627 Followers
458 Following
555 Posts
🚨#DFIR , 👾#MalwareAnalysis, 🥃 #BourbonWhisperer, 💨#Steampunk, and an appreciation for 😱 mystery & the macabre. 🦀 Latest obsession, #MalChela, a YARA and malware analysis toolkit written in #Rust.
Blog: https://bakerstreetforensics.com/blog
GitHub: https://github.com/dwmetz
GitHub.io: https://dwmetz.github.io
LinkedIn: https://linkedIn.com/in/dwmetz
MalChela: https://github.com/dwmetz/MalChela
MalChela Docs: https://dwmetz.github.io/MalChela/

Mind Palace: A Personal Search Engine for the Way I Actually Work

"I consider that a man's brain originally is like a little empty attic, and you have to stock it with such furniture as you choose." — Sherlock Holmes, A Study in Scarlet

There's a particular kind of frustration that I suspect a lot of researchers know well: you're in the middle of something, an analysis, a blog post, a deck, and you know you've written or read or bookmarked something about this before.

http://bakerstreetforensics.com/2026/05/16/mind-palace-a-personal-search-engine-for-the-way-i-actually-work/?utm_source=mastodon&utm_medium=jetpack_social


MalChela v4.1: Mac Malware Analysis Arrives

MalChela v4.1 is out today, and the headline is something I've been wanting to tackle for a while: dedicated Mac malware analysis tooling. If you've been following the channel or the blog, you know MalChela started as a triage-first toolkit aimed at the kinds of samples that show up in Windows-centric IR engagements. That coverage was never the full picture. Mac malware — infostealers, adware loaders, APT implants — has become too common to treat as an edge case.

http://bakerstreetforensics.com/2026/05/06/malchela-v4-1-mac-malware-analysis-arrives/?utm_source=mastodon&utm_medium=jetpack_social


Unmasking the Moon: Comparing LunaStealer Samples with MalChela and Claude

As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that tiquery was working with the MCP configuration; however, what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow.

http://bakerstreetforensics.com/2026/05/02/unmasking-the-moon-comparing-lunastealer-samples-with-malchela-and-claude/?utm_source=mastodon&utm_medium=jetpack_social


The Long Game: MalChela v4.0

When I started building MalChela, I had a narrow problem to solve. I was doing a lot of malware triage during incident response engagements and I kept reaching for the same scattered set of tools — VirusTotal, some strings extraction, a hash lookup here, a YARA scan there. The workflow existed, but it wasn't a workflow. It was a series of scripts and context switches dressed up as a process.

http://bakerstreetforensics.com/2026/05/01/the-long-game-malchela-v4-0/


From QR to Threat Identification in one Click

Recently I introduced Threat Intel Query (tiquery), a multi-source threat intelligence lookup tool. The first iteration expanded on the capability of malhash and enabled the submission of malware hashes against multiple threat intel sites. Then yesterday I was targeted with an SMS phishing message. (Note: I don't know why but I detest the term 'smishing', or any of the other '

http://bakerstreetforensics.com/2026/04/25/from-qr-to-threat-identification-in-one-click/


MalChela 3.2: More Cowbell? More Intel!

One of the things I value most about the open-source community is that the best improvements to a tool often don’t come from inside it — they come from outside conversations. A short while back, the author of mlget, xorhex, reached out and suggested I add more malware retrieval sources to FOSSOR, one of my earlier tools for pulling down samples from threat intel repositories.

http://bakerstreetforensics.com/2026/04/17/malchela-3-2-more-cowbell-more-intel/


Just got an email for a “Cyber Easter” sale. Can we please stop making everything Cyber?

Yes I wrote CyberPipe and host Cyber Unpacked… but still…

A Study in DFIR: Open-Source, Enterprise, and the Art of Analysis

Someone asked me recently how I see DFIR evolving — tooling, automation, and open-source versus enterprise platforms. It's the kind of question that sounds like a conference panel topic, but the answer is grounded in how work actually gets done. In practice, it isn't a binary choice. The most effective IR practitioners I've worked with use a combination of both commercial and open-source tools, depending on the problem in front of them.

http://bakerstreetforensics.com/2026/03/18/a-study-in-dfir-open-source-enterprise-and-the-art-of-analysis/


New YouTube Video series covering the free open-source YARA & Malware Analysis toolkit, MalChela. Covers installation, Initial static analysis, YARA rule creation, REMnux integration and more.

http://bakerstreetforensics.com/2026/03/11/the-game-is-afoot-introducing-the-malchela-video-series/

The Game Is Afoot: Introducing the MalChela Video Series

There’s a moment every analyst knows — the one where an unknown file lands on your desk and the clock starts ticking. You need answers, and you need them fast. MalChela was built for exactly …


MalChela Meets AI: Three Paths to Smarter Malware Analysis

In a previous post I wrote about integrating MalChela with OpenCode on REMnux and giving the AI a quick briefing on the tool suite so it could incorporate them into its analysis workflow. That was a promising proof of concept, but it raised a natural follow-up question: how do you make these integrations more robust, reproducible, and persistent? Since that post, I've been experimenting with three different approaches to bringing MalChela into AI-assisted workflows — each suited to a different environment and use case.

http://bakerstreetforensics.com/2026/03/03/malchela-meets-ai-three-paths-to-smarter-malware-analysis/
