Binalyze AIR 4.19

Introduction

We are thrilled to announce the latest updates in Binalyze AIR with the release of versions 4.18 and 4.19. These updates bring significant enhancements, new features, and improvements to make your investigative workflows more efficient and effective. Here’s an in-depth look at what’s new and improved in these versions.

Key Highlights of AIR 4.19


VMDK Support in AIR File Explorer


One of the standout features in this release is the addition of VMDK support in AIR File Explorer. Investigators can now create assets from VMDK disk images and browse through files and folders within them, regardless of whether the images are segmented or contained in a single file. This new capability complements our existing support for RAW, E01, and Ex01 image files.

Tool Tip for File Explorer Users:

  • Ex01 and E01 images: These are accessible immediately in File Explorer. Generating them with AIR avoids the need to unzip files in the Evidence Repository.

  • DD images: AIR generates these and places them in a zip file. To access one, connect to the Evidence Repository, uncompress the zip, and then mount/explore the image in File Explorer.

For more details, please check out our File Explorer FAQ.

AWS S3 Bucket Support in AIR File Explorer

Many of our customers store their evidence collections and forensic image files in AWS S3. With this update, AIR File Explorer now supports accessing and mounting these forensic image files directly from AWS S3, enhancing your ability to manage and investigate evidence collections seamlessly. This feature streamlines the workflow by eliminating the need to manually download and upload files, saving valuable time and reducing the risk of errors during evidence handling.

Enhancements to the Investigation Hub


The Investigation Hub continues to evolve, offering enhanced workflows with comprehensive insights and collaborative tools. Here are some of the key enhancements:

  • Detachable Evidence Details Window: This feature allows users to open evidence details in a standalone window that can be resized and repositioned anywhere on the screen(s) for improved clarity. The window maintains its form even when displaying new evidence items. Clicking on a new row in the table updates the detached details view to match the newly selected item. This flexibility allows investigators to compare multiple pieces of evidence side by side, improving the overall analysis process.

  • Fullscreen Evidence Tables: Users can now view evidence tables in full-screen mode, which is particularly useful for large, multi-column data sets. This feature maximizes the available screen space, making it easier to navigate and analyze complex data sets without the need for scrolling or resizing.

  • Sticky Column Headings: Your column selection and column order are saved in your browser and persist across all AIR sessions unless you clear your browser cookies. This keeps your preferred layout and organization of data consistent, enhancing efficiency and user experience.

These enhancements ensure efficient case management and significantly boost productivity across all investigative activities.

New AIR Audit Log Retention Policy

AIR v4.19 introduces a new audit log retention policy aimed at optimizing platform performance and data management. Audit logs will now be saved in PostgreSQL and retained for 3 months before deletion. We strongly advise users to back up their audit logs regularly to prevent data loss.

There are three options to export your AIR Audit Logs:

  • Export Logs: Directly from the console’s Audit Log page.

  • Send Logs to Syslog Server: Utilize the feature in AIR’s settings to send logs to your Syslog Server.

  • Use the AIR API: See our API documentation for retrieving the Audit Logs programmatically.

For detailed instructions on backing up audit logs, please refer to our Knowledge Base.

This new policy not only improves system performance but also ensures compliance with various data retention regulations, making it easier for organizations to manage their audit data.

Frank.AI Copilot Configuration


Frank.AI is designed to be your investigation partner, available directly within the AIR console. Users can now choose to enable or disable Frank.AI from the AIR 'Settings > Features' page.

By default, Frank.AI is active. Frank.AI aims to provide direct access, instant knowledge support, and enhanced rule creation to assist in your investigative processes.

  • Direct Access: Frank.AI is instantly available across the AIR console for any inquiries, speeding up your investigations.

  • Instant Knowledge Support: Quick, AI-powered insights to bridge gaps in your forensic analysis, ensuring you're always prepared for the next step.

  • Enhanced Rule Creation: Simplified creation of YARA, Sigma, and osquery rules, expanding your toolkit without the complexity.

As AI technology becomes more trusted and policies for its use are established, it is expected that AI will become an essential tool in forensic investigations. We will continue to develop Frank.AI to ensure it meets the highest standards of reliability and usefulness. You can learn more about Frank.AI and our future development plans in the Knowledge Base.

MITRE ATT&CK Analyzer 6.3.0 Update

The Binalyze MITRE ATT&CK Analyzer has also been updated to version 6.3.0 as of 07/08/24. This update brings several significant enhancements to improve threat detection and analysis capabilities.

YARA enhancements now include:

  • Detection for North Korean Lazarus/Andariel Groups: Added detection for Indicators of Compromise (IOCs) linked to these groups, as outlined in the CISA report (G0032, G0138).

  • APT Group StormBamboo/Evasive Panda: Added detection for this APT group that compromised an internet service provider (ISP) to poison DNS responses for target organizations.

  • Shellcode Loaders: Improved detection capabilities for shellcode loaders, enhancing the ability to identify malicious code execution.

  • SharpSploit Post-Exploitation Tool: Added detection for the SharpSploit tool used in post-exploitation scenarios.

  • Lilith RAT: Added detection for the open-source Lilith Remote Access Trojan (RAT) (T1219).

  • Metasploit Implants for Linux: Improved detection for Metasploit implants targeting Linux systems.

  • Java-based STRRAT: Added detection for STRRAT and related IOCs, improving coverage for Java-based threats.

  • Other Fixes and Improvements: Various minor fixes and improvements to enhance overall detection accuracy and performance.

For the full changelog, please visit the Binalyze MITRE ATT&CK Analyzer changelog.

These updates ensure that our users are equipped with the latest tools and techniques to effectively identify and respond to advanced threats. Stay tuned for more updates as we continue to enhance our cybersecurity capabilities.

Additional Features and Fixes

Beyond these updates, we have also addressed various bugs and implemented minor improvements to enhance performance and the overall user experience.

Conclusion

These updates in AIR v4.18 and v4.19 are aimed at enhancing your experience and making your forensic investigations more efficient and effective. The introduction of VMDK and AWS S3 support, along with the enhancements to the Investigation Hub and the new audit log retention policy, are designed to streamline your workflows and improve data management. Frank.AI continues to be an invaluable tool, providing AI-powered insights and support for your investigations.

We are confident that these new features and improvements will significantly benefit your workflows. As always, your feedback is invaluable. Please let us know if you have any questions or require further assistance.

For more information, please visit our Knowledge Base.