
Posts by Doug Metz

MalChela 3.2: More Cowbell? More Intel!

One of the things I value most about the open-source community is that the best improvements to a tool often don’t come from inside it — they come from outside conversations. A short while back, the author of mlget, xorhex, reached out and suggested I add more malware retrieval sources to FOSSOR, one of my earlier tools for pulling down samples from threat intel repositories.


4 days ago
MalChela - YouTube Videos covering the MalChela malware and YARA analysis toolkit. | Github: https://github.com/dwmetz/MalChela | Docs: https://dwmetz.github.io/MalChela/

For anyone interested I’ve expanded this into a series. Feel free to let me know what else you’d like to see youtube.com/playlist?lis...

1 week ago
An AI image of Jesus rising in a cyber apocalyptic landscape

Just got an email for a “Cyber Easter” sale. Can we please stop making everything Cyber?

Yes I wrote CyberPipe and host Cyber Unpacked… but still…

1 month ago
A Study in DFIR: Open-Source, Enterprise, and the Art of Analysis

Someone asked me recently how I see DFIR evolving — tooling, automation, and open-source versus enterprise platforms. It's the kind of question that sounds like a conference panel topic, but the answer is grounded in how work actually gets done. In practice, it isn't a binary choice. The most effective IR practitioners I've worked with use a combination of both commercial and open-source tools, depending on the problem in front of them.


1 month ago
The Game Is Afoot: Introducing the MalChela Video Series

There's a moment every analyst knows — the one where an unknown file lands on your desk and the clock starts ticking. You need answers, and you need them fast. MalChela was built for exactly that moment. Today I'm excited to announce the MalChela Video Series on YouTube — a growing collection of tutorial episodes walking through real malware analysis workflows using…

New YouTube video series covering the free open-source YARA & malware analysis toolkit, MalChela. Covers installation, initial static analysis, YARA rule creation, REMnux integration and more.

1 month ago
MalChela Meets AI: Three Paths to Smarter Malware Analysis

In a previous post I wrote about integrating MalChela with OpenCode on REMnux and giving the AI a quick briefing on the tool suite so it could incorporate them into its analysis workflow. That was a promising proof of concept, but it raised a natural follow-up question: how do you make these integrations more robust, reproducible, and persistent? Since that post, I've been experimenting with three different approaches to bringing MalChela into AI-assisted workflows — each suited to a different environment and use case.


1 month ago

On Feb 24 at Magnet's FREE virtual summit, @dwmetz.bsky.social and I will be talking about DF and IR, but not about "DFIR", if you know what I mean. magnetvirtualsummit.com/registration... #DFIR

2 months ago

@aaroncti.bsky.social interested in seeing the platform

2 months ago
Streamline Malware Hash Search with FOSSOR

We’ve all encountered this scenario: you’re reading a threat report from CISA or Microsoft and come across hashes related to a malware infection. You start copying these hashes and head to one of your favorite virus repositories to check if there’s a source available for download so you can analyze the malware yourself. Unfortunately, you don’t find a match. So, you move on to another site and repeat the process.


2 months ago
Enhancing Malware Analysis with REMnux and AI

Those familiar with my work know that I’m a big fan of the REMnux Linux distribution for malware analysis. When I developed MalChela, I included a custom configuration that can be invoked to provide an easy-to-use GUI covering not only the MalChela tool suite but also many of the CLI tools installed in REMnux. Recently, a new REMnux release based on Ubuntu 24.04 was published.


2 months ago

Sounds pretty atomic

4 months ago
2025 Year in Review: Open Source DFIR Tools and Malware Analysis Projects

In 2025, significant advancements in DFIR toolkit development were achieved, including the evolution of MalChela for malware analysis, streamlined CyberPipe tools, and the introduction of Toby, a portable forensics platform. The focus was on creating practical solutions for digital forensics professionals, with all tools available as open-source on GitHub. #DFIR #MalwareAnalysis #OpenSource

Wrapping up 2025 with the year in code, including the evolution of MalChela for malware analysis, streamlined CyberPipe tools, and the introduction of Toby, a portable forensics platform. Focus was on creating practical solutions for #DFIR professionals and students for triage and #MalwareAnalysis

4 months ago

What a start…

4 months ago
CyberPipe-Timeliner: From Collection to Timeline in One Script

CyberPipe-Timeliner was developed in response to a colleague's query about integrating Magnet Response collections with ForensicTimeliner. This tool automates the workflow, transforming collection data into a unified forensic timeline. With features like date filtering and flexible input options, it streamlines the timeline generation process, making it efficient and user-friendly. #DFIR

CyberPipe-Timeliner was developed to integrate Magnet Response collections with ForensicTimeliner. This tool automates the workflow of EZTools, and transforms collection data into a unified forensic timeline. #DFIR

5 months ago
CyberPipe v5.3: Enhanced PowerShell Compatibility and Reliability

I'm pleased to announce the release of CyberPipe v5.3, bringing critical compatibility improvements for Windows PowerShell 5.1 and enhanced reliability across all PowerShell environments.

