Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ provides an overview of the Realm database storage type
Realm database storage primer for digital forensic examiners
- There were a couple of posts on the Elcomsoft blog this week
- Oleg Afonin demonstrates some workarounds for encryption used by the Synology NAS devices
Synology NAS Encryption: Forensic Analysis of Synology NAS Devices
- Vladimir Katalov walks through the jailbreak process for the Apple TV using the checkra1n jailbreak
Forensic Acquisition of Apple TV with checkra1n Jailbreak
- Evild3ad demonstrates a PowerShell module for interacting with an offline registry hive
Installing ImportRegistryHive (PowerShell module)
- Ozan Unal shares an overview of the Windows Registry (in Turkish)
Registry Forensics Part 1: Registry Structure
- SalvationData have a post on extracting Telegram data from an Android phone using SPF Pro
[Case Study] Mobile Forensics: Decryption and Extraction of Telegram Messages for supporting Hong Kong Police Force
THREAT INTELLIGENCE/HUNTING
- Some unique intel gathering shared by Curtis Brazzell this week. Curtis shows a way to see some information from users using MS Office documents in a phishing campaign, even without users enabling macros.
Getting Malicious Office Documents to Fire with Protected View
- CodeColorist looks at exceptions to get around macOS Hardened Runtime.
Two macOS persistence tricks abusing plugins
- Bill Stearns covers different traffic monitoring techniques at Active Countermeasures
- Adam at Hexacorn covers more Run key and other exploits this week
- Donnie Tindall at Crypsis Group looks at using DataDog and atop in IR investigations.
“Living Off the Land”: Forensic Investigators Use Hacker Strategy in Incident Response
- Hod Gavriel at Cyberbit writes about three different droppers related to the Dtrack RAT.
Dtrack: In-depth analysis of APT on a nuclear power plant
- Shintaro Tanaka at JPCERT/CC examines malware delivered by ASUS WebStorage.
IconDown – Downloader Used by BlackTech
- liberty shell summarizes some existing Windows LOLBin techniques using scheduled tasks and hiding in alternate data streams (ADS).
Part 2: Living Off The Land
- MENASEC shows how to check for disabled TeamViewer logging, attacks, and authorizing new devices.
Hunting for suspicious use of TeamViewer – Part 1/2
- Mike at CyberSec & Ramen shares blue team use for Windows Defender Exploit Guard.
Easy Wins for All…Slowing Attacks With the Basics
- Ping Yan at Salesforce Engineering looks at traffic metrics to identify credential stuffing, recovery using browser fingerprinting, and remediation via password reset.
How Salesforce Protects You From Credential Stuffers
- Jared Atkinson at SpecterOps considers where to focus in SOC investigations among collection, detection, triage, investigation, and remediation.
Introducing the Funnel of Fidelity
- Florian Roth argues that defenders shouldn’t share with red teamers how they were caught and why.
The Problems With Today’s Red Teaming
- Root combines an MS17_010 psexec Metasploit module with a golden ticket attack.
A Refresher: Conducting Golden Ticket Attacks using NSA exploits
- StrangerealIntel reports on an Iranian APT threat first reported by @CTI_Marc.
APT33 continue to target US companies
- Scot Berner at TrustedSec shares how to create traps to be able to dump LSA Secrets.
Creating Honey Credentials with LSA Secrets
- Tyranid’s Lair continues a series on AppLocker
UPCOMING WEBINARS/CONFERENCES
- Belkasoft announced two upcoming webinars
PRESENTATIONS/PODCASTS
- Adrian Crenshaw uploaded the presentations from Louisville InfoSec 2019
- Blackbag Technologies uploaded their recent webinar on Blacklight and its integration with Passware
New Triage Capabilities in BlackLight
- Muna Assi at Cellebrite describes their inbuilt translation capability
Ask the Expert: Cellebrite Smart Translator (powered by SDL) – by Muna Assi
- Some more talks from DEFCON were uploaded
- On this week’s Digital Forensic Survival Podcast, Michael describes some of the automation that he’s built around Linux live response
DFSP # 196 – autoLLR
- Jason at Sumuri gives an overview of the heat dissipation on the Talino workstation.
Talino’s Aluminum Chassis | SUMURI
MALWARE
- Omri Segev Moyal shares two important resources this week: first, a GoFundMe link to support malware researcher Yonathan Klijnsma (0x3a) through his fight with cancer, and *six* malware presentation recordings from the online malware con Omri organized.
Two Years of Malware Research Slack Group – Anniversary Event
- Alex Turing and Genshen Ye at 360 Netlab Blog write about ELF files and the Roboto Botnet.
