Tag: Memory

MalChela 2.2 “REMnux” Release

DFIR, Forensics, Malware, Rust

MalChela’s 2.2 update is packed with practical and platform-friendly improvements. It includes native support for REMnux, better tool settings, and deeper integrations with analysis tools like YARA-X, Tshark, Volatility3, and the newly improved fileanalyzer module.

🦀 REMnux Edition: Built-In Support, Zero Tweaks

When the GUI loads a REMnux-specific tools.yaml profile, it enters REMnux mode.

Screenshot of yaml configuration applying REMnux mode

Native binaries and Python scripts like capa, oledump.py, olevba, and FLOSS are loaded into the MalChela tools menu, allowing you to mix and match operations with the embedded MalChela utilities and the full REMnux tool stack. No manual configuration needed—just launch and go. MalChela currently supports the following REMnux programs right out of the box:

Tool Name Description
binwalkFirmware analysis and extraction tool
capaIdentifies capabilities in executable files
radare2Advanced reverse engineering framework
Volatility 3Memory forensics framework for RAM analysis
exiftoolExtracts metadata from images, documents, and more
TSharkTerminal-based network packet analyzer (Wireshark CLI)
mraptorDetects malicious macros in Office documents
oledumpParses OLE files and embedded streams
oleidIdentifies features in OLE files that may indicate threats
olevbaExtracts and analyzes VBA macros from Office files
rtfobjExtracts embedded objects from RTF documents
zipdumpInspects contents of ZIP files, including suspicious payloads
pdf-parserAnalyzes structure and contents of suspicious PDFs
FLOSSReveals obfuscated and decoded strings in binaries
clamscanOn-demand virus scanner using ClamAV engine
stringsExtracts printable strings from binary files
YARA-XNext-generation high-performance YARA rule scanner

If you only need a subset of tools you can easily save and restore that a custom profile.

TShark Panel with Built-In Reference

Tshark and the integrated field reference

A new TShark integration exposes features including:

  • A filter builder panel
  • Commonly used fields reference
  • Tooltip hints for each example (e.g., `ip.addr == 192.168.1.1` shows “Any traffic to or from 192.168.1.1”)
  • One-click copy support

This helps analysts build and understand filters quickly—even if TShark isn’t something they use every day. Using the syntax builder in MalChela you can use the exact commands directly in Tshark or Wireshark.

YARA-X Support (Install Guide Included)

YARA-X module in MalChela

Support for YARA-X (via the `yr` binary) is now built in. YARA-X is not bundled with REMnux by default, but install instructions are included in the User Guide for both macOS and Linux users.

Once installed, MalChela allows for rule-based scanning from the GUI,and with YARA-X, it’s faster than ever.

fileanalyzer: Fuzzy Hashing, PE Metadata, and More

Updated FileAnalyzer Module

MalChela’s fileanalyzer tool has also been updated to include:

  • Fuzzy hashing support via `ssdeep`
  • BLAKE3 hashing for fast, secure fingerprints
  • Expanded PE analysis, including:
  • Import and Export Table parsing (list of imported and exported functions)
  • Compilation Timestamp (for detection of suspicious or forged build times)
  • Section Characteristics (flags like IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, etc., for detecting anomalous sections)

These improvements provide deeper insight into executable structure, helping analysts detect anomalies such as packers, suspicious timestamps, or unexpected imports/exports. Useful for everything from sample triage to correlation, fileanalyzer now digs deeper—without slowing down.

Memory Forensics Gets a Boost: Volatility 3 Now Supported

With the 2.2 release, MalChela introduces support for Volatility 3, the modern Python-based memory forensics framework. Whether you’re running MalChela in REMnux or on a customized macOS or Linux setup, you can now access the full power of Volatility directly from the MalChela GUI.

Volatility 3 in MalChela

There’s an intuitive plugin selector that dynamically adjusts available arguments based on your chosen plugin,. You can search, sort, and browse available plugins, and even toggle output options like –dump-dir with ease.

Like Tshark, there is an added plugin reference panel with searchable descriptions and argument overviews — a real time-saver when navigating Volatility’s deep and often complex toolset.

