15. Upgrading Installations
15.1. General Concepts
When upgrading an existing installation of Cyber Triage, there are a few concepts to keep in mind:
- The new version will uninstall the previous version. In versions before 3.10, the previous version would remain installed until you uninstalled it.
- You should update your AV and EDR providers with the hash values of the new collector. You can find those in the History.
- If you are running a Team cluster, remember to:
  - Restart the Server service. Instructions can be found in Upgrading a Service-based Server.
  - Update the clients as well. Their settings will transfer from the previous version.
With respect to backward compatibility:
- Unless it is a major version update, you will be able to open your previous incidents.
- The database schema of an older incident may get updated when it is opened, but you will still be able to open it with an older version of Cyber Triage. Our upgrades are backward compatible.
- If you start to add hosts and do analysis with a newer version, then you may not be able to see the results with an older version. We recommend that you only use a single version of Cyber Triage at a time.
The following have more details:
- Upgrade instructions for Standard can be found in Standard Upgrade Steps.
- Upgrade instructions for Team can be found in Upgrade The Cyber Triage Server.
- Upgrade notes for PostgreSQL can be found in Upgrading PostgreSQL.
- Instructions for upgrading from v2 to v3 (which changed database types) can be found in Upgrading from v2 to v3.
15.2. Upgrading Team from before 3.10 to 3.10 or later
The Team version of Cyber Triage 3.10.0 and beyond requires user accounts for each license. Those need to be created during the upgrade process.
When upgrading from 3.9 to 3.10, you will need to:
- Upgrade the server as outlined in Upgrade The Cyber Triage Server.
- Create user accounts for each examiner, as outlined in Create and Manage Team Users.
- Upgrade each client, then go to the options panel and choose the “Deployment” tab. Enter the examiner’s login and password. They will need to reset it.
If you do not change the client to use the new user name and password, you will get an authentication error.
15.3. Upgrading from v2 to v3
Version 3 of Cyber Triage® introduced a new backend database type and schema. This is a backward-incompatible change, and this section outlines how to make the upgrade and what is retained.
Here are some key concepts:
- You will not be able to access data in Cyber Triage® version 3 (v3) that was created in Cyber Triage® version 2 (v2).
- No v2 data is deleted; it is just not in the v3 database.
- You can install v3 alongside v2, but only one version can be run at a time. This will allow you to access old data.
- Your basic configuration settings from v2 will be used by v3.
- The collection tool schema changed. The Cyber Triage® v3 UI cannot import v2 collection tool data.
15.3.1. Standard
If you have Cyber Triage® Standard, then you can simply install Cyber Triage® 3 and start using it with no other configuration changes.
15.3.2. Team
You have a couple of decisions to make when using the new Team version:
- Retaining Access to v2 Data: If you want clients to be able to access older data, then you should get a new host for the v3 Cyber Triage® Server. If you do not need access, then you can stop the v2 Cyber Triage® Server and start v3 instead.
- Database Type: With v3, you have a choice of SQLite or PostgreSQL. Choosing between them is outlined in Configuring a Team Environment.
If you have configured the Cyber Triage® Team server to run as a service, you will need to follow Installing Server as a Service to remove the service and reinstall the new version’s service.
For each client, you’ll need to:
- Configure them to use the new Server Password.
- Change the server address if you have a new host for the v3 Server.
- Press OK.