolved the PostgreSQL security vulnerability detailed in CVE-2024-7348 within Binalyze AIR. This vulnerability could potentially allow unauthorized access or data leakage due to improper handling of database permissions in PostgreSQL. Our update addresses this issue, ensuring that our platform remains secure and your data is fully protected. This fix reflects our commitment to maintaining the highest security standards in AIR.

Hotfix

Today we released a hotfix that provides a Responder update to solve tactical incompatibility issues with other security products.

Version 4.15

Link to blog.

Features

Investigation Hub - New Features

The Investigation Hub in AIR is the central point for initiating and concluding all your investigations. As the core of AIR, it enhances your investigative process by integrating comprehensive insights and prioritized data with robust collaboration features. Equipped with advanced navigation features like sophisticated search options and dynamic filters, the Investigation Hub is indispensable for smooth and efficient case management, boosting productivity and connecting all investigative activities seamlessly.

New Activity Feed

• The Activity Feed enhances team collaboration and transparency by logging actions taken by investigators. This includes creating; exclusions, findings, flags, comments, and notes. Each entry includes user identification and timestamp information to ensure a comprehensive audit trail.

• All of the activities are labeled and linked to the individual activity simply by clicking on it. In the example below we can see how Comment Added, Note Added, Flag Added, and Exclusion Rule Created have all been tracked as activities

Add Comment to evidence

• Comments enhance communication by allowing analysts to directly comment on findings or/and tag relevant colleagues. This ensures that all discussions are captured and documented within the activity feed, promoting effective collaboration and transparent activity tracking.

• Right-click on an item and select ‘Comment’ to attach your comment to that item.

Event Logs View and Filtering Improvements

• To manage the extensive data from Event Logs, we've introduced a Column Chooser feature. This allows users to customize their view by selecting specific data fields from the Details view that they want to display in columns. This makes it easier to sort, filter, and analyze the desired relevant log data.

Search Options for selected text

• Users can highlight text within tables and instantly search for it within the same table, across the entire Investigation Hub, or externally on Google or VirusTotal. This feature streamlines the research process and eliminates the need to toggle between different platforms.

Away from the Investigation Hub other new features include:

Tagging added to Triage Rules

• Triage rules in the AIR console can now be associated with Tags, which help in organizing rules and filtering when required. This enhancement aids in managing the rules more efficiently and allows for streamlined searches and better organization within the console.

• When creating a Triage Rule the UI allows the user to filter existing rules by their associated Tags.

• The Triage Rule Library now includes Preset Filters in the secondary menu, allowing users to organize rules hierarchically.

ESXi parser added

• The ESXi parser has been added to the AIR platform, allowing for the import of tasks from off-network ESXi collectors and their presentation in the Investigation Hub.

• Learn more about our ESXi collector here.

Enhancements

Binalyze MITRE ATT&CK Analyzer has been updated to version 5.3.1 (31/05/24)

• For details please see the changelog in the Binalyze KB.

Expose more action buttons on the Asset Info page

• Additional Action Buttons have been introduced to the Asset page to improve usability and immediate access to the most commonly selected actions.

Improvements to the Details view

• Each item's title is displayed in light grey text, making the more critical information in darker text stand out for easier reading and quick reference.

• The "Show or Hide Empty Fields" view option helps to declutter the display by allowing users to hide fields that contain no data, thus reducing visual noise and focusing attention on fields with relevant information.

Advanced Filter improvements 

• The advanced filter save feature boosts efficiency by enabling users to save and share custom filters within an AIR organization. This functionality streamlines data analysis, promotes consistency, and enhances collaboration throughout the investigative process.

• The Advanced Filter window remains visible as you build the filter and you can reposition it.

• Each Advanced Filter is specific to the table it is built in eg; an advanced filter you build in Findings will not be available to you in the Browser Artifact table.

• Filters can be saved and then later selected from the drop-down list.

• Add items to Advanced Filters directly from the Details window using the filter icon.

Fixes

• Timeline date/time picker bug is fixed

Version 4.11

Link to blog.

Features

• Introducing Frank.AI, your investigation copilot

  • Frank is an AI Assistant designed to enhance forensic investigations within the AIR console. Frank.AI offers instant forensic assistance across all console pages, for example, providing insights, without leaving AIR, on subjects such as YARA, Sigma, and Osquery rule writing.

  • In this preview version, Frank leverages the ChatGPT API without additional fine-tuning, setting the stage for future enhancements. Future updates aim to expand Frank's capabilities through Retrieval Augmented Generation (RAG) for accessing broader data sources and deeper integration with the AIR ecosystem, including direct data retrieval from the AIR database and collaborative analysis with the AIR's AI module for advanced insights, such as anomaly detection and behavioral correlations.

  • You can reposition, resize, and minimize it just like any standard window, ensuring it fits seamlessly into your workflow without obstructing your view.

  • There are no additional domain requirements as Frank.AI is hosted on one.binalyze.com.

  • Stay tuned for evolving features and improvements based on user feedback. 

• New evidence types:

Windows

• Parse LNK Files

• Collect LNK Files

Linux

• Systemctl Services

Browser evidence types across Windows, Linux and macOS

• Chrome Sessions

• Chrome Login Data

• Chrome Local Storage

• Chrome IndexedDB

• Chrome Web Storage

• Chrome Form History

• Chrome Thumbnails

• Chrome Favicons

• Default Browser

• Firefox Cookies

Credit: Ashok K 

• A full list of the 584 items now supported in AIR is available in the Knowledge Base. 

Enhancements

• Binalyze MITRE ATT&CK Analyzer has been updated to version 4.3.1

  • For details please see the changelog in the Binalyze KB.

• Disk imaging errors reported in metadata.yml 

  • AIR’s disk or volume imaging feature produces a file that captures the metadata related to the imaging process. This now includes a log of any errors encountered, which are documented within the metadata.yml file for comprehensive tracking and analysis.          (Credit: Charlotte H)

  • Please see this KB article for a full explanation. 

