Moving blog to

toolsmith and HolisticInfoSec have moved. I’ve decided to consolidate all content on one platform, namely an R markdown blogdown site running with Hugo for static HTML creation. My frustration with Blogger/Blogspot met its limit when a completed draft o…

August 7, 2018

toolsmith #133 – Anomaly Detection & Threat Hunting with Anomalize

June 4, 2018

When, in October and November’s toolsmith posts, I redefined DFIR under the premise of Deeper Functionality for Investigators in R, I discovered a “tip of the iceberg” scenario. To that end, I’d like to revisit the concept with an additional discovery and opportunity. In reality, this is really a case of DFIR (Deeper Functionality for Investigators in R) within the general practice of the original and paramount DFIR (Digital Forensics/Incident Response). As discussed here before,…


toolsmith #130 – OSINT with Buscador

January 2, 2018

In addition to my work as an information security leader and practitioner at Microsoft, I am privileged to serve in Washington’s military as a J-2, which means I’m part of the intelligence directorate of a joint staff. Intelligence duties in a guard unit context are commonly focused on situational awareness for mission readiness. Additionally, in my unit we combine part of J-6 (command, control, communications, and computer systems directorate of…


toolsmith #128 – DFIR Redefined: Deeper Functionality for Investigators with R – Part 1

October 18, 2017

“To competently perform rectifying security service, two critical incident response elements are necessary: information and organization.” ~ Robert E. Davis

I’ve been presenting DFIR Redefined: Deeper Functionality for Investigators with R across the country at various conference venues and thought it would be helpful to provide details for readers. The basic premise? Incident responders and investigators need all the help they can get. Let me lay just a few statistics on you, from’s The…


Toolsmith Tidbit: Windows Auditing with WINspect

September 11, 2017

WINSpect recently hit the toolsmith radar screen via Twitter, and the author, Amine Mehdaoui, just posted an update a couple of days ago, so no time like the present to give you a walk-through. WINSpect is a PowerShell-based Windows Security Auditing Toolbox. According to Amine’s GitHub README, WINSpect “is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine…


Toolsmith Release Advisory: Magic Unicorn v2.8

August 28, 2017

David Kennedy and the TrustedSec crew have released Magic Unicorn v2.8. Magic Unicorn is “a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory, based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by Dave and Josh Kelly at Defcon 18.” Version 2.8: shortens length and obfuscation of the unicorn command; removes direct -ec from the PowerShell command. Usage: “Usage is simple, just run Magic Unicorn…


Toolsmith #127: OSINT with Datasploit

August 16, 2017

I was reading an interesting Motherboard article, Legal Hacking Tools Can Be Useful for Journalists, Too, that includes reference to one of my all time OSINT favorites, Maltego. Joseph Cox’s article also mentions Datasploit, a 2016 favorite for fellow tools aficionado, see 2016 Top Security Tools as Voted by Readers. Having not yet explored Datasploit myself, this proved to be a grand case of “no time like the present.” Datasploit…


Toolsmith #126: Adversary hunting with SOF-ELK

July 8, 2017

As we celebrate Independence Day, I’m reminded that we honor what was, of course, an armed conflict. Today’s realities, when we think about conflict, are quite different than the days of lining troops up across the field from each other, loading muskets, and flinging balls of lead into the fray. We live in a world of asymmetrical battles, often conflicts that aren’t always obvious in purpose and intent, and likely fought…


Toolsmith #125: ZAPR – OWASP ZAP API R Interface

May 22, 2017

It is my sincere hope that when I say OWASP Zed Attack Proxy (ZAP), you say “Hell, yeah!” rather than “What’s that?”. This publication has been a longtime supporter, and so many brilliant contributors and practitioners have lent to OWASP ZAP’s growth, in addition to @psiinon’s extraordinary project leadership. OWASP ZAP has been 1st or 2nd in the last four years of @ToolsWatch best tool surveys for a damned good…


Toolsmith #124: Dripcap – Caffeinated Packet Analyzer

March 27, 2017

Dripcap is a modern, graphical packet analyzer based on Electron. Electron, you say? “Electron is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS. It takes care of the hard parts so you can focus on the core of your application.” We should all be deeply familiar with the venerable Wireshark, as it has long been the forerunner for packet analysts seeking a graphical interface to…