11. History

11.1. Ver 3.4.0 (Sep 26, 2022)

  • New Features:
    • Major update to logon sessions
      • New database schema that makes it possible to merge logon data from multiple hosts and track logoff times.

      • Separate Inbound and Outbound Logon Session UIs to make it easier to focus on user activity versus lateral movement.

      • New UI concept with summary panels and search interfaces to make it easier to handle large data sets.

      • Events from Security and Terminal Services logs are automatically merged instead of the user having to know they are from the same session.

      • Logoff / Disconnect events are now parsed and stored.

      • New Logon Session related info panel (lower right) will show you what session was active when an item on top is selected.

    • Recorded Future Sandbox Integration
      • Individual files can now be submitted to the new Recorded Future Sandbox (by right-clicking on the file).

      • This feature is included in all current licenses for no extra cost.

    • Collect Microsoft BITS Jobs
      • BITS Jobs are detected from the application database and event log files

      • Triggered Tasks are created for each job

      • Program Run entries are created for each notify command run

      • Added filter to Triggered Task area to allow user to focus on scheduled tasks, BITS, WMI, etc.

    • Processes now list the DLL files they loaded. Cyber Triage was previously collecting the files, but not associating them with a process.

  • Bug Fixes:
    • Fixed a bug where the Good/Bad list panel was not resetting.

    • Fixed a bug where Triggered Tasks were not showing up when ingesting old data.

    • Fixed a bug where the bottom “Host Info” panel was not populating in rare cases.

    • Fixed a bug where a user was unable to open a host that had an error from Batching mode.

    • Fixed a bug that caused an error while initializing the Postgres database in Team version.

    • Fixed a bug where bad-listed files were occasionally not flagging Programs Run or Data Accessed entries.

    • Fixed a bug that caused the “update version” dialogue box to appear even if a user was running the most current version of Cyber Triage.

    • Fixed a bug that caused a proxy failure while using Active Directory credentials.

    • Fixed a collection tool bug that caused a crash while opening up the file system during phase 2 collection.

    • Fixed a bug that sometimes caused the source file report to generate.

    • Fixed a bug that caused the active connections list to display the wrong number.

    • Multiple security fixes and updates.

  • Hash of ZIP:
    • SHA-256: ec5f7003abdf40d60ec153b38472c1d001f672248fac8447a1e6e9d3d83a9ed6

11.2. Ver 3.3.1 (July 28, 2022)

  • Bug Fixes:
    • Fixed a bug that involved proxies using Active Directory for authentication.

11.3. Ver 3.3.0 (July 13, 2022)

  • New Features:
    • New Artifact Type: “Data Accessed”, a new section of the UI panel where you can view different types of artifacts that shed insight into what data a particular user accessed.

    • Parsing of new Data Accessed artifacts from Office Recent Files, Shortcut (LNK) files, IE | Edge files and Open/Save MRU files.

    • Adobe PDF and Microsoft Office documents are analyzed for suspicious actions and scripts to detect possible malware.

    • Logical files and folders can now be imported, including KAPE logical files.

    • Added the ability to collect source files (hives, logs, etc.) over 150MB.

    • Collect SHA-1 hashes in Collection Tool (in addition to MD5 and SHA-256).

    • Added SHA-1, SHA-256 to the Good and Bad Lists.

    • Added feature to automatically delete old JSONs.

    • Expanded the Live File batching feature to recurse one directory level to detect JSONs.

    • Updated to Java 17.

  • Bug Fixes:
    • Fixed a bug where ‘No data collected for this type’ displayed when data was collected.

    • Fixed a bug where duplicate “Notable” entries were being recorded.

    • Fixed a bug where Cyber Triage failed to shut down completely.

    • Fixed a bug where an incorrect error was thrown when parsing the IE history file.

    • Fixed a bug that caused a client error when the connection to Team Server was momentarily lost.

    • Fixed a bug that did not allow a user to load View File in Directory from a different host.

    • Fixed a bug that caused some malware heuristics to not flag all relevant files.

    • Fixed an inconsistency between the Good List and the Bad List.

    • Updated the error message when the application cannot start due to low disk space.

    • Fixed a bug where Recent Messages were being duplicated in the Team Server edition.

    • Fixed a bug where an error was not being shown when an ingested JSON was corrupted.