The Problem

After releasing v5.2 with the new unified banner design, several users reported an interesting issue: CyberPipe would execute perfectly in PowerShell Core, but in Windows PowerShell 5.1, the script would complete the Magnet Response collection successfully—then immediately fail with an exit code error and stop before running EDD and BitLocker key recovery.


5 months ago

God is an Eagles fan. #GoBirds

5 months ago

You'll pry these Oxford commas out of my cold, dead, third thing hands

5 months ago
Gardava Faraday Beanie Protection Hat - Blocks 99.9% E.M.Fs, 5G, WiFi, R.adiation, 3rd Party Tested, Unisex-Adults, Black at Amazon Men’s Clothing store

When you’re paranoid but any old tin foil hat won’t do. a.co/d/1GvRbfT

6 months ago
Streamline Digital Evidence Collection with CyberPipe 5.2

CyberPipe, developed for incident response, is a PowerShell script facilitating efficient digital evidence collection in enterprise settings. Recent updates include improved collection methods, capabilities like QuickTriage for faster artifact gathering, and enhanced reliability with advanced error handling. Version 5.2 aims to streamline operations while ensuring forensic integrity and transparency. #DFIR

CyberPipe, a PowerShell script for digital evidence collection, has been updated with enhancements in collection, capabilities, and reliability. New features include intelligent collection with dual disk space validation, a QuickTriage profile, and improved BitLocker recovery. #DFIR

6 months ago

Swore I was reading @theonion.com

6 months ago
Cross-Platform DFIR Tools: MalChelaGUI on Windows

A trick and a treat this week with a quiet milestone for cross-platform DFIR tooling — MalChelaGUI now runs seamlessly inside Windows through Ubuntu WSL2, with zero configuration required. #DFIR #MalwareAnalysis

6 months ago
S2:E4 // Voices from the field: Trends, challenges, and what’s next in DFIR - Magnet Forensics

Digital Forensics and Incident Response (DFIR) has evolved rapidly from purely reactive investigations to incorporating proactive approaches that utilize cloud-powered forensics and AI. But while the ...

On Oct 8, join us for a special episode of #CyberUnpacked where hosts @dwmetz.bsky.social & Jeff Rutherford will bring together a panel of #DFIR leaders to explore top challenges investigative teams face and the state of #DigitalInvestigations today: ow.ly/jRVq50X2r0L

6 months ago

Go Birds!

7 months ago
Preview
Sign Petition: Stop Masked Immigration Raids. This Is Not How a Democracy Operates.

These agents are using masks to shield themselves from accountability for their willingness to participate in dangerous overreach. (51529 signatures on petition)

Masked ICE aren’t about safety; they’re about fear and evading responsibility. Demand transparency and accountability by adding your name to this petition:

7 months ago
Is your USB device slowing down your forensic investigation?

In digital forensics, reliable storage is essential for effective workflows. Crabwise, a USB benchmarking utility, addresses performance variability by calculating read and write speeds under direct conditions, bypassing caching. It logs results for easy comparison, allowing users to optimize connections. This tool ensures informed decisions on hardware setups, improving efficiency and consistency in forensics tasks.

In DFIR, reliable storage is essential for effective workflows. Crabwise, a USB benchmarking utility, addresses performance variability by calculating read and write speeds under direct conditions, bypassing caching, and logs results for easy comparison. #DFIR

7 months ago
Enhance Threat Hunting with MITRE Lookup in MalChela 3.0.2

The recent update of MalChela 3.0.2 introduces MITRE Lookup, a tool that allows forensic investigators to search the MITRE ATT&CK framework offline. This feature enhances investigation speed by supporting keyword and Technique ID searches while providing tactic categories and detection guidance. Users can save results directly for future reference, enhancing analysis efficiency.

MalChela 3.0.2 introduces MITRE Lookup, a tool that allows forensic investigators to search the MITRE ATT&CK framework offline. This feature enhances investigation speed by supporting keyword and Technique ID searches while providing tactic categories and detection guidance. #DFIR #MalwareAnalysis

8 months ago

💙🐕 Toby! :)

8 months ago