Tag: Binalyze AIR

Binalyze AIR 5.8

What’s New?

  • Evidence Collection in Windows Recovery Environment – AIR Windows off‑network responders can now collect evidence while operating inside the Windows Recovery Environment (WinRE). This enhancement allows analysts to acquire and preserve evidence from non‑bootable assets, reducing time and cost by avoiding full disk imaging while maintaining forensically sound collection.

  • Timezone Visibility and Filtering on the Assets Page – Assets in the Console now display their time zones in the asset detail view and can be filtered by timezone. This assists investigation teams in correlating multi‑regional logs and evidence timelines, accelerating timeline reconstruction across distributed environments.

  • macOS Artifact Expansion – Added support to collect macOS Spotlight indexes and USB Storage History artifacts. These enrich visibility into file creation, indexing behavior, and external device access, key evidence sources for insider activity and data movement investigations.

  • PowerShell Console Host History Line Numbering – Parsed results for PowerShell console history now display line numbers, allowing investigators to reference command execution order precisely and improve forensic timeline correlation during live response analysis.

  • MFT CSV Performance Refactor – The Master File Table (MFT) CSV export process has been refactored to use a faster, multi‑threaded parser, significantly reducing analysis time while maintaining evidence integrity. This supports large‑scale acquisitions and improves analyst productivity during file‑system timeline reviews.

  • Proxy Configuration Evidence Enhancement – Proxy configuration data is now included in collected evidence, allowing analysts to verify system‑level network redirection and potential unauthorized proxy use during the investigation of lateral movement or data exfiltration.

New Features & Improvements


AIR

Timezone Field for Assets

Each asset now includes a dedicated timezone field, visible on asset detail pages and filterable in the advanced search. This improves the correlation of evidence timestamps when investigating incidents spanning multiple geographies or distributed environments.

Analysts can quickly organize assets by timezone to validate whether log events align across regional systems or correlate deviations with adversary activities executed in different time windows.


TACTICAL

Evidence Collection within Windows Recovery Environment

Off-network responders can now operate in offline mode within Windows Recovery Environment (WinRE) to collect evidence when systems cannot boot normally. This capability enables the extraction of registry hives, event logs, and file artifacts directly from non‑operational assets without rebuilding the system or imaging the entire disk.

The feature helps analysts recover evidence from critical hosts after ransomware or system‑level compromise, preserving evidence integrity before remediation. Running the off‑network responder from a bootable USB drive ensures the collection process remains isolated and forensically sound.

Proxy Configuration Evidence Enhancements

Proxy configuration evidence has been extended to include a broader detection of system‑defined proxy settings. During an investigation, analysts can now verify proxy configurations to identify hidden network interception, redirection, or misconfiguration that may reveal traces of command‑and‑control communication or exfiltration channels.

MFT CSV Refactor with Enhanced Performance

The MFT (Master File Table) CSV export operation for Windows assets has been refactored to employ optimized parsing and resource utilization techniques. This delivers substantial performance improvements, significantly reducing parse time on large file systems.

This directly benefits analysts performing file-timeline correlation or change-detection tasks, accelerating triage in enterprise‑scale investigation scenarios.

PowerShell Console Host History Line Numbering

Parsed PowerShell Console Host History artifacts now include line number annotations. This refinement provides investigators with a clear command-execution order during user activity reconstruction, improving the accuracy of the timeline correlation between host actions and observed alerts.

macOS  Spotlight Artifacts

New evidence types have been introduced for macOS systems. Spotlight artifact collection provides visibility into system index data, revealing files that were accessed or created, even if they were later deleted from user directories.

Combined, these enhance macOS investigation depth and augment visibility into user behavior and adversary traces across Apple environments.

USB Storage History for macOS

A new artifact source now captures historical records of USB storage device connections on macOS assets. Analysts can identify device identifiers, connection timestamps, and usage relationships to support the validation of data theft or exfiltration hypotheses.


Responder

Configurable HTTP Request Headers

Responders can now override or add custom HTTP headers for console communications. This enables advanced network control or integration scenarios in which security gateways or monitoring tools require specific request identifiers without compromising protocol integrity.

Although primarily a convenience for integration, the feature helps enterprise security teams maintain consistent communication policies while keeping evidence transfer secure and auditable.

interACT Execution Command Update

The interACT execution command has been enhanced with a new --background alias (also available as --nowait), allowing analysts to execute commands asynchronously. This prevents command‑line session blocking during longer evidence collection operations.

Improvements to standard output and error stream handling prevent unexpected terminations and ensure complete records for audit logging, maintaining chain‑of‑custody assurance for interactive command activity.

Updated User‑Agent Header for Requests

Responders now identify themselves using updated, configurable User‑Agent header strings when sending requests to the Console. This ensures compatibility with enterprise firewalls and modern cloud proxy solutions, improving communication reliability across managed environments.


Bug Fixes

  • Edge Cookies Acquisition: Updated evidence collector paths for Microsoft Edge to include the latest “NetworkCookies” directory structure introduced in recent versions. This ensures accurate browser cookie collection and visibility inside Investigation Hub.

  • Case.db OS Version Correction: Fixed a discrepancy where Investigation Hub displayed Windows 11 Pro systems as Windows 10 Pro. The correction ensures accurate operating system reporting for all assets contributing to a case.

  • SAM Users and Groups Relationship: Corrected the issue preventing group names from displaying correctly under SAM Users acquisition results. Associations between users and groups are now properly recorded and visible in the Investigation Hub.

  • DRONE Filename Parsing: Resolved bug where filenames starting with zero caused path separator misinterpretation during YARA scanning, ensuring consistent evidence processing regardless of filename format.