• Scheduling Based on Asset Timezone 

  • AIR now enables users to schedule tasks according to the asset's local time zone. This ensures that tasks are executed at the specified time relative to each asset's geographical location, allowing for synchronized operations across different time zones. For example, when choosing this option, instructing the system to perform a task at 01:00 will result in the task being carried out at 01:00 in the local time of each asset, regardless of their global positions. (Credit: Ramesh P)

  • Please see this KB article for more information.

• Auto Asset Tagging Rules: New wizard and Organizational Saving 

  • The new Auto Asset Tagging (AAT) wizard allows rules to be saved specifically for individual organizations or universally across all organizations. This enhancement supports users in creating and applying incident-specific AATs selectively, avoiding unnecessary use or exposure of a rule outside the intended organizational context.  (Credit: Caleb T)

  • Please read this Auto Asset Tagging KB page for more information.

•  AIR version information is again displayed in the main menu

  • The AIR console version number has returned to the main menu to stop users from having to locate it on the settings page. 

Fixes 

• A timestamp issue with the Event log content has been fixed. (Credit: Jon F, Grant O and Ben H)

• Some incorrect "Match Counts" under the "Case Triages" Page have been resolved.

• In previous versions, AIR displayed the "KeyLastWriteTime" in the evidential Amcache CSV files in local time instead of UTC. This has now been corrected to show times in UTC, ensuring consistency and accuracy. (Credit: Guo Y)

• Tornado, crucial for AIR's File Explorer integration, retries registration until successful. A bug affecting success confirmation was fixed, enhancing reliability. (Credit: Nuno P)

Version 4.8.1

Hot Fix

• Attention to users of AIR 4.8.0: Some users may experience difficulty logging into AIRConsole. This issue affects only users assigned to specific organizations (but not those who select “All” organizations). 

  Please see the example below for reference.

  In version 4.8.1, we have addressed and resolved this issue. We recommend all customers currently using AIR 4.8.0 to upgrade to AIR 4.8.1 at your earliest convenience

Version 4.7

Link to blog.

Features

In AIR version 4.7 and above, we've added a new Docker container specifically for enabling the new File Explorer feature in AIR. If you're not interested in using File Explorer, you can proceed with the upgrade as usual. However, if you do wish to utilize the File Explorer and haven't received assistance with migration yet, please reach out to our support team for guidance on updating to either version 4.7+. Kindly note that contacting our support team is only necessary if you intend to activate the File Explorer feature.

Investigation

• Introducing AIR's new File Explorer.

AIR can now be used to explore the file systems of Windows, macOS, and Linux systems where full disk or volume images have been acquired in the RAW format. 

The forensic image can be added to AIR as a new Asset in a three-step process:

• 1. On the Assets page, click on the ‘Add New’ button and then select Disk Image:

• 2. Select your connected repository and then the raw disk image you wish to explore:

• 3. Select ‘Create Asset’:

The image must be supplied to AIR from an SMB or SFTP shared location, where it needs to be saved as a single contiguous file. Segmented files are not currently supported.

The next step is to select File Explore from the secondary menu:

Now you can browse the asset’s directory structure which is now expanded in the secondary menu (highlighted below)  and then go on to select individual files for closer inspection:

A file can be selected with a right-click to download it locally or calculate its hash values.

Advanced filters can be applied to filter the files displayed.

This is just the beginning of our File Explorer project - many more features are planned and your feedback is most welcome.

• Advanced Filter capability for all evidence category tables

We have added and standardized our advanced filter functionality across all Investigation Hub evidence category tables to:

• Ensure consistency across AIR's data analysis capabilities.

• Empower users with flexible advanced query options.

• Enhance overall data analysis efficiency.

The example above demonstrates the versatility of crafting filters that cater to both simple and intricate requirements. These filters offer support for compound logic by using AND/OR Boolean operators, applicable to any of the available columns. This empowers investigators with robust and flexible filtering capabilities.

• New collection of remote tool artifacts: 

macOS

• Splashtop Mac Logs

Windows

• Xeox Logs

• ZohoAssist Logs

• Supremo Remote Desktop Logs

• TightVNC Logs

• AmmyAdmin Logs

• GoTo Logs    

• Kaseya Logs

• Level Logs

• Remote Utilities Logs

• RealVNC Logs

• Splashtop Windows Logs

• UltraVNC Logs 

Enhancements

Investigation

• Improved visibility to DRONE’s verdicts.

• V4.7 provides valuable transparency by reducing noisy findings and improving visibility into DRONE’s detection logic helping streamline investigations and boost confidence in DRONE's methodology. (Credit: Garett C)

• The example below shows how, in the details tab, DRONE will now highlight each finding with:

1. Its description.

2. A reference to learn more about the findings.

3. The actual string that was detected.  

• Investigation Hub - Consolidated View of Bookmarked Items. 

• With this new feature, AIR users can easily access their bookmarked items, bypassing the need to navigate through multiple sections. This simplifies the workflow and saves time. (Credit: Grant O)

• The ‘bookmarks-only’ view is accessed via the button in the Investigation Hub page header. Findings and evidence categories with bookmarks can be viewed via drop-down arrows. 

• Additionally, the note-taking capability enables users to capture extra context and insights, contributing to a more comprehensive understanding of their bookmarked content. Notes can be added via the edit pencil in the Bookmark Notes column.

Functionality

• Windows direct collection

• With the introduction of Windows support, which complements our existing macOS and Linux capabilities, it is now feasible to transmit evidential collections from all three operating systems directly to external evidence repositories, thereby efficiently minimizing the utilization of local disk space.

• New API functionality

• Acquisition profiles can be created directly with the API with ‘Get Acquisition Profiles’.

• Asset Tags can be created or removed with the API (Credit: Blake B)

• AIR API documentation is found at: docs.binalyze.com

MITRE ATT&CK Analyzer changelog

4.0.1

Yara

• Added detection for C# and dictionary-based webshells.

• Enhanced detection of JSP webshells.

• Enhanced detection of directory traversal and XSS injection indicators found in server logs.

• Enhanced detection of ProxyShell and ProxyNotShell vulnerabilities.

• Added detection of various Linux exploits.

• An updated list of vulnerable and malicious drivers from LOL Drivers project.

• Added detection for binaries using potentially compromised AnyDesk certificate.

• Other minor fixes.

Dynamo

• Minor FP fixes.

