Lots of travelling between Lodrina and I this week so links only. 

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexis Brignoni at ‘Initialization Vectors’
  Vendor binaries and data stores:  io-prefetcher.db

• Arman Gungor at Metaspike
  Dates in Hiding—Uncovering Timestamps in Forensic Email Examination

• Craig Ball at ‘Ball in your Court’
  Preserving Android Evidence: Return of the Clones?

• SalvationData
  [Case Study] DVR Forensics: How to retrieve CCTV footage from a live video surveillance system in a forensically sound manner?

• Sandor Tokesi at Forensics Exchange
  Defcon DFIR CTF 2019 writeup – Triage VM
  

THREAT INTELLIGENCE/HUNTING

• Chris Brenton at Active Countermeasures
  MITRE ATT&CK Matrix – C2 Connection Proxy

• Adam at Hexacorn
  • SilentProcessExit – quick look under the hood
  • WerFault – command line switches v0.1
  • Beyond good ol’ Run key, Part 116
  • ALPC Ports

• ClearSky
  The Kittens Are Back in Town Charming Kitten – Campaign Against Academic Researchers

• Allie Mellen at Cybereason
  Explaining Fileless Malware Succinctly with Examples from our Research

• Intezer
  Why we Should be Paying More Attention to Linux Threats

• Lab 52
  Geopolitical Strategy of Iran And The Cyberattacks of APT33

• Ivan Kirillov at MITRE
  New Wheels on the CAR: Updates to the Cyber Analytics Repository

• Shane Welcher at Red Canary
  Advanced persistence threats: to be a cybercriminal, think like a sysadmin

• SpecterOps
  • You Can Run, But You Can’t Hide — Detecting Process Reimaging Behavior
  • Shhmon — Silencing Sysmon via Driver Unload

• NSHC RedAlert Labs
  Hagga of SectorH01 continues abusing Bitly, Blogger and Pastebin to deliver RevengeRAT and NanoCore

• Trail of Bits
  QueryCon 2019: A Turning Point for osquery

• Erik Van Buggenhout
  Adversary Emulation using CALDERA
  

UPCOMING WEBINARS/CONFERENCES

• Belkasoft
  Belkasoft Evidence Center 9.7 Webinar

• Blackbag Technologies
  Windows 10 Activity Timeline: An Investigator’s Gold Mine

• Cellebrite
  Non-standard Chinese Phones Now Accessible with UFED Chinex Kit
  

PRESENTATIONS/PODCASTS

• Adrian Crenshaw
  BSidesSTL 2019 Videos

• Digital Forensic Survival Podcast
  DFSP # 187 – SUDOERS File and Forensics

• Deepak Kumar
  Threat Intelligence

• Magnet Forensics
  AXIOM at Work: Digging Deeper with the SQLite Viewer (Part 1)

• Paul’s Security Weekly
  Investigating the Insider Threat – Chris Bush – BSW #143

• Richard Davis at 13Cubed
  Memory Forensics Baselines

• SANS
  • Enabling KAPE at Scale
  • Advanced Zeek Usage  Scripting and Framework

• Sumuri
  SUMURI Latest Update | September 2019
  

MALWARE

• Cisco’s Talos
  • Emotet is back after a summer break
  • Cryptocurrency miners aren’t dead yet: Documenting the voracious but simple “Panda”

• Cofense
  • New Phishing Campaign Targets U.S. Taxpayers by Dropping Amadey Botnet
  • Emotet Malicious Phishing Campaigns Return in Force

• Joie Salvio at Fotinet
  Nemty Ransomware 1.0: A Threat in its Early Stage

• Intezer
  Russian Cybercrime Group FullofDeep Behind QNAPCrypt Ransomware Campaigns

• Shusei Tomonaga at JPCERT
  Malware Used by BlackTech after Network Intrusion

• Lucideus
  Portable Executable File

• Malwarebytes Labs
  Emotet is back: botnet springs back to life with new spam campaign

• Mike at “CyberSec & Ramen”
  Analysis of RTF document from Cyber Comm Drop

• Joel Snape at Nettitude Labs
  Maritime Malware Campaigns – Document Payloads

• Didier Stevens at NVISO Labs
  Analyzing a Malicious Spreadsheet Dropping a DLL