Binalyze MITRE ATT&CK Analyzer is now at version 11.4.0

Dynamo Analyzer

The analyzer set has been expanded with coverage across multiple evidence types, including shell histories, browser activities, registry behaviors, and system configuration sources. These new analyzers enhance the detection of user activity, persistence mechanisms, and file execution patterns across Windows, macOS, and Linux disk images. Additionally, extended pattern recognition improves the identification of remote management and hacker tool usage through enriched analysis of command and environment variables.

MITRE ATT&CK Analyzer / YARA

Detection rules have been updated to identify Dystopia Windows RAT variants that leverage Discord, Telegram, and GitHub for command‑and‑control. Broader refinements across existing signatures further reduce false positives and strengthen behavioral coverage against unauthorized remote access activity.

Sigma

DRONE now incorporates the latest Sigma rule updates from both the SigmaHQ and Hayabusa repositories, ensuring analysts benefit from the most current community‑derived detection intelligence directly integrated into automated analysis workflows.

Binalyze AIR v5.7

What’s New?

  • Maintenance Mode for Device Assets: Analysts can now place assets into Maintenance Mode to safely prevent task execution while performing diagnostics or hardware maintenance. This prevents interference from live data collection or unintentional evidence overwrites during sensitive investigation windows. interACT and log gathering remain available, ensuring forensic continuity.

  • Global Search for Acquisition Profile Evidence Groups: Analysts can perform consolidated searches across all acquisition profiles and their associated evidence groups, significantly improving visibility and retrieval in large-scale investigations.

  • Acquire Evidence Menu Expansion: The “Acquire Evidence” section in the Quick Start menu now expands to show “From Device,” “From Disk Image,” and “From Cloud” options. This clearly differentiates evidence collection sources and helps analysts plan data acquisition strategies across hybrid infrastructures.

  • Device, Disk Image, and Cloud Menus in Navigation: The Asset menu has been redesigned to display Device, Disk Image, and Cloud as distinct top-level entries. This makes it faster for analysts to locate and manage specific asset types during ongoing operations.

  • Feedback Form and UI Flow Updates: A new feedback form enables analysts to provide direct, feature-level feedback from within AIR (limited to five submissions per day). The updated Resource Center layout ensures better visibility without obstructing navigation.

New Features & Improvements


AIR – Asset & Task Management

Implement Maintenance Mode for Device Assets

Maintenance Mode allows assets to be temporarily excluded from receiving automated tasks during planned maintenance or diagnostic sessions. Once activated, the mode restricts all actions except interACT and log gathering to preserve system stability and investigation continuity. Scheduled or bulk tasks automatically skip maintained assets, ensuring analysts prevent any accidental evidence interruption.

This feature addresses operational challenges where cloned or duplicated asset instances could previously respond with conflicting data. By isolating assets, analysts maintain chain-of-custody and ensure collected information remains contextually accurate. Maintenance Mode status is easily visible within filters and device details pages, supporting transparent asset control across large environments.

Acquire Evidence New Menu Structure

The “Acquire Evidence” section inside the Quick Start panel now expands into three distinct options—From Device, From Disk Image, and From Cloud. Each option guides analysts toward the applicable evidence acquisition path, allowing more targeted data gathering depending on the investigative context.

The new hierarchy promotes workflow clarity and improves onboarding for analysts operating across hybrid or multi-cloud environments. “From Disk Image” and “From Cloud” are marked as “Coming Soon,” preparing users for upcoming capabilities while maintaining consistent navigation design.

Asset Menu Changes

The primary navigation has been redesigned to replace the single “Asset” entry with separate Device, Disk Image, and Cloud menus. This ensures analysts can quickly access asset categories relevant to their operations without applying additional filters.

Device entries are drawn directly from responder APIs, while disk image and cloud asset types are sourced from the consolidated assets dataset. The design improves scalability for incident response workflows where analysts may manage thousands of distinct artifacts across asset classes.

Global Search for Acquisition Profile Evidence Groups

With this improvement, global search queries now return results for acquisition profile evidence groups. Analysts gain high-level visibility into evidence created under different profiles, making it easier to identify connections and perform comprehensive cross-case comparisons during active investigations.


AIR – Settings and UI Enhancements

Implementation of Feedback Form

This version introduces a built-in feedback mechanism that allows analysts to share direct insights from within the AIR Console. Each user may submit feedback up to five times per day, and entries are sent securely to the internal support channel for review.


AIR – Auth

User Role Name or Role ID in API Token Creation

Role and identification details have been enriched in token creation APIs to facilitate more consistent audit and authorization tracking across integrated systems. Analysts managing automation or delegated investigation tasks benefit from clearer accountability for token-based operations.


Bug Fixes

  • UI Overlap on New Policy Page: Corrected layout issue where Organization dropdown overlapped the Notifications panel, improving visual clarity and usability.

  • Schedule Task Duplication: Fixed a backend issue that caused duplicate tasks to appear during scheduled scans once execution began. The process now ensures each scheduled task instance triggers a single execution record.

  • Task Assignment in Offline Environments: Resolved an offline mode error preventing task assignment when exclusion files were inaccessible. Analysts can now run full or offline collection workflows without interruption.

  • Shareable Deployment Page Fixes: Corrected link behaviors causing broken or misleading redirects on shareable deployment pages. Asset links now behave consistently without exposing dummy login screens or undefined version indicators. Download links for release certificates now correctly trigger downloads.

  • Keyword Upload Validation: Improved keyword upload validation for acquisitions. Blank lines and unsupported characters are now automatically sanitized, preventing acquisition task failures.

  • Hunt/Triage Update Warning Message: Refined warning messages when updating Hunt/Triage rules created by other users, ensuring clearer communication about organization-level permissions.

  • Resource Center Icon Alignment: Adjusted UI positioning of the Resource Center element so that navigation controls remain accessible on smaller screens.