(Full changelog is here: AIR MITRE ATT&CK Changelog)

Fixes 

• We are pleased to announce a critical fix regarding some of the NTFS categories of evidence collections, which were causing collection tasks to sometimes become unresponsive. The root of the issue was traced back to our backend library, which encompasses a range of NTFS-related evidence types, including:

  • Page File

  • Hibernation File

  • Swap File

  • Hosts

  • Recent File Cache

We have taken steps to address and rectify this issue, and users should no longer experience any issues with these collections. (Credit: Guo Y)

• Fix applied for an issue regarding the console backup process via the optimization of our backup compression logic. (Credit: Ben H) 

Version 4.3

Features

Investigation

• Enhanced Data Integration into the Investigation Hub:

  • Seamlessly import .csv files into the Investigation Hub using our data mapping service, accommodating all forms of structured .csv data.

  • Efficiently import and analyze .pst files, enabling the display of email data within the Investigation Hub for a more comprehensive examination.

• 2 New Windows Evidence Types:

  • Winrar History - This application history is valuable as it tracks file compression/extraction, revealing user actions, timelines, and data movement. (Credit: Ashok K)

  • Windows Error Reporting Files - WER files provide insights into system crashes and application failures, helping to identify potential security breaches or system vulnerabilities. Additionally, they are instrumental in malware detection and constructing accurate timelines for security incidents.

• 7 New IBM AIX Evidence Types:

  • MySQL Logs - These logs are critical for tracing database transactions, analyzing user activities, establishing timelines, and detecting unusual or malicious query patterns. They provide key insights into data modifications and user behavior.

  • SSH Server Logs - These logs are invaluable for tracking authentication attempts, identifying user access patterns, and detecting potential unauthorized or malicious activities.

  • DHCP Server Logs - provide crucial information on network device connections, including IP address assignments, timestamps, and MAC addresses, aiding in tracking device movements and identifying unauthorized network access.

  • System Logs - Records system activities, user actions, and error messages.

  • Auth Logs - These track authentication activities, such as login attempts and user privileges, providing insights into potential unauthorized access, user behavior, and security policy violations.

  • Boot Logs - Used to analyze system startup sequences, identifying unauthorized changes or failures during boot processes.

  • Mail Logs - Tracks email transactions, identifying senders and recipients, analyzing timestamps, and detecting anomalies or potential security breaches.

Enhancements

Investigation

• Comparison report improvements 

  • The Progress window now displays the status of the comparison, including a count for Added, Changed, or Deleted items. When an evidence item is selected, it filters the main viewing window to show the detailed comparison results for that specific item exclusively. 

  • The comparison report now also makes it clear when no changes have been detected.

• Exporting DRONE Findings

  • Users can export the DRONE findings table out of the Investigation Hub into a .csv file.

  • This will allow the use of DRONE findings in reports, SIEM, or other security tools where custom alerts can be developed based on the results of  DRONE’s analysis.

• AIR’s MITRE ATT&CK Analyzer version 3.1.0 includes the following:

Functionality

• Ability to adjust timezones in Investigation Hub

  • By default, the Investigation Hub will use UTC as the timezone to display all timestamps.

  • With this release, Investigation Hub users can adjust timezones, improving analysis accuracy in investigations involving diverse geographic and timestamp data.

• New Asset window for UI

  • Individual assets will now have a dedicated larger window to display more information, appear less cramped, and prepare for future developments.

  • Each Asset page now includes a secondary menu featuring preset filters, providing users with a count and instant access to all past tasking assignments associated with that asset.

  • In this new window, users can view and access all of the cases in which the current asset appears.

  • Tasks can be created from the Asset Action button or by clicking on the ‘+’ revealed when hovering on any of the task names listed in the secondary menu.

• Adjustable Secondary Menu

  • The user can now manually adjust the secondary menu width in AIR, allowing it to expand up to half of the display window's width through a simple drag action.

  • Double-clicking the secondary menu border will return it to its default size. 

• New advanced filter to identify servers

  • Users can now filter assets based on whether or not any of their assets are servers. (Credit: Jon F) 

• Custom Message Banner available via API

  • Users can use all custom banner capabilities via API - the latest posted message, by UI or API, will prevail. 

• Removal of a default value from the acquisition profile selection field 

  • When initiating a new Acquisition, the Acquisition Profile field will now be blank by default, requiring the user to actively choose a profile. The placeholder text in this field now reads, "Select/create an Acquisition Profile." (Credit: James S)

Fixes

• Data grid issue with Organization Updates

  • Data grids now refresh correctly when Organizations are updated. 

Version 4.0

Features

Streamlining Workflows - Introducing the all new UI/UX for AIR

• New floating header at the top of every page to allow immediate access to:

  • Searching across AIR.

  • Recent Cases, Assets, Tasks and Reports.

  • The Quick Start button to launch AIR Tasks. 

  • Notifications

  • Current Organization name display, with a dropdown to switch between Organizations.

• Organization selection improvements

  • To eliminate any potential confusion regarding the organization's assets you are currently viewing, the system now displays only one organization at a time.

  • Switching between Organizations has been made simpler via the Organization dropdown menu which provides access to:

    • Organization Settings.

    • Change Organization.

    • Add New Organization. 

• Main menu bar is now split into two sections:

  • The top section is now home to the core areas for AIR;

    • Home: Full overview of your AIR deployment.

    • Assets: Listing of current Assets.

    • Cases: Listings for open, closed and archived Cases.

    • Libraries: for Acquisition profiles, Triage Rules, interACT Files and Auto Asset Tagging rules.

• The bottom section is home to AIR’s supporting functionality;

  • Integrations: API Tokens, Webhooks and Cloud Platforms.

  • Activity: With Insights, Recents, Notifications and Audit Logs all clearly displayed for analysts.

  • Tasks: All of your Console Tasks displayed in one window for searching and filtering.

  • Timelines: To review existing or create new Timelines.

  • Settings: The bottom of the Main Menu is the new home for all of your Settings; Assets, Security, Features, Users/Roles, Evidence Repositories, Policies and Backup.

• New Secondary Menu Bar 

  • This new menu appears when a Main Menu item is selected.

