As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
  • Daily Blog #588: Solution Saturday 1/5/19
  • Daily Blog #589: Sunday Funday 1/6/19
  • Daily Blog #590: No Country for Old Unicorns
  • Daily Blog #591: SANS Jeddah March 2019
  • Daily Blog #592: Syscache and SHA 16bit hashes
  • Daily Blog #593: Forensic Lunch Test Kitchen 1/10/19 Windows 10 Userassist
  • Daily Blog #594: Forensic Lunch Test Kitchen 1/11/19 Server 2008 R2 Syscache Mimikatz

• Alexis Brignoni at ‘Initialization Vectors’
  iOS Mobile Installation Logs Parser

• Adam Harrison at 1234n6
  • Updated feature: Exchange Online mailbox audit to add mail reads by default
  • Some testing of SRUM on Windows Server 2019
  • Testing of SRUM on Windows Server 2019 (continued)

• Andrew Swartwood at ‘Between Two DFIRns’
  Walkthrough: TufMups Undercover Operation

• David Nia at Fire Eye
  Digging Up the Past: Windows Registry Forensics Revisited

• Teru Yamazaki at Forensicist
  NTFS Timestamps

• Sarah Edwards at Mac4n6
  Network and Application Usage using netusage.sqlite & DataUsage.sqlite iOS Databases

• Maxim Suhanov
  Hibernation and NTFS

• Hideaki Ihara at Port 139
  Task Scheduler Registry key and “Last Run Time”

• Antonio Sanz at ‘Security Art Work’
  • DEFCON 2018 DFIR CTF –  Reto forense (Nivel 2)
  • DEFCON 2018 DFIR CTF –  Reto forense (Nivel 3 + Conclusiones)

• Liam Booth at ‘Security EDC’
  It’s been a while…

• Joe at Sparky Tech
  TheDarkOverlord & VeraCrypt, Part 2: Peeling Back Layer2
  

THREAT INTELLIGENCE/HUNTING

• CERT OPMD
  [DNSpionage] – Focus On Internal Actions

• Muks Hirani, Sarah Jones, and Ben Read at Fire Eye
  Global DNS Hijacking Campaign: DNS Record Manipulation at Scale

• Forensic Focus
  Dissecting Malicious Network Traffic To Identify Botnet Communication

• Russ McRee at HolisticInfoSec
  gganimate: Animate YouR Security Analysis

• Michael Matonis
  yara_tools: Create YARA Rules In Python

• Microsoft
  Enable mailbox auditing in Office 365

• Tony Lambert at Red Canary
  Detecting All the Things with Limited Data

• Security Art Work
  Informe: Grupo Gamaredon

• LangTuBongDem
  • APT32 (OceanLotus) — Một chiến dịch APT bài bản như thế nào … (Phần 1)
  • APT32 (OceanLotus) — Một chiến dịch APT bài bản như thế nào… (Phần 2)

• Symantec DeepSight Adversary Intelligence Team
  Seedworm グループ: 電気通信や IT の企業、官庁、石油ガス産業が標的に

• Andreas Sfakianakis at ‘Tilting at windmills’
  Cooperation between CSIRTs and Law Enforcement: interaction with the Judiciary
  

UPCOMING WEBINARS/CONFERENCES

• ADF
  • Benefits of Digital Forensic Triage
  • Intro to Triage-Investigator
  • ADF & National White Collar Crime Webinar

• SANS
  • CTI Requirements and Inhibitors: Part 1 of the 2019 SANS Cyber Threat Intelligence Survey
  • CTI Tools, Usage and a Look Ahead: Part 2 of the 2019 SANS Cyber Threat Intelligence Survey
  • SOF-ELK®: A Free, Scalable Analysis Platform for Forensic, incident Response, and Security Operations
  • What’s new with FOR526 Advanced Memory Forensics and Threat Detection

• SANS DFIR Summit
  “DFIR Summit 2019 Call for Presentations (CFP) Now Open”
  

PRESENTATIONS/PODCASTS

• AccessData
  AccessData’s YouTube Channel

• Devon at AboutDFIR
  Episode 886: The Price Of A Hack

• Forensic Focus
  How Trustworthy Is Digital Evidence?

• Marc Ochsenmeier
  Windows Encrypting File System

• Mathias Fuchs at CyberFox
  DFIR in 120 Seconds – Shimcache

• OALabs
  Lazy String Decryption Tips With IDA PRO and Shade Ransomware Unpacked!

• Digital Forensic Survival Podcast
  DFSP # 151 – Autoweb Project

• SANS
  Finding the Balance in Security Automation – SANS Threat Hunting Summit 2018

• Virus Bulletin
  Unpacking the packed unpacker: reversing an Android anti-analysis library

• Martijn Grooten at Virus Bulletin
  VB2018 paper: Draw me like one of your French APTs – expanding our descriptive palette for cyber threat actors
  

MALWARE

• Carbon Black
  • TAU Threat Intelligence Notification: LamePyre (OSX)
  • TAU Threat Intelligence Notification: Israbye Wiper

• Aaron Riley at Cofense
  The Vjw0rm Malware Does It All. Here’s What to Watch For.