Binalyze MITRE ATT&CK Analyzer is now at version 11.3.1

Dynamo Analyzer

Detection logic has been expanded to include broader identification of hacker and remote monitoring management tools, with refined application name analysis to increase coverage. These enhancements improve the analyst’s ability to uncover unauthorized remote access utilities and misused commercial tools within collected evidence. Additional tuning enhances detection for crypto-mining related domains across network and DNS artifacts.

MITRE ATT&CK Analyzer / YARA

New detection rules cover Akira_V2 ransomware variants, along with associated binaries and ransom notes. Updates also enhance identification of PowerShell abuse techniques—such as AMSI bypass and ETW logging disablement—improving visibility into stealth tactics used on Windows assets. Detection of backdoors and implants like PlushDaemon, EdgeStepper, and C# AdaptixC2 frameworks expands the platform’s insight into advanced intrusion activity. Continuous refinement of driver-based threats such as Ollama.sys and hlpdrv.sys delivers deeper defensive analytics for kernel-level attacks.

Sigma

DRONE now includes the latest Sigma rule updates from both SigmaHQ and Hayabusa repositories. These updates extend behavioral coverage across event and log-based detections, ensuring analysts can continuously correlate current adversary techniques against timeline evidence within AIR’s Investigation Hub.

Binalyze AIR 5.6

What’s New?

  • Investigation Hub Live Collaboration and Activity Sync: Analysts can now observe real-time user presence, comment updates, and evidence flag changes within the Investigation Hub. This enables investigation teams to collaborate simultaneously on the same evidence and instantly see each other’s actions without refreshing the view.

  • Investigation Hub Search Enhancements with Prefix Support: The new prefix search capability allows using the “*” symbol in the Investigation Hub to find evidence names or keywords starting with a given text. This makes it faster to locate related items across large investigations, particularly when searching partial filenames, process names, or user activities.

  • Maintenance Window Configuration for SaaS Environments: Administrators can now select preferred maintenance windows directly within AIR. This ensures updates and maintenance operations occur within defined time slots, providing predictable scheduling for managed tenants.

  • Command Snippets Management Improvements: Snippets can now be tagged and grouped, making it easier to filter or categorize repeatable live-response actions in interACT sessions—improving operational efficiency and consistency for investigation teams.

  • Hunt/Triage Location Inclusion and Exclusion Support: Analysts define precise include/exclude path patterns for each platform in the Hunt/Triage feature. This ensures keyword and YARA scanning occurs only on relevant directories—improving performance and reducing noise during evidence analysis.

  • Expanded Evidence Support for macOS and Linux: New artifact sources, including DNF/YUM History, SSH Files, System Logs, and software update information, improve cross-platform visibility and provide deeper forensic coverage for investigations.

New Features & Improvements


AIR Console – Investigation Hub

Investigation Hub Live Activities, Data Reload and User Presence

This release further enhances real-time collaboration within the Investigation Hub. Active users are now visible in the interface, allowing analysts to see who else is working on the same case or evidence category. When actions such as flagging items, adding notes, or findings occur, all connected users receive immediate updates without manual refresh. Bulk actions performed by others are summarized with short status messages. These enhancements make the Investigation Hub a live, synchronized workspace where multiple analysts can collaboratively drive an investigation while maintaining full traceability.

The “Live Activities” and “User Presence” features can be toggled from the Investigation Hub user preferences button. For fast-paced incident response operations, this capability reduces communication delays and improves awareness of concurrent investigation actions.

Prefix Search in Investigation Hub

The Investigation Hub now supports prefix-based filtering. When analysts type a term followed by an asterisk (“*”), the system returns all evidence or findings beginning with that prefix. For instance, entering “inv*” retrieves matches such as “investigation” or “inventory.”

This enhancement is particularly valuable for analysts who need to rapidly investigate multiple variations of a file name, process, or event in large datasets.


AIR Console – Settings

Maintenance Window Implementation

Administrators can now define structured maintenance windows by selecting preferred days and times in the settings interface. These parameters control when SaaS maintenance and auto-updates may occur, ensuring predictable operations during off-peak hours. Each maintenance window defines a start time, duration, and day of week, all of which are retrievable through management APIs.

This configuration helps minimize interruptions during critical investigations and ensures alignment with internal change control policies.


AIR Console – Evidence Acquisition

Redesign Acquisition Profile Evidence Categories and Tabs

The acquisition profile interface is fully redesigned for clarity and usability. Tabs are reorganized into clear evidence groups such as System, Memory, Network, Disk & Filesystem, Applications, and Event Logs. Analysts now benefit from alphabetically ordered artifact lists and inline descriptions for quick comprehension. Each evidence item includes a tooltip describing its contents and importance.

A new “Only Show Selected” filter allows focusing on active collection settings. Together, these updates streamline acquisition configuration, ensure completeness, and improve planning for targeted investigations or large-scale asset acquisitions.


AIR Console – Notifications

Notification Broadcasting Service with SSE

Periodic polling for notifications has been replaced with Server-Sent Events (SSE). Instead of sending repeated requests every few seconds, AIR Console now pushes notifications to the UI instantly when new events occur. This reduces unnecessary traffic, improves efficiency, and provides immediate alert visibility for analysts monitoring active cases or system updates.

For investigation teams, this means that findings, responder updates, or evidence collection statuses appear in real time with lower network overhead and faster situational awareness.


Responder and RelayPro

Hunt/Triage Inclusion-Exclusion Support

With version 5.6.0, Hunt/Triage operations now support pre-scan inclusion and exclusion rules. Analysts can define directory patterns to include or omit during scanning. Each platform (Windows, macOS, Linux) can have separate path lists defined via console or policy configurations. Validation ensures patterns are accepted correctly and executed as expected by responders.