  • This is collapsible to maximize your screen’s working space but at the same time, allows users to drill down in AIR functionality at speed.

• New Navigation Bar

  • This allows the user to see exactly where they are in every screen of the AIR platform by showing the ‘path’ to the current view.

• Access to Recents via the Homepage

  • Direct access to Recent Cases, Recent Assets, Tasks and Reports - making it easier to pick up where you left off.

• New Bulk Actions Bar 

  • Found at the bottom of the Asset page to count the number of assets selected and provide easy access to the Taskings that can be applied to those assets.

• Settings changes

  • Moving the “Enable Policies” toggle from the Policies page to  Settings > Features

New Operating System support - IBM AIX

• IBM AIX Off-Network Agent 

  • AIX is a series of widely used Unix operating Systems for business critical applications developed by IBM. 

  • These systems have proved tricky to investigate and are not covered well by existing security products, but now AIR provides the necessary support to do so.

Investigation

• Introducing the AIR Investigation Hub, formally known as Consolidated Reports

  • For ease of access and to create a collaborative investigative space, the new Investigation Hub is now available from the secondary menu bar within each individual Case.

New Forensic Evidence Collections

• 15 new macOS Evidence Types and a new Evidence Category:

  • Downloads - presents information about downloaded files.

  • IP Route - presents IP route information.

  • Logged Users - shows currently logged in users.

  • Network Interfaces - presents NIC information.

  • Event Taps - reveals items that have a tap into the system.

  • DNS Resolvers - presents DNS resolution information.

  • Quicklook Cache - reveals items previewed with Quicklook.

  • Cron Jobs - presents scheduled/cron jobs

  • Arc History - collects Arc browser history.

  • Reopened Apps - shows apps not installed but in re-opened plist.

• Persistence - New category which groups the following evidence items often essential to macOS DFIR investigations:

  • Mail Rules - collects mail rules that contain AppleScripts.

  • Login Hooks - these hooks can be used to achieve persistence.

  • Logout Hooks - as above.

  • Emond Clients - Emond accepts events from services.

  • Most Recently Run - The MRU lists the most recents files a user accessed.

• Forensic image files in a single Zip file. 

  • This release introduces a new toggle switch, giving users the option to enable or disable the consolidation of physical disk or volume image files into a single zip file, eliminating the need to split them into chunks.

Integrations 

Yet more Webhooks for AIR to supercharge your SOC's automated data collection and analysis capabilities:

• Webhook parser for SentinelOne. (Credit: Dane Z)

• Webhook for Microsoft 365 Defender.

• Cisco AMP/XDR.

Enhancements

Security

• Password Protection for AIR Agent Uninstallation  

  • We already provide Tamper Detection for the AIR Agent - now users can only uninstall the AIR Agent if they have access to the password to do so.

  • Agent uninstallation through the OS UI is disabled. The agent can only be uninstalled using shell commands with the protection password as an argument, locally or remotely (e.g., SCCM). 

  • Uninstallation via the AIR UI or API remains possible without requiring a password.

Investigation

• Detailed Browser History and Download History

  • In this release, we've refined the representation of Chrome browser forensic data, particularly within the browser and download history evidence segments, including:

    • Referrer details

    • Signature

    • Hash values

    • Timestamps

    • Visit duration insights, and others.

  • These enhancements enable analysts to conduct a more in-depth browser forensic examination.

• Timeline Enhancements

  • Horizontal scrolling functionality has been added, making it simpler to navigate and concentrate on specific dates and times within your timelines.

• Prefetch Parsed Referenced Files

  • Users can now more easily analyze prefetch records as AIR now displays 5 categories of information in a single view.

• Character limitation for single triage rule

  • To prevent the browser becoming unresponsive we have limited the maximum to 350K of characters in a single Triage Rule.

Fixes

• Password Recovery - Email Fix 

  • If SMTP is not configured, AIR can not send emails. Previously, users attempting a password reset were told to check their email, leading to confusion when no email arrived. We've updated this to now prompt users to contact the administrator instead.

• Timezone inconsistencies in Investigation Hub

  • Timezone data will now be displayed in the user's local browser time and timezone information will be displayed to the user at the top of the Investigation Hub page.

  • This timezone setting can not be changed by the user.

• YARA rule failed to validate

  • Validation of some correct YARA rules was failing, this has been modified and now works correctly. (Credit: Nick H)

• Improvements to Offline Installer Scripts (Credit: Blake B)

Version 3.12

Features

Streamline your investigation

• DRONE analysis for macOS

  • MITRE ATT&CK Analyzer

    • As of v3.12 DRONE now has MITRE ATT&CK rules for macOS.

  • Dynamo Analyzer (Credit: Dilek G)

    • Dynamo will parse the AIR report generated as the result of a task assignment and highlight suspicious entries.

  • Browser History Analyzer

    • Chrome, Edge, IE (7-11), Firefox, Opera, Safari, Vivaldi, Waterfox and Brave are now all supported for macOS

  • Audit Event Analyzer

    • Brings advanced capability to AIR by scanning event records for keywords, hacker tools, and commands, setting verdicts based on criteria, guidelines, or Sigma rules.

• Tooltips added to DRONE findings within the Consolidate Report

  • When a user hovers above a Verdict or Score finding listed in the Table view, they will be presented with a to a tooltip that explains how the result is derived.

• Isolation of macOS endpoints

  • Expanding Isolation capability to the last major operating systems -macOS. (Fully supports Windows, Linux & macOS devices).

  • Regardless of the isolation state, the endpoint maintains communication with the AIR console to allow analysts performing their investigation by generating Tasks as usual.

• Addition of a "Retry Upload" action for failed Task Assignments (Credit: Daniel M) 

  • Should a failure occur during the evidence upload phase of a task, a "Retry Upload" feature is now available to resolve issues more efficiently. Key benefits include:

    • Elimination of the need for evidence re-acquisition, preserving the original data.

    • No additional disk space consumption.

    • The "Retry Upload" option repurposes the existing task assignment for the re-upload, preventing task duplication.

• Simpler access to Off-Network Agent logs & Drone log files

  • Agent logs and Drone log files of Off Network  are now saved in the same folder . This makes it easier to find any log files and share them with  Binalyze Technical support or for troubleshooting by yourselves. 

