622 Followers
456 Following
549 Posts
Security guy at Magnet Forensics. 🔎
🚨#DFIR , 💻 #PowerShell, 👾#MalwareAnalysis, 🥃 #BourbonWhisperer, 💨#Steampunk, and an appreciation for 😱 mystery & the macabre. 🦀 Latest obsession, #MalChela, a YARA and malware analysis toolkit written in #Rust.
Blog: https://bakerstreetforensics.com/blog
GitHub: https://github.com/dwmetz
GitHub.io: https://dwmetz.github.io
LinkedIn: https://linkedIn.com/in/dwmetz
MalChela: https://github.com/dwmetz/MalChela
MalChela Docs: https://dwmetz.github.io/MalChela/

Just got an email for a “Cyber Easter” sale. Can we please stop making everything Cyber?

Yes I wrote CyberPipe and host Cyber Unpacked… but still…

A Study in DFIR: Open-Source, Enterprise, and the Art of Analysis

Someone asked me recently how I see DFIR evolving — tooling, automation, and open-source versus enterprise platforms. It's the kind of question that sounds like a conference panel topic, but the answer is grounded in how work actually gets done. In practice, it isn't a binary choice. The most effective IR practitioners I've worked with use a combination of both commercial and open-source tools, depending on the problem in front of them.

http://bakerstreetforensics.com/2026/03/18/a-study-in-dfir-open-source-enterprise-and-the-art-of-analysis/

Baker Street Forensics

New YouTube Video series covering the free open-source YARA & Malware Analysis toolkit, MalChela. Covers installation, Initial static analysis, YARA rule creation, REMnux integration and more.

http://bakerstreetforensics.com/2026/03/11/the-game-is-afoot-introducing-the-malchela-video-series/

The Game Is Afoot: Introducing the MalChela Video Series

There’s a moment every analyst knows — the one where an unknown file lands on your desk and the clock starts ticking. You need answers, and you need them fast. MalChela was built for exactly …

MalChela Meets AI: Three Paths to Smarter Malware Analysis

In a previous post I wrote about integrating MalChela with OpenCode on REMnux and giving the AI a quick briefing on the tool suite so it could incorporate them into its analysis workflow. That was a promising proof of concept, but it raised a natural follow-up question: how do you make these integrations more robust, reproducible, and persistent? Since that post, I've been experimenting with three different approaches to bringing MalChela into AI-assisted workflows — each suited to a different environment and use case.

http://bakerstreetforensics.com/2026/03/03/malchela-meets-ai-three-paths-to-smarter-malware-analysis/


Streamline Malware Hash Search with FOSSOR

We’ve all encountered this scenario: you’re reading a threat report from CISA or Microsoft and come across hashes related to a malware infection. You start copying these hashes and head to one of your favorite virus repositories to check if there’s a source available for download so you can analyze the malware yourself. Unfortunately, you don’t find a match. So, you move on to another site and repeat the process.

http://bakerstreetforensics.com/2026/02/10/streamline-malware-hash-search-with-fossor/


Enhancing Malware Analysis with REMnux and AI

Those familiar with my work know that I’m a big fan of the REMnux Linux distribution for malware analysis. When I developed MalChela, I included a custom configuration that can be invoked that not only includes the MalChela tool suite but also integrates many of the CLI tools installed in REMnux, providing an easy-to-use GUI. Recently, a new REMnux release was released on Ubuntu 24.04.

http://bakerstreetforensics.com/2026/02/09/enhancing-malware-analysis-with-remnux-and-ai/


Wrapping up 2025 with the year in code, including the evolution of MalChela for malware analysis, streamlined CyberPipe tools, and the introduction of Toby, a portable forensics platform. Focus was on creating practical solutions for #DFIR professionals and students for triage and #MalwareAnalysis

http://bakerstreetforensics.com/2025/12/05/2025-year-in-review-open-source-dfir-tools-and-malware-analysis-projects/

2025 Year in Review: Open Source DFIR Tools and Malware Analysis Projects

In 2025, significant advancements in DFIR toolkit development were achieved, including the evolution of MalChela for malware analysis, streamlined CyberPipe tools, and the introduction of Toby, a p…

CyberPipe-Timeliner was developed to integrate Magnet Response collections with ForensicTimeliner. This tool automates the workflow of EZTools, and transforms collection data into a unified forensic timeline. #DFIR

http://bakerstreetforensics.com/2025/11/05/cyberpipe-timeliner-from-collection-to-timeline-in-one-script/

CyberPipe-Timeliner: From Collection to Timeline in One Script

CyberPipe-Timeliner was developed in response to a colleague’s query about integrating Magnet Response collections with ForensicTimeliner. This tool automates the workflow, transforming colle…

CyberPipe v5.3: Enhanced PowerShell Compatibility and Reliability

I'm pleased to announce the release of CyberPipe v5.3, bringing critical compatibility improvements for Windows PowerShell 5.1 and enhanced reliability across all PowerShell environments.

The Problem

After releasing v5.2 with the new unified banner design, several users reported an interesting issue: CyberPipe would execute perfectly in PowerShell Core, but in Windows PowerShell 5.1, the script would complete the Magnet Response collection successfully—then immediately fail with an exit code error and stop before running EDD and BitLocker key recovery.

http://bakerstreetforensics.com/2025/11/04/cyberpipe-v5-3-enhanced-powershell-compatibility-and-reliability/


CyberPipe, a PowerShell script for digital evidence collection, has been updated with enhancements in collection, capabilities, and reliability. New features include intelligent collection with dual disk space validation, a QuickTriage profile, and improved BitLocker recovery. #DFIR

http://bakerstreetforensics.com/2025/10/16/streamline-digital-evidence-collection-with-cyberpipe-5-2/

Streamline Digital Evidence Collection with CyberPipe 5.2

CyberPipe, developed for incident response, is a PowerShell script facilitating efficient digital evidence collection in enterprise settings. Recent updates include improved collection methods, cap…