Category: Rust

The Game Is Afoot: Introducing the MalChela Video Series

DFIR, Malware, Memory Analysis, MITRE ATT&CK, REMnux, Rust, SIgma, Triage, yara

There’s a moment every analyst knows — the one where an unknown file lands on your desk and the clock starts ticking. You need answers, and you need them fast. MalChela was built for exactly that moment.

Today I’m excited to announce the MalChela Video Series on YouTube — a growing collection of tutorial episodes walking through real malware analysis workflows using MalChela, the open-source Rust-based toolkit I’ve been building for the DFIR community. Whether you’re new to the tool or already running it in your lab, there’s something here for you.

Four episodes are available right now in the playlist.

What’s in the Playlist

Ep0 | Installation & First Run

Every case starts somewhere. Episode 0 is your onboarding — installing MalChela, walking through its dependencies, and getting oriented with both the CLI and GUI modes. If you’ve been curious about the tool but weren’t sure where to start, this is the episode to bookmark.

Ep1 | First Contact: Hash, Inspect, Identify

You’ve just been handed a suspicious file. What do you do first?

This episode covers the first three tools in a malware triage workflow — the exact sequence I reach for every time I encounter an unknown file:

  • hashit — generate MD5, SHA1, and SHA256 hashes to protect chain of custody and enable deduplication
  • fileanalyzer — static inspection: entropy analysis, PE header fields, compile timestamps, and import tables
  • malhash — simultaneous lookup against VirusTotal and MalwareBazaar to identify known malware families

By the end of this episode, you’ll take an unknown file from zero to confirmed malware family identification in under five minutes — no sandboxing required.

Ep2 | From Strings to Signatures

Continuing from Episode 1, we go deeper into the confirmed RedLine info-stealer sample using mStrings — MalChela’s string extraction engine. Unlike the traditional strings utility, mStrings runs every extracted string through a detection ruleset and MITRE ATT&CK mapping layer simultaneously, turning raw output into actionable intelligence.

We walk through 62 detections, including PDB path artifacts, hard-coded dropper filenames, WMI queries, credential harvesting patterns, anti-debug checks, and a code injection setup. We then feed the extracted IOCs into Strings2YARA to auto-generate a structured YARA rule — and confirm it fires against the sample using File Analyzer.

By the end, you’ll be reading a malware file not as a pile of strings, but as a window into the attacker’s tradecraft.

Ep3 | REMnux Mode & Custom Tools

MalChela doesn’t work in isolation. Episode 3 covers how to extend the toolkit through the tools.yaml config file and how enabling REMnux mode surfaces an entire distro’s worth of malware analysis utilities directly within MalChela’s interface.

We also explore three built-in integrations: Volatility 3 with a dynamic plugin builder, T-Shark with a searchable reference, and YARA-X — a faster, Rust-native rewrite of YARA.

What’s Coming

The series is ongoing. Future episodes will push further into advanced workflows — think directory-scale triage, corpus management, and the AI-assisted analysis capabilities introduced in MalChela’s MCP integration. Stay subscribed and you won’t miss them.

Get Involved

If MalChela is useful in your work, the best thing you can do is help spread the word:

  • 📺 Subscribe to the YouTube channel — Subscribe to the channel and save the playlist so you don’t miss new episodes as they land.
  • 📖 Follow Baker Street Forensics — Writeups, major releases, and workflow deep dives live here.
  • 💬 Share and comment — If an episode clicks for you, pass it along to a colleague or drop a comment on the video. That feedback genuinely shapes what comes next.

The game is afoot. Let’s get to work.

MalChela is open-source and freely available. Find the project on GitHub.

2025 Year in Review: Open Source DFIR Tools and Malware Analysis Projects

DFIR, Forensics, Mac, Malware, MITRE ATT&CK, PowerShell, Python, Raspberry Pi, Rust, SIgma, Triage, USB, yara

As 2025 draws to a close, I’m taking a moment to reflect on what turned out to be one of my most productive years in code. From major releases to entirely new projects, this year saw significant evolution across my DFIR toolkit—driven by real-world incident response needs, classroom teaching experiences, and late-night tinkering sessions fueled by good bourbon and better puzzles.

What started as continuing work on CyberPipe evolved into a year of substantial innovation: creating MalChela for YARA and malware analysis, building a portable Raspberry Pi forensics platform, developing automated timeline generation workflows, and crafting specialized utilities that solve specific problems I encountered in the field. Each tool represents not just lines of code, but practical solutions to challenges that digital forensics and incident response professionals face daily.

Whether you’re a seasoned forensic analyst, an incident responder building your toolkit, or a student just getting started in DFIR, my hope is that these open-source projects make your work a little easier and a lot more efficient. All tools remain freely available on GitHub, because I believe the best way to advance our field is to share knowledge and capabilities openly.