  • File name format is: Troubleshoot-[TIMESTAMP].zip.

Enriching evidence and artifacts

• New Artifact types collected for macOS:

  • Discord Desktop Cache

    • Discord instant messaging and VoIP social platform with voice calls, video calls, text messaging, media and files in private chats or as part of communities called "servers".

  • Parallels Logs

    • Parallels is a software company best-known for Parallels Desktop for Mac that allows users to run Microsoft Windows systems on macOS computers. 

  • Homebrew Logs

    • Homebrew is a free and open-source software package management system that simplifies the installation of software on macOS, as well as Linux.

  • Sophos Events Database

    • Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. 

  • Sophos Antivirus Logs 

    • The AIR agent will now collect Sophos Antivirus logs.

• New Evidence types for macOS:

  • Shared File List

    • The SharedFileList (SFL) in macOS is a system feature that manages "recent items" lists for applications and the system itself. These lists could include recently used applications, documents, servers, or even volumes. The files with the extensions .sfl and .sfl2 are plist (property list) files in binary format.

  • Shell/Bash History

    • The .bash_history file holds significant value for various reasons including command tracking which may reveal the activity of an attacker. However, note that the .bash_history file can be manipulated, cleared, or even disabled by knowledgeable users.

Synchronization and collaboration between teams

• Customizable Banner Message  (Credit: Helen T)

Users can now display important announcements via a banner on the console GUI for events like maintenance, upgrades, or config changes. The banner interface allows:

• Scheduling via Start/End dates

• Message editing - up to 512 characters

• Color customization

• URL linking

• Banner dismissal to maximize screen space

This feature provides direct communication with AIR users and offers permission controls for message settings.

Enhancements

AIR Core Functions Enhancements

• • Timeline 

    Swipe through a Timeline Bar to view events, dates, or time periods that are outside the current visible area.

    • • Click-and-drag: The user clicks on the timeline bar and drags it left or right to scroll through the timeline. 

      • Swipe wheel: If the device supports a scroll wheel or touchpad gestures, the user can use it to scroll left or right on the timeline bar.

  • Triage

    Many more new triage rule templates are available to assist when constructing triage task assignments including:

    • • YARA - Find by size range

      • YARA - Find Portable Execution files only

      • YARA - Find PKZIP files only

      • YARA - Find by hash value after filtering by file size

      • Sigma - User account hidden by registry

      • osquery - Unusual Cron entries

      • osquery - Processes running with no binary on disk

Consolidated Reports Enhancements

• Consolidated Report Module refactoring to provide Generic Report Module

  • This new module generates individual task assignment reports that maintain the same view and structure as the existing Consolidated Reports.

• Triage results from osquery are now available in Consolidate Reports 

  • osquery results are now also searchable from the Global Search.

Security Enhancements

• Automatically renew default AIR SSL certificate (Credit: Ramesh P)

  • The Binalyze-generated self-signed certificate will now auto-renew when it's within 10 days of expiration.

Fixes

Version 3.11.0

Important Security Update (Credit - Caleb T and Tyler B)

We have added ACL settings to a driver object to prevent unauthorized access and potential privilege escalation.
Users should urgently deploy the updated agents to address this high-severity vulnerability

Version 3.9.2

Features

• Acquisition Profiles now display average time taken to complete

• • This great new feature displays to the user the average time it takes to run a particular acquisition profile in their own AIR environment. This will help analysts make decisions as to which Profile is best suited to a particular circumstance. (Credit: Daniel M)

  • This feature is unique to the users own environment, so the collection of metrics will start afresh with each new AIR console install.

• New wizard to add endpoints to a Timeline

  • This dedicated Timeline wizard will speed up and simplify the addition of endpoints to your Timelines.  The new flow allows you to select endpoints, define the Task and then choose the post acquisition analyzers such as DRONE or any of the other AIR analyzers needed for your specific investigations.

  • This feature is aligned with the new Quick Start feature introduced in v3.8 - Both designed to simplify and speed up your investigations.

• Five new Webhooks available in AIR:

  • Stellar EDR

  • LogicHub SOAR (DEVO)

  • Rapid7 InsightIDR

  • Fortigate SIEM

  • Dynatrace

Take advantage of AIR’s Webhooks to increase your SOC’s automated collections and analysis of data from endpoints and dramatically speed up all of your investigations.

• New macOS evidence support - Apple System Logs

  • Apple System Log Files (.asl files) contain detailed records of various system events, processes, errors, warnings, and activities that occur on a macOS device.

• New macOS evidence support - Apple Unified Logs

  • The Apple Unified Logs (AUL) system was introduced with macOS 10.12. It creates a standard log format used in all Apple operating systems, including macOS, iOS, watchOS, and tvOS. One of the most powerful filtering capabilities of AUL is the predicates.

  • AIR will present unified logs using the comprehensive set of predicates shown below:

    • User login events

    • Tccd events

    • Ssh activity events

    • Command line activity run with elevated privileges

    • Kernel extension events

    • Screen sharing events

    • Keychain unlock events

    • Sessions creation and destruction events

    • Detecting and blocking malicious software events

    • Failed sudo events

    • MDM Clients Events

Enhancements

• Consolidated Report improvements

  • To support collaboration between analysts by highlighting important evidence and findings, we have added the option to bookmark items within Consolidated reports.

  • Users can also see who bookmarked an item and when they did so. They can also apply filters to show ‘Bookmarks’ or ‘Bookmarked by’.

  • A new ‘event viewing’ window will display expanded details for any item selected in the main viewing area.

  • Global Search has been enhanced for faster search returns.

• YARA rule scans can be run via interACT

  • It is now possible to run YARA scans inside the AIR cross-platform remote shell, interACT.   (Credit: Ramesh P) 

• YARA and Sigma rules use the same verification method 

  • Binalyze AIR will now use matching validation methodologies for these two different rule types, so YARA and Sigma scanning can no longer be tasked to run any incompatible rules. (Credit: Antonio L)

     

Fixes

• AWS S3 upload failures

  • Simultaneous upload issues to AWS S3 bucket and all other repositories have been fixed by enforcing sequential uploads only. (Credit: Simon L)

• Reporting a Failed Status

  • When a Task is running, and something causes the agent to restart, a ‘failed’ status will be shown when the agent starts again if any of the tasks fail to complete.