Volatility Plugin Reference

Smarter Tool Configuration via YAML

The tool configuration system continues to evolve:

  • Tools now declare their input type (file, folder, or hash)
  • The GUI dynamically adjusts the interface to match
  • Alternate profiles (like REMnux setups) can be managed simply by swapping `tools.yaml` files via the GUI
  • Easily backup or restore your custom setups
  • Restore the default toolset to get back to basics

This structure helps keep things clean—whether you’re testing, teaching, or deploying in a lab environment.

Embedded Documentation Access

The GUI now includes a link to the full MalChela User Guide in PDF. You can also access the documentation online.

From tool usage and CLI flags to configuration tips and install steps, it’s all just a click away—especially useful in offline environments or when onboarding new analysts. I’ll be honest, this is likely the most comprehensive user guide I’ve ever written.

Whether you’re reviewing binaries, building hash sets, or exploring network captures—MalChela 2.2 is designed bring together the tools you need, and make it easier to interoperate between them.

The new REMnux mode makes it even easier to get up and running with dozens of third party integrations.

Have an idea for a feature or application you’d like to see supported — reach out to me.

GitHub: REMnux Release

MalChela User Guide: Online, PDF, Web

Shop: T-shirts, hats, stickers, and more

CyberPipe v5.1 – Streamlined Profiles, Better Flexibility

DFIR, Forensics, PowerShell, RAM, Triage, USB

CyberPipe v5.1 is out with a few targeted improvements to make live response a bit smoother.

What’s New:

  • Collection profiles can now be passed directly as arguments using -CollectionProfile. No need to modify the script or hardcode anything — just run with the profile you need.
  • Improved support for saving to network shares, ideal for remote collections triggered by EDR.
  • Better error handling and logging, including clearer messages when tools are missing or when BitLocker key recovery fails.

The default profile still covers the most common triage needs:

✔️ Memory dump (RAM)

✔️ Pagefile

✔️ Volatile data (network config, hives, running procs)

✔️ System artifacts

But now, you can swap that out on the fly:

Usage Examples:

.\CyberPipe.ps1 ## default profile, capture RAM, Pagefile, Volatile and System Files

.\CyberPipe.ps1 -CollectionProfile RAMOnly ## just the RAM

.\CyberPipe.ps1 -CollectionProfile RAMSystem ## just the RAM and System Files (triage lite)

.\CyberPipe.ps1 -CollectionProfile RAMPage ## RAM & Pagefile

.\CyberPipe.ps1 -CollectionProfile Volatile ## Just Volatile data

Useful for tailoring collections based on available time, scope, or system stability — especially during incident response where conditions change quickly.

CyberPipe still captures memory with DumpIt or RAM Capture, grabs volatile system data, checks for encryption, and recovers the BitLocker key when possible. But now it’s just a bit easier to tailor to the job at hand — whether you’re responding interactively or invoking it remotely via EDR integration.

As always, no dependencies beyond what’s in the Tools folder, and no assumptions about the system you’re collecting from.

See the full changelog and usage notes in the README on GitHub.

Book Review: Cloud Forensics Demystified

Forensic Imaging, Forensics, M365, Malware, Memory Analysis, RAM, Triage

At this point, we’ve all heard the expression ‘There is no cloud; It’s just someone else’s computer.’ While there is some truth to that, there are some fundamental differences when it comes to digital forensics when cloud resources are part of the investigation.

Recently, I had the chance to read Cloud Forensics Demystified: Decoding cloud investigation complexities for digital forensic professionals, by Ganesh Ramakrishnan and Mansoor Haqanee. I received a complimentary this book in exchange for an honest and unbiased review. All opinions expressed are my own.

I’ve been doing DFIR for about 15 years now. In the early days, almost all investigations involved having hands on access to the data or devices being investigated. As I moved into Enterprise Incident Response, it became more and more frequent that the devices I would be investigating would be in a remote location, be it another state – or even another country. As the scope of my investigations grew, so did my techniques need to evolve and adapt.

Cloud Forensics is the next phase of that evolution. While the systems under investigation may still be in another state or country, extra factors come into play like multi-tenancy and shared responsibility models. Cloud Forensics Demystified does a solid job of shedding light on those nuances.

The book is divided into three parts.