The awaiting Roboto Botnet
- Bart at Blaze’s Security Blog investigates a potential compromise of Monero.
Monero project compromised
- Michał Praszmo at CERT Polska breaks down an email targeting Polish users purportedly from “DHL” delivering brushaloader.
Brushaloader gaining new layers like a pro
- Alexey Bukhteyev at Check Point Research examines Phorpiex moving away from IRC control and delivering various worms and infostealers.
Phorpiex Breakdown
- Simon Finn at Cisco looks at the importance of collecting Netflow and where ML and AI fit in related to known vs unknown threats.
The Importance of the Network in Detecting Incidents in Critical Infrastructure
- David Liebenberg and Kendall McKay at Cisco Talos look at Q4 threats: ransomware, banking trojans, and coin miners.
Cryptominers, ransomware among top malware in IR engagements in Q4
- Cofense shared two articles on phishing this week
- Assaf Dahan at Cybereason pivots from last month’s Raccoon infostealer post with research into the Phoenix keylogger.
Phoenix: The Tale of the Resurrected Keylogger
- Nebu_73 at Follow The White Rabbit covers a wide variety of malware reverse engineering basics.
Malware Dissection: Looking at the eyes of Evil [ESP]
- Fortinet examines the “Frenchy” packer, seen in recent versions of the LimeRAT, Tesla spyware, and Lokibot.
Packers: What’s in the Box?
- Karsten Hahn at G Data Security shares information about a new sample of the .NET SectopRAT.
Remote access malware utilizes second desktop to control browsers
- Ignacio Sanmillan at Intezer discovers a unique, sophisticated Linux and Windows backdoor.
ACBackdoor: Analysis of a New Multiplatform Backdoor
- Lloyd Davies shares a way to deobfuscate C# code.
Writing a Simple Deobfuscator For A Simple C# Malware Variant
- There were a couple of posts on the Malwarebytes Lab blog this week
- Matt at Bit_of_Hex looks at a malicious shortcut file, launching a VBScript file to lower security settings and gain persistence.
“Say Cheese!” An analysis of foto.lnk
- Brad Duncan at Palo Alto Networks shares how earlier this month, Trickbot has been seen stealing OpenSSH and OpenVPN passwords.
Trickbot Updates Password Grabber Module
- Shelby Pace at Rapid7 shares news about encrypted, compiled payloads in Metasploit.
Metasploit Shellcode Grows Up: Encrypted and Authenticated C Shells
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Cheap Chinese JAWS of DVR Exploitability on Port 60001, (Tue, Nov 19th)
- Hancitor infection with Pony, Evil Pony, Ursnif, and Cobalt Strike, (Wed, Nov 20th)
- Abusing Web Filters Misconfiguration for Reconnaissance, (Fri, Nov 22nd)
- Gathering information to determine unusual network traffic, (Thu, Nov 21st)
- Local Malware Analysis with Malice, (Sat, Nov 23rd)
- Mario Ciccarelli at SentinelOne examines an example of Smoke Loader using Flare and IDA Pro.
Going Deep | A Guide to Reversing Smoke Loader Malware
- Gabrielle Joyce Mabutas at TrendMicro looks at a malicious document and Flash player that appear to be related to the Lazarus group.
Mac Backdoor Linked to Lazarus Targets Korean Users
- There were a few posts on the Virus Bulletin blog this week
- VB2019 paper: Domestic Kitten: an Iranian surveillance program
- VB2019 video: Discretion in APT: recent APT attack on crypto exchange employees
- VB2019 paper: Different ways to cook a crab: GandCrab Ransomware-as-a-Service (RaaS) analysed in depth
- VB2019 paper: Fantastic Information and Where to Find it: A guidebook to open-source OT reconnaissance
- There were a few posts on the Carbon Black blog this week
- Threat Analysis Unit (TAU) Threat Intelligence Notification: Ramnit Banking Trojan
- Threat Analysis Unit (TAU) Threat Intelligence Notification: OSX.Yort
- Threat Analysis Unit (TAU) Threat Intelligence Notification: AsyncRAT
- Threat Analysis Unit (TAU) Threat Intelligence Notification: Estemani Ransomware
- Active C2 Discovery Using Protocol Emulation Part 1 (HYDSEVEN NetWire)
- WeLiveSecurity shares how DePriMon, seen previously with ColoredLambert, registers a new local port monitor to gain persistence.
Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon
- Yoroi shares news of an Italian Ursnif campaign.
