Links only this week, and probably for the next couple weeks to take a break. Need to spend a bit more time on some other commitments, so taking a small step back

I’ll be putting out the monthly either today or tomorrow, as well as a little post about the year.

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  • Daily Blog #575: Solution Saturday 12/22/18
  • Daily Blog #576: Sunday funday 12/23/18
  • Daily Blog #577: Christmas Eve 12/24/18
  • Daily Blog #578: Merry Christmas 12/25/18
  • Daily Blog #579: The meaning of Syscache.hve
  • Daily Blog #580: Applocker and Windows 10
  • Daily Blog #581: Forensic Lunch Test Kitchen 12/28/18 Syscache Applocker and Server 2012

• Alexis Brignoni at ‘Initialization vectors’
  Identifying installed and uninstalled apps in iOS

• Harlan Carvey at CrowdStrike
  Adversary Extends Persistence by Modifying System Binaries

• Cyber Forensicator
  • Dissecting Cozy Bear’s malicious LNK file
  • PA Toolkit

• Sarah Edwards at Mac4n6
  • On the Ninth Day of APOLLO, My True Love Gave to Me – A Beautiful Portrait – Analysis of the iOS Interface
  • On the Tenth Day of APOLLO, My True Love Gave to Me – An Oddly Detailed Map of My Recent Travels – iOS Location Analysis
  • On the Eleventh Day of APOLLO, My True Love Gave to Me – An Intriguing Story – Putting it All Together: A Day in the Life of My iPhone using APOLLO
  • On the Twelfth Day of APOLLO, My True Love Gave to Me – A To Do List – Twelve Planned Improvements to APOLLO
  • Video of ‘From Apple Seeds to Apple Pie’ from Objective by the Sea – Now Available!

• Maki
  • OtterCTF 2018
  • Real Gs move in silence like lasagna

• Hideaki Ihara at the Port 139 blog
  Windows 10 Storage sense and Recycle.bin

• Basil Alawi S.Taher at the SANS Internet Storm Centre Handler Diaries
  Live memory analysis using Rekall, (Tue, Dec 25th)

• Marcos at ‘Un minion curioso’
  #DFIR: “UserNotPresent”, When does Windows understand that the user is not present?
  

THREAT INTELLIGENCE/HUNTING

• CrowdStrike
  • How to Gain Full PowerShell Visibility with CrowdStrike Falcon
  • How to Generate Your First Detection with CrowdStrike Falcon

• Adam at Hexacorn
  Beyond good ol’ Run key, Part 97

• Rob King at InQuest
  Short-Circuiting Boolean Operators in YARA

• Matt Graeber at Palantir
  Tampering with Windows Event Tracing: Background, Offense, and Defense

• Roberto Rodriguez at SpecterOps
  • Real-Time Sysmon Processing via KSQL and HELK — Part 1: Initial Integration
  • Real-Time Sysmon Processing via KSQL and HELK — Part 2: Sysmon-Join KSQL Recipe
  • Real-Time Sysmon Processing via KSQL and HELK — Part 3: Basic Use Case
    

UPCOMING WEBINARS/CONFERENCES

• Metaspike
  Forensic Email Collector Power User Webinar

PRESENTATIONS/PODCASTS

• Brakeing Down Incident Response
  BDIR-009

• Matt Suiche at Comae Technologies
  Comae Stardust – New Features (Process Memory Dumps)

• Mathias Fuchs at CyberFox
  DFIR in 120 seconds

• Marc Ochsenmeier
  Check out @ochsenmeier’s Tweet

• OALabs
  • Unpacking Quick Tip: Two Breakpoints to Unpack Hermes Ransomware
  • OALabs Rewind 2018 – Reverse Engineering Bloopers

• Digital Forensic Survival Podcast
  DFSP # 149 – OWASP: Sensitive Data Exposure
  

MALWARE

• Mathias Fuchs at CyberFox
  Macro Malware Again

• InfoSecurityGeek
  Analysis of an Emotet Maldoc (December 2018)

• Didier Stevens at the SANS Internet Storm Centre Handler Diaries
  • Matryoshka Phish, (Thu, Dec 27th)
  • Video: De-DOSfuscation Example, (Sat, Dec 29th)

• Sebdraven
  Goblin Panda changes the dropper and reused the old infrastructure

• Pablo Ramos at Secjuice
  The Road To Reverse Engineering Malware

• Vitali Kremez
  Let’s Learn: Progression of APT28/Sofacy Golang Zebrocy Loader ‘Project2.Go’: WMIC & Hex Decode

• Diego Perez at We Live Security
  Analysis of the latest Emotet propagation campaign
  

MISCELLANEOUS

• Atola Technology
  The 2018 Atola Year in Review

• Ashley Hernandez at Blackbag Technologies
  Tagging Improvements as Easy as 1-2-3 with Blacklight 2018 R4

• Brett Shavers
  • Only race cars should burnout.
  • The Forensic Artifact Database

• Computer Forensics World
  How to Become a Digital Forensics Professional in 2019

• Michael Karsyan at the Event Log Explorer
  Using Event Log Explorer to access database events

• Christa Miller at Magnet Forensics
  A Look Back at 2018: Resources for ICAC Investigations

• SalvationData
  [Tips] How to Verify Digital Evidence with Hash Value

• Steven Alexander at ‘The Bug Charmer’
  The malware did it, I swear!

• Michael Cohen at Velociraptor
  • Configuring Velociraptor for SSL
  • Deploying Velociraptor with OAuth SSO

• Yogesh Khatri at Swift Forensics
  Making NSKeyedArchives human readable
  

SOFTWARE UPDATES

• Apache
  22 December 2018: Apache Tika Release

• Blackbag Technologies
  Blacklight 2018 R4 Release Notes

• Cellebrite
  Version Update: UFED 4PC, UFED Touch2 & UFED InField 7.12.1

• Didier Stevens
  • Update: XORSearch Version 1.11.2
  • Update: numbers-to-string.py Version 0.0.7
  • New Tool: SimpleEncoder
  • Update: format-bytes.py Version 0.0.7

• DME Forensics
  File System Update

• SalvationData
  [Software Update] Computer Forensics: DRS V18.7.3.292 New Version Release for Better User Experience!

• Velocidex
  Release 0.2.7
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!