Here’s what kept me busy in 2025:

MalChela – YARA & Malware Analysis Toolkit (Rust)

My flagship project that evolved significantly throughout 2025:

  • March: Initial release – Combined 10 programs into one Rust workspace for YARA and malware analysis
  • May: v2.1 – Added smoother workflows, better third-party tool integration, and enhanced argument handling
  • May: v2.2 “REMnux Release” – Native support for REMnux, integrations with Volatility3, Tshark, YARA-X
  • June: v3.0 – Major update introducing Case Management system, FileMiner (replacing MismatchMiner), and tool suggestion capabilities based on file characteristics
  • July: v3.0.1 – Refinements to mStrings, improved MITRE mappings, “Select All” functionality, optimizations for running on Toby
  • August: v3.0.2 – Enhanced threat hunting with MITRE ATT&CK technique lookup

MalChela at a Glance

  • Rust-based malware analysis toolkit combining YARA scanning, file analysis, hash generation, string extraction with MITRE ATT&CK mapping, and automated malware sample extraction from password-protected archives 
  • Multiple specialized utilities including mzhash/xmzhash for corpus generation, file type mismatch detection, entropy analysis, PE structure examination, and fuzzy hashing capabilities 
  • Integrated threat intelligence with VirusTotal and Malware Bazaar API support, NSRL database queries for known-good file filtering, and Sigma rule application for IOC identification 
  • Case management system (v3.0) featuring unified tracking of files, tools, and notes in case.yaml format with auto-saved outputs, tagging, search functionality, and VS Code integration 
  • Extensible architecture supporting custom tool integration via tools.yamlconfiguration, enhanced support for Volatility 3, TShark, and YARA-X, with both GUI and CLI modes (WSL2-compatible on Windows)
  • Complete documentation embedded as PDF or online
MalChela v3.0: Case Management, FileMiner, and Smarter Triage

https://github.com/dwmetz/MalChela

CyberPipe – Incident Response Collection Tool (PowerShell)

Continued evolution of the enterprise digital evidence collection script:

  • May: v5.1 – Streamlined profiles with better flexibility, customizable collection profiles
  • October: v5.2 – Improved collection methods with dual disk space validation, SHA-256 hashing of artifacts, single-file reporting, network collection simplification
  • November: v5.3 – Critical PowerShell 5.1 compatibility fixes, dual validation logic, enhanced reliability across all PowerShell environments
CyberPipe v5.3: Enhanced PowerShell Compatibility and Reliability

https://github.com/dwmetz/CyberPipe

CyberPipe-Timeliner ✱New✱ (PowerShell)

  • NovemberCyberPipe-Timeliner – New companion project to CyberPipe that automates the workflow from Magnet Response collections to unified forensic timelines using Eric Zimmerman’s EZ Tools and ForensicTimeliner
CyberPipe-Timeliner: From Collection to Timeline in One Script

https://github.com/dwmetz/CyberPipe-Timeliner

Toby – Portable Raspberry Pi Forensics Toolkit

  • July: Released Toby – A compact forensics toolkit built on Raspberry Pi Zero 2 W running customized Kali Linux, designed for headless operation via SSH/VNC, perfect for field analysis and malware triage
Portable Forensics with Toby: A Raspberry Pi Toolkit

Toby-Find

  • JulyToby-Find – Terminal-based command-line helper tool for discovering CLI forensics tools in KALI and REMnux environments, created initially for university teaching
Toby-Find: Simplifying Command-Line Forensics Tools

https://github.com/dwmetz/Toby

Crabwise – USB Device Benchmark Utility (Rust)

  • August: Released Crabwise – A lightweight USB benchmarking tool that measures true read/write speeds of USB devices for forensic workflows. Tests write throughput with pseudo-random data and read performance under uncached conditions. Includes logging functionality to track performance across different cables, hubs, and connection paths, helping forensic investigators optimize their hardware setups.
Is your USB device slowing down your forensic investigation?

https://github.com/dwmetz/Crabwise

Toolbox Utilities – Specialized Python and Bash Scripts

Standalone tools maintained in the Toolbox repository:

  • OctoberCoreBreaker.py – Breaks large yara-rules-core files into smaller .yar files for tool ingestion
  • OctoberEtTu.py – Caesar cipher brute force decoder (created for Murdle puzzle solving); After all, All work and no play makes Jack a dull boy.
  • Novembercloudtrail_timeline.py – Parses AWS CloudTrail JSON logs and outputs CSV format for Timeline Explorer
  • Novembermac_triage_timeline.sh – Processes Mac-Triage ZIP files and generates timeline for Timeline Explorer
  • Novemberuac_timeline.sh – Processes UAC tar.gz files and generates timeline for Timeline Explorer (Linux/macOS)

https://github.com/dwmetz/Toolbox

All projects are available on my GitHub at github.com/dwmetz, with detailed documentation on bakerstreetforensics.com. My goal is making DFIR and malware analysis more accessible, automated, and efficient for incident responders and forensic analysts.

