Release Notes - AIR

Binalyze AIR 4.17

Written by Tim Thorne | Thu, Jul 11, '24

We're thrilled to announce that the latest update of AIR, version 4.17, is now generally available! This release brings a host of enhancements across the board, designed to streamline your investigative process and enhance overall system usability.

What’s New:

  • EWF2 (Expert Witness Format 2) Support: AIR now supports the creation and upload of forensic disk and volume images in the EWF2 format. This includes improved functionality for browsing these images via the AIR File Explorer, whether they are segmented or stored as single files.

  • Enhanced Investigation Hub: Experience a more robust and efficient Investigation Hub, now with dynamic filtering options for Flagged items.

  • New Evidence Category for 'Other Evidence': This update introduces a dedicated category for findings that previously did not fit into any existing evidence category, ensuring every finding is accounted for on the Investigation Hub dashboard.

  • Extended File System Support: With the addition of Windows FAT file system support, AIR broadens its compatibility, complementing the existing support for ext4, ext3, and NTFS systems.

  • Nested Tagging in Asset Tagging: Enhance your asset organization with the new Nested Tagging feature, allowing for more detailed and structured categorization for assets.

These updates are designed to improve the functionality and flexibility of AIR, ensuring that our platform continues to meet the evolving needs of your investigative workflows. As always, we value your feedback and look forward to hearing how these enhancements help streamline your operations.

For a complete overview of all enhancements and new features, please refer to the attached release notes.


Features

EWF2 (Expert Witness Format 2) support

  • AIR now supports the creation of forensic disk and volume images in the EWF2 format. These images can be directly uploaded to your AIR Evidence Repositories.

  • EWF2 is commonly used in digital forensics to store and compress digital evidence and the format supports the inclusion of metadata.

  • Investigators can now use the AIR File Explorer feature to create assets from EWF disk images. You can then browse through files and folders within both E01 and Ex01 formats. This functionality is available regardless of whether the images are segmented or contained in a single file.

  • This complements the functionality we already have for RAW image files. Please read more in our File Explorer FAQs.

New Browser Data Collectors:

  • Thumbnails: Now includes support for Vivaldi, Brave, Chromium, Opera, Edge, QQ, and Arc.

  • Form History: Collect form history data from Vivaldi, Brave, Chromium, Opera, Edge, QQ, and Arc.

  • Cookies: Enhanced cookie collection capabilities for Vivaldi, Brave, Chromium, Opera, Edge, QQ, and Arc.

  • Favicons: Collect favicons from Vivaldi, Brave, Chromium, Opera, Edge, QQ, and Arc.

New ESXi Collectors:

  • Cross Active Connections: Monitor and collect data on active connections.

  • Datastores: Gather information from ESXi datastores.

  • Hardware Clock: Access and collect hardware clock settings.

  • Networks: Collect detailed network configuration and activity data.

  • VMware Version: Track and collect information on the VMware software version.

Enhancements


Investigation Hub

The Investigation Hub in AIR is the central point for all your investigations, enhancing workflows with comprehensive insights and collaborative tools. It includes advanced search options and a new dynamic filter, making it essential for efficient case management and boosting productivity across investigative activities.

  • New Evidence Category for ‘Other Evidence’: these items are Findings without an Evidence Category in AIR

    • This enhances the clarity of the Findings displayed to users. Previously, some findings identified by the DRONE did not correspond to any of the available evidence categories.

    • With this change, all findings without a specific category will be grouped under 'Other Evidence'. This ensures every finding is allocated an evidence record within a category, allowing the total count of findings on the Investigation dashboard to accurately match the number shown in the evidence list.

  • New filter option for flagged items

    • Users can now use the advanced filter to include or exclude flagged items in the Investigation Hub table views, enhancing the ability to focus on prioritized or highlighted evidence.


  • Windows FAT file system support

    • AIR now supports the FAT filesystem, expanding our compatibility for logical imaging with ext4, ext3, and NTFS file systems.

  • Nested Asset Tagging

    • Nested Tagging has been added for your Assets, providing tag grouping for the organization of assets. This new feature allows for a more structured and detailed organization of assets within AIR, making it easier to navigate more complex network structures.

    • To create a nested tag, go to the Asset Info page and use a colon (:) to separate each level of the hierarchy. For deeper nesting, simply add additional colons between each subsequent tag level:

  • In the example below you see a new nested tag about to be created: “LEVEL 1” being nested under “Analyst_1”, which is itself nested under “HenryStanley”:

  • In the next example below you see another new nested tag about to be created: “SAFE_12/07/2024” being nested under our second analyst, “Analyst_2”, who is nested under “HenryStanley”:


  • Under the "Assets" section in the Secondary Menu, the "Tags" option now displays all existing tags as well as the newly created nested tags:

  • Nested tagging in AIR brings significant value by allowing for a customizable and hierarchical organization of assets. This structure enhances asset management by:

  1. Improving Clarity: Clearly defines relationships and dependencies between assets, facilitating a more intuitive understanding of asset networks.

  2. Increasing Efficiency: Streamlines the search and retrieval process, saving time when navigating through large volumes of assets.

  3. Enhancing Flexibility: Adapts to diverse operational needs, allowing users to define and adjust categorizations as requirements evolve.

  4. Supporting Scalability: Efficiently manages growing asset inventories, maintaining order and accessibility as complexity increases.
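As an added illustration (not Binalyze's code) of the colon-separated hierarchy described above: a small parser that merges such tag strings into a tree and lists every path the Tags menu would show, rejecting malformed tags with an empty level. The function names, the tree representation and the sample tag list are assumptions built from the two examples above.

```python
from __future__ import annotations

# Added example (not Binalyze's code): builds the hierarchy implied by AIR's
# colon-separated nested tags. Sample tags are constructed from the cases
# described above; the helper names and tree shape are assumptions.

SEPARATOR = ":"


def split_tag(tag: str) -> list[str]:
    """Split 'A:B:C' into ['A', 'B', 'C'], trimming whitespace around each level.

    Raises ValueError for an empty level (e.g. 'A::C' or a trailing colon),
    which would otherwise silently create an unnamed node in the hierarchy.
    """
    levels = [part.strip() for part in tag.split(SEPARATOR)]
    if any(level == "" for level in levels):
        raise ValueError(f"malformed nested tag: {tag!r}")
    return levels


def build_tag_tree(tags: list[str]) -> dict:
    """Merge many nested tags into one dict-of-dicts tree keyed by level name."""
    root: dict = {}
    for tag in tags:
        node = root
        for level in split_tag(tag):
            node = node.setdefault(level, {})
    return root


def flatten(tree: dict, prefix: str = "") -> list[str]:
    """List every tag path (parents included) in sorted order, as a Tags menu would."""
    paths: list[str] = []
    for name, children in sorted(tree.items()):
        path = f"{prefix}{SEPARATOR}{name}" if prefix else name
        paths.append(path)
        paths.extend(flatten(children, path))
    return paths


# Constructed sample: the two nested tags from the examples above, plus a flat tag.
SAMPLE_TAGS = [
    "HenryStanley:Analyst_1:LEVEL 1",
    "HenryStanley:Analyst_2:SAFE_12/07/2024",
    "Finance",
]

if __name__ == "__main__":
    for path in flatten(build_tag_tree(SAMPLE_TAGS)):
        print(path)
```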

Fixes

  • Cross-Site Scripting (XSS) Vulnerability Patched

    • We have addressed and resolved a critical vulnerability that allowed attackers to potentially take over accounts through Cross-Site Scripting (XSS) in compromised hosts. This fix significantly strengthens the security of our system against unauthorized access.