#dfir — Public Fediverse posts

Dr Fazeelat Duran explores how repeated exposure to distressing material affects law enforcement staff over time—and what organisations can do to better support them. https://www.forensicfocus.com/podcast/how-distressing-material-shapes-investigator-well-being/ #DigitalForensics #DFIR

Dr Fazeelat Duran explores how repeated exposure to distressing material affects law enforcement staff over time—and what organisations can do to better support them. https://www.forensicfocus.com/podcast/how-distressing-material-shapes-investigator-well-being/ #DigitalForensics #DFIR

История одного инцидента, или почему не стоит публиковать 1С

Всем привет, на связи команда DFIR JetCSIRT! Недавно мы столкнулись с кейсом, где злоумышленники были обнаружены на ранних этапах атаки. Они не успели довести дело до импакта, но изрядно наследили, что дало нам возможность изучить их тактики, техники и процедуры (TTP) в действии. Мы готовы рассказать, как это было, и дать рекомендации по повышению уровня защищенности.

https://habr.com/ru/companies/jetinfosystems/articles/1035226/

#Ransomware #DFIR #1С #Форензика #Forensics #информационная_безопасность #вредоносное_ПО #SOC #иб

@volexity Volcano Server & Volcano One v26.04.27 adds memory analysis for arm64 Windows, memory-only .NET assemblies, SRUM database, Linux systemd units, history & timers from RAM.

This release also adds detection of AppleScript usage, cleared Windows event logs, AV scanning of files & deployments across AWS accounts.

Contact us for more information: https://volexity.com/company/contact/

#memoryforensics #memoryanalysis #dfir

Investigation Scenario 🔎

You've discovered a user workstation with the Chrome Remote Desktop plugin installed. There's no business reason for the user to have this plugin, and they don't recall installing it.

What do you look for to investigate whether an incident occurred and the extent of its impact?

#InvestigationPath #DFIR #SOC

BelkaGPT in Belkasoft X analyses images, transcribes audio and video, and supports natural language search across 100+ languages. Watch the full walkthrough to see how multimodal AI can help investigators surface relevant evidence faster. https://youtu.be/795cwedo870

#DFIR #DigitalForensics #BelkaGPT #BelkasoftX

BelkaGPT in Belkasoft X analyses images, transcribes audio and video, and supports natural language search across 100+ languages. Watch the full walkthrough to see how multimodal AI can help investigators surface relevant evidence faster. https://youtu.be/795cwedo870

#DFIR #DigitalForensics #BelkaGPT #BelkasoftX

Explore a selection of the latest DFIR employment opportunities in this week’s Forensic Focus jobs round-up. https://www.forensicfocus.com/jobs/digital-forensics-jobs-round-up-may-11-2026/ #DigitalForensics #DFIR

Explore a selection of the latest DFIR employment opportunities in this week’s Forensic Focus jobs round-up. https://www.forensicfocus.com/jobs/digital-forensics-jobs-round-up-may-11-2026/ #DigitalForensics #DFIR

Email investigations are evolving fast—Eric Fookes of Fookes Software discusses AI, cloud evidence, privacy, and the future of forensic email analysis. https://www.forensicfocus.com/interviews/eric-fookes-founder-ceo-fookes-software/ #FookesSoftware #Aid4Mail #DigitalForensics #DFIR

Email investigations are evolving fast—Eric Fookes of Fookes Software discusses AI, cloud evidence, privacy, and the future of forensic email analysis. https://www.forensicfocus.com/interviews/eric-fookes-founder-ceo-fookes-software/ #FookesSoftware #Aid4Mail #DigitalForensics #DFIR

Discover what’s new on Forensic Focus – explore the emerging threat of AI-generated CSAM, preview what's to come at Techno East 2026, register free for Forensics Europe Expo 2026, and more. https://www.forensicfocus.com/news/forensic-focus-digest-may-08-2026/ #DigitalForensics #DFIR

Discover what’s new on Forensic Focus – explore the emerging threat of AI-generated CSAM, preview what's to come at Techno East 2026, register free for Forensics Europe Expo 2026, and more. https://www.forensicfocus.com/news/forensic-focus-digest-may-08-2026/ #DigitalForensics #DFIR

#DFIR Thoughts 💭
No AI has ever turned a subpar employee into a star employee. Hasn't happened and it never will.

