Thanks to everyone for their votes in the 4Cast Awards; getting nominated for one is a big deal because it shows that the community values our efforts every week. Very grateful to also win one 🙂 Special thanks to Lee Whitfield for all of his hard work every year.
No Lodrina this week as she was over at the DFIR Summit, but I had some time so I filled in those sections 🙂
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ shared some of the research he presented at the SANS DFIR Summit
  Android – Samsung Traces of Deleted Apps
- Marco Fontani at Amped demonstrates how to verify the time a photo was taken based on the EXIF data, as well as the content of the image
  No Need to Believe: How to Verify the Reliability of Time and Place Information in a Picture Using Amped Authenticate, Your Eyes, and the World Wide Web!
- Blanche Lagny shared an updated version of her paper on Amcache analysis
  Analysis of the AmCache
- There were a few posts on the Elcomsoft blog this week
  - Oleg Afonin provides an update on the current state of iCloud acquisition
    Accessing iCloud With and Without a Password in 2019
  - Vladimir Katalov expands on this, covering the overall security of iCloud accounts
    Breaking and Securing Apple iCloud Accounts
  - As well as describing some of the changes in the current iOS 13 beta
    iOS 13 (Beta) Forensics
- Joshua Hickman at ‘The Binary Hick’ looks into the data Google Assistant stores when the user starts a request but cancels partway
  Google Assistant Butt Dials (aka Accidental & Canceled Invocations)
- Marco Neumann at ‘Be-binary 4n6’ shows “the underlying structure of the most recent Skype version and some important things to know when analyzing it.”
  Analysis Skype App for Windows (Metro-App) – Version 14.xx
THREAT INTELLIGENCE/HUNTING
- Adam at Hexacorn posted a few times this week
  - He demonstrates “a couple of strategies one can use to generate good keyword sets for malware research.”
    Finding good keywords
  - and describes some Search Processing Language gotchas for Splunk
    Couple of Splunk/SPL Gotchas
  - Adam also shares an updated list of PE Section names
    PE Section names – re-visited, again
  - and comments on agents being utilised for distinct functions.
    Moar and Moar Agents – sthap!
- Anton Chuvakin describes his thoughts on comparing threat intel to logs for detecting new threats
  Detecting Threats by Matching Threat Intel to Logs — Oh Really?
- The guys at Cyber Forensicator take a look at the ‘Image File Execution Options’ persistence mechanism
  Using MITRE ATT&CK for Forensics: Image File Execution Options Injection (T1183)
- Blaine Stancill, Sebastian Vogl, and Omar Sardar at FireEye have started a three-part series on their updates to Volatility and Rekall to deal with Win10 compressed memory
  Finding Evil in Windows 10 Compressed Memory, Part One: Volatility and Rekall Tools
- Maarten Goet describes the streaming API for Microsoft Defender to “connect the Defender ATP data to ELK”
  Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
- Sandfly Security reviews the use of scheduled tasks on Linux to maintain persistence
  Getting an Attacker IP Address from a Malicious Linux At Job
- Xavier Mertens at the SANS ISC questions whether we can track specific users as an IOC
  May People Be Considered as IOC?, (Wed, Jul 24th)
- Threat Recon have tracked the activity of the SectorF01 group and the various delivery methods they use to deliver their malware
  The Growth of SectorF01 Group’s Cyber Espionage Activities
PRESENTATIONS/PODCASTS
- AlienVault share the transcript from the recent ThreatTraq discussion on trusting threat intel from community sources
  Can you trust threat intelligence from threat sharing communities? | AT&T ThreatTraq
- Terry Sweeney at Black Hat interviewed Phil Montgomery from FireEye
  The Emerging Threat Landscape with Phil Montgomery, FireEye
- Black Hills Information Security share their recent webcast on the logging configuration changes required to detect the attacks from a previous Attack Tactics webcast
  Webcast: Attack Tactics 7 – The Logs you are looking for
- Ed Michael has released a video on “how to use PA to process the encrypted backups folder on Apple Production orders received.”