This level of control allows investigation teams to focus on specific areas such as user profiles, temp directories, or system logs while skipping irrelevant locations. As a result, hunts/triages execute faster with reduced false positives and more targeted evidence coverage.

Responder Connection and Authentication Enhancements

Multiple improvements have been implemented in the Responder communication and authentication flows, including better handling of token refresh and timeout conditions. These changes strengthen system resilience during long-running investigations and ensure sustained secure connectivity even under adverse network conditions.

General Code and RelayPro Improvements

RelayPro now employs optimized buffer allocation and socket deadline management to prevent potentially idle connection debt. The synchronization of graceful exits across proxy connections enhances system stability and prevents resource leaks, improving long-term reliability in environments with continuous remote communication between the console and assets.


Evidence Expansion

New macOS and Linux Evidence Sources

Evidence acquisition coverage has been significantly expanded for both macOS and Linux platforms. The following new artifact sources have been added:

  • macOS: DMG File Opened, File Last Used, Finder Mounted Volume, Keyboard Dictionary, Mount, Software Update Information.

  • Linux: DNF History, SSH Files, ETC Files, Sysmon Logs, and YUM History.

These additions provide broader cross-platform investigation coverage. Analysts can trace activity histories, mount operations, and track configuration changes across operating systems, thereby improving the completeness of post-incident investigations.


Database

Support for Encrypted Connections for PostgreSQL Servers

PostgreSQL connections used by AIR are now secured with SSL encryption. This update ensures all data exchanges between the AIR Console and its database are encrypted in transit, meeting compliance requirements and reinforcing data protection for investigation records.

Bug Fixes

  • Global Search Input Reset Issue: Resolved a problem where typing quickly in the Global Search bar caused text to disappear or reset while searches were executed. AIR now waits until input stabilizes before re-triggering searches, preventing data loss during typing.

  • Task List Sorting Problem: Fixed an issue in the Task Details view where column sorting stopped functioning after reopening the column selection panel. Sorting now behaves consistently across all columns.

  • Auto Asset Tagging Task Completion: Addressed a condition causing some asset tagging operations to stay in “processing” despite completion. Task states now stay correctly aligned with responder responses, including when NATS is enabled.

  • Policy Isolation Allow List Transmission: A communication issue preventing isolation policy allow lists from being sent from the AIR Console to responders has been corrected. The feature now works as expected for applied network isolation workflows. (Credits: Ahmet M.)

  • ScreenConnect Artifact Collection: Corrected missing ScreenConnect log acquisition in Windows responder evidence sets. These artifacts are again reliably collected for remote assistance investigation scenarios.

  • Browser Login Data Timestamp Alignment: Fixed incorrect ordering of “Date Created” and “Date Last Used” fields in browser login data parsing for Windows evidence.



Binalyze MITRE ATT&CK Analyzer is now at version 11.0.0

Dynamo Analyzer

Detection coverage is expanded with intelligence-driven analytics. Version 10.9 introduced the identification of suspicious commands, file paths, and PowerShell behaviors within Windows registry environment variables. These rules highlight possible persistence and command execution activity tied to adversary tactics.

Version 11.0 further enhances this by adding a new SRUM Application Timeline Analyzer. This analyzer examines collected SRUM data to surface the use of remote monitoring or hacking tools across systems. It also refines recognition of common tool names used within investigations, delivering improved prioritization and context for analysts.

MITRE ATT&CK Analyzer / YARA

Detection coverage has been broadened to include additional remote access and reconnaissance utilities, such as FleetDeck, GoToResolve, Miradore, N-Able, Nezha Agent, PDQ, RustScan, and updated Vidar Stealer variants. Together, these rules improve AIR’s ability to highlight unauthorized remote access software and network reconnaissance patterns across both newly collected and historical evidence.

Ongoing refinements enhance accuracy, reduce false positives, and strengthen the classification of backdoor behaviors and encoded PowerShell execution activity detected on assets.

Sigma

The integrated Sigma engine now aligns fully with the latest SigmaHQ and Hayabusa repository updates. These rule improvements ensure analysts benefit from the latest community-driven detections and enhanced alignment with the MITRE ATT&CK tactics and techniques classification, enabling faster investigation, hunt/triage, and automated correlation within DRONE findings.

Binalyze AIR v5.4

What’s New?

  • DRONE analysis on previously or newly collected evidence files — Analysts can now initiate DRONE analysis directly from the Investigation Hub on any existing evidence file, whether or not it was previously analyzed by a responder. This enables rapid reassessment after rule updates and supports first-time analysis of evidence returned without prior DRONE processing, streamlining forensic validation and re-evaluation workflows.

 

  • RelayPro — A major milestone introducing the new secure, authenticated HTTPS relay server that replaces the legacy relay implementation. RelayPro enhances secure responder-to-console communication with JWT-based two-step authentication, independent deployment, manual administrative control, and improved reliability. RelayPro provides stronger assurance of data integrity and traceable asset communications within restrictive or segmented environments.

 

 

  • Bulk User Import via Email List or CSV Upload — Simplifies large-scale onboarding by allowing administrators to import users in bulk with role and group metadata. This improvement accelerates enterprise deployments and ensures consistent privilege configurations for security operations teams.

  • macOS Evidence Expansion — The responder now supports the collection of previously missing raw evidence sets from macOS systems, including SSH, Launchd, etc. configuration, Crashes, Apple System Logs, Gatekeeper data, and others — offering deeper asset visibility during Apple ecosystem investigations.

New Features & Improvements


AIR – Asset & Task Management

Rename the Triage Module to “Hunt/Triage”

The module renaming improves concept alignment with forensic workflows, emphasizing proactive hunting and triage analysis capabilities from within the same interface. It helps analysts better associate the feature with rule-based anomaly detection and evidence interrogation.