AI creates a false sense of achievement in underperforming employees. Period. Without the judgment to evaluate quality, they can't distinguish what works from what doesn't. #LLM

Si and Desi discuss a range of digital forensics topics, from writing forensic reports that juries can actually understand, to whether AI is coming for "button pusher" DFIR jobs. https://www.forensicfocus.com/podcast/dfir-in-2026-ai-button-pusher-forensics-writing-courtroom-reports-audio-breakthroughs-and-the-leica-geosystems-conference/ #DigitalForensics #DFIR

Si and Desi discuss a range of digital forensics topics, from writing forensic reports that juries can actually understand, to whether AI is coming for "button pusher" DFIR jobs. https://www.forensicfocus.com/podcast/dfir-in-2026-ai-button-pusher-forensics-writing-courtroom-reports-audio-breakthroughs-and-the-leica-geosystems-conference/ #DigitalForensics #DFIR

Can examiners talk about cases after trial? Ethical guidance
Watch or listen to the full conversation in the latest Digital Forensics Now podcast.
Watch here: https://www.youtube.com/live/4BcvznP_yEY
Listen on any and all podcasting platforms.

#DigitalForensics #MobileForensics #DFIR

Can examiners talk about cases after trial? Ethical guidance
Watch or listen to the full conversation in the latest Digital Forensics Now podcast.
Watch here: https://www.youtube.com/live/4BcvznP_yEY
Listen on any and all podcasting platforms.

#DigitalForensics #MobileForensics #DFIR

Can examiners talk about cases after trial? Ethical guidance
Watch or listen to the full conversation in the latest Digital Forensics Now podcast.
Watch here: https://www.youtube.com/live/4BcvznP_yEY
Listen on any and all podcasting platforms.

#DigitalForensics #MobileForensics #DFIR

Can examiners talk about cases after trial? Ethical guidance
Watch or listen to the full conversation in the latest Digital Forensics Now podcast.
Watch here: https://www.youtube.com/live/4BcvznP_yEY
Listen on any and all podcasting platforms.

#DigitalForensics #MobileForensics #DFIR

Can examiners talk about cases after trial? Ethical guidance
Watch or listen to the full conversation in the latest Digital Forensics Now podcast.
Watch here: https://www.youtube.com/live/4BcvznP_yEY
Listen on any and all podcasting platforms.

#DigitalForensics #MobileForensics #DFIR

ICYMI, in March I released a Linux DFIR scenario and proposed an investigations contest.

https://righteousit.com/2026/03/27/linux-forensic-scenario/

We received many excellent submissions and awarded some winners...with bragging rights and questionable fame, but sadly no fortune (what do I look like, MrBeast?).

https://www.linkedin.com/feed/update/urn:li:activity:7457038612812197890/

This week I've been posting the write-up of my investigation of the scenario data. Today I posted the final part where I describe the steps that I took as the attacker to create the scenario data.

https://righteousit.com/2026/05/07/linux-investigation-part-4/

Congratulations and thanks to all who participated!

