Pipe Notes

I’ve been on leave for surgery recovery for the past week with another one to five more to come. The office/lab has converted nicely to a recovery room. Needless to say there hasn’t been a lot of DFIR going on. The requirement to be as sedentary as possible has given me good time to focus […]

Play it Again Sam – A Recap of MUS 2022

I had a wonderful time participating in the Magnet User Summit, both in person and virtually. After 2 years of participating virtually, it was my first time attending the Summit in person. It was great to meet for the first time in person, not just many of my coworkers, but many of the regulars in […]

Swag for Charity

You can now get Baker Street Forensics swag, everything from shirts and stickers to onesies and pillows. I’m especially fond of the notebooks. I worked with a number of independent artists to commission a few new logo designs. This is where I need your help. What’s your favorite of the designs? The winner will be […]

CSIRT-Collect Summit Edition

Just in time for the 2022 Magnet User Summit and my presentation on FREE Tools for DFIR Triage Collections, an updated release (v3.1) of CSIRT-Collect. Special thanks to Kevin Pagano for contributing. You can register for my talk Free Tools for DFIR Triage Collections here.

DIY Home Network Rack – the Lack Rack

I’ve got an abundance of equipment in my home office/lab. I’d been contemplating doing a rack setup for a while but all of the options I was looking at were above budget for what I wanted to spend. Also, while I liked the idea of the functionality of a rack I wasn’t too keen on […]

Summit Bound

January 2020, the last time I had work related travel, seems like an eon ago. Later that year I had planned my first attendance at the Magnet User Summit in Nashville. Then COVID entered the scene and every event going forward for me was remote only. Don’t get me wrong, I’m an introvert and being […]

QuickPcap – Capturing a PCAP with PowerShell

Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients. The star of the show is netsh trace, which is built into Windows. If we wanted […]

Using WSL Profiles for Frequent Applications

Windows Subsystem for Linux (WSL) adds a lot of capability and convenience for running DFIR applications on a Windows host. Previously I wrote about how to add a SIFT/REMnux Ubuntu distribution to WSL. Another tip I’d like to share with you is setting up separate profiles for frequently used applications. Volatility is one of the […]


CSIRT-Collect USB can be found in the main repository for CSIRT-Collect. CSIRT-Collect is a PowerShell script to collect memory and (triage) disk forensics for incident response investigations. CSIRT-Collect USB is designed to run directly from a USB device. While a network deployment certainly supports automation, as an Incident Responder I can think of several examples […]

Adding RAM collections to KAPE Triage

If you’re utilizing KAPE to collect triage collections, are you also collecting a RAM image with the operating system artifacts? Included in the Modules section of KAPE there are three modules that can create a RAM image. The modules for DumpIt and Winpmem have been available for a while. (I wrote the DumpIt module and Eric […]