Triage Rules – Name and Tag Enhancements

A new mandatory name field has been added to Hunt/Triage rules, improving identification and readability across detection configurations. Analysts can now assign descriptive titles in addition to detailed descriptions, with character limits introduced for better data management.
Support for rule tagging during creation or update has been implemented, making it easier to categorize and organize triage logic based on tactics, data sources, or operational context. Deleting tags is also now fully supported, empowering analysts to maintain a focused and updated ruleset with minimal clutter.

Support Delete Hunt/Triage Rule Tag

Hunt/Triage tags can now be easily deleted, making management of categorization structures more flexible. Analysts can reorganize or clean up unused rule tags efficiently, helping maintain clarity within growing rule repositories.

Bulk Delete Support

Users can conduct bulk deletions for several feature sets—hunt/triage rules, acquisition profiles, auto asset tags, interACT command snippets, search profiles, tokens, and subscriptions. This feature removes redundant configuration data en masse, simplifying maintenance of forensic configurations and automation objects.


AIR – Settings

Bulk User Import Capability via Email List or CSV Upload

This enhancement introduces the ability to import multiple users simultaneously by uploading a CSV file or a list of email addresses. Optional metadata, such as organization, role, or group, can be included in the data for automatic assignment. A preview step allows validation before applying changes. For large enterprise security operations teams, this feature expedites onboarding, reduces human error, and maintains consistent access structures across operational environments.

Adding Version Convention to .abf Backup File Names

Backup management now incorporates version tagging directly into .abf file names, allowing teams to easily identify the AIR version linked to each backup. This improvement minimizes confusion during recovery and helps investigators quickly restore environments corresponding to specific builds for testing or audit verification.


AIR – Investigation Hub

Add DRONE Analysis Progress Indicator for Investigation Hub

Complementing the re-analysis capability, the Investigation Hub interface now includes a DRONE Analysis progress section under task details. security operations team can monitor DRONE analysis states, view running or completed analyses, and access outcomes within the same case environment. This improvement reduces the need for separate logs or external monitoring and ensures transparency during longer-running forensic evaluations.


Supported Evidence

Extended macOS Evidence Collection

New evidence collectors have been introduced for macOS systems, covering areas previously unavailable for collection. Analysts can now acquire SSH configuration files, Launchd and Cron job definitions, ETC system files, Installed Applications, Apple System and Crash logs, Chromium extensions, Gatekeeper configurations, and Startup Hook artifacts such as Re-Opened Apps and Login/Logout Hooks. Each data source enhances visibility into execution persistence and system-level behaviors familiar to macOS adversarial techniques, enabling more complete cross-platform forensic baselines.

A full, OS-specific listing is available in the Knowledge Base, showing which evidence and artifact items appear in the Investigation Hub, whether their source files are collected, and which artifacts provide parsed data or raw file collections.

Chrome Quick Assist

A new collector has been introduced to capture Chrome Quick Assist artifacts, providing visibility into remote support session activity.

This evidence will help investigators trace legitimate remote help sessions and identify instances where adversaries may leverage trusted remote access tools for persistence or lateral movement.


RelayPro

RelayPro represents a fundamental architectural evolution in secure relay operations. It implements a fully authenticated HTTPS proxy with JWT-based two-step verification for responders connecting through constrained networks. Unlike the previous SOCKS5 relays, RelayPro separates its deployment from endpoint agents, reducing attack surface and aligning with best security practices. Configuration is registered via the AIR Console to ensure only validated relays can relay traffic.

Each connection between a responder and RelayPro is authenticated, logged, and validated, providing end-to-end integrity and accountability for every command or evidence transfer. Logging has been modernized with JSON formatting accessible only from local administration, removing remote exposure risks. For DFIR specialists, RelayPro ensures traceable network intermediary communication and hardens AIR deployments in heavily segmented infrastructures or zero-trust environments.


DRONE

DRONE Analysis on the collected evidence file

The new DRONE Analysis Task introduces the capability to execute re-analysis on previously collected evidence directly on the AIR Console. Analysts can initiate this task on any case assignment, asset, or task detail page via the Run DRONE Analysis action. The feature operates entirely on the server side, leveraging existing DRONE processors to analyze already collected evidence without requiring endpoint connectivity. This advancement is crucial for post-incident investigations where analysts must validate updated threat intelligence or rule sets against archived evidence.

For responders working offline, analysis can also be triggered on evidence missing DRONE packages, ensuring full diagnostic coverage. Re-analysis results are written seamlessly into existing cases, preserving investigative continuity. DRONE-based re-analysis significantly enhances investigation agility by enabling rapid re-correlations and retrospective detection within both online and air-gapped scenarios.

DRONE analysis on existing evidence files

The new DRONE Analysis task introduces the ability to run or re-run analysis on any previously or newly collected evidence directly from the AIR Console. Analysts can initiate this task from any case, asset, or task detail page using the Run DRONE Analysis action.

This process runs entirely on the server side, using existing DRONE processors to analyze evidence without requiring asset connectivity. It is particularly valuable for post-incident investigations where analysts need to validate updated threat intelligence or newly added detection rules against previously collected evidence.

It is important to note that not all DRONE analyses can be performed server-side. Certain analysis modules — such as MITRE ATT&CK mapping and other context-aware detections — rely on the live asset for responder-side execution. When DRONE is run on collected evidence, these responder-dependent analyses are unavailable, but all compatible server-side rules and detections will execute as normal.

For responders working in offline or air-gapped environments, DRONE analysis can also be triggered on evidence that was collected without an embedded DRONE package, ensuring complete diagnostic coverage. Results are written directly into the originating case, maintaining full investigative continuity.

By allowing retrospective analysis and re-correlation within both connected and isolated environments, DRONE analysis enhances investigation agility and supports forensic-level validation across all collected evidence.