#Linux #DFIR

Read the latest DFIR news – WAInsight WhatsApp forensics, Volatility3 and Hindsight updates, cloud forensics challenges, and more. https://www.forensicfocus.com/news/digital-forensics-round-up-may-06-2026/ #DigitalForensics #DFIR

Read the latest DFIR news – WAInsight WhatsApp forensics, Volatility3 and Hindsight updates, cloud forensics challenges, and more. https://www.forensicfocus.com/news/digital-forensics-round-up-may-06-2026/ #DigitalForensics #DFIR

The internal process of trying to convince/poach people to leave their cushy IT security jobs to join the Incident Response team is like trying to crew-up a pirate ship. Same pay, more stress, and shitty hours...but, but swashbuckling excitement!*

And we can't offer the prospect of prize money nor have the last resort of the "press" (i.e., kidnap them and get them aboard just as the ship sets sail)

*occasionally, ymmv, have to be vague when telling war stories

#DFIR #InfoSec

Investigation Scenario 🔎

While creating new user accounts in Active Directory, you find that several legitimate user accounts with no apparent connection are part of an undocumented group named "test".

What do you look for to investigate whether an incident occurred? Focus on the efficiency of your investigative actions here.

#InvestigationPath #DFIR #SOC

Part 2 of my Linux investigation is now available at RighteousIT.com. In this installment, I use some basic memory analysis techniques to further the investigation. Volatility 3 FTW!

https://righteousit.com/2026/05/05/linux-investigation-part-2/

#Linux #DFIR #Volatility

The last few days I was working on a case that made me thinking.

Its about a 15yr old boy who was victim to bullying at school. He came up with the story that his bully accesses his (and his parents) devices (phones, laptops). Changing hostnames, in-/uninstalling apps, sending text messages from one device to the other and the like. Finally there was a death-threat in a text file on the laptop.

My job was to prove or disprove the accusations.

Of course all this was made up and not a single trace on the devices supported his claims. Quiet the opposite. It was easy to prove, he staged all himself.

Unfortunately his parents are extreme no-tech people and believed their son every word how unlikely and not-technically-possilble his claims even were. But that's another story.

But... what a hell must he have lived in to stage such a story.

And if your kid comes up with some outrageous story ... there might be something behind, you should ask questions about.

--
BTW: The boy changed the school in the meantime.. and like magic.. no more "hacker" harassing him.

Stupid story, good ending.

#digitalforensics #dfir #bullying

The last few days I was working on a case that made me thinking.

Its about a 15yr old boy who was victim to bullying at school. He came up with the story that his bully accesses his (and his parents) devices (phones, laptops). Changing hostnames, in-/uninstalling apps, sending text messages from one device to the other and the like. Finally there was a death-threat in a text file on the laptop.

My job was to prove or disprove the accusations.

Of course all this was made up and not a single trace on the devices supported his claims. Quiet the opposite. It was easy to prove, he staged all himself.

Unfortunately his parents are extreme no-tech people and believed their son every word how unlikely and not-technically-possilble his claims even were. But that's another story.

But... what a hell must he have lived in to stage such a story.

And if your kid comes up with some outrageous story ... there might be something behind, you should ask questions about.

--
BTW: The boy changed the school in the meantime.. and like magic.. no more "hacker" harassing him.

Stupid story, good ending.

#digitalforensics #dfir #bullying

As AI-generated CSAM blurs the line between real and fabricated evidence, investigators need the right tools, legal awareness and forensic expertise to identify victims, prioritise leads and pursue justice responsibly. https://www.forensicfocus.com/articles/ai-generated-csam-staying-ahead-of-the-threat/ #Cellebrite #AI #DigitalForensics #DFIR

As AI-generated CSAM blurs the line between real and fabricated evidence, investigators need the right tools, legal awareness and forensic expertise to identify victims, prioritise leads and pursue justice responsibly. https://www.forensicfocus.com/articles/ai-generated-csam-staying-ahead-of-the-threat/ #Cellebrite #AI #DigitalForensics #DFIR

As AI-generated CSAM blurs the line between real and fabricated evidence, investigators need the right tools, legal awareness and forensic expertise to identify victims, prioritise leads and pursue justice responsibly. https://www.forensicfocus.com/articles/ai-generated-csam-staying-ahead-of-the-threat/ #Cellebrite #AI #DigitalForensics #DFIR

