Tag: yara

MalChela 3.2: More Cowbell? More Intel!

DFIR, Mac, Malware, open-source, Rust, yara

One of the things I value most about the open-source community is that the best improvements to a tool often don’t come from inside it — they come from outside conversations.  A short while back, the author of mlget, xorhex,  reached out and suggested I add more malware retrieval sources to FOSSOR, one of my earlier tools for pulling down samples from threat intel repositories.  It was a generous nudge, and it landed at exactly the right moment.

FOSSOR started as a simple script.  It did one job — grab malware samples from a handful of sources — and it did it well enough.  When I wrote it, I already knew it was a candidate for eventual MalChela integration, but “eventually” had stayed firmly in the future tense.  The message from xorhex gave me the push to actually sit down and do it properly.

The result is tiquery — and it’s become a new centerpiece to MalChela 3.2.

The Pattern I Keep Repeating (Deliberately)

If you’ve followed this blog or the MalChela project for a while, you might notice a recurring arc in how my tools tend to develop.  It goes something like this:

  • Step one:  write a focused script that solves a specific problem.
  • Step two:  that script evolves into a standalone tool as the scope grows.
  • Step three:  the tool finds its permanent home inside MalChela, where it benefits from the broader ecosystem — case management, the GUI, the MCP server integration, the portable workspace.
  • Step four:  When there’s overlap between tools, follow the KISS principle.

FOSSOR was in step one.  The conversation with xorhex accelerated the jump to step three.  What emerged was something more ambitious than just a source expansion — it’s a unified threat intelligence query engine, built from the ground up.

If you’re new to MalChela, it’s a Rust-based malware analysis toolkit built for DFIR practitioners — static analysis, string extraction, YARA rule generation, threat intel lookups, network analysis, and now a unified case management layer tying it all together.  Free, open-source, and built to run anywhere.

Introducing tiquery

tiquery is now the single threat intel tool in MalChela, replacing the retired malhash.  The core idea is straightforward: submit a hash, query multiple sources in parallel, get a clean color-coded summary back.  No waiting for one source to finish before the next one starts.  No manually juggling browser tabs or API wrappers.

Out of the box, tiquery works with eight confirmed sources:

  • VirusTotal
  • MalwareBazaar
  • AlienVault OTX
  • MetaDefender Cloud
  • Hybrid Analysis
  • FileScan.IO
  • Malshare
  • ObjectiveSee (no API key required — queries a locally-cached macOS malware catalogue)

Sources are tiered — free sources and registration-required sources are distinguished in the interface.  If you haven’t configured an API key for a given source, tiquery skips it gracefully rather than throwing an error. This means you can run it easily with whatever keys you have available.

The ObjectiveSee integration deserves a special mention.  It queries the objective-see.org/malware.html catalogue for macOS-specific threats using a locally-cached copy that refreshes every 24 hours, with a stale-cache fallback for offline use.  For anyone doing Mac forensics, this is a meaningful addition — a free, no-key-required check specifically against known macOS malware families.

Tiquery, like FOSSOR, supports batch lookups as well — point it to a .csv or .txt file of hashes and they’ll all be checked in parallel. You can also download samples directly, with MalwareBazaar supported in this release and additional sources on the way – (your vote matters).

What It Looks Like in Practice

The screenshots below show tiquery running in both the CLI and GUI.  In both cases, for any of the matching sources you get a basic classification (malware family, tags, detections,) and direct links to threat intelligence documents about the samples. It’s the perfect jumping off point when you want to leverage community research.

The CLI output is clean and tabular — source abbreviation, status (color-coded FOUND/NOT FOUND), family and tag information, detection count, and a direct reference URL.  Everything you need to make a quick triage decision, no scrolling through API response JSON required. You can run tiquery CLI as a stand-alone, or from within the MalChela CLI menu.

In the GUI, the experience is layered a bit more richly.  You can toggle individual sources on or off, switch between single-hash and bulk lookup modes, download the sample directly from MalwareBazaar, and export results to CSV — all from one interface.  The macOS ObjectiveSee source displays its cache age inline so you always know how fresh the data is.

Both outputs feed into MalChela’s case management system.  Check “Save to Case” in the GUI, and tiquery creates a valid case.json automatically — no separate case creation step needed.