Bug Fixes

  • Investigation Hub – MITRE Tactic Interaction: Fixed an issue where only the first tactic or technique link was clickable when multiple MITRE mappings were shown. All mapped tactics now open correctly, supporting complete navigation for threat correlation.

  • SMB Event Parsing: Addressed a decoding issue where SMB hex-formatted address strings appeared incorrectly escaped or truncated in DRONE databases. The updated converter preserves valid hexadecimal strings precisely.

  • Search in Sigma Hunt/Triage Event Records: Resolved a blocker where no results appeared for searches within Sigma Hunt/Triage records. Filtering and search now operate consistently across all evidence tables, improving investigative efficiency.



Binalyze MITRE ATT&CK Analyzer is now at version 10.8.0

Dynamo Analyzer

The Dynamo Analyzer has been upgraded with more comprehensive detection coverage across Windows, macOS, and Linux. It now identifies hacker and remote monitoring tools, suspicious commands, and relevant MITRE ATT&CK associations across numerous data types, including PowerShell logs, registry artifacts, scheduled tasks, and browser data. A new Browser Downloads Analyzer extends behavioral insight into potential malware delivery mechanisms through download patterns and referrers. The Amcache module has been retitled “Amcache Program Analyzer” to clarify its operational focus.

Additional refinements improve matching accuracy, introduce SRUM data enrichment, and enhance temporal context tracking for process analysis—significantly improving clarity and forensic reconstruction of attacker actions.

MITRE ATT&CK Analyzer / YARA

YARA-based detections have gained multiple new signatures identifying RATs, backdoors, and malicious utilities such as PipeMagic, Veeamp, Cloudflare Tunnel (cloudflared), Kazuar, and credential dumpers leveraging the WerfaultSecure binary. Extended rules also improve recognition of encoded PowerShell execution, credential access attempts, and exploitation of vulnerable drivers for privilege escalation. These updates deliver sharper threat visibility aligned with evolving ATT&CK techniques.

Sigma

The DRONE integration now includes the newest Sigma rule sets from both SigmaHQ and Hayabusa repositories. This ensures ongoing alignment with community threat intelligence and expands pattern coverage for Windows and Sysmon event sources while maintaining backward compatibility with prior Sigma rule definitions.

Binalyze AIR v5.0

What’s New?


  • Redesigned Timeline in Investigation Hub: The Timeline has been rebuilt for speed, precision, and interactivity. Analysts can now run high-performance attribute-based searches, apply advanced evidence-specific filters, and visualize events, findings, and flags in zoomable charts. Infinite-scroll tables with enriched metadata enable direct flagging, note-taking, and pivoting between timeline and evidence views. Exports to CSV (with optional detailed evidence context) streamline reporting, compliance, and collaborative workflows.
    New Timeline applies only to cases created after the 5.0 release.The previous timeline views will still be available temporarily for historical cases, but they will be deprecated with the 5.2 release.










  • Enhanced Case Management with Insights & Customization: The Cases module now includes visual task and disk usage metrics, member highlights, and a case overview panel for instant situational awareness. A redesigned Kanban board supports fully customizable tags and categories, allowing teams to organize, prioritize, and triage cases by type, severity, or workflow with greater flexibility.




  • Fleet AI – Multi-Agent DFIR Assistance with BYOAI Support: Fleet AI transforms natural language into expert-level technical outputs, enabling DFIR teams to generate threat hunting rules, scripts, and answers to investigative questions instantly. New in 5.0, BYOAI support allows connection to OpenAI GPT, Anthropic Claude, Google Gemini, and self-hosted Ollama models—empowering teams with customizable, privacy-focused AI capabilities.




 

New Features & Improvements

Investigation Hub

New Interactive Timeline

The Timeline feature has been completely overhauled and integrated directly into the Investigation Hub. This enables analysts to gain insights into events, flags, and findings across investigations with fine-grained temporal resolution. The timeline supports multiple time granularities (hour/day/month/year), interactive zooming, and a cursor with contextual highlights. Users can scroll, filter, and annotate time-ranged events, making it a powerful visual engagement point for time-based forensic analysis.

Timeline Table Enhancements

A redesigned Timeline table now lists all timeline events. Analysts can use it to inspect metadata, assign flags, create notes, or promote timeline events to confirmed findings. All changes to flags and notes are fully synchronized across the platform. The interface supports infinite scrolling, detailed expandable panels, and a high level of visual fidelity in representing time-correlated data. It complements the event bars to streamline root cause identification during incidents.

Evidence Category Specific Filters for Timeline

The Advanced Filters interface has been enhanced to allow filtering not only on standard investigation fields, but also using evidence-category specific attributes. You can now apply filters based on IP addresses, paths, user IDs and other fields unique to different types of forensic artifacts (e.g., unified audit logs, process lists, file systems). Highlighted fields explain why certain events were captured, with options to add these filters on click. This brings precision and depth to timeline data searches without visual clutter.

Functionally Enriched Timeline Bar

The timeline header view supports interactive zoom (keyboard/mouse), cursor locking, indicator visuals for out-of-view time slots, flags and findings overlays, and state persistence. Toggle switches allow showing or hiding flagged or finding-related events. Navigation is seamless via UI or keyboard shortcuts, all providing the forensics analyst with a fluid way to scale investigations over time.

Flagging and Finding Integration with Timeline

Flagging and finding operations have been extended across all views. Actions taken on timeline events will reflect in evidence and findings as well, ensuring consistent views regardless where the action originates. This bi-directional synchronization helps ensure analytical steps are fully traceable and consistent across modules.

Timeline Mini Map & Zoom Range Indicator

A mini-map below the timeline shows full activity distributions across your investigation. Users can select viewports, scroll horizontally, or apply zoom-in ranges directly from the mini-map view. This provides an immediate awareness of data density over time and supports analysts in exploring large ranges effectively without visual fatigue.

