As always, thanks to those who give a little back for their support!
Links only for the Malware and Threat Hunting sections this week
FORENSIC ANALYSIS
- DFIR Investigator of the Year candidate, Alexis Brignoni at ‘Initialization Vectors’ posted a couple of times this week
- He looks at the data stored by Samsung’s predictive text surrounding excluded words
Android – Predictive text exclusions in Samsung devices
- Alexis also looks at the Samsung My Files app, which also appears to track recently accessed media
Android – Samsung My Files App
- Marco Fontani at Amped comments on the various dates that can be found in the EXIF data of a picture
Time After Time: Amped Authenticate Shows a Lot of Dates/Times Related to Your Image, Learn How to Interpret Them!
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a cheatsheet for Windows Security Event Logs
Windows Security Event Logs: my own cheatsheet
- There were a couple of posts on the Cellebrite blog this week
- Izhar Carmel demonstrates the utility of the com.apple.identityservices.idstatuscache.plist file for identifying when two iOS users began communicating over FaceTime or iMessage
How iOS Properties Files Can Confirm a Suspect’s Contacts Even If Deleted
- Mati Goldberg provides a broad overview of the KnowledgeC database, which UFED PA now parses.
How a Suspect’s Pattern-of-life Analysis is Enhanced with KnowledgeC Data
- Darkdefender demonstrates how to analyse some PCAPs using Bro/Zeek
Analysing PCAPs with Bro/Zeek
- DME Forensics provide a guideline for determining if DVR Examiner was able to recover all of the available video on a drive
How Do I Know DVR Examiner Found All the Video?
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ examines some altered photos related to a Russian automobile company, AvtoVAZ
Fraud and Deception (Part 3): AvtoVAZ
- There’s a post on the Rendition Infosec blog about using AVML to acquire memory on a Linux box without dependencies, and also a script for downloading and installing Volatility on CentOS
AVML – Memory Forensics For Linux
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn
- Adam Chester at XPN
Evading Sysmon DNS Monitoring
- Cybereason
New Pervasive Worm Exploiting Linux Exim Server Vulnerability
- Dragos
Threat Proliferation in ICS Cybersecurity: XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas
- Brett Hawkins at FireEye
Hunting COM Objects (Part Two)
- Fortinet
Cybercriminals Opt for Open Source Tools
- Ruud van Luijk and Anne Postma at Fox-IT
Using Anomaly Detection to find malicious domains
- Matthew Green
O365: Hidden InboxRules
- Katie Nickels at MITRE
Getting Started with ATT&CK: Threat Intelligence
- Olaf Hartong
Sysmon 10.0 – New features and changes
- Keya Horiuchi at Red Canary
LSASS behaving badly
- Robert M. Lee
Homogeneous Infrastructure and Scalable Attacks
- Richard Porter at the SANS Internet Storm Centre Handler Diaries
What is “THAT” Address Doing on my Network, (Thu, Jun 13th)
- Andy Robbins at SpecterOps
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the videos from ShowMeCon 2019
- Blackbag Technologies released a few short tip videos on YouTube
- On this week’s Digital Forensic Survival Podcast, Michael discusses the challenges in cloud IR
DFSP # 173 – Cloud Incident Response
MALWARE
- 0xffff0800
A MuddyWater Cyber Spy
- Nick Guarino and Aaron Riley at Cofense
Houdini Worm Transformed in New Phishing Attack
- Hod Gavriel at Cyberbit
Formbook Research Hints Large Data Theft Attack Brewing
- Cylance Threat Research Team
Threat Spotlight: MenuPass/QuasarRAT Backdoor
- Karsten Hahn at G Data
Ransomware identification for the judicious analyst
- Michael Gorelik at Morphisec
Security Alert: FIN8 is Back in Business, Targeting the Hospitality Industry
- Sergei Frankoff at OA Labs
Disable ASLR for Easier Malware Debugging With x64dbg and IDA Pro
- Ruchna Nigam at Palo Alto Networks
Hide ‘N Seek Botnet Updates Arsenal with Exploits Against Nexus Repository Manager & ThinkPHP
- SANS Internet Storm Centre Handler Diaries
- Trend Micro
- MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools
- CVE-2019-2725 Exploited and Certificate Files Used for Obfuscation to Deliver Monero Miner
- Outlaw Hacking Group’s Botnet Observed Spreading Miner, Perl-Based Backdoor
- Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns
- Advanced Targeted Attack Tools Found Being Used to Distribute Cryptocurrency Miners
- AESDDoS Botnet Malware Infiltrates Containers via Exposed Docker APIs
- Yoroi
MISCELLANEOUS
- Jonathan Shorter at AccessData advised how AD can assist LE’s need for mobile and cloud-based storage/processing.
