Release Notes - AIR

Binalyze AIR 4.25

Written by Tim Thorne | Tue, Oct 22, '24

We are excited to introduce Binalyze AIR 4.25, packed with six new feature enhancements and fixes designed to streamline and automate your investigations and incident response workflows. These updates will improve task efficiency, increase flexibility, and provide more control over the investigation process.

Key Enhancements

1. Edit Scheduled Tasks

Managing scheduled tasks has never been easier. The new Edit Scheduled Task feature lets you modify existing scheduled tasks, avoiding the need to cancel and reconfigure them.

You can easily add or remove assets without restarting the task, saving valuable time and improving workflow efficiency. After selecting the assets, you can go on to update the task setup, customize options, and manage follow-up actions, streamlining task management for a smoother, faster process.

To modify a scheduled task, go to your Task listings page and filter by Status > Scheduled to display only the scheduled tasks:

From the filtered results, selecting the ‘eye’ icon presents you with the Edit or Delete Task options:


The Edit Scheduled Task wizard will now open, allowing you to toggle off the "Only Selected Assets" switch (as shown below). This reveals all other available assets that can be added to the scheduled task:

Step 2, the Setup, allows you to edit the Task Name, the Schedule and even the acquisition profile to be used:

Steps 3 and 4, Customization and Follow-Up, are fully configurable, giving you the ability to completely edit the scheduled task as needed.

More details can be found here in the Knowledge Base: Scheduling Tasks

2. Offline Acquisitions for Baseline Analysis and Compare

The Compare feature in Binalyze AIR enables proactive forensics through baseline analysis, allowing investigators to focus on forensic evidence from the earliest stages of an investigation. 


Using a patent-pending approach, it identifies and highlights forensic artifacts that have been added, modified, or deleted between asset snapshots, providing critical insights in just 5 seconds. This fast analysis strengthens security by addressing vulnerabilities before they can be exploited, all without disrupting ongoing operations.


The Compare feature now supports both standard and offline acquisitions, giving investigators detailed metadata to fully assess potential security risks. Additionally, Compare analysis is performed directly on the Console, eliminating the need for direct access to assets, and streamlining the investigation process even further.

More details can be found here in the Knowledge Base: Compare

3. Pre-Validate Evidence Repository Connections Before Acquisition

To improve task reliability and prevent failed uploads, we've introduced a connection check for evidence repositories when starting acquisition tasks (both scheduled and immediate). Here's how it works:

  • When creating tasks like Acquisition or Acquire Image, AIR automatically checks the connection to the selected repository (SFTP, FTPS, Azure, or AWS).

  • If the connection check takes longer than 10 seconds, it will be canceled, and a warning message will appear. However, task creation is not blocked—you can choose to proceed or cancel the task if the repository is inaccessible.

UI Warning Message:

If the repository is inaccessible, you'll see this warning:


"The following evidence repositories are currently inaccessible. If responders cannot access these repositories, they will not be able to send the collected evidence. Please note that access to these repositories is managed through the AIR server. If the responders have access, evidence transmission will proceed without issues. Do you still want to continue?"

This feature ensures you're aware of potential access issues before initiating a task, helping you avoid wasted time on failed uploads. It’s important to note that this connection check occurs between the AIR console and the repository—not between the responders and the repository. While it's impractical to check every responder in large-scale tasks, a successful console check significantly reduces the likelihood of connection issues for responders.
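The check described above, written out as an added example (not Binalyze code): every selected repository is probed from the console side, a probe that does not complete within the 10-second budget counts as inaccessible, and the result is a list the operator can act on rather than a hard block. The default port table and the Repository type are assumptions made for this illustration.

```python
"""Console-side pre-flight reachability check for evidence repositories.

Added example, not Binalyze code. Mirrors the behaviour in the release
notes: probe each selected repository, cancel any probe that exceeds the
time budget, report the inaccessible ones, and leave the decision to proceed
with the operator. Reachability is measured from where this runs (the
console), not from the responders, exactly the caveat the notes spell out.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Optional

TIME_BUDGET_SECONDS = 10.0  # per-repository limit stated in the release notes

# Hypothetical default ports for the repository kinds the notes list.
DEFAULT_PORTS = {"SFTP": 22, "FTPS": 990, "Azure": 443, "AWS": 443}


@dataclass(frozen=True)
class Repository:
    """Hypothetical descriptor for an evidence repository (example only)."""
    name: str
    kind: str                 # one of DEFAULT_PORTS
    host: str
    port: Optional[int] = None


def tcp_probe(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP connection opens within `timeout` seconds.

    Any OSError (refused, unreachable, DNS failure, timeout) is treated as
    'inaccessible'; the probe itself never raises to the caller.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(repos, probe: Callable[[str, int, float], bool] = tcp_probe,
              budget: float = TIME_BUDGET_SECONDS) -> list:
    """Probe every repository and return the names of the inaccessible ones.

    An empty list means the task can start without a warning; a non-empty
    list is shown to the operator, who may still choose to proceed.
    """
    return [r.name for r in repos
            if not probe(r.host, r.port or DEFAULT_PORTS[r.kind], budget)]
```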

4. Expanded Color Palette for Custom Flags

Flagging evidence has always been a core feature for categorizing and prioritizing findings. Now, we’ve expanded the color palette for custom flags, giving you greater flexibility in organizing and distinguishing flagged items. 


This enhancement is particularly useful in complex investigations, allowing for better visual distinction and improved workflow management.

5. Event Log Time Zone Configuration

With the growing popularity of the AIR event log collection wizard, we’ve enhanced it by adding a time zone configuration option. 


When collecting event logs, you can now select a specific time zone for the collection process. If no time zone is specified, AIR will use the browser’s default time zone setting. This update ensures precise event log collection, particularly useful in global or multi-region investigations.

Read more here in the Knowledge Base: Windows Event Records and how AIR handles them

6. New Browser Extension Data Collectors

We’ve expanded AIR’s evidence collection capabilities with new browser extension collectors for Windows, including:

  • Edge

  • Opera

  • Brave

  • Vivaldi

  • QQ

This enhancement provides more comprehensive browser evidence collection, strengthening your investigation capabilities across different web platforms.

For a full list of the evidence and artifacts supported by AIR please visit our Knowledge Base.

Recent Enhancements to Binalyze AIR’s MITRE ATT&CK Analyzer and YARA Rules

Binalyze AIR continues to improve its forensic investigation capabilities with the release of MITRE ATT&CK Analyzer version 7.1.0 (18/10/24), introducing powerful new YARA enhancements. These updates further strengthen the platform's ability to detect sophisticated malware and attack techniques, enabling security teams to respond more effectively to emerging threats.

Key Highlights of the Analyzer Update:

  1. Enhanced Ransomware Detection
    The most notable improvement in this release is the enhanced ransomware detection, with new YARA rules targeting several high-profile ransomware strains.

    • DragonForce Ransomware (T1486): A new rule has been added to detect binaries related to the destructive DragonForce ransomware, bolstering defenses against attacks aimed at data encryption.

    • Clop and MedusaLocker Ransomware (TA0040): These ransomware families, which were active in September 2024, are now detectable, ensuring that organizations can identify and mitigate these threats early in the attack lifecycle.

  2. Advanced Threat Tools and Defense Evasion Detection
    In addition to ransomware detection, this update improves the ability to detect tools used for network scanning and defense evasion, such as:

    • Angry IP Scanner (T1018): A popular tool for network scanning that has been leveraged by threat actors.

    • Defender Control Hack Tool (T1562.001): Often used to disable Microsoft Defender, this tool can now be detected more accurately, enhancing your ability to counter defense evasion tactics.

    • HRSword (T1562): A tool used by threat actors for defense evasion has also been added, providing better visibility into stealthy operations designed to bypass security measures.

  3. Detection of Bugsleep Backdoor
    A significant addition is the detection of Bugsleep, a backdoor linked to the Iranian MuddyWater APT group. This new YARA rule helps identify this highly evasive malware, improving your ability to detect advanced persistent threats (APTs) and prevent prolonged unauthorized access to your environment.

Additional Enhancements:

  • Multiple minor false positive (FP) fixes and performance improvements ensure more accurate and faster detection of known threats, reducing alert fatigue for security teams.

These updates highlight Binalyze’s commitment to providing cutting-edge detection capabilities, allowing organizations to stay ahead of evolving threats. The enhanced ransomware detection and defense evasion capabilities will significantly improve response times, helping security teams mitigate the impact of cyberattacks before they can cause significant damage.

For a deeper dive into our MITRE ATT&CK Analyzer visit the changelog in the Binalyze Knowledge Base.

Bug Fixes

In addition to the feature enhancements, several key bug fixes have been applied to improve usability and platform stability. These include:

  • Fixed an issue where the acquisition reports icon wasn’t always displayed in the AIR Console UI.

  • Resolved errors encountered when exporting flags.

  • Addressed search result display issues in the Investigation Hub.

  • Corrected a bug where scheduled tasks sometimes launched before the correct start date/time.


Binalyze AIR 4.25 continues to enhance your investigation workflows with powerful new features and improved reliability. These updates are designed to save you time, reduce complexity, and provide more flexible control over your forensic investigations.

Get started with AIR 4.25 today!
Explore these features in detail by visiting our Knowledge Base or contacting us to learn how they can benefit your team.