Last chance to throw in your nomination for the 2019 Forensic 4Cast Awards. You can place your nominations, including for this site, here. The awards will be taking place at the annual SANS DFIR Summit in Austin, Texas, July 25-26 and the agenda has just been released.
Lots of great talks at the DFIR Summit this year as usual, including one from Lodrina, who is currently recovering from lifting unbelievably heavy things and putting them back down again! As a result, her sections this week are links only.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Cellebrite share a step-by-step guide for Android extractions.
UFED Step-by-Step Guide to Android Extractions
- DME Forensics announced their upcoming “Video Evidence Recovery and Analysis (VERA) Course”. “The course will focus on specialized investigative techniques for the examination of video to explore issues relating to the use of force, speed estimation, and identification.”
Introducing Training for the Full Video Data Recovery & Analysis Process
- Oleg Skulkin has a post on Forensic Focus demonstrating how to examine a computer infected with a RAT
Following The RTM: Forensic Examination Of A Computer Infected With A Banking Tr
- Teru Yamazaki at Forensicist demonstrates a method of using EvtxECmd to parse carved event log records
Parsing carved evtx records using EvtxECmd
- Manuel Guerra at Glider shares his analysis of a test Google Home Mini device. I’m happy to see someone else documenting this research as I haven’t done much more than sharing the slides and tooling from my presentation last year
OK Google, are you spying on me?
- Jack Farley documents the variety of files and information that can be identified from an iOS backup
Forensic Analysis of iTunes Backups
- Joshua Hickman at ‘The Binary Hick’ takes a look at some useful artefacts relating to Apple CarPlay that can be found on an iPhone (full file system extraction and iTunes backup)
Ridin’ With Apple CarPlay
- Marcos at ‘Un minion curioso’ compares the impact of a variety of triage tools on a VM, as well as sharing his thoughts on the triage process
#DFIR: Imaging or triage? 🤔 Doesn’t anyone think about noise?
- Stephen Stewart at Nuix demonstrates how Nuix can be used to ingest and examine the Mueller report
The Mueller Report – An Amazing Lens Into a Modern Federal Investigation
- Richard Bejtlich at TaoSecurity
Dissecting Weird Packets
- Sandor Tokesi at Forensics Exchange takes a look at DNS events on a Windows system
DNS investigation on Windows
- Iria Piyo looks at the effect on timestamps of moving a folder across volumes via Explorer or the CLI
The case where all timestamps were updated on a Volume Folder Move
THREAT INTELLIGENCE/HUNTING
- Chris Brenton at Active Countermeasures
Identifying Beacons Through Session Size Analysis
- Adam at Hexacorn
Old HotFix files + SFX CAB + DFIR artifacts
- Check Point Research
PlaNETWORK: Face to Face with Cyber Crime
- ClearSky Cyber Security
Iranian Nation-State APT Groups – “Black Box” Leak
- Anthony Kasza at Corelight
How Zeek can provide insights despite encrypted communications
- Brian Carrier at Cyber Triage
How to Speed Up Incident Response: Analyze Faster (Part 1)
- Monty St John at CyberDefenses
Pursuing Quality Threat Intelligence Insight
- Marcus Bakker and Ruben Bouman
DeTT&CT: Mapping your Blue Team to MITRE ATT&CK™
- Rob Mead and Tim Burrell at the Microsoft Threat Intelligence Center
Detecting credential theft through memory access modelling with Microsoft Defender ATP
- Olivier Buez at Nviso Labs
Optimizing Elasticsearch for security log collection – part 1: reducing the number of shards
- Stan Hegt at Outflank
Evil Clippy: MS Office maldoc assistant
- Sandfly Security
Using Linux Process Environment Variables for Live Forensics
- Chad Tilbury at SANS
“Finding Registry Malware Persistence with RECmd”
UPCOMING WEBINARS/CONFERENCES
- Griffeye will be hosting a 101 webinar on Analyze Di Pro on May 28, 2019 at 3 pm CEST (9 am EDT)
Webinar | Griffeye 101: Analyze DI Pro Intro Course
PRESENTATIONS/PODCASTS
- Douglas Brush interviewed Obsidian Security’s Ben Johnson on Cyber Security Interviews
#069 – Ben Johnson: Break Down The Problems
- On this week’s Digital Forensic Survival Podcast, Michael explained why he chose to attain the CEH certification
DFSP # 168 – Is CEH Still Relevant?
- Magnet Forensics shared a video on how to use their updated SQLite viewer in Axiom 3.1
How to Use the Enhanced SQLite Viewer in Magnet AXIOM
- Richard Davis at 13Cubed posted a couple of videos this week
- SANS shared Mitchell Edwards’s presentation from the 2019 CTI Summit
Language and Culture in Threat Intelligence – SANS CTI Summit 2019
- SANS also shared Kevin Ripa’s previous webcast on the new FOR498 Battlefield Forensics class
From Seizure to Actionable Intelligence in 90 Minutes or Less
MALWARE
- Takahiro Haruyama at Carbon Black
fn_fuzzy: Fast Multiple Binary Diffing Triage with IDA
- William Largent at Talos
Threat Roundup for May 3 to May 10
- Cybereason
- Assaf Dahan and Ryuzo Okudera
GandCrab’s new Evasive Infection Chain
- Philip Tsukerman
Excel4.0 Macros – Now with Twice The Bits!