AccessData is assisting law enforcement with deployment of massive investigation capabilities in the face of evolving terror and critical incidents.
- Brett Shavers at DFIR.Training shares a method of creating your own DFIR training stream using cheap or open source methods. Speaking of, I did see that California Cybersecurity Institute posted this up, and Jai Minton posted this which would be a good start. From there it’s just about reading and testing everything you can.
DIY DFIR Training
- Bryan Ambrose at Data Digitally demonstrates how to enable Windows PowerShell transcription logging
Windows PowerShell Transcription Logs
- Cellebrite announced their UFED Premium product, which allows LE customers to unlock and extract data from iOS and high-end Android devices.
- Cellebrite shared a few case studies
- And Ariel Watson at Cellebrite describes the new ‘UFED on Android’ collection utility
5 Ways UFED on Android Empowers Frontliners with Actionable Data Anytime, Anywhere
- David Dym at EasyMetaData advised that a new build of MetaDiver will be released soon
New build of MetaDiver dropping soon
- Oleg Afonin at Elcomsoft describes the various considerations surrounding jailbreaking an iOS device to obtain a full file system acquisition.
Forensic Implications of iOS Jailbreaking
- There were a couple of posts on Forensic Focus this week
- Amped share an article on “perspective stabilization and perspective super resolution”
How To Read A Moving Low-Quality License Plate Using Amped FIVE
- They provide a roundup of forum posts from the month
Forensic Focus Forum Round-Up
- They also continued their ‘What’s Happening In Forensics’ series
- Jim Hoerricks at ‘Forensic Video and Image Analysis’ announced he will be teaching his “Retrieval / Seizure of Electronic Evidence from Crime Scenes” again
Retrieval / Seizure of Electronic Evidence from Crime Scenes
- Magnet Forensics advised that their Axiom product “is now VICS certified for use with Project VIC and CAID hash sets.”
Magnet AXIOM Now VICS Certified by Project VIC International
- MantaRay Forensics shared their 2019 Q2 hash sets
- Voting for OSDFCon 2019 presentations is now open.
OSDFCon 2019 Presentation Voting
- Over on my ThinkDFIR blog I posted a review of the Magnet AX200 course.
AX200 – Magnet AXIOM Examinations Review
SOFTWARE UPDATES
- Brian Maloney released SEPparser to parse “Symantec’s Endpoint Protection logs into a human readable form”
Introducing SEPparser
- Cellebrite released a hotfix for UFED InField (v7.18.0.205)
- Didier Stevens updated some of his tools
- Eric Zimmerman updated EvtxECmd, Timeline Explorer, and Registry Explorer
ChangeLog
- ExifTool 11.51 was released with new tags and bug fixes
ExifTool 11.51
- GetData released Forensic Explorer v4.6.8.8600 to fix some bugs
10 June 2019 – 4.6.8.8600
- Griffeye released Analyze 19.0, which includes the new Griffeye Intelligence Database to replace the existing hash database, DB Manager
Release of Analyze 19.0
- JPCERT updated LogonTracer to v1.3.1
v1.3.1
- Idaho National Laboratory released Malcolm, “a powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs.”
- Martin Willing released isodump, which “is a simple Python script utilized to assist incident responders analyzing ISO files (ISO 9660 disk image format) containing malware.”
isodump.py v0.1
- MISP 2.4.109 was released with “improvements, bug fixes and a minor security fix”
MISP 2.4.109 released (aka cool-attributes-to-object)
- OpenText released Tableau Firmware Updater v7.28, updating the TX1 and TD3
Tableau Firmware Revision History
- Regipy 1.2.1 was released with some bug fixes
Fixed some bugs
- Veeral Patel released Incidents, which is a “web application for managing non-trivial security incidents.”
Incidents
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!