Posts

NSRL Query from the Command Line

In digital forensics, we’re frequently trying to separate the signal from the noise. When examining operating systems (including mobile), it can be helpful to know which files came with the operating system. By filtering those out, we can concentrate on what’s new on the device as we start looking for activity. The National Software…

BakerStreetForensics – 2022 Year in Review

Happy New Year to all the readers. 2022 was a handful, but there were a lot of things to celebrate. I completed my first full year as an employee of Magnet Forensics. Between the people I work with, and the satisfaction of the mission, I couldn’t be happier with where I’m at. The first blog…

Mal-Hash.ps1 (v1.3 Update)

I’ve made some updates to the Mal-Hash PowerShell script. Most notable is that the script now works (via PowerShell) on Windows, Mac and Linux. The script takes a file as input, calculates its hashes (MD5, SHA1, SHA256), and then submits the hash to Virus Total for analysis. The script will also run Strings against…

Group collections from O365 with PowerShell

If you’re working in or responding to an O365 environment, there are plenty of occasions where you need to search and collect from multiple O365 custodians at the same time. While the experience of the Security & Compliance Center has improved over the years, I still find it inefficient for creating larger collections, especially when…

Mal-Hash – interacting with Virus Total API via PowerShell

Virus Total started in 2004 as a free service to analyze files and URLs for malicious behavior. In 2012 Virus Total (VT) was acquired by Google. Virus Total can provide a wealth of information for the nascent investigator, though OpSec should remain a concern. It’s rare to be in a security class where Virus Total…

Lack Rack part III: the Final chapter

If you caught the last blog installment, you’ve seen that I’m a big proponent of the Steve Jobs “one more thing” methodology. To ‘finish out’ (as if) the rack design, I’ve made two more modifications. The first was reversing the switch positioning and doing some OCD-level cable maintenance. The last, and the pièce de résistance…

Lack Rack Updates

I have a tendency for DIY projects to never be finished. Actually that’s not entirely true. I finish them, but then I continue to build/expand on them. This has been true of many elements of my home office since moving to our home two years ago. A few months back I posted my DIY network…

Magnet 2022 CTF – iOS15

One of the evidence items during the 2022 Magnet User Summit CTF was a full file system extraction of an iPhone running iOS 15. Recently, the CTF creators made the evidence (and corresponding challenge questions) available at CyberDefenders.org. You can register for a free account and then download the evidence. There are several recommended tools listed…

AXIOM, YARA, GitHub – Oh My!

Version 6 of Magnet AXIOM added support for YARA rules. By default, the installation ships with the free open-source YARA rules from Reversing Labs. These YARA rules may be updated within AXIOM periodically. In addition to the included rules, AXIOM supports adding your own YARA source folders. If you need to update the included rules…
