6.1. Upgrading Installations

6.1.1. General Concepts

When upgrading:

• Previous Version is Removed: The installer will uninstall the previous version. Versions before 3.10 did not do this.

• Good List The Collector In Your EDRs/AV: You should update your AV and EDR providers with the hash values of the new Collector. You can find those in the History.

• Team Is Multi-Step: If you are running a Team cluster, remember to:

  • Restart the Server service. Instructions can be found in Upgrading a Service-based Server.

  • Update the clients as well. Their settings will transfer from the previous version.

Specific instructions include:

• Standard: Upgrading Standard

• Team: Upgrading Team

• PostgreSQL: Upgrading PostgreSQL

6.1.2. Backward Compatibility

• Unless it is a major version update, you will be able to open your previous incidents.

• The database schema of an older incident may get updated when it is opened, but you will still be able to open with an older version of Cyber Triage. Our upgrades are backward compatible.

• If you start to add hosts and do analysis with a newer version, then you may not be able to see the results with an older version. We recommend that you only use a single version of Cyber Triage at a time.

6.1.3. Upgrading Standard

To upgrade Cyber Triage, simply run the new MSI. With versions after 3.10.0, the previous version will be automatically uninstalled. Previous installers would keep the previous version.

All settings will be retained.

6.1.4. Upgrading Team

When a new version of Cyber Triage comes out, the following are the high-level upgrade steps:

• Download the new MSI installer. It’s the same one for the server and the clients.

• Find a time that no one will be using Cyber Triage. It will be down for everyone during the upgrade.

• Upgrade the server (instructions are below)

• Upgrade each of the clients (instructions are below)

The upgrade process for Cyber Triage Server is different depending on if it is configured to run as a service or not.

6.1.4.1. Upgrading a Non-Service Server

If you are running the Cyber Triage Server as a normal application (i.e. not as a service), then:

• Exit the application

• Install the new version using the new .MSI

• Start the application

• Proceed to update each of the clients (instructions below)

6.1.4.2. Upgrading a Service-based Server

If you are running the Server as a service, then the process is slightly different depending which version you are upgrading from.

6.1.4.2.1. Upgrading from 3.10 and Later

To upgrade a Server that is 3.10+:

• Open an Admin command prompt and change to the Cyber Triage service folder.

  cd C:\Program Files\Cyber Triage\cybertriage\service
  

• Stop the existing version of Cyber Triage using ‘svcmgr.bat’:

  svcmgr stop
  

• Run the new MSI installer. This will uninstall the previous version of Cyber Triage.

• Launch Cyber Triage using the user account that the service runs as. This ensures that you can review any configuration dialogs. Use shift + right click if needed to pick a different user account. Exit the application.

• Start the Cyber Triage service from the previous admin command prompt.

  svcmgr start
  

• Proceed to update each of the clients (instructions below)

6.1.4.2.2. Upgrading from 3.9 or Earlier

Prior to 3.10.0, each version of Cyber Triage had a version number in its path. Therefore, the service needed to be updated for each update to make sure that it referred to the right executable. If you do not update the service, the old version will continue to launch.

The update process is:

• Install Cyber Triage 3.10 or later on the server (you can keep the previous version running during this process).

• Open an Admin command prompt and change to the new installation folder.

  cd C:\Program Files\Cyber Triage\cybertriage\service
  

• Stop the previous version of the Cyber Triage service using ‘svcmgr.bat’:

  svcmgr stop
  

• Run the upgrade command so that the service points to the new path. The user account info will persist.

  svcmgr upgrade
  

• Launch Cyber Triage using the user account that the service runs as. This ensures that you can review any configuration dialogs. Use shift + right click if needed to pick a different user account. Close the application.

• Start the Cyber Triage service

  svcmgr start
  

• Manually uninstall the previous version (using the Windows Control Panel, etc.)

6.1.4.3. Upgrading Clients

Cyber Triage Clients need to be updated at the same time as the Server. On each client:

• Exit the Cyber Triage application if it is running

• Install the new version using the new .MSI

• Start the application

6.1.5. Upgrading Team from before 3.10 to 3.10 or later

The Team version of Cyber Triage 3.10.0 and beyond require user accounts for each license. Those need to be created during the upgrade process.

When upgrading from 3.9 to 3.10, you will need to:

• Upgrade the server as outlined in Upgrading Team

• Create user accounts for each examiner, as outlined in Create and Manage Team Users

• Upgrade each client and go to the options panel and choose the “Deployment” tab. Enter in the examiner’s login and password. They will need to reset it.

If you do not change the client to use the new user name and password, you will get an authentication error.

6.1.6. Upgrading from v2 to v3

Version 3 of Cyber Triage^® introduced a new backend database type and schema. This is a backward incompatible change and this section outlines how to make the upgrade and what is retained.

Here are some key concepts:

• You will not be able to access data in Cyber Triage^® version 3 (v3) that was created in Cyber Triage^® version 2 (v2).

• No v2 data is deleted, it is just not in the v3 database.

• You can install v3 alongside v2, but only one version can be run at a time. This will allow you to access old data.

• Your basic configuration settings from v2 will be used by v3.

• The collection tool schema changed. The Cyber Triage^® v3 UI cannot import v2 collection tool data.

6.1.6.1. Standard

If you have Cyber Triage^® Standard, then you can simply install Cyber Triage^® 3 and start using it with no other configuration changes.

6.1.6.2. Team

You have a couple of decisions to make when using the new Team version:

1. Retaining Access to v2 Data: If you want clients to be able to access older data, then you should get a new host for the v3 Cyber Triage^® Server. If you do not need access, then you can stop the v2 Cyber Triage^® Server and start v3 instead.

2. Database Type: With v3, you have a choice of SQLite or PostgreSQL. Choosing between them is outlined in Team Installation and Configuration.

3. If you have configured CT team server to run as a service, you will need to follow Installing Server as a Service to remove the service and reinstall the new version’s service.

For each client, you’ll need to:

• Configure them to use the new Server Password.

• Change the server address if you have a new host for the v3 Server.

Press OK. /