    • Fixed a bug where the Multi-Client Incident Name and Description failed to update between clients.

    • Fixed an error where Memory settings were not taking effect after rebooting Cyber Triage from the Options Panel.

    • Fixed a bug where the Memory Allocation panel occasionally showed blank in the Options Panel.

    • Fixed a bug where the user’s memory settings were not transferring over when switching from Client to Team Server mode.

11.4. Ver 3.2.0 (Apr 8, 2022)

  • New Features:
    • Added ability to batch live files, disk images, and memory images for ingest and processing in Team and Standard Pro

    • Team server will no longer reject connections when it is at capacity. It will now save the data to disk and schedule them for processing.

    • Added ability to ingest KAPE VHD output for additional analysis

    • Added ability to export ‘source’ files (registry hives, event logs, etc.) to a local directory

    • Added a dialogue box to alert the user if a new version of Cyber Triage is available

    • Added a link within the application to the Cyber Triage User Guide

    • Calculate SHA-256 for collected files

    • First version to support Standard Pro license

  • Bug Fixes:
    • Fixed an error where a program flagged for “ran from a non-standard path” was displaying twice in the analysis results

    • Fixed an error where occasionally selecting a single entry in the startup items and adding to the good list would cause other items to disappear from the table.

    • Native Image DLLs from .NET will now be given a score of “none” when unsigned to reduce false positives

    • Fixed an issue in Team Server where the hosts panel could freeze if the connection to the server was lost

    • Fixed bug that prevented previous scores and comments from getting saved into correlation database

    • Fixed various bugs in Cyber Triage Lite and enabled web artifact extraction

    • Fixed a bug that caused the info panel to blank when a user right-clicked.

    • Various other minor bug fixes

  • Version 3.2.0 Installer Hash:
    • SHA-256: 8d05492efbd86584e9d030c79d7ed1ee975f250e58867b77dbe7850de786bd3a

11.5. Ver 3.1.1 (Mar 14, 2022)

  • Bug Fixes:
    • Collection tool is now signed (it was not in 3.1.0)

    • Fixed memory leak in main application

    • Fixed issue when collecting from hosts with non-ASCII characters in host name

  • Known Issues:
    • If hostname has non-ASCII characters, then you should use the IP address instead of the hostname for “Live Automatic”

11.6. Ver 3.1.0 (Feb 10, 2022)

  • New Features:
    • Added ability to keyword search all artifact metadata within a host.

    • OS Configuration:
      • Expanded OS Configuration artifacts to have a group and be scored.

      • Collect more settings, such as RDP.

      • Flag if EventLog or Windows Defender are disabled.

      • Flag if EventLog or Windows Defender are enabled, but not running.

      • Provide more context about why OS Configuration settings are important

    • Improved Program Run Performance:
      • Changed the UI so that specific run times are not shown on top.

      • Run times are shown at the bottom and paged.

      • When a “Program Run” is marked as suspicious or bad, only the first and last times will show up in the “mini-timeline”.

    • Improved User Login performance by decreasing memory requirements in pipelines.

    • Added ability to select multiple items and score or export them.

    • Collect PowerShell console history and the Windows UAL file

    • Added ability to add a logo to the HTML report.

    • Added an Offline Mode that suppresses the warning otherwise shown each time the Internet cannot be reached.

    • Added feature to allow you to pick a timezone other than the current one or UTC.

    • New evaluation dashboard with list of options.

  • Bug Fixes:
    • Reduced amount of WMI database processing to improve performance.

    • Encrypted archives are only flagged as suspicious if they are less than 3 months old (to reduce false positives).

    • Fixed false positives associated with Swedish OS Account names.

    • Various other minor bug fixes

  • NOTE: For quality assurance, this release will upload a subset of anonymized artifact metadata to a server to help identify and fix false positives. The data is sanitized and not stored in any way to associate it with where it came from.

11.7. Ver 3.0.2 (Nov 30, 2021)

  • New Features:
    • Collect WofCompressedData files using native APIs.

    • Added creation time and file sizes to various UIs.

