BakerStreetForensics – 2022 Year in Review

Happy New Year to all the readers. 2022 was a handful, but there were a lot of things to celebrate. I completed my first full year as an employee of Magnet Forensics. Between the people I work with, and the satisfaction of the mission, I couldn’t be happier with where I’m at.

The first blog post of the year, QuickPcap – Capturing a PCAP with PowerShell, wound up being the most popular post of the year and a repeat traffic driver. Adding SIFT and REMnux to your Windows Forensics environment would have to concede to being #2 after a very long run.

In February the Lack Rack began, though it wouldn’t be til September that I called an end to the “one more thing” adjustments. It’s definitely one of my favorite DIY projects to date.

There were lots of little successes as well, like finally cleaning up and re-organizing my ‘go-bag.’

As my focus has been more concentrated on malware investigation and analysis – that meant that in no time there’d be something I could automate with PowerShell, and so came Mal-Hash. A few months after the initial release, I was able to update it. Included in the refinements was the ability to now run the script on Windows, Mac, and Linux (via PowerShell).

I also went back to all my O365 related PowerShell Scripts and updated them all to support the latest modern auth / MFA protocols from Microsoft.

After several years of Covid isolation, I was back to attending and presenting at conferences. This year I was able to participate in the Magnet User Summit and the Magnet Virtual Summit, which included my presentation on Free Tools for Triage Collections. CSIRT-Collect got a number of feature updates as a result.

Other events included Techno Security and the HTCIA Conference, as well as presenting as part of the HTCIA Tech Tuesday series.

Last but not least, one of the biggest milestones was passing 10k views on this wee ‘lil blog, including a day that had over 1k all on its own. Thank you to everyone who continues to return here and interact from all over the world. Cheers!

Thank you for your continued support of Baker Street Forensics. Is there something you’d like to see more of? Leave a comment and let me know.

Play it Again Sam – A Recap of MUS 2022

I had a wonderful time participating in the Magnet User Summit, both in person and virtually. After 2 years of participating virtually, it was my first time attending the Summit in person. It was great to meet for the first time in person, not just many of my coworkers, but many of the regulars in my Twitter stream as well. What a gathering of brilliant, yet equally humble, investigators.

During the Summit I participated on a panel about Bringing your Forensics Lab to the Cloud. I also had fun co-presenting on two talks, Walkthrough of a BEC (Business Email Compromise) and Walkthrough of a Ransomware Investigation, where we looked at the examinations from a Law Enforcement and from a corporate perspective.

There was the surreal moment of realizing that the boss doesn’t just rock, he ROCKS!

This year there was an in person and a virtual CTF with separate evidence and challenges. For the in-person CTF we examined a Linux laptop and an iPhone. Also, the long anticipated Dark Mode is a treat for the retinas.

For the virtual CTF the evidence sources were a Windows image and an Android mobile device, and a Google TakeOut. I surprised myself with how well I did on the Android and that hasn’t been my area of expertise.

During the virtual summit I enjoyed sharing my presentation, Free Tools for DFIR Triage Collections. Special thanks to everyone who engaged with me during and after the presentations, and from all different time zones. Your support was very much appreciated. If you missed it during the Summit or want to watch it again, you can head over to the Presentations page.

You can also check out all the other recorded presentations from the 2022 Magnet User Summit via the link below.