• Alexander Hanel at CrowdStrike
  Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware

• Kimberly Goody, Jeremy Kennelly, Jaideep Natu, and Christopher Glyer at Fire Eye
  A Nasty Trick: From Credential Theft Malware to Business Disruption

• Ignacio Sanmillan at Intezer
  ChinaZ Revelations: Revealing ChinaZ Relationships with other Chinese Threat Actor Groups

• Kryptos
  North Korea APT(?) and recent Ryuk Ransomware attacks

• Lastline Labs
  Threat Actor “Cold River”: Network Traffic Analysis and a Deep Dive on Agent Drable

• Adam Kujawa at Malwarebytes Labs
  Ryuk ransomware attacks businesses over the holidays

• John Fokker and Christiaan Beek at McAfee Labs
  Ryuk Ransomware Attack: Rush to Attribution Misses the Point

• Patrick Wardle at Objective-See
  The Mac Malware of 2018

• SANS Internet Storm Centre Handler Diaries
  • Malicious .tar Attachments, (Sun, Jan 6th)
  • Analyzing Encrypted Malicious Office Documents, (Mon, Jan 7th)
  • Heartbreaking Emails: “Love You” Malspam, (Thu, Jan 10th)
  • Quick Maldoc Analysis, (Fri, Jan 11th)
  • Snorpy a Web Base Tool to Build Snort/Suricata Rules, (Sat, Jan 12th)

• Securelist
  A Zebrocy Go Downloader

• Mike Bautista at Talos
  Pylocky Unlocked: Cisco Talos releases PyLocky ransomware decryptor

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  VBSIOC Search: a simple VBS script for IoC search on old Windows systems

• Security Response Attack Investigation Team
  Shamoon: 破壊的な脅威が、新たな武器を備えて再び復活

• Vitali Kremez
  • Let’s Learn: Deeper Dive into Gamaredon Group Pteranodon Implant Version ‘_512’
  • Let’s Learn: (Over)Analyzing One of the Latest APT28 Zepakab/Zebrocy Delphi Implant
    

MISCELLANEOUS

• Yulia Samoteykina at Atola
  Lifting HPA and DCO with Atola TaskForce

• Brett Shavers
  This is how I know someone will make it in DFIR (or in anything)

• Computer Forensics World
  BE A CONTRIBUTOR CONTEST…COMING SOON!

• Lee Whitfield at the Forensic 4Cast
  • Gamble? Not with your future.
  • 2019 Forensic 4:cast Awards – Coming Soon

• Adam at Hexacorn
  • Blue Sheet Of Cyber v0.1
  • Blue Sheet Of Cyber v0.2

• Patrick Olsen at ‘Incident Response Readiness’
  • Building Your DFIR Lab
  • Configuring Your DFIR Lab
  • DFIR Lab – Alternatives
  • BitLocker Drive Encryption – WipeFreeSpace
  • DFIR Lab – Acquiring Artifacts for Beginners
  • DFIR Lab – Install Docker for Windows

• Joe Farndon at IntaForensics
  • Lima v2.6 Changing the Layout of the Case Record (New Feature)
  • Lima v2.6 Adds Imaging Import: SPEKTOR and MacQuisition
  • Lima v2.6 Adds Exhibit (Evidence) Item Count

• SalvationData
  [Case Study] Mobile Forensics: See How SalvationDATA Extracts and Decrypts from the Latest Wechat

• Howard Oakley at ‘The Eclectic Light Company’
  • Links and aliases beyond local files: advanced file system techniques
  • Copies, clones, links and aliases: summary in tables
  • Inside Mojave’s Aliases and Bookmarks
  • Aliases and Bookmarks are smarter than you think
  • Finder Aliases and Bookmarks: a summary

• ThinkDFIR
  What Did I Listen To On Spotify For iOS?

SOFTWARE UPDATES

• Berla
  iVe Software v2.2 Release

• Cellebrite
  PA 7.13 – Filter reports based on date range to focus your investigative efforts

• Didier Stevens
  Update: msoffcrypto-crack.py Version 0.0.2

• Eric Zimmerman
  Check out @EricRZimmerman’s Tweet

• ExifTool
  ExifTool 11.24

• Metaspike
  Forensic Email Collector (FEC) Changelog

• NetworkMiner
  NetworkMiner 2.4 Released

• Radare2
  codename: rumours

• Sandfly Security
  Sandfly 1.6.0 – 200 Sandflies!

• TZWorks
  Jan 2019 build (package)

• X-Ways
  X-Ways Forensics 19.8 Beta 3
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!