Extended Case Management Across the Toolkit

Speaking of case management — 3.2 extends “Save to Case” support across the full GUI.  File Analyzer, File Miner, and mStrings, all now include the checkbox.  This closes out the last gaps in the case workflow.  Whatever tool you’re using for a given task, if you want to preserve the output in a named case, it’s one click. You no longer have to start with the New Case workflow, however it is recommended if that’s the direction you’re going from the start.

The Strings to YARA tool also gains a companion “Save to YARA Library” checkbox.  Check it, and the generated rule gets copied directly into the project’s yara_rules/ directory alongside being saved to the case. This will automatically make the rule available when you run fileanalyzer on subsequent files.  It’s a small workflow improvement, but one that eliminates a manual copy step I was taking every time anyway. I also added a quick formatter so the special character most often in need of escaping “\” gets handled automatically when the rule is generated.

A Note on malhash

malhash is retired in 3.2.  If you’ve been using it in scripts or workflows, tiquery is its direct replacement — it does everything malhash did and then some.  This is a breaking change in the sense that the binary is gone, but functionally tiquery is a superset, not a lateral move.

malhash served its purpose well.  RIP. tiquery is where that purpose lives now.

Get It

MalChela 3.2 is available now on GitHub.  The full release notes are in the repo. 

Thanks to xorhex for the nudge.  Sometimes the best features start with someone saying “have you thought about…”

The Game Is Afoot: Introducing the MalChela Video Series

DFIR, Malware, Memory Analysis, MITRE ATT&CK, REMnux, Rust, SIgma, Triage, yara

There’s a moment every analyst knows — the one where an unknown file lands on your desk and the clock starts ticking. You need answers, and you need them fast. MalChela was built for exactly that moment.

Today I’m excited to announce the MalChela Video Series on YouTube — a growing collection of tutorial episodes walking through real malware analysis workflows using MalChela, the open-source Rust-based toolkit I’ve been building for the DFIR community. Whether you’re new to the tool or already running it in your lab, there’s something here for you.

Four episodes are available right now in the playlist.

What’s in the Playlist

Ep0 | Installation & First Run

Every case starts somewhere. Episode 0 is your onboarding — installing MalChela, walking through its dependencies, and getting oriented with both the CLI and GUI modes. If you’ve been curious about the tool but weren’t sure where to start, this is the episode to bookmark.

Ep1 | First Contact: Hash, Inspect, Identify

You’ve just been handed a suspicious file. What do you do first?

This episode covers the first three tools in a malware triage workflow — the exact sequence I reach for every time I encounter an unknown file:

  • hashit — generate MD5, SHA1, and SHA256 hashes to protect chain of custody and enable deduplication
  • fileanalyzer — static inspection: entropy analysis, PE header fields, compile timestamps, and import tables
  • malhash — simultaneous lookup against VirusTotal and MalwareBazaar to identify known malware families

By the end of this episode, you’ll take an unknown file from zero to confirmed malware family identification in under five minutes — no sandboxing required.

Ep2 | From Strings to Signatures

Continuing from Episode 1, we go deeper into the confirmed RedLine info-stealer sample using mStrings — MalChela’s string extraction engine. Unlike the traditional strings utility, mStrings runs every extracted string through a detection ruleset and MITRE ATT&CK mapping layer simultaneously, turning raw output into actionable intelligence.

We walk through 62 detections, including PDB path artifacts, hard-coded dropper filenames, WMI queries, credential harvesting patterns, anti-debug checks, and a code injection setup. We then feed the extracted IOCs into Strings2YARA to auto-generate a structured YARA rule — and confirm it fires against the sample using File Analyzer.

By the end, you’ll be reading a malware file not as a pile of strings, but as a window into the attacker’s tradecraft.

Ep3 | REMnux Mode & Custom Tools

MalChela doesn’t work in isolation. Episode 3 covers how to extend the toolkit through the tools.yaml config file and how enabling REMnux mode surfaces an entire distro’s worth of malware analysis utilities directly within MalChela’s interface.

We also explore three built-in integrations: Volatility 3 with a dynamic plugin builder, T-Shark with a searchable reference, and YARA-X — a faster, Rust-native rewrite of YARA.

What’s Coming

The series is ongoing. Future episodes will push further into advanced workflows — think directory-scale triage, corpus management, and the AI-assisted analysis capabilities introduced in MalChela’s MCP integration. Stay subscribed and you won’t miss them.