Filter-Aware Timeline View

Global filters—such as dates, assets, finding types, and evidence categories—are now persistent and actively constrain visible ranges on the timeline. Disabled range regions visually communicate current filters. Additionally, if views are out of bounds, informative warnings ensure analysts are never misled by partial evidence renders.

Timeline Preferences Panel

The timeline bar supports multiple layout and display options. Users can switch between bar or line chart views, choose to display or hide empty ranges for compact timelines, and toggle cursor visibility. These preferences let analysts adapt views for complex investigations or high-volume triage needs.

Timeline Evidence Synchronization & Visualization

Each evidence item now can optionally show where and how its data appears on the Timeline. Analysts can click on a timestamp in evidence detail panel to jump directly to the timeline segment, or use context filters to see only timeline events from a particular artifact. This cross-linking streamlines correlation and root cause analysis.

Display Flags / Findings Toggle Controls

New toggle controls allow selective viewing of flags and finding indicators across the Timeline. This improves clarity during large or long-running investigations and supports focused drill-down during follow-ups or collaborative analysis.

Export Timeline Table with Evidence

Users now have the ability to export Timeline event tables to CSV—either with UTC/Z timestamps or local time. A toggle allows export of associated evidence metadata in JSON format. This export mechanism can assist investigations that require importing timeline artifacts into external case systems, or for cross-organization communication and auditing.

Timeline Table and Bar Chart Synchronization

A toggle has been introduced to synchronize focus between the timeline bar chart and the corresponding data table. When enabled, any zoom, pan, or date range selection in the chart view will reflect in the table below. Activated by default, this synchronization ensures investigators focus exclusively on relevant time-bound events with no manual toggling between context layers.

Flag-Based Sorting for Findings

Findings and evidence tables can now be sorted by Flag status. This enhancement is crucial for post-incident reviews, allowing analysts to immediately focus on findings previously marked during investigations. Analysts can leverage this to return to prioritized artifacts without re-filtering large datasets.


 

Case Management

Case Overview & Metrics

The case overview page has been revitalized to present key investigation metrics such as total assets, task distribution by type and status, team members, disk usage, and case notes. A new metrics overview panel offers aggregated views of case counts by status, asset volumes, disk usage, and task types over time, helping coordinators monitor throughput and resource allocation. A fixed insights pane provides a persistent at-a-glance summary of case activity, asset counts, and disk usage directly from the Cases page.

Detailed Case View

Clicking on a case now opens an expanded view or details drawer containing complete metadata, including tasks, assigned members, tags, notes, and disk usage. Ownership can be assigned directly, and collaborative note-taking with tagging and mentions is supported. Visual task breakdowns make it easy for managers to assess the scope, progress, and contributions of each team member.

Kanban Board Redesign

The Kanban interface has been modernized with full drag-and-drop support for case cards and dynamic column updates. Cards display enriched metadata, including tags, categories, and assignments, for quick identification of high-priority cases. User-specific layout preferences for grouping by status, tag, or category are saved for a seamless experience.

Tags & Categories for Flexible Organization

A new tag and category model enables analysts to classify cases with visual labels such as Malware or Phishing, and workflow categories such as For Review or Escalated. Cases can be grouped dynamically by status, tag, or category to reflect organizational priorities, with grouping logic respecting organizational scope for real-time workload segmentation.

Insight-Driven Case Management

The case insights panel aggregates investigation statistics and timelines into a single view for DFIR leads, integrating task metrics, disk usage tracking, and asset counts to support data-driven prioritization and escalation decisions.

Asset and Task Management

Enhanced Evidence Upload Strategy

Task data downloading from repositories has been improved to detect and handle interrupted or incomplete archive writes. This enhancement prevents partial evidence archives from silently corrupting post-processing and improves forensic traceability.

Improved interACT Shell Session Handling

Terminating an interACT remote shell session using the UI close action now ensures task status is correctly marked as completed. Additionally, controls for minimizing and exiting fullscreen are now fully visible, even after layout changes—addressing analyst UX complaints in remote operations.

One-Click DRONE Configuration

Initiating acquisition tasks with DRONE analyzers now includes an improved UX flow—allowing users to select a single option and enable all related analysis logic. This simplification accelerates task creation, especially in time-sensitive breach scenarios.


 

Fleet AI

Fleet AI is Binalyze’s next-generation multi-agent intelligence platform built to provide SOC and response teams with on-demand, expert-level assistance. It transforms natural language prompts into actionable, technical outputs—removing complexity and speeding up every stage of the investigative workflow.

Multi-Agent Intelligence for Investigations

Fleet AI hosts specialized agents capable of handling different DFIR-related tasks:


  • Detection Engineer Agent: Converts investigative objectives into professional-grade threat hunting rules.



  • Scripting Agent: Translates plain English into interACT commands.



  • These agents operate collaboratively to produce contextual, precise outputs that are ready for immediate use.


Natural Language to Actionable Results


  • Analysts can describe investigative needs in everyday language—Fleet AI handles the translation into technical rules, queries, and commands.



  • Eliminates the need to memorize syntax, consult documentation, or wait for specialist input.



  • Supports complex multi-step requests by breaking them down and generating results for each stage.


BYOAI – Bring Your Own AI (New in 5.0)

Fleet AI now allows customers to connect their own AI models or accounts for enhanced flexibility and privacy:


  • OpenAI GPT



  • Anthropic Claude



  • Google Gemini



  • Ollama


BYOAI ensures sensitive investigative data can remain within customer-controlled environments.

AWS Bedrock integration is planned for a future release.

Enterprise-Ready Design


  • Authentication & Security: JWT-based authentication supports secure integration with enterprise identity systems.