Cross-Platform DFIR Tools: MalChelaGUI on Windows

Forensics, Malware, Rust

It’s a Trick and a Treat

Sometimes the best breakthroughs are the ones you don’t plan for.  After a routine Windows update this week, I launched MalChelaGUI from the Ubuntu terminal on an Ubuntu WSL2 instance — and it simply opened. No X-server, no environment tweaks, no extra packages.

🎉 😱 A Rust native GUI app on Windows, via Ubuntu WSL terminal!

The latest WSL 2.5 + WSLg 1.0.66 update from Microsoft quietly unlocked full Wayland and GPU acceleration for Linux GUI apps on Windows 11 24H2.  (Note the latest WSL at the time of this post is 2.61)

The result? MalChelaGUI now runs as a true desktop app on Windows, powered entirely by Ubuntu WSL.  

Why This Matters

  •  🧰 No configuration needed — just follow the default instructions at GItHub, and build MalChela as usual.  (WSL, Ubuntu 24.04 or later)
  • 🪟 Native windowing — Clipboard, display scaling, and GPU acceleration all handled automatically.  
  • 🦀 Cross-platform parity — macOS, Linux, and now Windows (via WSL) all run the same GUI experience.

It’s a small but meaningful proof of concept: cross-platform DFIR tooling can now live comfortably in every environment analysts work in — even Windows, without compromise.

Call for Testers

If you’re running Windows 11 24H2 or newer, update WSL and give it a try:

```powershell
wsl --update

Then from Ubuntu WSL

./target/release/MalChelaGUI

If it launches successfully, drop me a note or tag me — I’d love to hear how it behaves across different hardware and GPU setups.

Is your USB device slowing down your forensic investigation?

DFIR, Forensic Imaging, Rust, USB

In digital forensics and incident response, reliable storage isn’t a luxury — it’s a requirement. Whether you’re capturing evidence from a live system, processing large data sets with specialized tools, or running a virtual machine in the middle of a case, storage throughput can make or break your workflow.

The challenge? Reported specifications from manufacturers often don’t tell the full story. A drive rated for up to 400 MB/s might only deliver a fraction of that in real-world use. And performance isn’t determined by the drive alone: the quality of your USB cable, the number of hops between your system and the media (direct vs. through a hub), and the system’s own caching behaviors all play a part.

To eliminate the guesswork, I built Crabwise, a simple USB benchmarking utility designed with forensic workflows in mind.

How Crabwise Works

Crabwise calculates read and write speeds by creating a temporary file on the target device and measuring throughput under direct (uncached) conditions.

  • Write Test: The tool writes a pseudo-random 1 GiB file (size adjustable) to the USB drive in blocks, ensuring that system caching doesn’t skew results.
  • Read Test: It then reads the file back from the device, again bypassing caches, so the reported numbers reflect device-level throughput rather than RAM speeds.
  • Progress Feedback: While testing, Crabwise shows real-time percentages and MB/s estimates, so you can spot performance bottlenecks as they happen.

The result is a clean, standardized benchmark of the USB device’s true performance.

Building a Reference Table

One of the most useful features in Crabwise comes after the test: you’re prompted to save the results to the root of the device. If you choose to do so, Crabwise appends the results to a simple log file called crabwise.log.

Each entry includes:

  • Session name (you provide this — e.g., “coil cable via hub” or “direct to Mac”),
  • Read speed,
  • Write speed,
  • Timestamp of the test.

When you cat the file, you get an instant side-by-side comparison of your runs:

=== crabwise.log ===
coil cable, usb-c hub          |  293.87 Mbps |  295.97 Mbps | 2025-08-27 11:27:09
dual 90 deg cable, usb-c hub   |  293.77 Mbps |  298.57 Mbps | 2025-08-27 11:29:11
dual 90 cable, to mac          |  327.16 Mbps |  331.88 Mbps | 2025-08-27 11:31:02
coil cable, to mac             |  324.74 Mbps |  330.94 Mbps | 2025-08-27 11:32:53

Over time, this builds into a practical reference table that lets you quickly compare how different cables, hubs, and ports affect performance. What looks like a subtle cabling change can sometimes mean the difference between a VM booting smoothly or crawling.

Closing Thoughts

In forensic and investigative work, you don’t always get to choose the hardware you’re handed — but you can make informed decisions about how you connect and use it. Tools like Crabwise give you a way to validate your environment, document your results, and avoid unpleasant surprises when timing matters most.

Whether you’re testing cables, validating a new hub, or verifying a forensic workstation setup, Crabwise turns USB benchmarking into a repeatable, documented process.

Download crabwise from GitHub: https://github.com/dwmetz/crabwise/