Week 48 – 2018


  • Hideaki Ihara at the Port 139 blog demonstrates amcache activity for process tracking on Win10
    USB and Amcache
  • Brian Moran at BriMor Labs walks through his process of parsing Skype Lite data
    Skype Hype/Gripe
  • Matt Shannon at F-Response explains how SIP and APFS affect an engagement using F-Response. I don’t know much about the SIP side of things, but the APFS problem will slowly go away. Unfortunately, it just takes a bit of time.
    F-Response, APFS, and SIP – Oh my


  • MITRE have published a post on how various EDR vendors fared “based on real-world adversary behaviors found in ATT&CK”. Frank Duff has published a post on Medium explaining the methodology used. The posting also resulted in responses from vendors included in the testing, such as those listed below
    First Round of MITRE ATT&CK™ Evaluations Released
  • Roberto Rodriguez at SpecterOps provides detection guidance against an attack where an adversary coerces “a domain controller (DC) to authenticate to a server configured with unconstrained delegation, capture the domain controller’s Ticket-Granting-Ticket (TGT), and export the TGT in order to impersonate the DC and perform attacks such as DCSync to request any domain user’s password”
    Hunting in Active Directory: Unconstrained Delegation & Forests Trusts
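One place to start hunting for the setup the SpecterOps post describes is the directory itself: the attack needs a non-DC host (or a user account) with unconstrained delegation enabled, which in Active Directory is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl. The script below is an added example, not code from the SpecterOps post: it parses a constructed LDIF export (the four entries and their DNs are made up for illustration) and reports every account that carries the bit but is not a domain controller, since DCs carry it by design.

```python
"""Flag accounts configured for unconstrained delegation.

Added example, not code from the SpecterOps post.  The flag values are the
documented userAccountControl bits; SAMPLE_LDIF is constructed here to stand
in for an `ldifde` / `ldapsearch` export of computer and user objects.
"""
from dataclasses import dataclass

# Documented userAccountControl bits (ADS_USER_FLAG_ENUM).
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000        # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation

# Constructed sample export: one DC, one member server with unconstrained
# delegation, one plain workstation, one service user with the bit set.
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=corp,DC=example
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=FILESRV01,OU=Servers,DC=corp,DC=example
sAMAccountName: FILESRV01$
userAccountControl: 528384

dn: CN=WS042,OU=Workstations,DC=corp,DC=example
sAMAccountName: WS042$
userAccountControl: 4096

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_backup
userAccountControl: 590336
"""


@dataclass
class Finding:
    sam_account_name: str
    dn: str
    kind: str  # "computer" or "user"


def parse_ldif(text):
    """Parse a minimal LDIF export into dicts; entries are blank-line separated."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def is_domain_controller(uac):
    """Domain controllers are the only objects with SERVER_TRUST_ACCOUNT set."""
    return bool(uac & SERVER_TRUST_ACCOUNT)


def find_unconstrained_delegation(entries):
    """Return non-DC accounts with TRUSTED_FOR_DELEGATION set.

    DCs are skipped because they carry the bit by design; the attack needs a
    *non-DC* host that a DC can be coerced into authenticating to, so every
    other account with the bit is a hunting lead.
    """
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if not uac & TRUSTED_FOR_DELEGATION or is_domain_controller(uac):
            continue
        kind = "computer" if uac & WORKSTATION_TRUST_ACCOUNT else "user"
        findings.append(Finding(e["sAMAccountName"], e["dn"], kind))
    return findings


if __name__ == "__main__":
    for f in find_unconstrained_delegation(parse_ldif(SAMPLE_LDIF)):
        print(f"{f.kind:8} {f.sam_account_name:12} {f.dn}")
```

On a live domain the same filter can be pushed to the directory instead of applied locally, e.g. `ldapsearch` with `(userAccountControl:1.2.840.113556.1.4.803:=524288)` (the bitwise-AND matching rule) or `Get-ADComputer -Filter {TrustedForDelegation -eq $true}` from the ActiveDirectory PowerShell module; the DC exclusion above is still worth keeping so the results are only the hosts an attacker would actually target.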


  • The CFP for DFRWS 2019 has opened and will close on January 25, 2019. The event will take place July 14-17
    Check out @DFRWS’s Tweet
  • John Priest, Detective Rob Mauro, and John Kennedy at Cellebrite and FBINAA will be hosting a webinar on using social media data in investigations. The webinar will take place on Monday, December 10th at 1 pm Eastern / 10 am Pacific Time
    Building an Investigation Using Social Media


  • Corey Tomlinson at the Nuix Unscripted Podcast interviewed Chris Woods and Chris Brewer about their presentation at Sector 2018 on developing threat intel
    Homebrew Threat Intelligence


  • Steven Alexander at ‘The Bug Charmer’ walks through the process of examining a maldoc with the ‘Hybrid Analysis’ service
    Analyzing infected documents


  • Eric Huber at ‘A Fistful of Dongles’ continues his ‘Life After Law Enforcement’ series, this time covering resume writing. The post got me thinking that it’s worthwhile writing down your achievements throughout your career at your current workplace because one day you will need to use it to remind yourself. I definitely have forgotten details of some of the projects or cases I’ve worked on, so having it written down somewhere makes your life easier down the line
    Life After Law Enforcement: Can We Talk About Your Resume?
  • Brett Shavers shares a couple of stories where people assume that DFIR is simple, and underestimate the simple but important tasks that we undertake to ensure our work holds up against scrutiny. I think that the basics of preservation are really important, easy to learn and easy to screw up, but if they’re done right then you can pretty much do whatever you want after that. Knowing when you’re out of your depth, and how to identify different scenarios requiring bringing in subject matter experts or further training is very important.
    Digital Forensics is Really Easy
  • Chris Crowley at ‘Risk, Failure, Survival’ shares some details about why his SANS MGT517 course was cancelled and advises that he’s going to try to keep the content available in 2019 via a non-SANS vehicle
    Very Good: Not Good Enough


  • Ross Wolf and Paul Ewing at Endgame advise that Endgame has released their Event Query Language tool. “This release includes the core EQL language, a schema mapping to Sysmon, and a set of analytics initially focused on Atomic Blue.”
    EQL for the Masses
  • Evimetry 3.0.12 was released with a number of bug fixes
    Release 3.0.12
  • OpenText released Encase Forensic 8.08 adding support for additional cloud-based evidence sources, encryption schemes (including APFS), and Microsoft Edge artefacts. Release notes are behind a login page though, so I can’t link to them, unfortunately.
  • “Sandfly 1.5.0 has been released with many new detection methods for Linux rootkits, malware and suspicious activity”
    Sandfly 1.5.0 Released
  • Maxim Suhanov released yarp 1.0.27

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!

As always, thanks to those who give a little back for their support!