Get Involved

If MalChela is useful in your work, the best thing you can do is help spread the word:

  • 📺 Subscribe to the YouTube channel — Subscribe to the channel and save the playlist so you don’t miss new episodes as they land.
  • 📖 Follow Baker Street Forensics — Writeups, major releases, and workflow deep dives live here.
  • 💬 Share and comment — If an episode clicks for you, pass it along to a colleague or drop a comment on the video. That feedback genuinely shapes what comes next.

The game is afoot. Let’s get to work.

MalChela is open-source and freely available. Find the project on GitHub.

2025 Year in Review: Open Source DFIR Tools and Malware Analysis Projects

DFIR, Forensics, Mac, Malware, MITRE ATT&CK, PowerShell, Python, Raspberry Pi, Rust, SIgma, Triage, USB, yara

As 2025 draws to a close, I’m taking a moment to reflect on what turned out to be one of my most productive years in code. From major releases to entirely new projects, this year saw significant evolution across my DFIR toolkit—driven by real-world incident response needs, classroom teaching experiences, and late-night tinkering sessions fueled by good bourbon and better puzzles.

What started as continuing work on CyberPipe evolved into a year of substantial innovation: creating MalChela for YARA and malware analysis, building a portable Raspberry Pi forensics platform, developing automated timeline generation workflows, and crafting specialized utilities that solve specific problems I encountered in the field. Each tool represents not just lines of code, but practical solutions to challenges that digital forensics and incident response professionals face daily.

Whether you’re a seasoned forensic analyst, an incident responder building your toolkit, or a student just getting started in DFIR, my hope is that these open-source projects make your work a little easier and a lot more efficient. All tools remain freely available on GitHub, because I believe the best way to advance our field is to share knowledge and capabilities openly.

Here’s what kept me busy in 2025:

MalChela – YARA & Malware Analysis Toolkit (Rust)

My flagship project that evolved significantly throughout 2025:

  • March: Initial release – Combined 10 programs into one Rust workspace for YARA and malware analysis
  • May: v2.1 – Added smoother workflows, better third-party tool integration, and enhanced argument handling
  • May: v2.2 “REMnux Release” – Native support for REMnux, integrations with Volatility3, Tshark, YARA-X
  • June: v3.0 – Major update introducing Case Management system, FileMiner (replacing MismatchMiner), and tool suggestion capabilities based on file characteristics
  • July: v3.0.1 – Refinements to mStrings, improved MITRE mappings, “Select All” functionality, optimizations for running on Toby
  • August: v3.0.2 – Enhanced threat hunting with MITRE ATT&CK technique lookup

MalChela at a Glance

  • Rust-based malware analysis toolkit combining YARA scanning, file analysis, hash generation, string extraction with MITRE ATT&CK mapping, and automated malware sample extraction from password-protected archives 
  • Multiple specialized utilities including mzhash/xmzhash for corpus generation, file type mismatch detection, entropy analysis, PE structure examination, and fuzzy hashing capabilities 
  • Integrated threat intelligence with VirusTotal and Malware Bazaar API support, NSRL database queries for known-good file filtering, and Sigma rule application for IOC identification 
  • Case management system (v3.0) featuring unified tracking of files, tools, and notes in case.yaml format with auto-saved outputs, tagging, search functionality, and VS Code integration 
  • Extensible architecture supporting custom tool integration via tools.yamlconfiguration, enhanced support for Volatility 3, TShark, and YARA-X, with both GUI and CLI modes (WSL2-compatible on Windows)
  • Complete documentation embedded as PDF or online
MalChela v3.0: Case Management, FileMiner, and Smarter Triage

https://github.com/dwmetz/MalChela

CyberPipe – Incident Response Collection Tool (PowerShell)

Continued evolution of the enterprise digital evidence collection script:

  • May: v5.1 – Streamlined profiles with better flexibility, customizable collection profiles
  • October: v5.2 – Improved collection methods with dual disk space validation, SHA-256 hashing of artifacts, single-file reporting, network collection simplification
  • November: v5.3 – Critical PowerShell 5.1 compatibility fixes, dual validation logic, enhanced reliability across all PowerShell environments
CyberPipe v5.3: Enhanced PowerShell Compatibility and Reliability

https://github.com/dwmetz/CyberPipe

CyberPipe-Timeliner ✱New✱ (PowerShell)

