HTCIA International Conference

I had the fortunate opportunity of presenting to the 2021 HTCIA (High Tech Crime Investigators Association) this week. I’d originally hoped to attend in person but we’ve still got travel restrictions in place so it was virtual attendance for me. There was a lot of good speakers and content through the week (triggering my imposter […]

Forensic Imaging Station – Steampunk Edition

I’ve worked remotely for the past 6 years which means I spend a lot of time in my home office.  Last year we moved into a new house with much better space for my office, and I’ve been shaping it more and more to my tastes. I do a lot of forensic imaging. I’ve got […]

Adding SIFT and REMnux to your Windows Forensics environment

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve […]

Collecting from Microsoft Teams using PowerShell

There are two means by which to ingest Microsoft Teams information into Magnet Axiom for processing. The first approach uses Axiom Process. If you’re collecting in this manner you will need to have the credentials of the user you are collecting from. Axiom will use those credentials to log into O365 and retrieve the user’s […]

Questions from the Webcast

Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here. If you missed the presentation, just look to the previous post and you’ll find a link for YouTube. Does the CSIRT script check for […]


A PowerShell script to collect memory and (triage) disk forensics for incident response investigations There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they […]

Getting Started with a PowerShell Menu

We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where […]

Forensic Imaging a Microsoft Surface Pro

Pre-Requisites: 4-port USB hub Flash Drive (Paladin bootable) – created with unetbootin – USB hard drive for evidence collection, minimum 1.5x capacity of device being imaged Keyboard Mouse *Keyboard/mouse can be either wired USB or one that leverages an RF dongle. (no Bluetooth) UEFI Configuration: Make sure the device is fully powered down (not in standby […]

Magnet Weekly CTF, Week 12 Solution Walk Through

The final challenge (#12) – Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! The first thing I did was open the memdump file in HxD Hex Editor. A quick search found several hits. I considered […]


Something went wrong. Please refresh the page and/or try again.

Follow My Blog

Get new content delivered directly to your inbox.