As AI-generated CSAM blurs the line between real and fabricated evidence, investigators need the right tools, legal awareness and forensic expertise to identify victims, prioritise leads and pursue justice responsibly. https://www.forensicfocus.com/articles/ai-generated-csam-staying-ahead-of-the-threat/ #Cellebrite #AI #DigitalForensics #DFIR

As AI-generated CSAM blurs the line between real and fabricated evidence, investigators need the right tools, legal awareness and forensic expertise to identify victims, prioritise leads and pursue justice responsibly. https://www.forensicfocus.com/articles/ai-generated-csam-staying-ahead-of-the-threat/ #Cellebrite #AI #DigitalForensics #DFIR

There's a new Hindsight release! New features in v2026.04 include:

- Parsing of Sessions_* and Tabs_* files (SNSS) into both the Timeline and a dedicated "Sessions" tab in the XLSX output

- Parsing of Platform Notifications (including when shown, clicked, and more!)

- More fields for URL Visit rows: Categories, Entities, Cluster, Window ID, Tab ID, and Response Code

More details: https://dfir.blog/hindsight-parses-sessions-and-notifications/
Release: https://github.com/RyanDFIR/hindsight/releases/tag/v2026.04

#DFIR #Hindsight #Chrome #BF4SA

Sorry for the LinkedIn link, but I wanted to announce the results of my recent Linux DFIR scenario.

https://www.linkedin.com/feed/update/urn:li:share:7457038609695707136/

#Linux #DFIR

You need communication resilience and security. Security cannot be black box, platform and operating system needs to be in house. Crypto agility and geostationary routing. I think you need something way better.
#comsec #opsec #resilience #redteam #satcom #dfir #outofband #preparedness

Unmasking the Moon: Comparing LunaStealer Samples with MalChela and Claude

As one tends to do on Saturday mornings with coffee in hand, I was reviewing two samples that were attributed to the LunaStealer / LunaGrabber family. Originally I was validating that tiquery was working with the MCP configuration, however what started as a quick TI check turned into a full static analysis session — and it gave me a good opportunity to put the MalChela MCP integration through its paces in a real workflow. This post walks through how that investigation unfolded, what the pivot points were, and what we found at the bottom of the rabbit hole.

The Setup

If you haven’t seen the MalChela MCP plugin before, the short version is this: MalChela is a Rust-based malware analysis toolkit I’ve been building for a while — tools like tiquery, fileanalyzer, mstrings, and others. The MCP server exposes all of those tools to Claude Desktop natively, so instead of dropping to the terminal for every command, I can run analysis steps conversationally and let Claude help interpret the results and suggest next moves.

This is not replacing the terminal — it’s augmenting it. The pivot decisions still come from the analyst. But having a reasoning layer that can look at mstrings output and say “that SetDllDirectoryW + GetTempPathW combination is staging behavior, and here’s the ATT&CK mapping” is genuinely useful when you’re moving fast.

Both samples were sitting in a folder on my Desktop. I had SHA-256 hashes. Let’s go.

Phase 1: Threat Intelligence Query

First move is always TI. The MalChela tiquery tool hits MalwareBazaar, VirusTotal, Hybrid Analysis, MetaDefender, and Triage simultaneously and returns a combined results matrix. Two calls, two answers.

Sample 1 (4f3b8971...) came back confirmed LunaStealer across all five sources. First seen 2025-12-01. Original filename sdas.exe. VT tagged it trojan.generickdq/python — already telling us something about the build.

Sample 2 (d4f57b42...) was more interesting. MalwareBazaar returned both LunaGrabber and LunaStealer tags. Triage clustered it with BlankGrabber, GlassWorm, IcedID, and Luca-Stealer. The original filename was loader.exe. That’s a different kind of name than sdas.exe. One sounds like a throwaway test artifact. The other sounds deliberate.

The TI results alone suggested these weren’t just two copies of the same thing. They were potentially different components of the same campaign.