• Timeline imports to Chrome

  • An issue preventing Chrome uploads to the AIR Timeline has been resolved.

• Authentication Errors for Public API's are fixed

Version 3.7

Features

• Triage Match Count Column

  • In the Task window it is now possible to select, from a column selector, to display a column for Match Counts, and if the user filters by Triage the Match Count column will be added automatically to the filtered results.

• New Webhook - Microsoft Sentinel

  • AIR now has built-in support for a Microsoft Sentinel Webhook (Credit to Elisa.com - Finland).

• Mandatory Case Selection Option

  • This new feature allows Enterprise and MSOC customers to enforce the selection of a case for all Acquisition and Triage tasks ensuring that all collections and tasking results are attributed to a case.  For FIS customers this feature will always be active by default.

• New Chrome artifacts for Mac Linux and Windows

  • For Mac, Linux and Windows support has been added for parsed evidence from Chrome; Bookmarks, Cookies, Downloads, User Profiles, Extensions and Browsing History

• Isolation Support for Linux

  • Linux endpoints can now be 'Isolated' from within the Endpoints Details UI window.

• New 'Last Seen' Endpoint Filter

  • AIR now allows for the date and time filtering of endpoints by;  'Last Seen After', 'Last Seen Before' and 'Last Seen Between'.

• Apple macOS TCC collection

  • AIR now supports the collection of Mac TCC (Transparency, Consent and Control) data.

IMPORTANT: In order to benefit from these new features,  you should install our new DataBase. Click here to learn more.

Enhancements

MITRE ATT&CK enhancements

• MITRE ATT&CK Rules with Drone for Acquisition and Triage Tasks

  • Users can now see and select the MITRE ATT&CK analyzer in both the Acquire Evidence and Triage Tasking windows. In these views it is now also possible to see when AIR last checked our MITRE ATT&CK database to ensure that the user has access to the latest MITRE ATT&CK definitions for AIR.

• MITRE ATT&CK Rules support for off-network tasks

  • The same level of support mentioned above for MITRE ATT&CK is now also available for off-network Evidence Acquisitions and Triaging.

• MITRE ATT&CK Tactics Widget View within Consolidated Report

  • The Consolidated Report now aligns and displays artifacts by the number of times a particular MITRE ATT&CK Tactic, Technique or Finding has been identified. The Technique and Sub-Technique identified will also be displayed along with a direct link to the relevant MITRE ATT&CK webpage.

• MITRE ATT&CK Auto update

  • Binalyze AIR will now automatically check for any new MITRE ATT&CK updates as soon as a user opens the Acquire Evidence or Triage Tasking windows. An internet connected AIR installation is required, ensuring customers always have access to the latest AIR MITRE ATT&CK definitions. (Off-Line support will be coming in future versions)

Consolidated Report enhancements

• Consolidated Report: MITRE ATT&CK Report View

  • The Consolidated Report front page now displays  a MITRE ATT&CK overview report.

• Consolidated Report: Event Records Consolidation

  • Event Records are now consolidated in human readable format for investigators.

• Consolidated Report: Global Search

  • Global Searching is now possible across Consolidated Reports.  This feature addition is super powerful, and allows users to search across all of the acquisition and triage data that constructs a Consolidated Report from multiple endpoints in any particular case.

• Consolidated Report: Process Details View

  • An event details module has been added at the bottom of the evidence item page, so when an item is selected in the upper window, if there is additional information available it will be displayed in the lower details window.

• Consolidated Report: Process Tree View

  • A Tree view is now available for processes within Consolidated Reports.

• Consolidated Report: CSV export

  • It is now possible to export Evidence Items from within the Consolidated Report to CSV.

Fixes

• Security fix related to endpoint isolation

• Security fix related to the installation process

• Security fix related to the password reset process

• Security fix related to access to server files

Version 3.5.1

Features

• Consolidated Report.

• The Consolidated report is a single, easy-to-read DFIR intelligence report, that displays Acquisition and Triage acquired data from multiple endpoints in one report.

• Triage with OSQuery.

• Analysts can now create, modify and run OSQuery queries across multiple assets in the AIR Triage GUI, along with our pre-existing YARA and Sigma capabilities.

• Timeline support was added for Linux and macOS.

• Investigators and analysts can add Linux and macOS artifacts to AIR Timelines.  Leverage this addition to have just one Timeline with multiple endpoints from all 3 operating systems; Windows, Mac and Linux. This is potentially another massive boost to speeding up investigation times.

• Importing Chrome/Chromebook collections to Binalyze AIR Console

• Investigators and analysts can now add standalone Chrome evidence acquisition results (PPC file) to Binalyze AIR

• New Artifacts and Evidence for macOS and Linux.

• More than 35 new artifacts and evidence types, such as Apache, Nginx, MySQL, PostgreSQL, MongoDB, Docker, KnowledgeC, and more system-related logs were added to Binalyze AIR

• Organization Tags

• Managed SOCs partners (MSSPs) can add, remove, list and group their Organizations by Tags. This  would simplify operational day to day needs, since it is much simpler to define and classify each Organization by 1 or multiple Tags. The new capability is available also via the API.

Enhancements

•  N/A

Fixes

• interACT get the command’s unresponsiveness bug fixed

• interACT session termination bug fixed

Version 3.3.1

Features

• Multiple Sigma Rule Upload

  • Investigators and Analysts can upload multiple Sigma rules to AIR Console at once

• Taking Full Logical Volume Images by using the user interface

  • Investigators and Analysts can create full logical volumes of images using either a user interface or a secure remote shell interACT.

  • Microsoft Windows, Linux, and Apple macOS operating systems are supported

• x64 support for Windows Agent

  • Beginning in version 3.3 64-bit version of the Microsoft Windows AIR Agent is available.

• Case ID Prefix

  • Customers using more than one Binalyze AIR Console instance can now add a prefix to their Case IDs. Therefore there will not be experienced any confusion about Case IDs anymore.

