Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
Lee Whitfield has opened the voting for the Forensic 4:cast Awards, and I very much appreciate being nominated for DFIR Resource, Show, and Social Media Person of the Year.
Forensic 4:cast Awards 2019 – Voting is Now Open
FORENSIC ANALYSIS
- Marco Fontani at Amped demonstrates how to examine the embedded thumbnails found in some pictures
Better to Take a Look Than to Overlook: Image Thumbnails May Contain Hidden Information, Authenticate Helps You Find Out!
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes the hibernation file and shows how to convert it for examination using Volatility
How to read Windows Hibernation file (hiberfil.sys) to extract forensic data?
- Arman Gungor at Metaspike walks through verifying DKIM signatures to assist in email forensics
Leveraging DKIM in Email Forensics
- Mike Williamson provides a method of extracting Signal data from an Android device using the Signal backup mechanism
Obtain a logical dump of Signal data on Android with signal-back
- Iria Piyo tests the effects of selecting “Delete property and personal information” on a Word document's file system metadata
Copying a file also updated the MFT Modified timestamp (2) (original title: ファイルコピーしたらMFT Modifiedも更新された件(2))
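The DKIM item above is the one in this week's list that benefits from a worked check. What follows is an added example, my own code rather than anything from Arman Gungor's post: the offline half of a DKIM verification, which recomputes the body hash from the message body using the canonicalization the signer declared in the c= tag and compares it with the bh= tag. That part needs no DNS, so it runs against an archived .eml in a lab and tells you whether the body you hold is the body that was signed. Verifying the b= signature itself additionally needs the signer's public key from <selector>._domainkey.<domain>, which the dkimpy library handles. The sample message, the example.com domain and the sel1 selector are constructed for the example.

```python
"""Offline DKIM body-hash (bh=) check for email forensics.

Added example, not code from the Metaspike post. Given a raw RFC 5322
message carrying a DKIM-Signature header, it canonicalizes the body as
the signer declared (c= tag) and compares the digest with bh=. No
network access is needed; full b= verification additionally needs the
public key published at <selector>._domainkey.<domain>.
"""
import base64
import hashlib
import re


def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM tag list ('k=v; k=v'). Folding whitespace inside
    values (common in bh= and b=) is dropped, as RFC 6376 requires."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization: 'simple' (3.4.3) or 'relaxed' (3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # drop trailing WSP on each line, collapse runs of WSP to one SP
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
    while lines and lines[-1] == b"":      # remove trailing empty lines
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"   # body always ends with exactly one CRLF


def split_message(raw: bytes):
    """Normalize line endings to CRLF (exported .eml files are often LF-only)
    and split at the first blank line."""
    raw = raw.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    head, _, body = raw.partition(b"\r\n\r\n")
    return head, body


def get_header(head: bytes, name: str) -> str:
    """Unfolded value of the first header called `name` (case-insensitive)."""
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)
    for line in unfolded.split(b"\r\n"):
        field, sep, value = line.partition(b":")
        if sep and field.strip().lower() == name.lower().encode():
            return value.decode("utf-8", "replace").strip()
    raise KeyError(name)


def verify_body_hash(raw: bytes) -> bool:
    """True if the DKIM-Signature bh= tag matches the message body."""
    head, body = split_message(raw)
    tags = parse_dkim_tags(get_header(head, "DKIM-Signature"))
    algo = tags.get("a", "rsa-sha256").split("-")[-1]         # sha1 or sha256
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"     # 'c=relaxed' alone means body=simple
    canon_body = canonicalize_body(body, body_mode)
    if "l" in tags:                                           # only the first l bytes were signed
        canon_body = canon_body[: int(tags["l"])]
    expected = base64.b64decode(tags["bh"])
    return hashlib.new(algo, canon_body).digest() == expected


# --- constructed sample message (not a real email) ---------------------------
SAMPLE_HEADERS = (
    "From: accounts@example.com\r\n"
    "To: cfo@example.org\r\n"
    "Subject: Invoice 4711\r\n"
)


def make_sample_message(body: bytes) -> bytes:
    """Build a message whose bh= matches `body` (relaxed canonicalization).
    The b= value is a dummy: this example checks the body hash only."""
    bh = base64.b64encode(hashlib.sha256(canonicalize_body(body, "relaxed")).digest()).decode()
    dkim = (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\r\n"
        "\ts=sel1; h=from:to:subject; bh=" + bh + ";\r\n"
        "\tb=ZHVtbXk=\r\n"
    )
    return (SAMPLE_HEADERS + dkim).encode() + b"\r\n" + body


if __name__ == "__main__":
    msg = make_sample_message(b"Please wire the funds today.\r\n")
    print("original :", verify_body_hash(msg))                                   # True
    print("reflowed :", verify_body_hash(msg.replace(b"today.", b"today.   ")))  # True
    print("tampered :", verify_body_hash(msg.replace(b"today", b"now")))         # False
```

The reflowed case is the caveat worth remembering when you write the report: with c=relaxed/relaxed, trailing whitespace changes and collapsed runs of spaces do not break the body hash, so a matching bh= proves the signed content survived, not that the bytes are identical to what left the sender.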
THREAT INTELLIGENCE/HUNTING
- John Strand at Active Countermeasures looks at how to show Command and Control techniques, starting with “Commonly Used Port (T1043)”.
MITRE ATT&CK HTTPS
- Brian Laskowski at Laskowski-Tech has released a Volatility malware triage script called Calamity and has a post demonstrating its use
Calamity, a Volatility script to aid Malware Triage
- David Balcar at Carbon Black shares tips on how to become a threat hunter, not just a threat wrangler.
Four Steps to Becoming a Threat Hunter
- The Chronicle Blog shares information about the Linux variant of Winnti, which comes in two pieces: a backdoor and a component that hides the backdoor.
Winnti: More than just Windows and Gates
- Anthony Kasza at Corelight looks at SSH-related events in Zeek.
How Zeek can provide insights despite encrypted communications
- Cyber Forensicator looks at BITSAdmin and its artifacts in host-based event logs and the qmgr.dat ESE database.
Using MITRE ATT&CK for Forensics: BITS Jobs (T1197)
- BlackBerry Cylance looks at overlapping artifacts found across Chinese threat actor groups.
Reaver: Mapping Connections Between Disparate Chinese APT Groups
- Richard Gold examines the “Rana Institute”, associated with Iran, and the associated ATT&CK mappings.
Mapping Iran’s Rana Institute to MITRE Pre-ATT&CK™ and ATT&CK™
- James Cabe at Fortinet shares their 2019 operational technology security trends report, discussing risks like custom attacks on manufacturing and other interconnected systems.
Fortinet 2019 Operational Technology Security Trends Report
- Artem Karasev at Kaspersky Lab has a post on the benefits of threat intelligence
Evaluating threat intelligence sources
- Kyle Hanslovan shares the stories of people who suffered at the hands of the GozNym cybercrime group, indexing where the different victim stories can be found in a recent US indictment.
Incident Education: Sales Ammo for the IT Arsenal
- Matthew Green looks at how to detect Binary Rename (T1036) of commonly abused binaries using WMI eventing.
Blue Team Hacks – Binary Rename
- Mike at “CyberSec & Ramen” describes how to detect PowerShell Empire
Defeating The Empire With The Basics: Detecting Powershell Empire
- Mike at ØSecurity audits for a given username/password combination across endpoints using various tools, including Metasploit and CrackMapExec.
Password Spraying SMB
- Paolo Passeri at Netskope gives an overview of the cyber kill chain and recommends ways to mitigate the risk to cloud technologies.
The Cyber Kill Chain in the Age of Cloud
- On the Red Canary Blog, Tony Lambert, Katie Nickels, and Greg Foss examine detection of defense evasion using ATT&CK.
Defense evasion: why is it so prominent & how can you detect it?
- Xavier Mertens at the SANS Internet Storm Center Handler Diaries shares information about NTLM relay attacks against the credentials used by authenticated vulnerability scanners, and mentions SMBv3 and enabling SMB signing as defensive mechanisms.
The Risk of Authenticated Vulnerability Scans, (Thu, May 16th)
- Yoroi announces their annual report looking back at 2018, which examines malware, IP addresses associated with threat actors, data leaks and more.
Yoroi Cyber Security Annual Report 2018
UPCOMING WEBINARS/CONFERENCES
- ADF will be hosting a webinar on their MDI product on June 18.
Mobile Device Investigator for Android & iOS
- Dr Vico Marziale and Matt McFadden at BlackBag Technologies will be hosting a webinar on tracking insider threats on Thursday, May 23rd 2019 at 2:00 PM EST
Finding Insider Threats: Digging Deeper
- Frederick Huang and Kalpesh Jain at Cellebrite will be hosting a webinar on the new features in their recent releases on 22nd May 2019 at 11:00am India Standard Time
Cellebrite Webinar: Introduction and major release updates
- Magnet Forensics and Grayshift will be hosting a webinar on their recent updates. This session is LE only. The webinars will take place on May 21 at 10:00AM ET and 2:00PM ET
- Hal Pomeranz will be hosting a SANS webcast on fileless malware on Wed, May 29, 2019, at 11:00 am Singapore / 12:00 pm Tokyo / 1:00 pm Sydney
Fileless Malware Fun
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from NolaCon 2019
- On this week’s Digital Forensic Survival Podcast, Michael projects where he thinks DFIR is going.
DFSP # 169 – Will The Future Kill DFIR?
- SANS shared Charity Wright’s presentation from the 2019 CTI Summit
Happy Hunting! Lessons in CTI Psychology from TV’s Favorite Serial Killer – SANS CTI Summit 2019
- Lesley Carhart was interviewed on The Many Hats Club podcast this week
Ep. 58, Pancake Con (with Lesley Carhart)
MALWARE
- Dan Horea Lutas and Andrei Vlad Lutas at Bitdefender describe a threat similar to Meltdown which they discovered in late 2018, and link to Intel's information about the vulnerability.
Yet Another Meltdown – A Microarchitectural Fill Buffer Data Sampling Vulnerability (CVE-2018-12130)
- Swee Lai Lee at Carbon Black posted a couple of articles this week
- She looks at JCry ransomware (.jcry extension), purportedly delivered as an Adobe Flash update and written in Go.
CB TAU Threat Intelligence Notification: JCry Ransomware Pretends to be Adobe Flash Player Update Installer
- She also describes the RobbinHood ransomware
CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption
- Daniel Pistell shares that Cerbero Suite has a new disassembler in the advanced version and that the trial version is more user friendly.
Cerbero Suite 3.0 is out!
- There were a couple of posts on the Cofense blog this week
- Aaron Riley shares details about the open source Babylon RAT, which can turn a machine into a SOCKS proxy and launch DoS attacks.
Babylon RAT Raises the Bar in Malware Multi-tasking
- Max Gannon shares the technique of delivering malware through an image file and how the .NET Framework is abused in the process.
Pretty Pictures Sometimes Disguise Ugly Executables
- Tomer Helvin at Cyberbit examines the Hawkeye malware
Hawkeye Malware Analysis
- Kurt Natvig weighs the balance between blocking Office maldocs outright and examining the documents to classify them, and steps through examining a PDF sample.
Assessing risk in Office documents – Part 1: Introduction
- Minh Tran at Fortinet shares how dynamic analysis can be used to examine UEFI malware such as LoJax.
How to Cost-Effectively Dynamically Analyze UEFI Malware
- Pieter Arntz at Malwarebytes Labs gives a general overview of CrySIS, aka Dharma, ransomware given the recent uptick seen in the early part of 2019.
Threat spotlight: CrySIS, aka Dharma ransomware, causing a crisis for businesses
- Marco Ramilli has been trying to classify a malware collection for testing and shares a way for the community to better classify the files he shares on GitHub.
Malware Training Sets: FollowUP
- Arnold Osipov at Morphisec gives a technical overview of the fileless delivery of Hworm, aka njRAT.
A look at Hworm / Houdini AKA njRAT
- Rushikesh Vishwakarma at Netskope looks at LockerGoga .zip archives shared via cloud services like OneDrive and Box.
Ransomware Bulletin: LockerGoga
- Xavier Mertens at the SANS Internet Storm Center Handler Diaries analyses an email delivering ransomware that was initially unknown to VirusTotal and is still undergoing analysis.
From Phishing To Ransomware?, (Mon, May 13th)
- Kaspersky Securelist looks at the ScarCruft threat actor, which targets the Korean peninsula. The infection chain starts with a UAC bypass before delivering a backdoor.
ScarCruft continues to evolve, introduces Bluetooth harvester
- Rohan Viegas at VMRay shares new features available for URL analysis, including tracking redirections and recursive analysis (following downloaded files).
Delivering More Comprehensive and In-Depth URL Analysis in VMRay Analyzer 3.0
- Anton Cherepanov at WeLiveSecurity examines the Plead backdoor, delivered via a malicious .ico file and recently seen launched by the ASUS-signed process AsusWSPanel.exe.
Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage
- Luigi Martire, Davide Testa, Antonio Pirozzi, and Luca Mella at Yoroi examine TA505 delivering the FlawedAmmyy RAT.
The Stealthy Email Stealer in the TA505 Arsenal
- z3roTrust writes about the North Korean ScarCruft malware, associated with the Lazarus Group, which harvests Bluetooth data and obfuscates its traffic.
ScarCruft APT Malware Uses Image Steganography
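Two items in this list (Cofense's executables disguised as pictures, and z3roTrust's ScarCruft image steganography) share the same first triage question: is there anything in this image file beyond the image? The following is an added example, my own code and not taken from either post, and it is the generic check rather than the specific loader those posts analyse: walk the PNG chunk list or the JPEG marker segments to the format's logical end (IEND chunk or EOI marker), report how many bytes follow it, and look inside that trailer for a PE header whose e_lfanew really points at the PE signature. The sample PNG, JPEG skeleton and fake PE header are constructed inside the block.

```python
"""Triage check for images used as malware carriers: data after the logical
end of a PNG/JPEG, and PE headers inside that trailer.

Added example, not code from the Cofense or z3roTrust posts, and a generic
check rather than the specific loader technique those posts analyse.
Sample inputs are constructed in make_png(), make_jpeg() and make_fake_pe().
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_logical_end(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4                    # header + data + CRC
        if end > len(data):
            return None
        if ctype == b"IEND":
            return end
        pos = end
    return None


def jpeg_logical_end(data: bytes):
    """Walk JPEG marker segments (scanning through entropy-coded data after SOS);
    return the offset just past the EOI marker, or None if malformed."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:                                      # EOI
            return pos + 2
        if marker == 0xFF:                                      # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:   # standalone markers
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                      # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break                                       # a real marker, not FF00 stuffing or RSTn
                pos += 1
    return None


def find_pe_headers(blob: bytes) -> list:
    """Offsets of plausible PE images: 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    hits, start = [], 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0:
            return hits
        if i + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
            if blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
                hits.append(i)
        start = i + 1


def scan_image(data: bytes) -> dict:
    """Report bytes after the image's logical end and any PE headers in them."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", png_logical_end(data)
    elif data.startswith(b"\xff\xd8"):
        fmt, end = "jpeg", jpeg_logical_end(data)
    else:
        fmt, end = "unknown", None
    if end is None:
        return {"format": fmt, "logical_end": None, "trailing_bytes": None, "pe_offsets": []}
    trailer = data[end:]
    return {"format": fmt, "logical_end": end, "trailing_bytes": len(trailer),
            "pe_offsets": [end + off for off in find_pe_headers(trailer)]}


# --- constructed samples ------------------------------------------------------
def make_png(width: int = 1, height: int = 1) -> bytes:
    """Valid 8-bit RGB PNG of the given size (all black)."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))  # filter byte + RGB
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def make_jpeg() -> bytes:
    """Marker skeleton only: SOI, empty APP0, SOS, entropy data with FF00 stuffing, EOI."""
    return (b"\xff\xd8" + b"\xff\xe0\x00\x02" + b"\xff\xda\x00\x02"
            + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")


def make_fake_pe() -> bytes:
    """DOS header with e_lfanew=0x40 followed by the PE signature (not runnable)."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


if __name__ == "__main__":
    clean = make_png()
    print(scan_image(clean))                      # trailing_bytes 0, pe_offsets []
    print(scan_image(clean + make_fake_pe()))     # trailing_bytes 88, pe_offsets [len(clean)]
    print(scan_image(make_jpeg() + b"payload"))   # jpeg, trailing_bytes 7
```

A zero-length trailer does not clear the file: a payload can also sit inside a legitimate chunk (a tEXt or private PNG chunk, an APP segment) or be spread across pixel values, which is the steganography case, so treat this as the cheap first pass before entropy checks and chunk-by-chunk inspection, and feed any recovered PE to the usual static triage.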
MISCELLANEOUS
- Jessica Hyde shared a short video about a new initiative to get students interested in DFIR
Check out @B1N2H3X’s Tweet!
- Also on improving DFIR education, the US Marine Corps shares an article on their Cyber Auxiliary, which is “a volunteer organization aimed at increasing Marine Corps cyberspace readiness”
Marine Corps Establishes Volunteer Cyber Auxiliary To Increase Cyberspace Readiness
- Adam at Hexacorn provides some very useful advice for writing DFIR reports
The art of writing (for IT Sec)
- Ashley Hernandez at BlackBag Technologies provides an overview of the recent update to MacQuisition
Apple T2 Chip Systems: Create Decrypted Physical Images With Macquisition
- Brett Shavers at DFIR.Training encourages practitioners to keep a level head and be guided by the data on the devices rather than by what the client or examiner wants the data to say
Be careful to not judge the world only by the sliver that you see
- Bryan Ambrose at Data Digitally provides an overview of running Axiom Process over a NIST forensic image
Processing an Image with Axiom Process
- Cellebrite shared a few case studies
- Darkdefender shares a list of useful texts to improve your security knowledge
InfoSec101 — Part Four: Books, Books, & More Books
- Matt Shannon at F-Response describes the new Web Admin UI in F-Response Universal v8
F-Response Universal v8 – New Look Web Admin UI
- There were a few posts on Forensic Focus this week
- The 2019 Digital Forensics Challenge, “by the Korean Institute of Information Security & Cryptology”, has begun
Digital Forensics Challenge 2019
- Scar shared her roundup of forum posts
Forensic Focus Forum Round-Up
- Christa Miller explores how Facebook’s privacy manifesto may affect digital forensics
Facebook’s Privacy Manifesto: What Does It Mean For Digital Forensics?
- “MantaRay Forensics will release the 2019 Q2 Update 01 VirusShare.com (358-365) refined hash set Monday, 20 May 2019”
Check out @MantaRay4ensics’s Tweet!
- Sarah Edwards at Mac4n6 advised on some recent iOS 12 related updates to her APOLLO script
iOS 12 APOLLO Updates
- Michael Cohen has created a new site to point people to the latest release of the Pmem imager tools, as there had been some confusion with people downloading older versions rather than the latest one
The Pmem Suite
SOFTWARE UPDATES
- AceLab updated their PC-3000 and Data Extractor products
Software Updates for PC-3000 and Data Extractor Are Added
- Atola released the 2019.4.1 update for the TaskForce to fix some bugs
TaskForce Changelog
- Cellebrite released UFED Physical Analyzer 7.18, improving integration with Analytics, as well as speed improvements and better visibility into device information. They also released a short video about the update
Streamline data from UFED Physical Analyzer to Analytics, and selectively extract cloud tokens with UFED 7.18
- Cellebrite also released UFED Cloud Analyzer 7.8, and have uploaded a short video about the update
Move your investigations forward with data from iCloud and Samsung backups
- Brian Carrier at Cyber Triage shows how a recent update allows for better file and folder browsing.
Finding Intrusion Evidence in the Same Folder
- Cyber Triage 2.7 was released
- “Elcomsoft Phone Viewer is updated to enable the exporting of digital evidence collected from iOS device backups, iCloud and file system images to Microsoft Excel.”
Elcomsoft Phone Viewer 4.50 adds data export support, allows evidence analysis in external tools
- Eric Zimmerman updated MFTECmd, PECmd, RECmd, EvtxECmd, LECmd, RBCmd, VSCMount, TimelineExplorer, and JumplistExplorer
ChangeLog
- ExifTool 11.43 was released with new tags and bug fixes
ExifTool 11.43 – “Write HEIC and CR3”
- GetData released Forensic Explorer v4.6.8.8542 with various improvements and bug fixes
19 May 2019 – v4.6.8.8542
- Matt Bromiley has released a new tool, Pollen, which is a command line interface to the TheHive incident management platform.
pollen — A command-line tool for interacting with TheHive
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.0-beta14
1.0.0-beta14
- “A new version of MISP (2.4.107) has been released with a host of new features, improvements and security fixes.”
MISP 2.4.107 released (aka Too many improvements)
- Radare2 v3.5.1 was released
3.5.1
- Regipy v1.1.4 was released
1.1.4
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!