Phase 2: Static PE Analysis

fileanalyzer and mstrings on both samples.

The first thing that jumped out was the imphash — f3c0dbc597607baa2ea891bc3a114b19 — identical on both. Same section layout, same section sizes, same import count (146), same 7 PE sections including the .fptable section that PyInstaller uses for its frozen module table. These two samples were compiled from the same PyInstaller loader template with different payloads bundled inside.

But the entropy diverged sharply. Sample 1 (sdas.exe) came in at 3.9 — low, even for a PyInstaller bundle. Sample 2 (loader.exe) was 6.9 — high, indicating the embedded payload is compressed or encrypted more aggressively. Combined with the file size difference (47 MB vs 22 MB), this was the first signal that what was inside each bundle was meaningfully different.

mstrings gave us 22–23 ATT&CK-mapped detections across both samples — largely the same set: IsDebuggerPresent, QueryPerformanceCounter, SetDllDirectoryW, GetTempPathW, ExpandEnvironmentStringsW, OpenProcessToken. Standard infostealer staging behavior. Tcl_CreateThread showed up in both, which is a PyInstaller artifact from bundling Python with Tkinter. The VT python family tag made more sense in context.

Phase 3: PyInstaller Extraction

Both samples were extracted with pyinstxtractor-ng. This is where the two samples started to diverge clearly.

Sample 1 entry point: sdas.pyc — Python 3.13, 112 files in the CArchive, 752 modules in the PYZ archive.

Sample 2 entry point: cleaner.pyc — Python 3.11, 113 files, 760 modules.

The name cleaner.pyc inside a file called loader.exe is a tell. That’s not a stealer payload name. That’s something that runs after.

The bundled library sets were nearly identical between both — requests, requests_toolbelt, Cryptodome, cryptography, psutil, PIL, sqlite3, win32 — same stealer framework. But Sample 2 had a unique addition: a l.js reference (mapped to T1059 — Command and Scripting Interpreter). A JavaScript component not present in the December build. The OpenSSL versions also differed: Sample 1 bundled libcrypto-3.dll (OpenSSL 3.x), Sample 2 had libcrypto-1_1.dll (OpenSSL 1.1). Different build environments, roughly one month apart.

At this point the working theory was solid: Sample 1 is a standalone stealer. Sample 2 is a later-generation dropper/installer with an updated payload and additional capability.

Phase 4: Bytecode Decompilation

decompile3 couldn’t handle Python 3.11 or 3.13 bytecode. That’s a known limitation. pycdc (Decompyle++) handles both.

sdas.pyc decompiled cleanly — the import stack made the capability set immediately obvious:

 from win32crypt import CryptUnprotectData  from Cryptodome.Cipher import AES  from PIL import Image, ImageGrab  from requests_toolbelt.multipart.encoder import MultipartEncoder  import sqlite3  

CryptUnprotectData for browser master key decryption. AES for the decryption itself. ImageGrab for screenshots. MultipartEncoder for structured exfiltration. Classic infostealer, nothing surprising.

cleaner.pyc was a different story. The decompiler output opened with this:

 __________ = eval(getattr(__import__(bytes([98,97,115,101,54,52]).decode()), ...  

Heavy obfuscation — byte arrays used to reconstruct eval, getattr, and __import__ at runtime so none of those strings appear in plain text. The approach is designed to evade static string detection. Decode the byte arrays and you get:

 bytes([98,97,115,101,54,52])        → "base64"  bytes([90,88,90,104,98,65,61,61])   → b64decode("ZXZhbA==") → "eval"  bytes([90,50,86,48,...])            → "getattr"  bytes([88,49,57,112,...])           → "__import__"  

Standard Python malware obfuscation. But buried further down in the decompile output was a large binary blob — a bytes literal starting with \xfd7zXZ. That’s the LZMA magic header.