  Using Cellebrite Physical Analyzer to Process Apple Productions
- The papers from DFRWS 2019 were uploaded
  Papers & Presentations
- On this week’s Digital Forensic Survival Podcast, Michael talks about “insufficient logging and monitoring.”
  DFSP # 179 – OWASP: Insufficient logging and monitoring
- Erik Van Buggenhout shared his presentation on MITRE ATT&CK from SANS Fire 2019
  Leveraging MITRE ATT&CK – Speaking the Common Language
- Kirk Sayre shares his presentation on malicious VB analysis
  Analysis of Malicious Visual Basic
- Magnet Forensics shared a few videos this week on Atlas Lite, the new Officer Wellness features in Axiom, and using Connections in data exfil investigations
- Paraben Corporation shared a series of short videos on their E3 platform
- Richard Davis at 13Cubed walks through the usage of Eric Zimmerman’s EvtxECmd
  Introduction to EvtxECmd
- Ryan Benson at dfir.blog has written out the first part of his 2018 SANS DFIR Summit presentation on Chrome forensics
  Deciphering Browser Hieroglyphics: Intro (Part 1)
- SANS shared the presentations from the 2019 DFIR Summit
  DFIR Summit & Training 2019 (July 2019)
  - And Michael Raggi’s presentation from the 2019 CTI Summit
    Schroedinger’s Backslash: Tracking the Chinese APT Goblin Panda with RTF Metadata – SANS CTI Summit
  - As well as brief course overviews by Alissa Torres and Sarah Edwards for the FOR508, FOR526, and FOR518 classes
- Michael Cohen shared the recent workshop and presentation that he gave with Nick Klein at RSA Asia 2019
  RSA Asia Pacific And Japan 2019
MALWARE
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ describes the recent attack on SyTech by the 0v1ru$ group
  The SyTech Hack: a brief screenshot-based attack analysis
- Scott Hanson guest posts on the Carbon Black blog regarding the IR process and how CB helped on an engagement investigating the Kwampirs malware.
  Lessons Learned from the Incident Response Trenches: Investigating and Eradicating Kwampirs
- Jared Myers at Carbon Black examines a DLTMiner campaign that alters its activity if it detects Carbon Black on the system
  CB TAU Technical Analysis: DLTMiner Campaign Targeting Corporations in Asia
- Cerbero Suite 3.2 was released
  Cerbero Suite 3.2 is out!
- Jake Longden at Cofense shares some details on a recent wave of phishing emails
  Phishing Attackers Are Abusing WeTransfer to Evade Email Gateways
- Cybereason analyse some recent activity from the Spelevo exploit kit being used to deliver the Shade ransomware
  Exploit Kits “Shade” Into New Territory
- Omri Misgav at enSilo examines a new loader malware, TxHollower.
  GandCrab Doppelgänged His Shell?
- There were a couple of posts on the Fortinet blog this week
  - Kai Lu analyses the child processes of the IcedID malware
    A Deep Dive Into IcedID Malware: Part III – Analysis of Child Processes
  - The team also shared a playbook for the Yet Another Panda threat actor
    Zegost from Within – New Campaign Targeting Internal Interests
- Harold Ogden analyses a maldoc delivering Dridex
- Kristina Savelesky, Ed Miles, and Justin Warner at Gigamon analyse a backdoor, Badhatch, being used by FIN8
  ABADBABE 8BADF00D: Discovering BADHATCH and a Detailed Look at FIN8’s Tooling
- Hasherezade at Malwarebytes Labs examines the Phobos ransomware and its similarity to Dharma.
