Software Update: Cyber Triage 3.0


Version 3.0 of Cyber Triage has been released. This program analyzes computers and collects evidence when a computer has been the target of a cyber attack. Brian Carrier is one of the people behind Cyber Triage; we know him from Autopsy and The Sleuth Kit, among others. Incidentally, the program originated as a module for Autopsy, later became a standalone product, and steps have now been taken to make the two work together better. Below is an overview of the most important changes in version 3.0.

New Database

The main event of 3.0 is the new database. Cyber Triage now uses the same relational database as Autopsy. As we outlined in the last blog post, this required Cyber Triage to push some features back into the last Autopsy release. We’ll talk about all of the things this new database enables later, but let’s first go over some of the core concepts of the new database approach based on the different versions:

  • the standard version relies on SQLite for all of its databases.
  • the Team version can operate with either SQLite or PostgreSQL. SQLite is easiest to deploy because everything is embedded, but it has performance limitations. Alternatively, a PostgreSQL server can be installed on either the same host as the Cyber Triage Server or a dedicated host (or cloud service). The User’s Guide helps you pick between these models.

Regardless of version or database type, Cyber Triage adopted Autopsy’s model of many small databases instead of one big monolithic one. A new database is created for each incident, and a single separate database stores the attributes that get correlated on. This makes it easy to segment and archive data.

Everything Is Part of an Incident

A side effect of the new design is that any time you add a host to Cyber Triage, you need to first create an incident. Previously, adding a host to an incident was optional. It’s not a big change, but it does slightly change the process. You’ll first make an incident using either the default or an explicit name.

You’ll next be brought to the incident dashboard and should pick “Add New Host”. Then it’s the same process as before and you pick how you want to get data from the endpoint into Cyber Triage (though we did slightly change the name and ordering based on user feedback). This panel allows you to either send the collection tool out over the network to the live host, import live data from a USB drive or S3 bucket, or bring in an image.

Data Deletion!

Want to know what our most embarrassing customer support question was?
Customer: How can I delete data I just added into your application?
Support: Sorry, you can’t.
I always hated that response, but it was a side effect of our database setup. That limitation is now gone: in 3.0, you can delete an entire incident or a single host within an incident!
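The two passages above (one database per incident plus one shared correlation database, and deletion of a whole incident or a single host) describe a storage layout rather than code. The following Python sketch is an added illustration of that layout using SQLite; it is not Cyber Triage’s own schema or code, and the file names, table names, artifact kind and sample hash are all constructed for the example.

```python
# Added illustration of the "many small databases" layout: one SQLite file
# per incident plus one shared database holding only the attributes that are
# correlated across incidents. Constructed example, not Cyber Triage's schema.
import sqlite3
import tempfile
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def _db(path):
    """Open a SQLite file, commit on success, roll back on error, always close."""
    con = sqlite3.connect(path)
    try:
        with con:
            yield con
    finally:
        con.close()


class CaseStore:
    """Per-incident SQLite databases plus one central correlation database."""

    def __init__(self, root):
        self.root = Path(root)
        (self.root / "incidents").mkdir(parents=True, exist_ok=True)
        self.corr_path = self.root / "correlation.db"
        with _db(self.corr_path) as con:
            # Only correlatable attributes live here, each pointing back to
            # the incident and host that produced it.
            con.execute(
                "CREATE TABLE IF NOT EXISTS attributes ("
                "kind TEXT, value TEXT, incident TEXT, host TEXT, "
                "PRIMARY KEY (kind, value, incident, host))"
            )

    def _incident_path(self, incident):
        return self.root / "incidents" / f"{incident}.db"

    def create_incident(self, incident):
        path = self._incident_path(incident)
        if path.exists():
            raise ValueError(f"incident {incident!r} already exists")
        with _db(path) as con:
            con.execute("CREATE TABLE hosts (name TEXT PRIMARY KEY)")
            con.execute("CREATE TABLE artifacts (host TEXT, kind TEXT, value TEXT)")
        return path

    def add_host(self, incident, host):
        with _db(self._incident_path(incident)) as con:
            con.execute("INSERT INTO hosts VALUES (?)", (host,))

    def add_artifact(self, incident, host, kind, value):
        """Record the artifact in the incident DB and index it centrally."""
        with _db(self._incident_path(incident)) as con:
            con.execute("INSERT INTO artifacts VALUES (?, ?, ?)", (host, kind, value))
        with _db(self.corr_path) as con:
            con.execute("INSERT OR IGNORE INTO attributes VALUES (?, ?, ?, ?)",
                        (kind, value, incident, host))

    def correlate(self, kind, value):
        """Where else has this attribute been seen? Answered from one small DB."""
        with _db(self.corr_path) as con:
            return con.execute(
                "SELECT incident, host FROM attributes WHERE kind=? AND value=? "
                "ORDER BY incident, host", (kind, value)).fetchall()

    def delete_host(self, incident, host):
        """Remove one host's rows from its incident and from the shared index."""
        with _db(self._incident_path(incident)) as con:
            con.execute("DELETE FROM artifacts WHERE host=?", (host,))
            con.execute("DELETE FROM hosts WHERE name=?", (host,))
        with _db(self.corr_path) as con:
            con.execute("DELETE FROM attributes WHERE incident=? AND host=?",
                        (incident, host))

    def delete_incident(self, incident):
        """Deleting an incident is a file removal plus a cleanup of the index."""
        self._incident_path(incident).unlink()
        with _db(self.corr_path) as con:
            con.execute("DELETE FROM attributes WHERE incident=?", (incident,))

    def list_incidents(self):
        return sorted(p.stem for p in (self.root / "incidents").glob("*.db"))


def demo(root=None):
    """Constructed walkthrough: two incidents that share one suspicious hash."""
    store = CaseStore(root or tempfile.mkdtemp())
    store.create_incident("inc-2021-001")
    store.create_incident("inc-2021-002")
    store.add_host("inc-2021-001", "ws-17")
    store.add_host("inc-2021-002", "srv-db01")
    h = "sha256:" + "ab" * 32  # constructed sample value, not a real indicator
    store.add_artifact("inc-2021-001", "ws-17", "file_hash", h)
    store.add_artifact("inc-2021-002", "srv-db01", "file_hash", h)
    seen_before = store.correlate("file_hash", h)
    store.delete_host("inc-2021-001", "ws-17")
    after_host_delete = store.correlate("file_hash", h)
    store.delete_incident("inc-2021-002")
    return seen_before, after_host_delete, store.list_incidents()


if __name__ == "__main__":
    print(demo())
```

The point of the split is visible in `correlate` and `delete_incident`: a cross-incident question is answered from the single small index, while archiving or deleting an incident is a file operation plus a cleanup of that index, with no risk of touching another incident's data.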

Same Analysis Features

The main theme of 3.0 was the new backend. It has the same scoring analytics and recommendation engine that make the analysis more efficient. After the data is added, you’ll have the same experience as before. We’ll soon be bringing in new analytical features!

REST APIs

If you are a Team customer, there are now more REST APIs that can be used to access data from within Cyber Triage. Previously, clients would connect directly to the database and the REST API on the server was only for integrations with SIEM/SOAR systems. Now, clients connect to the REST APIs and that means other systems can also access those APIs.

Version number: 3.0
Release status: Final
Operating systems: Windows 7, Windows 8, Windows 10
Website: Basis Technology
File size: 259.60MB
License type: Freeware/Paid