Phase 5: LZMA Stage 2 Extraction

The blob was located at offset 0x17d4 in the pyc file. Extract and decompress it:

 import lzma  blob = open('cleaner.pyc', 'rb').read()  idx = blob.find(b'\xfd7zXZ')  decompressed = lzma.decompress(blob[idx:])  # → 102,923 bytes  

One important detail: the decompression is wrapped in a try/except LZMAError block with os._exit(0) on failure. If the decompression fails — as it would in some emulated sandbox environments — the process exits silently with no error. That’s the anti-sandbox mechanism.

The decompressed payload was another obfuscated Python source using a custom alphabet substitution encoding. The final execution chain was compile() + exec(). Decoding the full stage 2 revealed everything:

The injection URL:

 https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js  

This is the live Discord injection payload. The stage 2 pulls this JavaScript file from GitHub and injects it into the Discord desktop client’s core module, persisting across restarts.

The capability set from stage 2:

• Anti-analysis checks on startup: process blacklist (~30 entries including wireshark, processhacker, vboxservice, ollydbg, x96dbg, pestudio), MAC address blacklist (80+ VM prefixes), HWID blacklist, IP blacklist, username/PC name blacklists
• Discord token theft from all three release channels (stable, canary, PTB)
• Browser credential theft across 20+ Chromium and non-Chromium browsers
• Roblox session cookie harvesting (.ROBLOSECURITY= targeting with API validation)
• Desktop screenshot capture
• Self-destruct: ping localhost -n 3 > NUL && del /F "{path}"

The ping delay is a simple trick — the 3-second wait lets the process fully exit before the delete fires, so the file removes itself cleanly after execution.

What MalChela + MCP Added to This Workflow

The honest answer is: speed and synthesis.

tiquery hitting five TI sources in one call versus five separate browser tabs or CLI invocations is a meaningful time saving, but that’s the surface benefit. The deeper value showed up in the mstrings step — getting ATT&CK-mapped output with technique IDs alongside the raw strings meant the behavioral picture came together faster than manually correlating imports against the ATT&CK matrix.

The MCP integration meant each of those steps — TI query, PE analysis, string extraction — could happen within the same conversation context. Claude could see the fileanalyzer output and the mstrings output together and note that the entropy difference between the two samples was significant, that the identical imphash meant shared loader infrastructure, that the staging imports in mstrings were consistent with the exfil approach suggested by the TI tags. That cross-tool synthesis is where the integration earns its keep.

The parts that still required manual work: pyinstxtractor-ng, pycdc, the LZMA extraction, and decoding the stage 2. Those are terminal steps on the Mac.

IOCs at a Glance

Samples:

Injection URL:

 https://raw.githubusercontent.com/Smug246/luna-injection/main/obfuscated-injection.js  

Self-destruct pattern:

 ping localhost -n 3 > NUL && del /F "{executable}"  

Imphash (shared loader stub):

 f3c0dbc597607baa2ea891bc3a114b19  

A full IOC list including ~60 C2 IPs, MAC address blacklists, and HWID blacklists is in the analysis report linked below.

Downloads

• 📄 [Full Analysis Report] — Complete investigation narrative, sample properties, capability breakdown, IOC documentation, campaign timeline, and recommendations. (LunaStealer_Analysis_Report.pdf)
• 🛡️ [YARA Rules — PE] — Four rules targeting the PE samples: exact hash match, shared PyInstaller stub (imphash-based), infostealer payload strings, generic PyInstaller infostealer. (lunastealer_pe.yar)

If you’re running MalChela in your environment and want to reproduce the TI query steps, the MalChela MCP plugin source is on GitHub at github.com/dwmetz/MalChela. Questions or additions to the IOC list — find me on the usual channels.

