QuickPcap – Capturing a PCAP with PowerShell

Earlier today I was asked for a ‘quick and easy’ PowerShell to grab a packet capture on a Windows box. I didn’t have anything on hand so I set off to the Google and returned with the necessary ingredients. The star of the show is netsh trace, which is built into Windows. If we wanted […]

Using WSL Profiles for Frequent Applications

Windows Subsystem for Linux (WSL) adds a lot of capability and convenience for running DFIR applications on a Windows host. Previously I wrote about how to add a SIFT/REMnux Ubuntu distribution to WSL. Another tip I’d like to share with you is setting up separate profiles for frequently used applications. Volatility is one of the […]


CSIRT-Collect USB can be found in the main repository for CSIRT-Collect. CSIRT-Collect is a PowerShell script to collect memory and (triage) disk forensics for incident response investigations. CSIRT-Collect USB is designed to run directly from a USB device. While a network deployment certainly supports automation, as an Incident Responder I can think of several examples […]

Adding RAM collections to KAPE Triage

If you’re utilizing KAPE to collect triage collections, are you also collecting a RAM image with the operating system artifacts? Included in the Modules section of KAPE there are three modules that can create a RAM image. The modules for DumpIt and Winpmem have been available for a while. (I wrote the DumpIt module and Eric […]

VS Code Interactive Notebooks

I’ve been using Visual Studio Code as my go-to editor for PowerShell, JSON, plain text, and recently even a dash of Python. VS Code is very extensible and much like the App Stores we’ve come to know, there’s an extension marketplace to broaden its capabilities. One of my favorite extensions is the .NET Interactive […]

HTCIA International Conference

I had the fortunate opportunity of presenting to the 2021 HTCIA (High Tech Crime Investigators Association) this week. I’d originally hoped to attend in person but we’ve still got travel restrictions in place so it was virtual attendance for me. There were a lot of good speakers and content through the week (triggering my imposter […]

Forensic Imaging Station – Steampunk Edition

I’ve worked remotely for the past 6 years which means I spend a lot of time in my home office. Last year we moved into a new house with much better space for my office, and I’ve been shaping it more and more to my tastes. I do a lot of forensic imaging. I’ve got […]

Adding SIFT and REMnux to your Windows Forensics environment

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve […]

Collecting from Microsoft Teams using PowerShell

There are two means by which to ingest Microsoft Teams information into Magnet Axiom for processing. The first approach uses Axiom Process. If you’re collecting in this manner you will need to have the credentials of the user you are collecting from. Axiom will use those credentials to log into O365 and retrieve the user’s […]

Questions from the Webcast

Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here. If you missed the presentation, just look to the previous post and you’ll find a link for YouTube. Does the CSIRT script check for […]