  • Part 1: Cloud Fundamentals
  • Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics
  • Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud

Part 1: Cloud Fundamentals

This section provides a baseline knowledge of the three major cloud providers, Amazon Web Services (AWS), Google Cloud Platform (GCP) and Microsoft Azure. It breaks down the different architectural components of each, and how the platforms each handle the functions of virtual systems, networking and storage.

Part 1 also includes a broad yet thorough introduction to the different Cyber and Privacy legislation that come into play for cloud investigations. This section is not only valuable to investigators. Whether you’re a lawyer providing legal counsel for an organization, or responsible for an organizations overall security at a CISO level, this material is beneficial in understanding the challenges and responsibilities that come from hosting your data or systems in the cloud, and the different legislation and regulations that follow those choices.

Part 2: Forensic Readiness: Tools, Techniques, and Preparation for Cloud Forensics

As with enterprise investigations, logging is often where the hunting for incident indicators begins with telemetry and the correlation of different log sources. This section focuses on the different log sources available in AWS, GCP, and Azure. It also provides a detailed list of log types that are enabled by default and those that require manual activation to ensure that you have access to the most relevant data for your investigations when an incident occurs. This section also covers the different providers offerings for log analysis in the cloud including AWS Cloud Watch, Microsoft Sentinel and Google’s Cloud Security Command Center (Cloud SCC) as examples.

Part 3: Cloud Forensic Analysis: Responding to an Incident in the Cloud

As an Incident Responder, this was the section I enjoyed the most. While the first two sections are foundational for understanding the architectures of networking and storage, part three provides detailed information on how to acquire evidence for cloud investigations. The section covers both log analysis techniques as well as recommendations for host forensics and memory analysis tools. The book covers the use of commercial forensic suites, like Magnet Axiom, as well as open-source tools like CyLR and HAWK. Besides covering investigations of the three Cloud Service Providers (CSPs), there is also a section covering the cloud productivity services of Microsoft M365 and Google Workspace, as well as a brief section on Kubernetes.

Summary

Whether you’re a gray-haired examiner like me, or a neophyte in the world of digital forensics, chances are high that if you’re not running investigations in the cloud yet – you will be soon enough.  Preparation is the first step in the Incident Response lifecycle. To properly prepare for incidents you need to know both what sources will be most informative to your investigations, as well as the methodology to capture and process that evidence efficiently. 

Cloud Forensics Demystified is a comprehensive guide that covers cloud fundamentals, forensic readiness, and incident response. It provides valuable insights into cloud investigation techniques, log analysis, and evidence acquisition for major cloud providers and productivity services. The book is valuable for both experienced and novice digital forensics professionals to prepare for cloud investigations.

CyberPipe version 5.0

DFIR, Forensic Imaging, PowerShell, RAM, Triage, USB

The latest update to CyberPipe (the code formerly known as CSIRT-Collect), has been revised to leverage the free triage collection tool, MAGNET Response. As with previous versions it also runs Encrypted Disk Detector, another free tool from MAGNET.

Script Functions:

  • Capture a memory image with MAGNET DumpIt for Windows, (x32, x64, ARM64), or MAGNET RAM Capture on legacy systems,
  • Create a Triage collection* with MAGNET Response,
  • Check for encrypted disks with Encrypted Disk Detector,
  • Recover the active BitLocker Recovery key,
  • Save all artifacts, output and audit logs to USB or source network drive.

* There are collection profiles available for:

  • Volatile Artifacts
  • Triage Collection (Volatile, RAM, Pagefile, Triage artifacts)
  • Just RAM
  • RAM & Pagefile
  • or build your own using the RESPONSE CLI options

Prerequisites:

The setup is simple. Save the CyberPipe script to a USB drive. Next to the script is a Tools folder with the executables for MAGNET Response & EDD. Before running, customize the script to select a collection profile. Run the script from the USB drive and collect away. Move on to the next PC and run it again.

Network Usage:

CyberPipe 5 also has the capability to write captures to a network repository. Just un-comment the # Network section and update the \\server\share line to reflect your environment.

In this configuration it can be included as part of automation functions like a collection being triggered from an event logged on the EDR.

Prior Version (KAPE Support):

If you’re a prior user of CyberPipe and want to use the previous method where KAPE facilitates the collection with the MAGNET tools, or have made other KAPE modifications, use v4.01.

Download:

Download the latest release of CyberPIpe on GitHub.

https://github.com/dwmetz/CyberPipe