• Progress monitoring added to Get & Put commands on the interACT

  • Investigators and Analysts can see the file download progress from an endpoint (get command) and file upload to the endpoint from the library (put command) command outputs while using secure remote shell interACT.

• MITRE ATT&CK Scanner was added to Binalyze AIR Automated Threat Analyzer, DRONE

  • When Investigators and Analysts scan their systems with DRONE, they can see the MITRE ATT&CK mapped results in the report. DRONE rules are continuously developed and mapped to the MITRE ATT&CK framework.

Enhancements

• Some security improvements on AIR Console

• Some performance improvements on AIR Console

Fixes

• Minor bug fixes

Version 3.2.3

Hot Fix

• Hot fix that includes typo fixes, timeline date filtering, and browser back button navigation caused regarding the dashboard

Version 3.1

Features

• Golden image option was added to AIR Agent installation

  • AIR agent is now compatible with installation via a golden image for new device deployment. With this feature enabled, an administrator can prevent potential connection and availability problems that may have previously occurred on the AIR console for machines installed from a golden image.

• New File System Enumeration evidence for Linux and macOS

  • Investigators can list the creation, modification, and access dates and times of the files and folders on the Linux and macOS filesystem as CSV files.

Enhancements

• Baseline Comparison Reporting

• Collapse/Expand All items under the Acquisition Profile section.

• Acquisition Profile information was added to the Tasks list under the Endpoint details page.

• YARA 4.2 update

• FTPS support for full disk image

• SSL/TLS proxy server support was enhanced

Version 2.10.2

Features

• AWS EC2 one-click agent deployment

• Cloud forensics - Azure VM support

• Azure VM one-click agent deployment

• Auto Asset Tagging based on hostname, IP address, and subnet

• Auto Asset Tagging based on custom rules with osquery builder

• Linux full disc image via interACT

Enhancements

• 7x speed improvement for most evidence acquisitions on macOS and Linux

• You can now upload multiple YARA rules at once

• Improved troubleshooting logs

• Token support for MFA

Fixes

• Fixed an issue where sometimes recycle bin collection would fail

• Fixed an issue that prevented baseline comparison on unreachable endpoints

• Other minor bug fixes

Version 2.9.1

Features

• Added ability to enumerate Amazon AWS EC2 assets

• Added Yara triage support to macOS assets

• Added Baseline comparison for macOS assets

• Added full disk image collection with interACT for Windows assets

Enhancements

• Added ability to duplicate acquisition profiles

Fixes

• Fixed an issue where notifications were not shown about tasks in non-default Organisations

• Fixed the wrong warning message when deleting a task from a case.

• Fixed an issue where the user couldn't see the baseline comparison report even though the baseline acquisition task was finished.

• Fixed the name column sorting in the interACT Library

•  

Version 2.7.2

Fixes

• Fixed task migration scripts update

• Fixed scheduled task comparison is missing on Baseline Comparison

• Fixed connecting AD user with less than 5 characters

• Fixed spelling mistake is shown On ESXi Agent Deployment Page

• Fixed UI issues about ESXi tab

Version 2.7.0

Features

• Added support for Apple macOS assets

• Added Chromebook standalone collector (credit: Yuta K.)

• Added ESXi standalone collector (credit: Andres S. and Mason T.)

Enhancements

• Case selection is now optional with an Enterprise or MSOC license

• API now includes endpoints for Repositories, Baseline, Case and Organizations (Docs)

• Improved the retry process for interACT’s get and put commands

Fixes

• Fixed issue with downloading files with special characters via interACT

• Fixed acquisition history graph on the dashboard

• Fixed other minor functionality and UI issues

• Fixed UTC time mismatch in DRONE for Windows event logs and event records

• Fixed DRONE stability issue when using keyword search

Version 2.6.2

Feature

• Added public API (see details)

Version 2.5.1

Fix

• Fixed a bug in the DRONE configuration file migration process.

Version 2.4.0

Blog News: v2.4.0

Features

• Added e-Discovery collection to acquisition profiles (credit Yalkin D.)

• Added Tamper detection to agent

• Added agent support for Linux arm64 (aarch64)

• Added curl command to interACT

• Added hex command to interACT

Enhancements

• Added IP Address column to Endpoint table

• Added silent installation tooltip for SCCM agent deployment

• Added endpoint name to audit log filter

• DRONE keyword search capability is now more visible

• Improved zip command in interACT - Now zips to folder

• Added new metrics for case report memory section

Fixes

• Fixed unquoted service path issue after a config update (CVE-2021-42563)

• Fixed minor issues on timeline export

• Fixed duplicated user validation issue

• Fixed evidence repository name and path validation issue

• Fixed system resource usage not updating in interACT session issue

• Fixed renaming evidence repository issue

• Fixed an issue that allowed task assignment to endpoints with an old agent

• Fixed webhook addresses not updated after a change of console address

• Fixed SFTP current directory support

• Fixed opening report issue in Safari browser

• Fixed minor issue on Sigma rule parser

• Fixed minor issue on Drone table

• Fixed minor UI issues

Version 2.3.5

Blog News: v2.3.5

Features

• Added Sigma rule triage for Windows

• Added autocomplete functionality to interACT

• Added ServiceNow support to webhooks

Enhancements

• Added new privilege to allow changing endpoint label

• Added auto asset tag rules for Docker and Kubernetes

• Added version information to settings

• Added ability to handle Unicode file paths in YARA scanner

• Added ability to specify a temporary staging directory for acquisition tasks that use evidence repository

• Improved evidence collection on low capacity endpoints by letting AIR automatically select the volume with the greatest available free space (credits: Babak M.)

• Improved evidence repository background upload mechanism with persistent retries

• Improved case export functionality

Fixes

• Fixed minor memory leak of canceled tasks

• Fixed minor logging issues

• Fixed interACT exec command stdin issues on Windows

• Fixed a bug related to listing unsupported drone analyzers

• Fixed case filter issue

• Fixed policy list on task creation, missing policies

• Fixed case-sensitive username issues

• Fixed case day counter

• Fixed minor bugs on the report

• Fixed other minor bugs

Version 2.2.1 

Blog News: v2.2.1

• Added Slack integration support

• Added Mattermost integration support

• Fixed timeline sort issue

• Fixed viewing case.ppc issue on failed tasks

  
  

  Read the detailed notes

Version 2.1.5

• UI/UX improvements on case containers

• Fixed minor bugs related to case containers

• Fixed drone autopilot issue on scheduled tasks and webhooks.

