Just two more weeks to the Magnet Virtual Summit 2025! If you’ve been procrastinating on registering, don’t miss out. It’s completely free! The conference is scheduled for February 10th through the 14th.
I’m excited to present two talks this year. The first one is titled “Unlocking DFIR: Free Resources for Efficient Triage and Acquisition.” In this talk, I’ll cover free triage acquisition solutions for Windows, Mac, and Linux.
The second talk is called “Zen & the Art of Digital Forensics: Enhancing Insight through Mindfulness.” In this talk, I’ll explore how applying Zen principles like mindfulness, non-attachment, and the ‘beginner’s mind’ can lead to improved investigations and mental well-being.
I’m excited to share with you a new script I’ve written, Magnet RESPONSE PowerShell.
Magnet RESPONSE is a free tool from Magnet Forensics that makes it easy for investigators as well as non-technical operators to collect triage collections quickly and consistently.
Released initially as a GUI tool for law-enforcement investigators, it’s a single executable that requires no installation. The available command line syntax also makes it very flexible for enterprise use.
So what do I do when there’s a command line interface available? I PowerShell the hell out of it.
If you’ve been following my CyberPipe project, you’ll definitely want to check this one out.
MagnetRESPONSEPowerShell.ps1
Functions:
💻 Capture specified triage artifacts using profiles with Magnet RESPONSE,
🐏 Capture a memory image with DumpIt for Windows or Magnet RAM Capture,
💾 Save all artifacts, output, and audit logs to network drive.
Requirements:
Web server where you can host MagnetRESPONSE.zip that’s accessible to endpoints.
File server repository to save the file collections to.
Please note this is not a Magnet supported product. This script is open source. If you have comments, updates, or suggestions – please do so here or on GitHub via discussion or pull request.
There are two areas of the script for you to customize.
The Variable Setup contains the case identification and the file server and web server locations.
The second section, Collection Profiles, defines which artifact groups you want to collect. You can see all the options available in the Magnet RESPONSE CLI Guide.
VARIABLE SETUP
$caseID = "demo-161" # no spaces
$outputpath = "\\Server\Share" # Update to reflect output destination.
$server = "192.168.4.187" # "192.168.1.10" resolves to http://192.168.1.10/MagnetRESPONSE.zip
COLLECTION PROFILES
Within the script we need to have at least one set of collection arguments defined. In this case I’ve built multiple profiles; you simply un-comment one to mark that profile as active. You only want to have one profile enabled at a time. You can design your own collection profiles using any of the available CLI options; just follow the format below.
Once your environment and collection variables are defined, go ahead and run the script on your endpoints. Every host that executes the script will download RESPONSE from the web server, run the specified collection profile, and then save the output to the file server. All data defined in the collection profile will be collected and organized by case name, hostname, and timestamp of collection in the central location. The returned files can be examined manually, using open source tools, or with products like Magnet AXIOM Cyber.
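To make the flow concrete, here is an added example of the download / collect / save sequence described above, written for this post and not taken from MagnetRESPONSEPowerShell.ps1 or from Magnet Forensics. It reuses the post’s variable names ($caseID, $outputpath, $server) and the case \ hostname \ timestamp layout. The RESPONSE switches themselves are not shown on this page, so $collectionArgs is a placeholder to be filled from the Magnet RESPONSE CLI Guide; the local staging folder, the executable name pattern, the audit log name and the optional SHA256 check of the downloaded zip are all assumptions of this example. The memory-capture step (DumpIt / RAM Capture) is left out.

```powershell
#Requires -RunAsAdministrator
# Added example of the collection flow; not the script from the post.

# --- Variable setup (same names as the post) ---
$caseID     = "demo-161"          # no spaces
$outputpath = "\\Server\Share"    # file server repository for collections
$server     = "192.168.4.187"     # web server hosting MagnetRESPONSE.zip

# --- Collection profile (only one active at a time) ---
# Placeholder: the actual switches come from the Magnet RESPONSE CLI Guide.
# Include RESPONSE's output-location option pointed at $collectionDir below.
$collectionArgs = "<RESPONSE CLI options from the CLI Guide>"

# Optional: known-good SHA256 of MagnetRESPONSE.zip (assumed; $null disables the check)
$expectedZipHash = $null

# --- Derived locations: <share>\<case>\<hostname>_<timestamp> ---
$hostname      = $env:COMPUTERNAME
$timestamp     = Get-Date -Format "yyyyMMdd_HHmmss"
$collectionDir = Join-Path $outputpath "$caseID\${hostname}_$timestamp"
$workDir       = Join-Path $env:SystemDrive "MagnetRESPONSE"   # local staging folder (assumed)
$zipUrl        = "http://$server/MagnetRESPONSE.zip"
$zipPath       = Join-Path $workDir "MagnetRESPONSE.zip"
$auditLog      = Join-Path $collectionDir "audit.log"           # log name assumed

function Write-Audit {
    param([string]$Message)
    "$(Get-Date -Format o) host=$hostname case=$caseID $Message" | Add-Content -Path $auditLog
}

# 1. Sanity checks before touching the endpoint
if ($caseID -match '\s') { throw "caseID must not contain spaces: '$caseID'" }
if (-not (Test-Path -Path $outputpath)) { throw "File server share not reachable: $outputpath" }
New-Item -ItemType Directory -Path $workDir, $collectionDir -Force | Out-Null
Write-Audit "start args=$collectionArgs"

try {
    # 2. Pull RESPONSE from the web server and verify it before unpacking
    Invoke-WebRequest -Uri $zipUrl -OutFile $zipPath -UseBasicParsing
    if ($expectedZipHash) {
        $actual = (Get-FileHash -Path $zipPath -Algorithm SHA256).Hash
        if ($actual -ne $expectedZipHash.ToUpper()) {
            throw "MagnetRESPONSE.zip hash mismatch: expected $expectedZipHash, got $actual"
        }
    }
    Expand-Archive -Path $zipPath -DestinationPath $workDir -Force
    $exe = Get-ChildItem -Path $workDir -Filter 'MagnetRESPONSE*.exe' -Recurse |
           Select-Object -First 1
    if (-not $exe) { throw "RESPONSE executable not found under $workDir" }

    # 3. Run the active collection profile and wait for it to finish
    $proc = Start-Process -FilePath $exe.FullName -ArgumentList $collectionArgs `
                          -Wait -PassThru -NoNewWindow
    Write-Audit "finished exit=$($proc.ExitCode) exe=$($exe.Name)"
    if ($proc.ExitCode -ne 0) { throw "RESPONSE exited with code $($proc.ExitCode)" }
}
catch {
    Write-Audit "error $($_.Exception.Message)"
    throw
}
finally {
    # 4. Remove the staging folder so the tool does not linger on the endpoint
    Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

Run it per host (for example via your existing remote-execution channel); each run lands in its own folder under the case on the share, and audit.log records what was executed and its exit code so the collection can be accounted for later.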
If you’d like to learn more about the script, and how I integrated it with AXIOM Cyber and Magnet AUTOMATE, you can register for my webcast, Responding at Scale with Magnet RESPONSE. I hope to see you there.
On August 2, join me on behalf of Magnet Forensics, to learn how to build your own ‘Windows to Go’ drive to support offline collections with Magnet OUTRIDER & Magnet ACQUIRE, as well as free tools for live collections like Magnet RESPONSE, Magnet DumpIt, & Magnet RAM Capture. Registration link below.
If you’re looking for the hard drive referenced in the talk: [amazon] Samsung T7 SSD
I had a wonderful time participating in the Magnet User Summit, both in person and virtually. After 2 years of participating virtually, it was my first time attending the Summit in person. It was great to meet for the first time in person, not just many of my coworkers, but many of the regulars in my Twitter stream as well. What a gathering of brilliant, yet equally humble, investigators.
During the Summit I participated on a panel about Bringing your Forensics Lab to the Cloud. I also had fun co-presenting on two talks, Walkthrough of a BEC (Business Email Compromise) and Walkthrough of a Ransomware Investigation, where we looked at the examinations from a Law Enforcement and from a corporate perspective.
There was the surreal moment of realizing that the boss doesn’t just rock, he ROCKS!
This year there was an in-person and a virtual CTF with separate evidence and challenges. For the in-person CTF we examined a Linux laptop and an iPhone. Also, the long anticipated Dark Mode is a treat for the retinas.
For the virtual CTF the evidence sources were a Windows image, an Android mobile device, and a Google TakeOut. I surprised myself with how well I did on the Android, as that hasn’t been my area of expertise.
During the virtual summit I enjoyed sharing my presentation, Free Tools for DFIR Triage Collections. Special thanks to everyone who engaged with me during and after the presentations, and from all different time zones. Your support was very much appreciated. If you missed it during the Summit or want to watch it again, you can head over to the Presentations page.
You can also check out all the other recorded presentations from the 2022 Magnet User Summit via the link below.