“New Document” Attack Campaign
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR posted a couple of content updates
- Noam Weisberg at Cellebrite gives an overview of the recent updates to the database viewer within UFED PA to accommodate the Realm database type. Heather Mahalik also demonstrates the viewer in this video
Meditations on Redesigning the Database Viewer
- Chapin Bryce at Pythonic Forensics walks through the process of creating an RDP honeypot for intelligence gathering
Build your own RDP Honeypot
- Bill Bradley & Tim Bandos at Digital Guardian wrote an article about their collection tool, DG Wingman and DLP. I hadn’t heard of it before so thought to include it here. There’s been a lot of motion in the endpoint triage utility space; someone should really write a comparison post (*hint hint*). I think this year alone we’ve seen things like KAPE, Velociraptor, and DFIR ORC hit the scene, as well as various others seeing resurgence. Knowing their pros and cons and utility would be helpful if anyone’s looking for a way to contribute.
Mastering DFIR: Digital Guardian for DFIR and Data Protection
- Oleg Afonin at Elcomsoft gives an overview of encryption and subsequently, decryption
What is Password Recovery and How It Is Different from Password Cracking
- There were a number of posts on Forensic Focus this week
- Jade James reviews Blackbag’s Macquisition
Review: MacQuisition From BlackBag
- They share a walkthrough of XRY Photon’s manual option
Walkthrough: XRY Photon Manual
- They uploaded the recording and transcript of Griffeye’s presentation on Griffeye Brain
How To Use Griffeye Brain – Artificial Intelligence
- Blackbag announced that the next release of Blacklight will integrate with Passware for enhanced decryption capabilities
BlackBag Partners With Passware To Provide Full Disk Decryption In New Release
- They uploaded the recording and transcript of Magnet Forensics’ presentation on using Axiom for Mac USB investigations
How To Use Magnet AXIOM In Mac USB Investigations
- Christa Miller gives an overview of Preston Farley’s presentation from Techno Security Myrtle Beach surrounding the use and support of emoji in forensic tools
Can Your Investigation Interpret Emoji?
- Oxygen Forensics describe their acquisition capabilities for the Viber app on various data sources
Viber Messenger Extraction In Oxygen Forensic Detective
- They shared an article on “BitLocker protectors and talks about the best ways to get the data decrypted, even for computers that are turned off.”
How To Decrypt BitLocker Volumes With Passware
- Oleg Skulkin posts about the value of prefetch files
Hunting For Attackers’ Tactics And Techniques With Prefetch Files
- Magnet Forensics announced a new training course in collaboration with Graykey for acquiring and examining full file system images of iOS devices
Sign Up For MAGaK (Magnet AXIOM And GrayKey) Advanced iOS Examinations (AX301)
- Griffeye posted about their Intelligence Database
How To Use The Griffeye Intelligence Database
- Passware shared the process for transferring a decryption session from one machine to another
How To Transfer A Password Recovery Process To A Different Computer Using Passwa
- They also continued their ‘What’s Happening In Forensics’ series
- Greg Masi posted a review of Magnet Outrider.
Knock ‘n’ Talk!
- Hideaki Ihara at port139 tests the deduplication feature in Windows Server 2019
Windows Server 2019 and Dedupe
- Chris Currier at MSAB shares some case studies where using data from an older mobile phone was pivotal
The Case for Ye Olde Phones
- OpenText shared the results of the OpenText Hero Awards held during Enfuse. Congrats to the winners, including my ex-colleague Brian!
Enfuse 2019 wraps with OpenText Hero award winners
- Zachary Burnham demonstrates how to upload offline Windows event logs into an ELK stack via winlogbeat.
Manually upload EVTX log files to ELK with Winlogbeat and PowerShell
SOFTWARE UPDATES
- Plaso 20190916 was released
Plaso 20190916 released
- Eric Zimmerman updated Timeline Explorer, PECmd, Registry Explorer, AppCompatCacheParser, and AmcacheParser
ChangeLog
- GetData released Forensic Explorer v5.1.2.9148
20 November 2019 – 5.1.2.9148
- Griffeye released Analyze 19.3
Release of Analyze 19.3
- Intezer can now perform analysis on Golang malware.
Genetic Malware Analysis for Golang
- Jan Kaiser released a “script that checks for available updates for the most commonly used Digital Forensics tools”
Forensic Version Checker
- Passmark released OSForensics V7.1 build 1000
V7.1 build 1000 19th November 2019
- RTCrowley has released a parser for BITS metadata
BansheePelican
- Sandfly 2.3.3 was released with “more methods to help spot packet sniffers and suspicious immutable files common with malware”
Sandfly 2.3.3 – More Linux Sniffer and Immutable File Detection
- USB Detective v1.6.0 was released
Version 1.6.0 (11/18/2019)
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!