• Fixed a bug about using azure storage as evidence repository on linux agents

Version 2.0.5

Version 2.0.1

Version 1.8.3

Version 1.8.0 (RC)

New:

• Added Docker-based installation support. Once a stable version of v1.8 is released, docker will be the only deployment option. Since then, the MSI installer will no longer be available. Our knowledge base page is available to show how to install the new version of AIR

• Added multiple organization support.

• Added Azure AD single sign-on support.

• Added 2FA support.

• Added stateless queue-based background worker system.

• Added network capture option to acquisition profile.

• Added device name and os on agent visit requests.

• Added deployment token to deploy endpoints more secure way.

• Added some rules to prevent confusion and irregularity on users/roles (Only Global Admins can create Roles, predefined roles cannot be updated).

• Added Wazuh integration support.

Version 1.7.60

• Fixed password reset bug.

• Improved endpoint console address migration feature.

Version 1.7.50

This is the stable release of the previous RC version (v.1.7.45)

• Blog News: v1.7.50

• Fixed a bug upgrading endpoints with old version to newer version

• Fixed notifying NATS for the endpoints that need to be upgraded to the new version

• Fixed a bug regarding database backup

• Added support for validating settings for Azure Blob Storage and AWS S3

Version 1.7.41

• Minor bug fixes

Version 1.7.35

• New feature: GNU/Linux support for Debian and Redhat based distributions (Preview)

• New feature: Added SFTP support to evidence repositories

• New feature: Added compression and encryption support for evidence

• New feature: Added endpoint isolation for Windows platform

• New feature: Added policy support that gives you the ability to manage evidence repository location, compression, encryption, and CPU limit based on rules (credits: Turkcell CDC)

• Added extended file information for triage files

• Added dependecy checking to evidence repository deletion process

• Added linux acquisition evidence list

• Added "Use options provided in policies" and "Use custom options" choices to the acquisition, triage, trigger process

• Added platform column to endpoint datagrid

• Added platform, isolation status, and policy filters to endpoint page

• Added Linux deploy steps to deploy page

• Added assigning log retrieval task to offline endpoints.

• Optimized caching to minimize performance bottlenecks caused by high request load

• Optimized security token check performance

• Optimized concurrent message handling on Nats server

• Refactored worker pool to works based on priority

• Refactored the endpoint task queue to work with the task configs in policies and custom configs

• Removed patrol from AIR

• Fixed XSS exploit on audit logs

• Fixed the performance bottleneck on the task progress update process

• Fixed a memory leak in the visit process on the windows agent

• Fixed a problem in windows agent installation version check

• Updated EULA

• Minor UX improvements

• Minor bug fixes

Version 1.7.30

• Improved triage match results

• Improved AD sync performance

• Improved audit log db write transactions

• Improved license capacity checks

• Improved LDAP login

• Highly optimized task core module performance

• Highly optimized endpoint task queue memory usage

• Highly optimized audit log storage

• Highly optimized realtime task assignment to endpoints

• Optimized logging on agent

• Optimized debugging log on worker tasks

• Optimized Agent Installer download performance

• Optimized task result upload performance

• Optimized db bulk operations

• Optimized triage rule storage

• Optimized task storage

• Refactored worker core module

• Fixed an issue related to sending triage task result

• Fixed performance issue caused by Patrol module

• Fixed disappearing endpoint tags after AD sync issue

• Fixed loading up tasks to endpoint queue issue caused by db migration

• Fixed the register required bug that is caused by latency on endpoint registration

• Fixed the performance issue on visit requests caused by agent update load balancer

• Fixed investigating same endpoints multiple times in the same investigation

• Fixed security token mismatch bug on visit requests

• Fixed the bug caused by reloading task details on the UI

• Fixed the bug related to license validation for online and offline environments

Version 1.7.23

• Improved endpoint connection error logging

• Changed max memory cache size to maximum

• Highly improved memory usage of the endpoint task queue

• Increased node's memory usage limit to 6GB

• Reduced effect of long-running tasks on the starting speed of the application

• Fixed performance and memory issue on sending events to Syslog and audit logs

• Fixed a minor bug on the endpoint registration issue

• Fixed a minor bug on fix endpoint issue task

• Fixed a minor bug on the installer

Version 1.7.20

• Fixed minor bugs

Version 1.7.13 (RC)

• Fixed an issue in agent installer

• Other minor bug fixes and improvements

Version 1.7.11 (RC Sunburst Edition)

Fixed minor typo

Version 1.7.8 (RC)

• Fixed an issue in event log parser

Version 1.7.6 (Beta)

• Minor improvements and bug fixes

Version 1.7.3 (Beta)

• Added support for downloading report as HTML (credits: Turkcell CDC)

• Improved Quick Acquisition Profile

• Improved agent update mechanism (credits: Orhan Solak - Barikat Cyber Security)

• Fixed an issue in agent task processing mechanism (credits: Burak Karapınar - HAVELSAN)

• Fixed an issue in agent manual uninstallation (credits: Orhan Solak - Barikat Cyber Security)

Version 1.6.14

• Added support for parsing SRUM Application Resource Usage

• Added support for parsing SRUM Network Data Usage

• Added new event records

• Added MAC time to crash dumps

• Added Custom Content collection from all drives (credits: Mason Toups)

• Added Triage on all disk drives (credits: Mason Toups)

• Added host content to report

• Added export process table as CSV (credits: Alexander Jarvis)

• Added Last Write Time for Installed Applications

• Added support for CPU usage limitation (credits: Turkcell CDC)

• Added Refresh button to the endpoint groups section

• Added Delete All Tags button to the endpoint tags section

• Added Delete button to all detail pages

• Improved settings page design

• Improved design of table action buttons

• Improved Browser History acquisition

• Improved Network Share connection check

• Improved exception handling

• Fixed an issue with event logs

• Fixed WMI query exception problem

• Fixed Downloads section processed count

• Fixed an issue with timestamping