Adding SIFT and REMnux to your Windows Forensics environment

I’ve been a fan of the SIFT Linux distribution from my very first SANS class. I think back then Ed Skoudis was teaching Nmap subnetting on an abacus, but still it’s been a loyal companion ever since. I’ve got an archive of all the distributions (with their class specific tweaks) from all the courses I’ve […]

Collecting from Microsoft Teams using PowerShell

There are two means by which to ingest Microsoft Teams information into Magnet Axiom for processing. The first approach uses Axiom Process. If you’re collecting in this manner you will need to have the credentials of the user you are collecting from. Axiom will use those credentials to log into O365 and retrieve the user’s […]

Questions from the Webcast

Recently my session on PowerShell Tools for IR Forensics Collection was re-broadcast by Magnet Forensics. During the event there were a few questions and I thought I’d share my responses here. If you missed the presentation, just look to the previous post and you’ll find a link for YouTube. Does the CSIRT script check for […]


A PowerShell script to collect memory and (triage) disk forensics for incident response investigations There’s a number of tools that support a one-to-many remote operation capability. However, not all organizations have that level of capability. I’ve also seen that in some large organizations how things are designed to work with remote assets, and how they […]

Getting Started with a PowerShell Menu

We’re often using PowerShell within the Incident Response team. I’m a big practitioner of spending 5 hours coding something to automate a 5 minute job. At first the math may not compute, but when that 5 minute job may be requested hundreds of times – and with it scripted it takes 30 seconds… that’s where […]

Forensic Imaging a Microsoft Surface Pro

Pre-Requisites: 4-port USB hub Flash Drive (Paladin bootable) – created with unetbootin – USB hard drive for evidence collection, minimum 1.5x capacity of device being imaged Keyboard Mouse *Keyboard/mouse can be either wired USB or one that leverages an RF dongle. (no Bluetooth) UEFI Configuration: Make sure the device is fully powered down (not in standby […]

Magnet Weekly CTF, Week 12 Solution Walk Through

The final challenge (#12) – Part 1: What is the PID of the application where you might learn “how hackers hack, and how to stop them”? Format: #### Warning: Only 1 attempt allowed! The first thing I did was open the memdump file in HxD Hex Editor. A quick search found several hits. I considered […]

Magnet Weekly CTF, Week 11 Solution Walk Through

Challenge 11, Part 1: What is the IPv4 address that resolves to? I was able to find this pretty quick going back to last week’s artifacts. In week 10, I used bulk_extractor to carve a PCAP out of the memory image. Opening the same PCAP file I applied a String filter for ‘myaccount’. In […]

Magnet Weekly CTF: Week 10 Solution Walk Through

This weeks challenge was another round of memory forensics. As with the previous weeks challenge most* of my solves were done using a REMnux VM. REMnux includes both Volatility 2.61 (SSL support deprecated) and the beta of Volatility 3. Challenge 10, Part 1: At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was […]


Something went wrong. Please refresh the page and/or try again.

Follow My Blog

Get new content delivered directly to your inbox.