20. History

20.1. Ver 3.13.0 (Dec 18, 2024)

20.1.1. Memory Ingest Using MemProcFS

Added support for the MemProcFS memory forensics tool in addition to the existing Volatility 2 integration. MemProcFS allows Cyber Triage to support more recent Windows builds. This expansion provides users with comprehensive coverage across both older and current Windows environments.

Key Benefits:

  • Enhanced support for modern Windows builds and memory structures

  • Faster processing times

  • Improved handling of large memory dumps

  • Same Cyber Triage user experience with same workflows and automated analysis

  • Users can choose between MemProcFS and Volatility 2

20.1.2. Add Hosts Directly from S3 and Azure

You can now directly process data from Amazon S3 and Azure Blob storage and have multiple regions and providers configured. When adding the output from the Cyber Triage Collector, users can browse the contents of cloud storage without requiring a manual download, significantly streamlining workflows. Support for multiple regions and providers was also added using “vendor profiles” that save credentials and bucket names.

Direct Processing Key Benefits:

  • Direct cloud processing eliminates local storage requirements

  • Seamless integration with both AWS S3 and Azure Blob Storage

  • Batch processing support for Team and Standard Pro editions enables concurrent ingestion of multiple files, maximizing efficiency and reducing processing time

Provider Profile Key Benefits:

  • Use buckets in multiple regions depending on processing regulations.

  • Save credentials so they do not have to be re-entered into the Collector each time

  • Manage write-only credentials for use by the Collector and read-write credentials for the analysis tool.

  • NOTE: Cyber Triage no longer creates the buckets; detailed instructions for creating them can be found in Cloud Storage Services.

20.1.3. Malware Scanning Updates

  • Imphash is now used with offline malware analysis in air-gapped networks. This gives you fuzzy malware matching when the content cannot be uploaded.

  • Added ability to right click and upload a file for malware scanning

  • Added ability to right click and upload a file for sandbox analysis on any file within a disk image.

  • Provide access to the full Recorded Future Sandbox report in addition to the summary of results.

  • Added ability to exclude specific folders from malware scanning. This can improve performance and reduce false positives from executables that are unique to the environment.

20.1.4. Artifacts and Scoring

Added comprehensive parsing support for Windows Jump List files, enabling deeper visibility into user activity and potential data exfiltration. The new capabilities include analysis of both AutomaticDestinations and CustomDestinations files, automatically generating Data Access artifacts to streamline investigation workflows.

20.1.5. General improvements / Bug fixes

Enhanced System Features:

  • Expanded Team Server audit logging capabilities

  • Resolved Open/Save MRU path issues

  • When the score of an item is manually changed, the original description is retained instead of saying only “Manually Scored”.

  • The Collector can now split its JSON based on size to make it easier to copy from hosts using an EDR.

  • Added a cybertriage.com DNS resolver as an alternative to Google DNS (8.8.8.8). Requires a manual change - see User Manual.

  • Team license enforcement. Server licenses can be used only in Server mode and partial capacity clients cannot be used in Standard mode.

  • Time-based scoring uses the NTFS FILE_NAME attribute times

UI and Search Improvements:

  • Updated the filtering and sorting for the inbound and outbound logon panels

  • Added the MITRE ATT&CK link to the Item Details panel to make it easier to learn more about why something is Bad or Suspicious.

  • The dashboard was updated to give more real-time progress on an ingest.

  • Added a text search feature in the strings viewer of the Files tab, enabling rapid location of specific text within binary files, prefetch and other artifacts.

  • MITRE ATT&CK export updated to latest version

Fixes:

  • Various false positive fixes (exclusions for non-standard paths, how new, unsigned files are treated, double file extension, unexpected users, etc.)

  • Performance improvements with large file counts, large recycle bins, recommendation engine queries, and malware scanning.

  • Malware scanning will retry if there is a network issue instead of resulting in an error

Hashes:

  • SHA256 of Full MSI: c8a060905cba8099b40ba4261826d8a2af1224cf5833e0f462087ab2eca47b4f

  • SHA256 of Lite MSI: 632e596e53cacfa93496d3b798fa1f965119b18b6a94f5b469c5b920c3f0684e

  • SHA256 of CyberTriageCollector.exe: 1a487431088ae0dffac96c729ea9a7ffadf7657a90eb70b550a7d1abc0dbe3d2

  • SHA256 of CyberTriageCollector_XP.exe: 8979f16ea6a9672c0c66f9b64bd565e8719da35607a666729e25f866d96a72bb

20.2. Ver 3.12.1 (Nov 6, 2024)

  • Bug Fixes:
    • Fixed issue that prevented the application from launching if there was a large number of bad list items.

    • Fixed issue with bad list importing when a path had special characters in it.

  • Hashes:
    • SHA256 of Full ZIP: 593df00cf4fa40246c8b9520e18c166eb992a9dfbadae965b0a850f0882372e0

    • SHA256 of lite MSI: 4638f735b3be6c4f235c5f442b0395786938207444fd3367147cb54b7be7ad7d

    • SHA256 of CyberTriageCollector.exe: 01576b1874b2f3c998f479348dc1d6b3dfc57f639ef08cbf675f43a233ebf9d4

    • SHA256 of CyberTriageCollector_XP.exe: bade71d341a08c90712f69fbdda0155737a40f3a76f4426e0af9db5bf81e93b7

20.3. Ver 3.12.0 (Sep 30, 2024)

  • Artifacts and Scoring
    • USB Devices:
      • New “Attached Devices” artifact that stores USB devices based on Windows registry data

      • Collect event logs associated with attached devices

    • Windows Defender endpoint data
      • Score Windows Defender event logs for detections and evasion techniques

      • Collect Windows Defender scan log and quarantined files

      • Detect processes that attempt to tamper with Windows Defender

    • PowerShell:
      • Score suspicious PowerShell Windows events (based on console and event log) related to downloading, known bad scripts, and Defender evasion

      • Collect PowerShell Transcript files

    • Data Exfiltration
      • Collect and detect data exfiltration tool existence and usage

      • Detect data exfiltration domain and host usage

    • Detect Impacket-based tools (smbexec.py, atexec.py, psexec.py)

    • Detect files with suspicious double file extension

    • Detect remote execution via ScreenConnect

    • Collect and detect additional remote management (RMM) tools

    • Added right click option to upload individual executable files for malware analysis after the initial processing.

    • Collect IPv6 version of host’s public IP (in addition to IPv4)

    • Add millisecond precision to task created events

    • Collect additional Windows events related to scheduled tasks

    • Collect additional Windows events related to services

    • Added support for encrypted VMDK images.

  • UI
    • Global Search: New feature that searches all past hosts. SHA256, IP, file path, and PID/VID for USB devices are supported.

    • Artifact Sources: New view within a host that shows the types of data artifacts that were parsed by Cyber Triage to make its information artifacts. For example, you can see all Process artifacts that were created based on Prefetch data.

    • Display original paths (including drive letter) in addition to the normalized path in the bottom “Item Details” panel.

    • Updated malware analysis results display to better show the outcome of the analyzed files and not report being out of limits as an error.

    • Add select Windows events to the timeline view if they are not being converted to information artifacts.

    • In the Collector GUI, the output file path can be customized

  • Host Dashboard UI updates
    • All sections have been updated to focus on relevant details about the host being investigated.

    • Host Reports has its own section now.

    • Analysis Tasks are all grouped together.

    • Status section breaks out the add hosts processing and gives the user a cleaner way to view the internal processing stages. Selecting the links will also display the detailed processing pipelines. This merges previous panels, such as messages.

    • Access to Recorded Future Sandbox results is directly available in Status.

    • New “Data Issues” section that displays any parsing or collection issues that were encountered during the ingest. Data issues can have various causes, such as network access problems or corrupted input sources. Each can be reviewed in detail from “View Details”.

  • Team
    • Disk images and Cyber Triage Collector output can now be processed on the server if it has access to the data at the same path. This can allow the client to be disconnected after the paths are submitted.

    • The service batch file was updated to start the Cyber Triage server as “Delayed Start” to ensure database and other services have started.

  • Bad List Enhancements
    • Support process and triggered task arguments, including wildcards.

    • Task name and path are now optional and support wildcards

    • Process path and parent support wildcards

  • Bug fixes
    • Fixed VMDK parsing issues with libvmdk update.

  • CLI updates
    • Updated CLI options for hash/imphash lookups

  • Performance Improvements
    • 3.11.1 and 3.11.2 improved performance when opening incidents with more than 20 hosts. Those releases were not announced to all users.

  • Hashes:
    • SHA256 of Full ZIP: dbc85cedc3c61512897aed3c5e43b1b70a98fd59f2cd4bc635ceff3d0028ed6a

    • SHA256 of lite MSI: 23b4e8d6e24160f3017afa4aee312ed312818a382cb5e39acd3944118c87cf14

    • SHA256 of CyberTriageCollector.exe: 34f4c7c429ae2b2e74e46bd65e1b2840aca82a6107004f48db3a9d62db07346d

    • SHA256 of CyberTriageCollector_XP.exe: 6a15db2857e82e350de67b0cb53173405c5c1c8ff66d5af490a1de2ef567cfae

20.4. Ver 3.11.2 (Jul 31, 2024)

  • Performance Improvement (limited release for specific customers)

20.5. Ver 3.11.1 (Jul 17, 2024)

  • Performance improvement loading the incident dashboard with a large number of hosts

20.6. Ver 3.11.0 (Jun 24, 2024)

  • Collector
    • Update Collector to record both IP and hostname in Windows events when available

    • Collect OSConfig setting that records what users are hidden from the logon screen

    • Create download artifacts from CryptnetUrlCache

  • Add Hosts:
    • BitLocker support for disk images. Clear key, passcode, and recovery key are supported.

    • Support for VHDX disk image files

  • Scoring:
    • Flag suspicious download in CryptnetUrlCache

    • Flag suspicious use of certutil

    • Update brute force/credential spray to identify successful attacks

  • UI:
    • Updated File Explorer view with additional columns and tree navigation

    • Access to all files in a Disk Image, including files that were not collected explicitly by the Collector.

    • Mini-bad items timeline is more interactive:
      • Right click options added

      • Selecting the item will attempt to select the item in the main table if available

    • Multiple sources are shown for OS Accounts

    • OS Config Settings are included in search results

    • Added locks and changed library paths to enable Cyber Triage and a future version of Autopsy to run at the same time.

    • Option to opt out of telemetry data upload added

    • Feedback prompt when there is an abnormal amount of Bad/Suspicious items

    • Increase the default view of domain controller data to 60 days

    • Include failure reason in logon tables and descriptions

    • Triggered tasks related info view table is resizable.

    • Updated yarac with the latest copy from VirusTotal. The previous version we shipped with could cause false positives.

  • Malware Analysis:
    • Updated Recorded Future malware sandbox report with HTML export option.

    • Files can be uploaded to Recorded Future malware sandbox from File Explorer

  • Reporting:
    • Ability to export “All collected Files” or “All Source Files”

  • Team Server:
    • The service installer script was updated to start the Cyber Triage service using the startup type of delayed start.

    • Run Team Server as a service - remove the log message that says to “Press ‘ENTER’”

  • Bug Fixes:
    • Loaded DLL tab was not showing DLLs not found on disk

    • Malware rescans and exports were not allowed while other malware activity was occurring.

    • Null values printed from user account in the scheduled task (registry)

    • False positive updates to the remote user mismatch heuristic: reduce noise by marking only the earliest occurrence

    • Fix false positives associated with recent user activity for system/virtual accounts

    • Fix process run from non-std path false positive by adding dirs

    • Fix rclone false positive

    • Fix LNK with long arg false positive

  • Evaluation / Lite mode:
    • Separate installers for paid versus Lite versions. They use different folders.

    • Evaluation license now allows you to finish two hosts without running out of malware limits.

    • Embedded evaluation license works only if not previously evaluated.

  • Hashes:
    • SHA256 of ZIP: 6263cb11e606b8d77e326d22b64cdd8c16a2fd5d24db23a75eaa60abce1dbfd7

    • SHA256 of CyberTriageCollector.exe: 0650f1b51b171b8c739e976b360b40a2f6feeef09f79ce7fc884b212a8236cb7

    • SHA256 of CyberTriageCollector_XP.exe: e9a0e7b42f6a7b7f54eceb56b752ce215bb26af66b541bd81847e6a30920c51a

    • SHA256 of Lite MSI: a51c42092843644da163e852dd43fe8c88eaae5afd826e2d80e8fa55d6e958a8

20.7. Ver 3.10.0 (Apr 30, 2024)

  • Linux
    • Can import UAC-based collections

    • Creates artifacts for user accounts, inbound logons, processes, scheduled tasks, network connections, web artifacts, and OS config settings.

    • Creates timeline from bodyfile

    • Submits executables for malware analysis

  • Domain Controller:
    • Collector:
      • Create logon sessions for NTLM and Kerberos authentications

      • Collect domain controller-specific audit and authentication settings

    • Scoring:
      • Detect suspicious Kerberos Ticket Granting Ticket (TGT)

      • Detect user enumeration Kerberos attacks

      • Detect AS-REP Roasting

      • Detect Kerberoasting based on weak encryption algorithm requests

      • Detect brute force password guessing attempts based on authentication events

      • Detect credential spray attacks based on domain controller authentication events

    • UI:
      • New incident-level UI that displays domain controller-based authentications

  • ImpHash Fuzzy Matching
    • ImpHash can be used to query ReversingLabs for malware instead of file upload

    • ImpHash is used in “Other Occurrences” viewer to see similar files in past hosts

  • Remote Access Software:
    • Collect additional remote access logs (Action 1, Atera, DWAgent, Kaseya, Level, Remote Utilities, RustDesk, SplashTop, TightVNC, Xeox, ZohoAssist, UltraViewer)

    • Detect the existence of remote access tools and logs and mark them as bad or suspicious based on creation date.

  • Labels (Tags)
    • Added ability to add and remove labels to items

    • Added UI to view labeled items

    • Expanded “Notable Items” Incident-level UI to include all labeled items

  • Excel Report: New report that includes all bad, suspicious, and labeled items

  • Team server now supports access control, and requires authentication for each user.

  • Updated scoring heuristics will be downloaded from cybertriage.com servers

  • Collector:
    • Can upload collected data to Azure blob storage

    • Collect the last system restart date/time as host info.

    • Collect DHCP event logs and DHCP.MDB

    • Source information from Windows API-based data is clearer

    • Hostnames are no longer automatically resolved to IPs at time of collection

    • Resolve more GUIDs in paths to full paths

    • Updated PE parser to fix parsing issues

    • Collect bind time for listening/active connections

    • Collect CryptnetURLCache, IIS logs, and PowerShell Core event logs

    • Parse WinRM Event logs

    • Collect restricted admin mode setting and system timezone as OSConfig settings

    • Collect events related to system startup/shutdown

    • Collect service/system user profiles (registry hives)

    • Parse arguments used by services

    • Identify startup folder location based on registry settings

    • Collect user associated with task action run event

  • UI:
    • Allow user to rename the host display names

    • Rename “Malware” heading to “Process”

    • Merge “Startup Items” with “Triggered Tasks”

    • Option to disable the recommendation engine for the remainder of the session

    • Added “.lime” as an option when adding memory image

  • Changed installer behavior so that it removes the previous version and goes into a folder that does not have a version number.

  • Bugs:
    • Stop inferred file creation

  • Scoring:
    • Fix LNK created on other system

    • Fix issues from brand new systems

    • Fix newly created triggered task issue

    • Fix cmd/calc in unexpected location (winsxs)

    • Fix large number of failed logins

    • Added ScreenConnect detection for CVE-2024-1709 and CVE-2024-1708.

  • Hashes:
    • SHA256 of ZIP: 2ae26964044a128d44c39cbc093fc6a3f4777677eb96ea7027632a015c84e68f

    • SHA256 of CyberTriageCollector.exe: 071696c3645a0df01c265c646357caf0c5a01bce434839f0da4dfdf7b0533e83

    • SHA256 of CyberTriageCollector_XP.exe: 025496f768351e24e0cd7f64d7bdbc3a7efcc32c4b7c5642a001691fe013e4d3

20.8. Ver 3.9.2 (Feb 8, 2024)

  • Feature:
    • Collector will copy PE files created within the last 30 days.

  • Bug Fixes:
    • Changed DLL Injection analysis to reduce false positives when file is not found on disk.

    • Changed process analysis to reduce false positives associated with cmd.exe running as SYSTEM.

  • Hashes:
    • SHA256 of ZIP: 852cf1ff262517bacdf9d9932b347bb8b35726b0f6f99613c6fadb3120917ec8

    • SHA256 of CyberTriageCollector.exe: beb0389a39d1be289fcf3937e659d9ac3a66844794a05e681b5da1cb76b5c1d6

    • SHA256 of CyberTriageCollector_XP.exe: 7d3ca339cc70c5c79e52b9ed30b7934e1a15c175e1ae366c63b60be1a0d28992

20.9. Ver 3.9.1 (Jan 11, 2024)

NOTE: This release is available from support. It has bug fixes that had a significant impact on only a few customers.

  • Bug Fixes:
    • Allow multiple instances of Cyber Triage to run on the same host if they run as different users.

    • Certificates are no longer stored in the ‘data directory’. This was causing problems for a customer who would backup and restore this frequently.

  • Hashes:
    • SHA256 of ZIP: 667e8f9c8fe81aa24106c9816db81b5112a6ebc73ad80d3c4c79ac56934b85bf

    • SHA256 of CyberTriageCollector.exe: 6810d598c172e4514b333434f132d73644784096eee5e541f25bdb017d30cb6d

    • SHA256 of CyberTriageCollector_XP.exe: 7ae6751cfefc9ed8c1d3017fe3d31a4edf45cc318db7dc2c56590cc2f293e8df

20.10. Ver 3.9.0 (Dec 5, 2023)

  • Incident-Level UIs:
    • New opening and incident management dialogs that are full screen.

    • New breadcrumb at top that you can always use for navigation

    • New Incident-level IOC search to search all artifact metadata

    • New advanced search that shows you all artifacts of a given type across all hosts in a given time range.

    • New notable items view that shows all bad items from all hosts, sorted by time.

  • Collector:
    • The Collection Tool has been renamed the Collector, and the executable is therefore now CyberTriageCollector.exe.

    • The Collector can now output to UNC paths

  • Artifacts and Analytics
    • Scheduled Tasks are extracted from the registry in addition to files and are merged from other sources.

    • Collect PowerShell and Bat files

    • Show deleted file based on recycle bin contents

    • Show MFT Milliseconds - useful for time stomping detection

    • Added timestamp to bad items table and report

    • Added ability to export selected source files

    • Propagate score to Data Accessed artifacts if docx/pdf is bad.

    • Do not keep good list in memory

    • Fix bug that reported local logins as remote

    • Added many heuristics

  • Infrastructure
    • Added ability to communicate with PostgreSQL over TLS

    • Added ability to import a certificate for server / client communication

    • Added ability to import host data from the command line (Standard Pro and Team Only)

    • Changed how ‘net use’ was used so that the password is not passed as an argument

    • Fixed Timesketch report so that the header works

    • Confirmed that the latest versions of PsExec do not work with Windows XP.

    • Added the ability to select and copy text from all UI panels

  • Security
    • Fixed Apache Commons Text vulnerability

    • Fix ActiveMQ vulnerability

    • Fix logback vulnerability

  • Hashes:
    • SHA256 of ZIP: 6d80b7afbfd448a5174206b54854c871415bf51b488f2cf0197c36fd36c2d9ea

    • SHA256 of CyberTriageCollector.exe: b0b80a303768b8a93eadae47def8cd5b320238ac3853f20b94a991be777fa776

    • SHA256 of CyberTriageCollector_XP.exe: 104a1bc9716d0066fd29511dc754075eee78d432a2a183a642d3ad6781434d90

20.11. Ver 3.8.0 (Aug 29, 2023)

  • New Features:
    • Added Malware analysis features to prevent users from hitting limits:
      • New Flex tier provides 1,000 lookups/month to help finish a host

      • New Boost codes allow users to purchase additional lookups with a credit card

      • Display the historical average number of lookups per host required in the Malware Details panel.

      • Files are now uploaded to Cyber Triage API instead of ReversingLabs.

    • Added ability for Standard and Standard Pro to export an incident so that it can be opened in Autopsy.
      • All files are accessible on a disk image.

    • Added a Yara rule to detect OneNote files with embedded executable content

  • Notable Bug Fixes:
    • Password special character fix

    • Paid licenses will overrule the embedded evaluation license expiration

  • Hashes:
    • SHA256 of ZIP: f087d8f8b31fb722b3dbe097de805eb634a263165314250af54fde1908856162

    • SHA256 of CyberTriageCLI.exe: b4bcc8b71aa0be4856eeb1c029c9582ddf8d8a7d04e3f09dba3b2f5583b17ebb

    • SHA256 of CyberTriageCLI_XP.exe: 92b4119ba017c4c7feaabf72a27f69c2f0e78a37b9710303d9ea1a67fd3cf140

20.12. Ver 3.7.0 (Jun 30, 2023)

  • New Features
    • Custom File Collection Sets: Users can specify additional files that Cyber Triage should collect

    • Propagate score to other instances of an item:
      • When a file is manually scored as bad, propagate the score to other hosts in the incident and future hosts.

      • Manually scored items can be exported as JSON for threat intel sharing.

      • Manually scored items can be imported as bad list items for threat intel sharing

      • Users can choose to suppress propagation of items that were previously incorrectly scored

      • Changed the “Other Occurrence Viewer” to differentiate exact match occurrences and fuzzy match.

    • MITRE ATT&CK categorization is applied to automated analysis results.
      • Items will have a link to the MITRE ATT&CK page

      • HTML report will show which category an item belongs to

      • JSON report can be generated to import into ATT&CK Navigator

    • New TLS certificate verification:
      • A new self-signed certificate is created for each installation.

      • The Collection Tool now requires --cert_hash to be given when connecting to a server. The argument must either be the server certificate hash or ‘nohash’ to skip verification.

      • Team Clients will prompt the user to confirm the server certificate when they first launch.

    • Collect more artifacts:
      • Collect possible ransomware notes by looking for files in common locations with the same name and size.

      • Collect Sysmon, PowerShell, and Windows Defender log files

      • Collect public facing IP

      • Expanded collection of downloaded files by looking for Zone.Identifier during full scan, always collecting its content, and also downloading OneNote files. Web artifacts are created from Zone.Identifier files.

      • Make processes from Run/RunOnce events

      • Parse LNK files on the Collection Tool and also collect the destination

    • Scoring:
      • Flag services if they are cmd or powershell

      • Parse Microsoft-Windows-VHDMP-Operational.evtx and flag when ISO files are mounted

      • Flag processes that could be dumping LSASS memory or running mshta or wscript

      • Flag BITSJobs that use IPs

      • Flag Run keys that use LNK files

      • Flag LNK files not created on the local system

      • Flag artifacts that reference admin file shares

      • Made rescan clearer

    • Added process column to logons table

    • Expanded search to include Windows events

    • Added ability to provide in-app feedback

  • Bug Fix
    • Updated file explorer UI to better identify files that were inferred by Cyber Triage to previously exist.

    • OS Accounts could sometimes have duplicates if they were not properly merged

  • Hash of ZIP:
    • SHA-256: 253fade3b94a51ff94750d168c0e6153661f1735e8204b136de17dd2b6c7bfa3
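The ransomware-note heuristic listed above under “Collect more artifacts” (files with the same name and size dropped in many common locations) can be reproduced with a small scan. This is an added example, not Cyber Triage’s own code; it walks a constructed temporary directory tree in place of collected user folders, and the threshold of three locations is an assumption.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed sample note content (not a real ransomware note).
SAMPLE_NOTE = b"Your files have been encrypted. Contact us to restore them.\n"


def find_repeated_notes(root, min_locations=3, max_size=64 * 1024):
    """Group regular files under `root` by (lower-cased name, size) and
    return the groups that appear in at least `min_locations` distinct
    directories.

    Ransomware notes are usually small text files written with the same
    name and identical size into many folders, so name+size repetition
    across directories is a cheap indicator worth reviewing. The
    `min_locations` and `max_size` thresholds are assumptions for this
    example, not Cyber Triage's values.
    """
    groups = defaultdict(set)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip it
            if size == 0 or size > max_size:
                continue  # empty or large files are unlikely note candidates
            groups[(name.lower(), size)].add(dirpath)
    return {key: sorted(dirs) for key, dirs in groups.items()
            if len(dirs) >= min_locations}


def build_sample_tree(base):
    """Write a constructed tree: one note-like file repeated in several
    user folders, plus ordinary files that must not be flagged."""
    user = Path(base) / "Users" / "alice"
    for folder in ("Desktop", "Documents", "Pictures", "Downloads"):
        d = user / folder
        d.mkdir(parents=True, exist_ok=True)
        (d / "README_TO_RESTORE.txt").write_bytes(SAMPLE_NOTE)
    # Ordinary files: unique, or same name but different size in only two places.
    (user / "Documents" / "budget.xlsx").write_bytes(b"x" * 1234)
    (user / "Desktop" / "notes.txt").write_bytes(b"todo\n")
    (user / "Downloads" / "notes.txt").write_bytes(b"todo list\n")
    return base


def demo(min_locations=3):
    """Build the sample tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_repeated_notes(build_sample_tree(tmp), min_locations)


if __name__ == "__main__":
    for (name, size), dirs in demo().items():
        print(f"{name} ({size} bytes) seen in {len(dirs)} folders:")
        for d in dirs:
            print("   ", d)
```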

20.13. Ver 3.6.0 (Feb 20, 2023)

  • New Features
    • Process view was redesigned:
      • Includes artifacts from the Program Run view so that you can see current and past processes at the same time.

      • New search and grouping interface to make it easier to focus on certain types of processes.

      • Added a tree interface to allow users to navigate by hierarchy.

      • The Execution History tab on the bottom was removed and the Process tab now shows all past processes.

      • Added process tree diagram to bottom process tab.

      • Changed how scoring was applied and now each process instance gets its own score. This will cause higher counts when a false positive happens, but it gives more control.

      • Processes now store if they were running with elevated privileges.

    • OS Accounts
      • Accounts are now created for “non-existent” users, which are created from failed logons.

      • Merged the concept of an “inferred” account with “unknown”. These are accounts for which a reference was found in a log, but no entry was found in the registry, etc.

      • Updated the filters in the “Account” view.

      • Score accounts as suspicious if they were recently created and have admin privileges.

    • User Logons
      • Parse more 4648 events for outbound logon details.

      • Collect log files (but not parse) from 3rd party remote logon applications. They are shown as “Source Files” in the Collection Details panel.

      • Bottom inbound logon panel will now show country of remote host

    • OS Configuration:
      • Record log maximum sizes and rotation policy to detect if an attacker made them small to reduce evidence.

      • Record Windows PE (MiniNT) registry setting.

    • Add Host Options:
      • Added the ability to import a local drive, which can be used when an image is locally mounted (for example if it was encrypted with BitLocker).

    • Triggered Tasks:
      • Services are now created based on event log data that shows a service was installed.

      • Services that were recently created are scored as suspicious.

      • PsExec service will be scored as suspicious.

    • Downloads:
      • Collect downloaded files from Temp folder based on Zone.Identifier ADS existence.

      • Collect content of more downloaded file types (LNK, ISO, etc.) if created within the past 6 months.

      • Recently downloaded ISO and LNK files are scored as suspicious.

    • Search:
      • Panel was updated to make its capabilities more obvious. Same functionality.

    • New Reports:
      • Export all files scored as bad as a ZIP file

      • Export all file hashes as a text file

      • Export all IP addresses as a text file

    • Collection Details:
      • Files that were searched for, but not found are now listed.

      • Bitlocker detection is shown

    • IP Addresses:
      • Mark IPs as suspicious if they are frequently used by attackers for data exfiltration (such as mega)

      • Updated Dynamic DNS provider list

    • Other:
      • The Host Information panel will now show what drives the host had mounted

      • Sources tab will show payload for Windows Events

      • New evaluation panel with reduced options and allows users to import their own system

      • Updated event log parser to use EVTX for disk images and logical file imports (https://github.com/omerbenamram/evtx)

  • Bug Fixes: Many bug fixes are included, but notable ones from customer support issues include:
    • Very large NTFS folders are now detected and alerted versus exhausting memory.

    • Logical folder ingest works with long folder names.

  • Hash of ZIP:
    • SHA-256: 8ddb62c4961f6fc7600aaa114a31f013487b421aced725f814eb6eef7094dccc

20.14. Ver 3.5.0 (Nov 21, 2022)

  • New Features:
    • New Collection Details panel
      • New panel which quickly shows you high-level information about your incident.

      • View all source files collected and the number of artifacts extracted from them.

      • New “Export All” button allows you to export all collected source files in one click.

    • Data Accessed artifacts are now merged
      • Artifacts in this category are now merged if they come from the same event.

      • You can still view each individual data source in the “Sources” tab within the File Info Panel.

      • This change improves visual clarity when reviewing these artifacts.

    • Updated Inbound and Outbound Logon Summary Panels
      • New Logon Histogram graphic shows a visual overview of logon activity on the host.

      • Updated widgets allow an examiner to see the dates and ranges of logons, without having to drill through the Logons Sessions tab.

    • Accounts panel was updated with more filters to make it easier to focus on relevant accounts.

    • Outbound Logons are created using data from Microsoft-Windows-TerminalServices-RDPClient/Operational log.

    • Mini-timeline can be minimized to save UI space.

    • Event log clearing is now scored based on existence of specific events.

    • GPO files are collected.

    • KAPE collections from Velociraptor are now supported (different naming conventions).

    • Links to cybertriage.com pages now exist in the “Sources” Panel for some Data Accessed types.

    • Files can be exported to a ZIP file with the “infected” password.

    • Times now use ISO 8601 format (YYYY-MM-DD HH:MM:SS).

  • Bug Fixes:
    • OpenSaveMRU artifacts no longer sometimes show the user’s home directory in the path.

    • Google DNS is now used to resolve names and identify high flux domains.

    • Logon merging algorithm is now more accurate.

    • Recorded Future Sandbox results now display more data.

    • LNK file path parsing is improved.

    • Web artifacts show correct user when the user is admin.

    • Common Programs Run items from AppData (such as Windows Defender and OneDrive) are no longer scored as suspicious.

    • Program Run ‘File Content Available Only’ filter works in all scenarios.

    • DNS Cache now reliably shows countries.

    • HTML report columns no longer go off screen.

    • Recommendation Engine now comes up when Logon Sessions are scored.

    • Comments can be edited without causing an error.

    • Badlist rescans can now be performed.

    • Fixed an issue where the user showed as blank or unknown for a Logon Session when we only have the SID.

    • Back Button will now go back to the Logon Sessions instead of the Logon Search panel.

  • Hash of ZIP:
    • SHA-256: 2e92de8b9801c347c55a664a0ef384b99a0d3e05fcac74d094b36d6df9ebe2fa

20.15. Ver 3.4.0 (Sep 26, 2022)

  • New Features:
    • Major update to logon sessions
      • New database schema that makes it possible to merge logon data from multiple hosts and track logoff times.

      • Separate Inbound and Outbound Logon Session UIs to make it easier to focus on user activity versus lateral movement.

      • New UI concept with summary panels and search interfaces to make it easier to handle large data sets.

      • Events from Security and Terminal Services logs are automatically merged instead of the user having to know they are from the same session.

      • Logoff / Disconnect events are now parsed and stored.

      • New Logon Session related info panel (lower right) will show you what session was active when an item on top is selected.

    • Recorded Future Sandbox Integration
      • Individual files can now be submitted to the new Recorded Future Sandbox (by right-clicking on the file).

      • This feature is included in all current licenses for no extra cost.

    • Collect Microsoft BITS Jobs
      • BITS Jobs are detected from the application database and event log files

      • Triggered Tasks are created for each job

      • Program Run entries are created for each notify command run

      • Added filter to Triggered Task area to allow user to focus on scheduled tasks, BITS, WMI, etc.

    • Processes now list the DLL files they loaded. Cyber Triage was previously collecting the files, but not associating them with a process.

  • Bug Fixes:
    • Fixed a bug where Good/Bad list panel was not resetting.

    • Fixed a bug where Triggered Tasks were not showing up when ingesting old data.

    • Fixed a bug where the bottom “Host Info” panel was not populating in rare cases.

    • Fixed a bug where a user was unable to open a host that had an error from Batching mode.

    • Fixed a bug that caused an error while initializing the Postgres database in Team version.

    • Fixed a bug where bad listed files were occasionally not flagging Programs Run or Data Accessed entries.

    • Fixed a bug that caused the “update version” dialogue box to appear even if a user was running the most current version of Cyber Triage.

    • Fixed a bug that caused a proxy failure while using Active Directory credentials.

    • Fixed a collection tool bug that caused a crash while opening up the file system during phase 2 collection.

    • Fixed a bug that sometimes caused the source file report to generate.

    • Fixed a bug that caused the active connections list to display the wrong number.

    • Multiple security fixes and updates.

  • Hash of ZIP:
    • SHA-256: ec5f7003abdf40d60ec153b38472c1d001f672248fac8447a1e6e9d3d83a9ed6

20.16. Ver 3.3.1 (July 28, 2022)

  • Bug Fixes:
    • Fixed a bug that involved proxies using Active Directory for authentication.

20.17. Ver 3.3.0 (July 13, 2022)

  • New Features:
    • New Artifact Type: “Data Accessed”, a new section in the UI panel where you can view different types of artifacts that shed insight into what data a particular user accessed.

    • Parsing of new Data Accessed artifacts from Office Recent Files, Shortcut (LNK) files, IE | Edge files and Open/Save MRU files.

    • Adobe PDF and Microsoft Office documents are analyzed for suspicious actions and scripts to detect possible malware.

    • Logical files and folders can now be imported, including KAPE logical files.

    • Added the ability to collect source files (hives, logs, etc.) over 150MB.

    • Collect SHA-1 hashes in Collection Tool (in addition to MD5 and SHA-256).

    • Added SHA-1, SHA-256 to the Good and Bad Lists.

    • Added feature to automatically delete old JSONs.

    • Expanded the Live File batching feature to recurse one directory level to detect JSONs.

    • Updated to Java 17.

  • Bug Fixes:
    • Fixed a bug where ‘No data collected for this type’ displayed when data was collected.

    • Fixed a bug where duplicate “Notable” entries were being recorded.

    • Fixed a bug where Cyber Triage failed to shut down completely.

    • Fixed a bug where an incorrect error was thrown when parsing the IE history file.

    • Fixed a bug that caused a client error when the connection to Team Server was momentarily lost.

    • Fixed a bug that did not allow a user to load View File in Directory from a different host.

    • Fixed a bug that caused some malware heuristics to not flag all relevant files.

    • Fixed an inconsistency between the Good List and the Bad List.

    • Updated the error message when the application cannot start due to low disk space.

    • Fixed a bug where Recent Messages were being duplicated in the Team Server edition.

    • Fixed a bug where an error was not being shown when an ingested JSON was corrupted.

    • Fixed a bug where the Multi-Client Incident Name and Description failed to update between clients.

    • Fixed an error where Memory settings were not taking effect after rebooting Cyber Triage from the Options Panel.

    • Fixed a bug where the Memory Allocation panel occasionally showed blank in the Options Panel.

    • Fixed a bug where the user’s memory settings were not transferring over when switching from Client to Team Server mode.

20.18. Ver 3.2.0 (Apr 8, 2022)

  • New Features:
    • Added ability to batch live files, disk images, and memory images for ingest and processing in Team and Standard Pro

    • Team server will no longer reject connections when it is at capacity. It will now save the data to disk and schedule it for processing.

    • Added ability to ingest KAPE VHD output for additional analysis

    • Added ability to export ‘source’ files (registry hives, event logs, etc.) to a local directory

    • Added a dialogue box to alert the user if a new version of Cyber Triage is available

    • Added a link within the application to the Cyber Triage User Guide

    • Calculate SHA-256 for collected files

    • First version to support Standard Pro license

  • Bug Fixes:
    • Fixed an error where a program flagged for “ran from a non-standard path” was displaying twice in the analysis results

    • Fixed an error where occasionally selecting a single entry in the startup items and adding to the good list would cause other items to disappear from the table.

    • Native Image DLLs from .NET will now be given a score of “none” when unsigned to reduce false positives

    • Fixed an issue in Team Server where the hosts panel could freeze if the connection to the server was lost

    • Fixed bug that prevented previous scores and comments from getting saved into correlation database

    • Fixed various bugs in Cyber Triage Lite and enabled web artifact extraction

    • Fixed a bug that caused the info panel to blank when a user right-clicked.

    • Various other minor bug fixes

  • Version 3.2.0 Installer Hash:
    • SHA-256: 8d05492efbd86584e9d030c79d7ed1ee975f250e58867b77dbe7850de786bd3a
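The release notes above (3.2.0 installer, and the 3.4.0 and later ZIPs) publish a SHA-256 so that a downloaded package can be checked before it is installed. The following is an added example, not code from Cyber Triage or this page: it hashes a file in chunks (so a large installer is not read into memory at once), normalises a hash pasted from the release notes, and compares with a constant-time comparison. The sample "installer" bytes and the tampered copy are constructed inline; `PUBLISHED_SHA256_3_2_0` is copied from the line above and is only used as an illustration of the expected-hash format.

```python
import hashlib
import hmac
import os
import tempfile

# Published SHA-256 of the Cyber Triage 3.2.0 installer, copied from the release notes.
# Used here only to illustrate the digest format; the demo below hashes constructed bytes.
PUBLISHED_SHA256_3_2_0 = "8d05492efbd86584e9d030c79d7ed1ee975f250e58867b77dbe7850de786bd3a"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so multi-GB installers are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, expected_hex):
    """Return True only if the file's SHA-256 matches the published digest.

    Strips whitespace and lower-cases the pasted hash, rejects anything that is not a
    64-character hex digest, and uses a constant-time comparison for the final check.
    """
    expected = expected_hex.strip().lower()
    if len(expected) != 64 or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError("expected hash is not a 64-character hex SHA-256 digest")
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed sample (not a real Cyber Triage package): write a stand-in installer to a
    temp directory, verify it against the digest of the same bytes (pasted in upper case),
    then show that a one-byte modification fails verification."""
    payload = b"stand-in installer bytes, not the real Cyber Triage package\n" * 1000
    good_hex = hashlib.sha256(payload).hexdigest()
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "installer.zip")
        bad = os.path.join(d, "installer_tampered.zip")
        with open(good, "wb") as f:
            f.write(payload)
        with open(bad, "wb") as f:
            f.write(payload[:-1] + b"X")
        return verify_download(good, good_hex.upper()), verify_download(bad, good_hex)


if __name__ == "__main__":
    ok, tampered = demo()
    print("good file verifies:", ok, "| tampered file verifies:", tampered)
```

To check a real download, call `verify_download("CyberTriage-installer.zip", PUBLISHED_SHA256_3_2_0)` with the hash for the version you fetched; a `False` result means the file should not be installed.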

20.19. Ver 3.1.1 (Mar 14, 2022)

  • Bug Fixes:
    • Collection tool is now signed (it was not in 3.1.0)

    • Fixed memory leak in main application

    • Fixed issue when collecting from hosts with non-ASCII characters in host name

  • Known Issues:
    • If hostname has non-ASCII characters, then you should use the IP address instead of the hostname for “Live Automatic”

20.20. Ver 3.1.0 (Feb 10, 2022)

  • New Features:
    • Added ability to keyword search all artifact metadata within a host.

    • OS Configuration:
      • Expanded OS Configuration artifacts to have a group and be scored.

      • Collect more settings, such as RDP.

      • Flag if EventLog or Windows Defender are disabled.

      • Flag if EventLog or Windows Defender are enabled, but not running.

      • Provide more context about why OS Configuration settings are important

    • Improved Program Run Performance:
      • Changed the UI so that specific run times are not shown on top.

      • Run times are shown at the bottom and paged.

      • When a “Program Run” is marked as suspicious or bad, only the first and last times will show up in the “mini-timeline”.

    • Improved User Login performance by decreasing memory requirements in pipelines.

    • Added ability to select multiple items and score or export them.

    • Collect PowerShell console history and the Windows UAL file

    • Added ability to add a logo to the HTML report.

    • Added Offline Mode that suppresses the warning otherwise shown each time the Internet cannot be reached.

    • Added feature to allow you to pick a timezone other than the current one or UTC.

    • New evaluation dashboard with list of options.

  • Bug Fixes:
    • Reduced amount of WMI database processing to improve performance.

    • Encrypted archives are only flagged as suspicious if they are less than 3 months old (to reduce false positives).

    • Fixed false positives associated with Swedish OS Account names.

    • Various other minor bug fixes

  • NOTE: For quality assurance, this release will upload a subset of anonymized artifact metadata to a server to help identify and fix false positives. The data is sanitized and not stored in any way to associate it with where it came from.

20.21. Ver 3.0.2 (Nov 30, 2021)

  • New Features:
    • Collect WofCompressedData files using native APIs.

    • Added creation time and file sizes to various UIs.

  • Bug Fixes:
    • Fix ransomware note bug that could flag the wrong file (with the same name)

20.22. Ver 3.0.1 (Nov 10, 2021)

  • New Features:
    • Flag Ransomware notes based on known names and heuristics

    • Flag commands that disable volume shadow and Windows backup

    • Added ability to filter OS Accounts based on their actions on the system

    • Detect and mark WOF compressed files (content is still not collected)

    • Added ability to collect only hashes instead of file content to the UI

  • Bug Fixes:
    • Fixed issues with collection from IPv6 hosts

    • Fixed Google Object upload bug

    • Fixed bug about not being able to open Yara rule

    • Fixed issue when deleting multiple hosts.

    • Various other minor bug fixes

20.23. Ver 3.0.0 (Sep 13, 2021)

  • New Feature:
    • The backend database was replaced with SQLite and PostgreSQL, using the same schema as Autopsy. This results in better stability.

    • Added ability to delete incidents.

    • Added ability to soft delete hosts. They are not shown in the UI, but the actual data is still retained. This will be improved.

    • All collected data must now be part of an Incident.

    • Collection tool JSON schema changed and is not compatible with v2.

    • Renamed Session to Host.

    • Added host name to the top of each panel (user request)

    • Users are reported as being local or domain

  • Team Changes:
    • More extensive REST APIs exist because clients now connect to the REST API instead of directly to the database

    • Clients must use a Server Key to connect to the REST API.

  • Bug Fixes:
    • Fixed issue where a process would be collected twice

    • No longer create an inferred user from a failed login for an account that didn’t exist

20.24. Ver 2.14.5 (Jun 4, 2021)

  • Fixes:
    • Fixed parsing error with WMI Databases

    • Updated URL to download evaluation data

20.25. Ver 2.14.4 (Apr 15, 2021)

  • New Feature:
    • Collect Exchange files from wwwroot for WebShell detection

    • Distribute NSA-based Yara rules to detect web shells related to recent Exchange compromises

    • Added keyboard shortcuts for scoring items.

    • Added --skip_file_contents and --skip_source_file_contents command line arguments to collect only MD5s and not file content.

  • Fixes:
    • Do not flag inferred accounts when there are no local logins. Inferred accounts come from event logs.

    • Support PsExec 2.3 and above

    • Fixed bug that prevented the Server from stopping when it was run as a Windows service

20.26. Ver 2.14.3 (Mar 1, 2021)

  • New Feature:
    • Temporary S3 Session Tokens can be used.

  • Fixes:
    • Better deal with corrupt compressed JSONs

    • Better UI feedback while encrypted JSONs are being checked

    • Fixed bug that incorrectly reported local login as remote

    • Fixed bugs with parsing some startup items

    • Fixed bug with WMI Action heuristics

    • Fixed Bug showing WMI DB in timeline

    • Collection tool will use a different output folder if run from SysWOW64 (via EDR)

20.27. Ver 2.14.2 (Jan 25, 2021)

  • New Features
    • DLLs of running processes are collected

    • Files can be rescanned by new Yara rules and bad lists after initial collection

    • Updated Volatility for Windows 10 19041 Profile

  • Fixes
    • Improved event log parsing performance

    • Fixed bug that prevented S3 uploads on large JSON files

    • Allow new version of PsExec (2.3) to be used.

    • Fix UI refresh issues over RDP

    • Fixed memory issue with large encrypted JSONs

20.28. Ver 2.14.1 (Oct 28, 2020)

  • New Features:
    • S3 Test button uses configured proxy

    • Collection tool can use proxy for S3 using configuration file

    • Added CSV and JSONL incident-level reporting

  • Bug Fixes:
    • Changed JMX to not listen for remote connections and to require TLS.

    • Fixed bug with Team options panel

    • Fixed HTML incident-level reporting

20.29. Ver 2.14.0 (Oct 7, 2020)

  • New Features:
    • Collection Tool output can now be encrypted using AES

    • Collection Tool output is now compressed when saved to local file

    • Collection Tool output can be uploaded to S3 bucket

    • Yara rules are applied to memory images using Volatility

    • The Event Log Id is displayed in the UI

    • Session files are no longer deleted after they are imported

    • When evaluating, a session can be automatically created with evaluation data.

  • Bug Fixes:
    • Faster processing of systems with a large number of user accounts and logins.

    • Fixed UI rendering issues from font scaling

    • Partial files are collected when read errors occur (most often occurs with event logs that use NTFS compression)