  • Speech-to-Text: Converts verbal queries into Fleet AI prompts, enabling faster hands-free interactions.



  • Deployment Options: Embedded directly in the Binalyze AIR UI for a seamless investigative environment.


Modern Architecture


  • Backend: FastAPI for high-performance, scalable processing.



  • Frontend: Next.js chat interface for smooth, real-time interaction.



  • Modes: Iframe-embedded deployments without additional dependencies.



  • Optimized for responsiveness and low-latency communication with AI models.


Integration with the DFIR Workflow

Fleet AI is designed to integrate directly into investigation workflows inside AIR:


  • Suggests relevant interACT commands while reviewing evidence.



  • Generates threat hunting rules based on findings.



  • Produces technical documentation and investigation reports without manual drafting.



  • By embedding expertise directly into the platform, Fleet AI reduces time-to-insight and helps standardize investigative output quality.



 

Integrations

Improved Role Handling for API Users

The update user API now supports both role IDs and role tags (e.g., “l1_l2_analyst”) to simplify automation workflows, especially when integrating with external identity and provisioning systems.

Support for Acquisition Profile Metadata

Case task query APIs now include metadata about acquisition profiles and custom task types. This allows sorting, filtering, and reporting based on which methodology was used per task—critical for consolidating analytical evidence and profiling collection behaviors.


Settings

SSL Certificate Identifier Algorithm Update

The serial number generation logic for internal SSL certificates has been hardened for increased cryptographic entropy and compatibility with key management tools.

Improved Role Update Flexibility

User update endpoints now support passing role names in addition to role IDs, improving human readability and automation compatibility across identity tooling pipelines.


 

Bug Fixes


  • Repository Explorer – Processor Not Found Error: Addressed a production-level UI/backend inconsistency where users received a “Processor Not Found” error in repository contexts. This situation prevented effective file browsing and strained case loading efforts during live investigations.



  • SSO User Group Persistence: Resolved an issue in which SSO-linked users were being unintentionally removed from user groups. This bug mostly affected teams operating large-scale environments with regulated access control schemes.



  • Improved IIS Autotag Rule Logic: Updated the auto asset tagging heuristic to avoid falsely identifying Windows 11 endpoints as IIS servers due to the presence of the default /inetpub directory. This misclassification could otherwise affect triage flows and policy assignments.



  • Case Import Stability: Fixed an issue in which SaaS users experienced incomplete task data within Investigation Hub due to intermittent failures in temporary file downloads during import. This was caused by unflushed disk writes that rendered archives unreadable. The fix improves reliability for case-based evidence visibility when operating in S3-backed environments.



  • Export Accuracy Fixes for Asset Lists: Resolved a reported bug in which the “Managed” status field displayed incorrect values in exported asset data.



  • UI Improvements for interACT: interACT task windows now close correctly when terminated via the ‘x’ button, resolving an issue where tasks were stuck in “processing” state. Additionally, window sessions and maximize/close UI controls are now rendered correctly in all resolution settings.



 

Binalyze MITRE ATT&CK Analyzer is now at version 10.3.2

MITRE ATT&CK Analyzer / YARA

A wave of crucial updates enhances detection capabilities across multiple malware categories. New signatures now identify RustyClaw, a Rust-based downloader; SnipBot (RomCom 5.0), which exhibits data exfiltration and post-exploitation capabilities; and Mythic C2 based malware leveraging recent WinRAR vulnerabilities. Additionally, detection covers obfuscated VBScript, heartCrypt packers, and variants used by threat groups like UAT-5647 and UAT-7237. Improvements were also made in identifying Cobalt Strike strings and LNK file padding exploits targeting known CVEs.

Dynamo Analyzer

Detection logic now identifies high-frequency scheduled tasks, which are often signs of automated persistence or malware propagation mechanisms. Naming detection of known hacker tools across evidence further assists DFIR analysts in quickly determining adversarial toolkit usage during triage and deeper investigations.

Sigma

The embedded Sigma engine has been updated to include advanced detections for PowerShell-based data collection and newly contributed rules from Hayabusa and SigmaHQ, increasing its efficacy in recognizing attacker behavior patterns across logs and endpoint activities.

Upcoming Events

Alongside your regular check-ins with your Customer Account Director, we have two upcoming opportunities to connect and learn:

Public Launch WebinarSeptember 10, 2025
Join Lee Sult, Binalyze’s Chief Investigator, for a high-level overview of AIR and its latest capabilities, including the redesigned Timeline feature. While aimed at those less familiar with AIR, customers are very welcome to attend.
Register here →

Quarterly Customer WebinarSeptember 17, 2025
Our first customer-only session, hosted by the Binalyze CERT team, will dive into workflow best practices — starting with how to leverage AIR 5.0’s API for supercharged workflow automation.
Save the date and bring your questions! Save your seat now →

Best regards,
Binalyze Team

The Future of SOC: Smarter, Faster, and More Resilient

Security Operations Centers (SOCs) are evolving. The traditional model—reliant on alert-driven workflows and manual, cumbersome investigations—is struggling to keep up with the complexity and volume of cyber threats. The SOC of the future must be faster, smarter, and more resilient, embracing efficiency driving automation, forensic insights, and seamless integration across security tools.

Why Business Email Compromise Investigations Need a New Approach

BEC Attacks: Silent But Costly Threat

Business Email Compromise (BEC) remains one of the most financially damaging cyber threats, with global losses exceeding $50 billion over the past decade (FBI IC3, 2023). Unlike traditional phishing attacks, BEC is not about malware—it’s about deception, social engineering, and compromised identities. In the security stack, the human element remains the weakest link, as BEC exploits human trust and error rather than technical vulnerabilities, making employees the primary target for social engineering attacks.