The Long Game: MalChela v4.0

When I started building MalChela, I had a narrow problem to solve. I was doing a lot of malware triage during incident response engagements and I kept reaching for the same scattered set of tools — VirusTotal, some strings extraction, a hash lookup here, a YARA scan there. The workflow existed, but it wasn’t a workflow. It was a series of scripts and context switches dressed up as a process. I wanted something that unified those steps under one roof, ran locally, and felt like a tool a forensicator actually built.

What I got was MalChela. What I didn’t expect was how far it would go.

From Rust Experiment to Field Platform

The first version was modest. A handful of tools with a unifying CLI runner. The goal was simple: hash a malware sample, look it up, pull strings, run YARA. The kind of triage you want to do in the first ten minutes with an unknown file.

Version 2 brought a desktop GUI — MalChelaGUI, built on egui/eframe. It was a genuine step up in accessibility. Analysts who weren’t comfortable in the terminal had a way in. The toolset kept growing.

Version 3 added structure around the investigation itself. Case management landed, giving results somewhere to live across a session. MCP server integration followed, opening up a whole new mode of operation — Claude working alongside the tools, not just alongside me.

But the GUI carried freight. It meant building for a specific platform, managing a Rust GUI dependency chain, and ultimately shipping something that couldn’t easily follow MalChela into its most interesting new use case: the field.

Toby Changed Everything

If you’ve been following Baker Street Forensics for the last few months, you’ve seen the ‘TOBYgotchi‘ project take shape — a Raspberry Pi Zero 2W running Kali Linux, with a Waveshare e-ink display, PiSugar battery, and MalChela pre-installed. Boot it up, it announces itself on the network, and you’re ready to triage. And yes, I am working on making a full build of TOBY available to the public. Stay tuned…

The original field kit vision was: SSH in, run tools from the CLI, pull results. Simple and functional. But the more I used Toby in practice, the more I wanted a better interface — something that worked without a terminal, something a colleague could pick up at a scene without knowing the command syntax.

MalChelaGUI on a Pi Zero 2W is possible but not comfortable. The egui overhead, the X display stack, remote display via VNC — it all works, but it’s friction. What I wanted was something lighter. Something any browser on the network could reach. Something that felt native on an iPad.

That’s what pulled me toward the PWA.

v4.0: The PWA Takes Over

MalChela v4.0 retires the desktop GUI entirely and replaces it with a Progressive Web App as the primary interface.

Every tool that lived in MalChelaGUI has been ported. Most have been improved in the process. The PWA is served locally from the server/ directory — run setup-server.sh once after building the binaries, then start-server.sh on every subsequent boot. Open any browser on the local network and you’re in.

On Toby, this is now part of autostart. Boot the Pi — battery-powered, no cables required — and the server comes up automatically. Connect from your desktop, phone or iPad directly to the PWA. No VNC, no X display overhead, no SSH tunnel. Just a browser pointing at the Pi’s IP.

And here’s the part that makes it genuinely useful in the field: you can upload files directly from whatever device you’re browsing from to the MalChela server. Phone, iPad, laptop — if it has a browser and can reach Toby on the network, it can submit a sample for analysis. The triage station travels with you, and so does the interface.

This is still a work in progress, but the direction is clear: a battery-powered Pi you can drop on a table at a scene, pull out your tablet, and start triaging — no keyboard, no monitor, no additional hardware required.

The field kit I was imagining finally snapped into focus.

REMnux Support

Running MalChela on a REMnux instance? It’s now even easier to load the REMnux configuration tools.yaml.

Configuration > tools.yaml > Load REMnux

then refresh the browser and you’ve got access to all the REMnux CLI tools from within MalChela.

What Else Is New

Simplified case management. This one’s been on my list for a while. In previous versions, case management was tied to starting with a file or folder — you had to know what you were investigating before you could create a case. That’s not how IR actually works. v4.0 breaks that dependency: any result can be saved to a case, and you can create a new case from within a running tool session. All the output, whether from the included cargo tools, or 3rd party add-ons like TShark or Volatility, can be saved to your case. The investigation defines the case, not the other way around.