  • NovemberCyberPipe-Timeliner – New companion project to CyberPipe that automates the workflow from Magnet Response collections to unified forensic timelines using Eric Zimmerman’s EZ Tools and ForensicTimeliner
CyberPipe-Timeliner: From Collection to Timeline in One Script

https://github.com/dwmetz/CyberPipe-Timeliner

Toby – Portable Raspberry Pi Forensics Toolkit

  • July: Released Toby – A compact forensics toolkit built on Raspberry Pi Zero 2 W running customized Kali Linux, designed for headless operation via SSH/VNC, perfect for field analysis and malware triage
Portable Forensics with Toby: A Raspberry Pi Toolkit

Toby-Find

  • JulyToby-Find – Terminal-based command-line helper tool for discovering CLI forensics tools in KALI and REMnux environments, created initially for university teaching
Toby-Find: Simplifying Command-Line Forensics Tools

https://github.com/dwmetz/Toby

Crabwise – USB Device Benchmark Utility (Rust)

  • August: Released Crabwise – A lightweight USB benchmarking tool that measures true read/write speeds of USB devices for forensic workflows. Tests write throughput with pseudo-random data and read performance under uncached conditions. Includes logging functionality to track performance across different cables, hubs, and connection paths, helping forensic investigators optimize their hardware setups.
Is your USB device slowing down your forensic investigation?

https://github.com/dwmetz/Crabwise

Toolbox Utilities – Specialized Python and Bash Scripts

Standalone tools maintained in the Toolbox repository:

  • OctoberCoreBreaker.py – Breaks large yara-rules-core files into smaller .yar files for tool ingestion
  • OctoberEtTu.py – Caesar cipher brute force decoder (created for Murdle puzzle solving); After all, All work and no play makes Jack a dull boy.
  • Novembercloudtrail_timeline.py – Parses AWS CloudTrail JSON logs and outputs CSV format for Timeline Explorer
  • Novembermac_triage_timeline.sh – Processes Mac-Triage ZIP files and generates timeline for Timeline Explorer
  • Novemberuac_timeline.sh – Processes UAC tar.gz files and generates timeline for Timeline Explorer (Linux/macOS)

https://github.com/dwmetz/Toolbox

All projects are available on my GitHub at github.com/dwmetz, with detailed documentation on bakerstreetforensics.com. My goal is making DFIR and malware analysis more accessible, automated, and efficient for incident responders and forensic analysts.

Toby-Find: Simplifying Command-Line Forensics Tools

DFIR, Forensics, Malware, Memory Analysis, Raspberry Pi, Triage

In digital forensics, we often take a toolbox approach — success hinges on having the right tool for the job. Some tools offer broad functionality, while others are deeply specialized. Distributions like KALI and REMnux do a fantastic job bundling a wide range of forensic and security tools, but keeping track of what’s actually installed can be a challenge.

If you’re using a graphical interface, browsing through available packages is fairly intuitive. But when you’re living in the terminal — as many analysts do — that discoverability disappears. There’s no built-in index of command-line tools or how to invoke them.

The first version of Toby-Find was born out of necessity. I teach a Network Forensics course at the university, using a custom VM loaded with tools like Zeek, Tshark, Suricata, and more. I wanted students to have an easy, searchable way to see what CLI tools were available and how to run them — without needing to memorize commands or dig through man pages.

Later, when I built Toby (a forensic-focused Raspberry Pi rig running a customized KALI install), I updated Toby-Find to include the complete CLI toolset geared toward forensics and malware analysis from the KALI ecosystem.

And because I can’t leave well enough alone, I decided to build a REMnux-compatible version too.

Once installed, you can launch Toby-Find (via tf, toby-find, or tf-help) from any terminal and instantly search for tools, descriptions, examples, and more.

Toby-Find on REMnux
Toby-Find on Kali

📦 Installation

1. Clone the repository:

git clone https://github.com/dwmetz/Toby.git

2. Make the install script executable:

cd Toby
chmod +x install.sh

3. Run the installer:

./install.sh

4. Follow the prompt to choose your environment (KALI or REMnux)
5. Open a new terminal or run:

source ~/.bashrc   # or ~/.zshrc depending on shell

🚀 Usage

tf [keyword]

Examples:

tf yara
tf volatility
tf hash

To view the full list:

tf-help

Whether you’re working from a custom VM, a rugged Pi, or a hardened REMnux box, Toby-Find gives you a fast, terminal-friendly way to surface the tools at your disposal — without breaking focus. It’s lightweight, portable, and easy to extend for your own lab or classroom.

You can grab the full installer from GitHub, and contributions are always welcome. If you find it helpful — or build on it — I’d love to hear about it.