  • Bug Fixes:
    • Fixed a ransomware-note bug that could flag the wrong file (one with the same name)

11.8. Ver 3.0.1 (Nov 10, 2021)

  • New Features:
    • Flag Ransomware notes based on known names and heuristics

    • Flag commands that disable volume shadow and Windows backup

    • Added ability to filter OS Accounts based on their actions on the system

    • Detect and mark WOF compressed files (content is still not collected)

    • Added ability to collect only hashes instead of file content to the UI

  • Bug Fixes:
    • Fixed issues with collection from IPv6 hosts

    • Fixed Google Object upload bug

    • Fixed bug about not being able to open Yara rule

    • Fixed issue when deleting multiple hosts.

    • Various other minor bug fixes

11.9. Ver 3.0.0 (Sep 13, 2021)

  • New Features:
    • The backend database was replaced with SQLite and PostgreSQL, using the same schema as Autopsy. This results in better stability.

    • Added ability to delete incidents.

    • Added ability to soft delete hosts. They are not shown in the UI, but the actual data is still retained. This will be improved.

    • All collected data must now be part of an Incident.

    • Collection tool JSON schema changed and is not compatible with v2.

    • Renamed Session to Host.

    • Added host name to the top of each panel (user request)

    • Users are reported as being local or domain

  • Team Changes:
    • More extensive REST APIs exist because clients now connect to the REST API instead of directly to the database

    • Clients must use a Server Key to connect to the REST API.

  • Bug Fixes:
    • Fixed issue where a process would be collected twice

    • No longer create an inferred user from a failed login for an account that didn’t exist

11.10. Ver 2.14.5 (Jun 4, 2021)

  • Fixes:
    • Fixed parsing error with WMI Databases

    • Updated URL to download evaluation data

11.11. Ver 2.14.4 (Apr 15, 2021)

  • New Features:
    • Collect Exchange files from wwwroot for WebShell detection

    • Distribute NSA-based Yara rules to detect web shells related to recent Exchange compromises

    • Added keyboard shortcuts for scoring items.

    • Added --skip_file_contents and --skip_source_file_contents command line arguments to collect only MD5s and not file content.

  • Fixes:
    • Do not flag inferred accounts when there are no local logins. Inferred accounts come from event logs.

    • Support PsExec 2.3 and above

    • Fixed a bug that prevented the Server from stopping when it was run as a Windows server

11.12. Ver 2.14.3 (Mar 1, 2021)

  • New Feature:
    • Temporary S3 Session Tokens can be used.

  • Fixes:
    • Better deal with corrupt compressed JSONs

    • Better UI feedback while encrypted JSONs are being checked

    • Fixed bug that incorrectly reported local login as remote

    • Fixed bugs with parsing some startup items

    • Fixed bug with WMI Action heuristics

    • Fixed Bug showing WMI DB in timeline

    • Collection tool will use different output folder if run from SysWow (via EDR)

11.13. Ver 2.14.2 (Jan 25, 2020)

  • New Features
    • DLLs of running processes are collected

    • Files can be rescanned by new Yara rules and bad lists after initial collection

    • Updated Volatility for Windows 10 19041 Profile

  • Fixes
    • Improved event log parsing performance

    • Fixed bug that prevented S3 uploads on large JSON files

    • Allow new version of PsExec (2.3) to be used.

    • Fix UI refresh issues over RDP

    • Fixed memory issue with large encrypted JSONs

11.14. Ver 2.14.1 (Oct 28, 2020)

  • New Features:
    • S3 Test button uses configured proxy

    • Collection tool can use proxy for S3 using configuration file

    • Added CSV and JSONL incident-level reporting

  • Bug Fixes:
    • Changed JMX to not listen for remote connections and require TLS.

    • Fixed bug with Team options panel

    • Fixed HTML incident-level reporting

11.15. Ver 2.14.0 (Oct 7, 2020)

  • New Features:
    • Collection Tool output can now be encrypted using AES

    • Collection Tool output is now compressed when saved to local file

    • Collection Tool output can be uploaded to S3 bucket

    • Yara rules are applied to memory images using Volatility

    • The Event Log Id is displayed in the UI

    • Session files are no longer deleted after they are imported

    • When evaluating, a session can be automatically created with evaluation data.

  • Bug Fixes:
    • Faster processing of systems with a large number of user accounts and logins.

    • Fixed UI rendering issues from font scaling

    • Partial files are collected when read errors occur (most often occurs with event logs that use NTFS compression)