Improved Volatility support. The Volatility integration got a meaningful UX overhaul. The reference panel has been improved, and output now streams inline within the PWA — no more spawning a separate terminal window to see results, which was one of the more awkward edges of the old GUI experience.

Rapid tool iteration via tools.yaml. The PWA is built around a tools.yaml configuration file that defines the tool manifest. Add a new tool, update the YAML, refresh the interface — done. No recompiling the GUI, no rebuilding the binary for a UI change. This makes extending MalChela considerably faster in practice, and opens the door for community-contributed tool configs down the road.

Try MalChela for Yourself

MalChela v4.0 is available on GitHub now: https://github.com/dwmetz/MalChela/

The CLI isn’t going anywhere. If you’re scripting triage workflows, running MalChela headless in an automated pipeline, or just prefer the terminal, everything you relied on in v3.x is still there. The PWA is the new face of MalChela; the CLI is still the engine.

Want to run MalChela on Windows? You can build it in an Ubuntu instance in WSL. Once you start the server in WSL, the Windows host can access the PWA via http://localhost:8675. (In modern WSL2 Microsoft automatically forwards WSL loopback → Windows localhost.)

If you hit any constraints, open an issue on GitHub. I tried to be as thorough as possible in my testing, but there’s only so much a one-man dev team can do. I’m happy assist in troubleshooting and improve the documentation. Rest assured you won’t get a “well, it works in my environment…”

Magnet User Summit 2026 celebrates standout agencies, prosecutors, and rising digital investigators whose leadership, innovation, and commitment to justice are shaping the future of digital forensics. https://www.forensicfocus.com/news/magnet-forensics-honors-2026-agency-impact-and-scholarship-award-recipients/ #MagnetForensics #MagnetUserSummit #DigitalForensics #DFIR

Magnet User Summit 2026 celebrates standout agencies, prosecutors, and rising digital investigators whose leadership, innovation, and commitment to justice are shaping the future of digital forensics. https://www.forensicfocus.com/news/magnet-forensics-honors-2026-agency-impact-and-scholarship-award-recipients/ #MagnetForensics #MagnetUserSummit #DigitalForensics #DFIR

Magnet Forensics is bringing AI-powered intelligence, instant evidence sharing, and new third-party integrations to Magnet One — connecting mobile, vehicle, cloud, drone, and computer evidence in a single investigative workflow. https://www.forensicfocus.com/news/magnet-forensics-redefines-digital-investigations-with-evolution-of-magnet-one/ #MagnetForensics #MagnetOne #DigitalForensics #DFIR

Magnet Forensics is bringing AI-powered intelligence, instant evidence sharing, and new third-party integrations to Magnet One — connecting mobile, vehicle, cloud, drone, and computer evidence in a single investigative workflow. https://www.forensicfocus.com/news/magnet-forensics-redefines-digital-investigations-with-evolution-of-magnet-one/ #MagnetForensics #MagnetOne #DigitalForensics #DFIR

Read the latest DFIR news – Techno East 2026, Apple Watch acquisition techniques, macOS metadata gaps, ALEAPP 3.4.1, and more. https://www.forensicfocus.com/news/digital-forensics-round-up-april-29-2026/ #DigitalForensics #DFIR

Read the latest DFIR news – Techno East 2026, Apple Watch acquisition techniques, macOS metadata gaps, ALEAPP 3.4.1, and more. https://www.forensicfocus.com/news/digital-forensics-round-up-april-29-2026/ #DigitalForensics #DFIR

Magnet Forensics has introduced Magnet AI and Intelligent Insights, helping investigators cut through complex digital evidence, surface meaningful connections, and move cases forward faster while keeping human judgment at the centre. https://www.forensicfocus.com/news/magnet-forensics-unveils-magnet-ai-advancing-the-next-era-of-digital-investigative-intelligence/ #MagnetForensics #MagnetAI #DigitalForensics #DFIR