  A deep dive into Phobos ransomware
- There were a couple of posts on the SANS Internet Storm Centre Handler Diaries
  - Didier Stevens examines a malicious RTF file
    Malicious RTF Analysis CVE-2017-11882 by a Reader, (Sun, Jul 21st)
  - Didier also examines a maldoc containing VBA macros
    Analyzing Compressed PowerShell Scripts, (Mon, Jul 22nd)
- Larry Ponemon shared the “annual Cost of a Data Breach Report”
  What’s New in the 2019 Cost of a Data Breach Report
- Satnam Narang at Tenable shares details of the WatchBog malware
  WatchBog Malware Adds BlueKeep Scanner (CVE-2019-0708), New Exploits (CVE-2019-10149, CVE-2019-11581)
- Jindrich Karasek and Augusto Remillano II at Trend Micro share details of some recent botnet activity used to deliver various backdoors
  Multistage Attack Delivers BillGates/Setag Backdoor, Can Turn Elasticsearch Databases into DDoS Botnet ‘Zombies’
- Gianfranco Tonello and Michele Zuin at VirIT analyse the Ryuk ransomware
  19/07/2019 08:30:36 – Technical analysis of Ryuk ransomware that targets the large organizations
- Luigi Martire, Davide Testa and Luca Mella of Cybaze-Yoroi Z-LAB dissect some malware acquired from a P2P sharing network
  P2P Worm Spreads Crypto-Miners in the Wild
MISCELLANEOUS
- 0D0AResearch shares their thoughts on setting up Velociraptor on a test network
- Richard Frawley at ADF demonstrates how to use MDI to acquire an iOS device.
  How to Create a Forensic Backup of an iOS Device with MDI
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares a couple of commands that can be useful for retrieving hard drive information
  How to retrieve hard disk information and properties with WMIC and lsblk
- Ashley Hernandez at BlackBag Technologies describes “the basics of both types of searching [available in BlackLight 2019 R1], as well as tips and techniques for how and when to use each method.”
  Searching Tips and Tricks in BlackLight
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’ reviews the recent articles on Facebook embedding additional data in photos on its site
  Forbes, Facebook, and FUD
- There were a few posts on Forensic Focus this week
  - They shared Vladimir Katalov and Mattia Epifani’s presentation from DFRWS EU 2019.
    Apple Watch Forensics: Is It Ever Possible, And What Is The Profit?
  - Scar shared her forum post roundup for the month
    Forensic Focus Forum Round-Up
  - Larry Lieb has written a post on creating an encrypted drive and imaging a computer for preservation once an employee has resigned.
    Employee Turnover And Computer Forensic Analysis Best Practices
  - They shared the presentation and transcript from Griffeye’s intro to Analyze DI Pro
    Webinar: Griffeye 101 – Analyze DI Pro Intro Course
  - They also continued their ‘What’s Happening In Forensics’ series
- Gergely Révay shares his thoughts on the FOR508 course and accompanying GCFA certification
  SANS FOR 508: Setting a thief to catch a thief
- Raj Chandel at Hacking Articles gives an overview of ExifTool
  ExifTool : A Meta-Data Extractor
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week
  Weekly News Roundup — July 21 to July 27
- Over on my ThinkDFIR blog, I wrote a review of the Guardonix write blocker that DeepSpar sent me to play with
  Testing A USB Write Blocker
- John Patzakis at X1 describes some of the recent changes to X1 Social Discovery
  Post-Cambridge Analytica Social Media Collection for Compliance and Legal Purposes
SOFTWARE UPDATES
- UFED Physical Analyzer v7.21.1 was released to fix some bugs with v7.21
- David Dym at EasyMetaData updated MetaDiver to v3.3.0.2346
  MetaDiver 3.3.0.2346 released
- Elcomsoft updated their Elcomsoft Phone Breaker and Elcomsoft Phone Viewer tools
  ElcomSoft Phone Breaker 9.15 supports iOS 13 and iPadOS beta, extracts iCloud tokens from macOS
- KAPE 0.8.5.2 was released
  Kape Changelog
- ExifTool 11.59 was released with new tags and bug fixes
  ExifTool 11.59
- Yogesh Khatri has released an update to mac_apt
  20190720
- Magnet Forensics released Axiom v3.4
  Download Magnet AXIOM 3.4 to Get New Mac Updates and Officer Wellness Features
- Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.0-beta19
  1.0.0-beta19
- Nicole Ibrahim released her DSStoreParser tool
  DSStoreParser v0.2.1
- Skadi 2019.4 was released
  Skadi 2019.4
- Ulf Frisk released MemProcFS version 2.7.2
  Version 2.7.2
- Velociraptor 0.3.2 was released
  Release 0.3.2
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically, hit me up through the contact page or on the social pipes!