- Sepehr Akhavan Masouleh at Cylance
Improving Malware Detection Accuracy by Extracting Icon Information
- Miriam Cihodariu at Heimdal Security
Security Alert: Mass Credit Card Stealing Campaign Detected in Online Shops
- Ignacio Sanmillan at Intezer
Technical Analysis: Pacha Group Competing against Rocke Group for Cryptocurrency Mining Foothold on the Cloud
- Koen Van Impe
Submit malware samples to VMRay via MISP – Automation
- Pieter Aintz at Malwarebytes Labs
What to do when you discover a data breach?
- Palo Alto Networks
SilverTerrier – 2018 Nigerian Business Email Compromise
- Rootsecdev
Windows Sandbox
- Ryan Campbell at ‘Security Soup’
FlawedAmmyy RAT & Excel 4.0 Macros
- SANS Internet Storm Centre Handler Diaries
- Didier Stevens
Text and Text, (Mon, May 06th)
- Brad Duncan
Email roulette, May 2019, (Wed, May 08th)
- Yury Namestnikov and Félix Aime at Securelist
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities
- Andrew Brandt at Sophos
MegaCortex, deconstructed: mysteries mount as analysis continues
- Raphael Centeno at TrendMicro
Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
- Francis Montesino at VMRay
Get Smart with Enhanced Memory Dumping in VMRay Analyzer 3.0
- Matthieu Faou at WeLiveSecurity
Turla LightNeuron: An email too far
- Adam Chester at XPN
Exploring Mimikatz – Part 1 – WDigest
MISCELLANEOUS
- Devon at AboutDFIR has created a list of notable women in the field. Devon also wrote a couple of posts about the recent updates to the site
#women in #dfir
- Richard Frawley at ADF describes how to acquire an Android device with their MDI tool
How to Start an Android Forensic Scan with MDI
- Brian Carrier talks about one of the new features for loading data into the Communications UI in Autopsy
Getting Data Into the Communications UI
- Christian at IT-Dad provides an overview of the DFIR related content on WonderHowTo
Free IT Forensics Courses Part VIII – WonderHowTo
- Craig Ball at ‘Ball in your Court’ provides a synopsis of the “2019 Georgetown E-Discovery Training Academy”
Electronic Storage in a Nutshell
- Chet Hosmer’s new book has been released
PowerShell and Python Together: Targeting Digital Investigations
- There were a few posts on Forensic Focus this week
- Blackbag Technologies have partnered with Traversed to provide additional digital forensics services
BlackBag Technologies Announces Partnership With Traversed
- They interviewed Umit Karabiyik from Purdue University
Interview With Umit Karabiyik, Assistant Professor, Purdue University
- They also share a tutorial on using the Logicube Falcon Neo to image a network repository
How To Image From A Network Repository Using Logicube’s Forensic Falcon-NEO
- Jon Glass shares a Windows Recycle Bin parser for cyberchef
Check out @GlassSec’s Tweet
- Carl Osborne at IntaForensics shows how to access location data on iOS and Android
Location Services “ON”
- Jesse Spangenberger at Cyber Fēnix Tech comments on the benefits of specialisation when it comes to career progression
Life Lessons Learned
- Kate Carruthers shares some brief thoughts on digital forensics
Thoughts on digital forensics
- Sherri Davidoff at LMG Security provides some guidance on negotiating ransomware payments
Ransomware Negotiation: Dos and Don’ts
- The Q2 2019 VirusShare hashsets have been released by MantaRay Forensics
MantaRay Forensics Activity
- Mike Williamson spoke with Eric Zimmerman about his work coding forensic tools
Chatting .NET with Eric Zimmerman
- Mike also gives an overview of the concept behind his forensicBlend program
forensicBlend: Designing a scalable community plugin API
- Greg Smith at Trewmte shares descriptions of some of his favourite DFIR resources, including this site. Thanks Greg!
Observations from the digital backyard…
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
Weekly News Roundup — May 5 to May 11
SOFTWARE UPDATES
- Eric Zimmerman updated RECmd, Timeline Explorer, and EvtxECmd
ChangeLog
- ExifTool 11.41 was released with new tags and bug fixes
ExifTool 11.41
- BlackBag Technologies released updates to BlackLight and MacQuisition this week. I haven’t done much testing, but they’ve also added AFF4 as an imaging format in MacQuisition. AFF4 should hopefully mean an improvement in imaging speeds, though not all tools will ingest it natively.
BlackBag’s MacQuisition 2019 R1: Decrypt Physical Images From Macs With T2 Chips
- Magnet Forensics released AXIOM v3.1, improving the SQLite viewer, adding integration with GrayKey, and updating a variety of artefacts
GrayKey Integration and Further Cloud and Mac Support Come to Magnet AXIOM 3.1
- Maxim Suhanov released v1.0.0-beta12 of his DFIR_NTFS file system parser
1.0.0-beta12
- Metaspike updated their Remote Authenticator to v1.8.2
Forensic Email Collector (FEC) Changelog
- Passmark released OSFMount V3.0.1002 to improve performance when mounting split E01s
Check out @PassMarkInc’s Tweet
- evtx2json-20190510 was released
evtx2json-20190510
- Kenneth Ray shared a new tool, aptly named YAFORTO, as well as his GIAC GCFE Gold Paper
YAFORTO
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!