• Palo Alto Networks
  The Legend of Adwind: A Commodity RAT Saga in Eight Parts

• Ryan Campbell at ‘Security Soup’
  Analysis of a New Emotet Maldoc with VBA Downloader

• SANS Internet Storm Centre Handler Diaries
  • Emotet malspam is back, (Wed, Sep 18th)
  • Investigating Gaps in your Windows Event Logs, (Tue, Sep 17th)
  • Encrypted Sextortion PDFs, (Mon, Sep 16th)
  • Agent Tesla Trojan Abusing Corporate Email Accounts, (Thu, Sep 19th)
  • Blacklisting or Whitelisting in the Right Way, (Thu, Sep 19th)

• Vitali Kremez at SentinelOne
  FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals

• Symantec
  Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks

• TrendMicro
  • Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload
  • Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
  • Fileless Cryptocurrency-Miner GhostMiner Weaponizes WMI Objects, Kills Other Cryptocurrency-Mining Payloads
  • Mac Malware that Spoofs Trading App Steals User Information, Uploads it to Website

• Yoroi
  • Ritorno delle Campagne di Attacco Emotet
  • Nuove Operazioni di Attacco Gootkit
  • Commodity Malware Reborn: The AgentTesla “Total Oil” themed Campaign
    

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  New AboutDFIR Contributor

• Brett Shavers at DFIR.Training
  What’s New at DFIR Training?

• Chris Vance at ‘D20 Forensics’
  Setting up an Android for Fun and Profit (Testing)

• Forensic Focus
  • MSAB Launches Mobile Forensics Blog
  • Sneak Peak Of New Belkasoft Evidence Center 2020
  • How To Use Text Analytics With Rosoka Integration
  • BlackBag Now Provides Law Enforcement Agencies With AI-Based Image Recognition
  • How To Integrate AD Enterprise And The CyberSponse Platform Using The AccessData
  • Video Playback And Redaction Is Even Easier With Amped Replay’s Newest Features

• What’s Happening In Forensics’ series
  • What’s Happening In Forensics – Sep 16, 2019
  • What’s Happening In Forensics – Sep 18, 2019
  • What’s Happening In Forensics – Sep 19, 2019

• Heather Mahalik at Smarter Forensics
  I’m not hiding, I swear!

• Magnet Forensics
  AXIOM at Work Events Are Coming to Cities Across the U.S.

• MSAB
  Four critical success factors in mobile forensics

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — September 8 to September 14

• SANS
  “Strengthen Your Investigatory Powers by Taking the New FOR498: Battlefield Forensics & Data Acquisition Course from SANS”

• The Leahy Center for Digital Investigation
  • Magnet User Summit 2019
  • Using Memory Forensics Analysis to Guide Your Investigation
  • Leveraging PowerShell & Python MUS 2019
  • Windows Store and Apps  Analysis – MUS2019
  • Internet of Things at Magnet User Summit 2019
  • Magnet User Summit 2019: Solving Cyber Crimes with the University of Notre Dame
  • Virtual Currency Investigations: Fear Not the Blockchains
  • Exploring Axiom 3.0 and the Child Protection System at MUS 2019
  • Magnet User Summit Experience
    

SOFTWARE UPDATES

• Binalyze
  Version 1.9.6

• Cellebrite
  Exclusive access to untouched evidence in Samsung Exynos devices

• Didier Stevens
  • Update: pecheck.py Version 0.7.7
  • Update: hash.py Version 0.0.7
  • Update: hex-to-bin.py Version 0.0.3

• Eric Zimmerman
  • Kape Changelog
  • ChangeLog

• MISP
  MISP 2.4.116 released (aka the new decaying feature)

• MobilEdit
  New MOBILedit 7.0.2 supports iOS 13!

• Radare2
  3.9.0 – Carxofes

• Sumuri
  RECON IMAGER 4.0.4 now includes Enhanced Logical Imaging!

• TZWorks
  Sept 2019 build (package)

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!