Busy week this week so just links only. Seems like everyone has been busy because it’s a big one too!

Lodrina asked me to share this article that she wrote last week and I forgot, so it’s right here, now, go read it!
Tracking Every Move: From Location-Based Apps to Stalkerware and Advanced Attackers

Also, the New York Times posted an article on phone tracking that was pretty eye opening
Twelve Million Phones, One Dataset, Zero Privacy

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Tony at AbooutDFIR
  Pattern of Life – Tracking Through Mobile Applications

• Checkrain-related posts
  • Jailbreaking – Checkra1n Configuration
  • BFU Extraction: Forensic Analysis of Locked and Disabled iPhones
  • Checkra1n Era – Ep 4 – Analyzing extractions “Before First Unlock”
  • Take advantage of Checkra1n to Jailbreak iDevice for App analysis – Pieces0310

• Oleg Afonin at Elcomsoft
  Extracting Skype Histories and Deleted Files Metadata from Microsoft Account

• Manuel Guerra at Glider
  Router Forensics: El ojo que todo lo ve.

• Iria Piyo
  NTFSのトンネリングとHardlink
  

THREAT INTELLIGENCE/HUNTING

• Anton Chuvakin
  Security Correlation Then and Now: A Sad Truth About SIEM

• David Pearson at Awake Security
  DNS Exfiltration: The Light at the End of the DNS Tunnel

• Bitdefender Labs
  RDP Abuse and Swiss Army Knife Tool Used to Pillage, Encrypt and Manipulate Data

• Fox IT
  Operation Wocao : Shining a light on one of China’s hidden hacking groups

• Huseyin Rencber
  Sigma Kural Yapısı ve SIEM Arama Formatına Dönüştürme

• Sarah Yoder and Jackie Lasky at MITRE
  Automating Mapping to ATT&CK: The Threat Report ATT&CK Mapper (TRAM) Tool

• Jen Miller-Osborn and Mike Harbison at Palo Alto Networks
  Rancor: Cyber Espionage Group Uses New Custom Malware to Attack Southeast Asia

• Penetration Testing Lab
  Persistence – Application Shimming

• Bri Hand at Rapid7
  Building a Daily Threat Simulation Tool with Todd Beebe

• Red Canary
  Privilege escalation revisited: webinar highlights

• Robin Moffatt
  • Detecting and Analysing SSH Attacks With ksqlDB
  • Analysing network behaviour with ksqlDB and MongoDB

• Sandfly Security
  How To Decloak Stealth Linux Cryptocurrency Mining Malware

• Securelist
  OilRig’s Poison Frog – old samples, same trick

• Gabor Szappanos and Andrew Brandt at Sophos
  MyKings botnet spreads headaches, cryptominers, and Forshare malware
  

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  Checkm8 and Checkra1n – Full Filesystem extractions for iOS devices

• Virus Bulletin
  VB2020 call for papers – now open!
  

PRESENTATIONS/PODCASTS

• Chris Brenton at Active Countermeasures
  Finding the Cumulative Communication Time Between Systems Using Zeek – Video Blog

• Black Hills Information Security
  Let’s Talk About ELK Baby, Let’s Talk about You and AD

• DEF CON
  DEF CON

• Joshua James at DFIR.Science
  • Extracting text from images with gImageReader and Tesseract OCR on Windows
  • GO Programming 001: Installing Golang
  • GO Programming 002: First program in Golang – Hello World!

• Didier Stevens
  Analyzing .DWG Files With Embedded VBA Macros

• Digital Forensic Survival Podcast
  DFSP # 200 – Audit Log Clearing

• Robert Neumann at Forcepoint
  Botconf 2019 – “The Cereals Botnet” presentation slides and review

• Forensic Focus
  Graeme Horsman On The Fast Pace Of Digital Forensics, And The Need To Share Research

• Kringlecon 2019
  Kringlecon 2019

• Richard Davis at 13Cubed
  Introduction to Kansa (PowerShell-based Incident Response)

• Anastasios Pingios & Willem Gerber
  FIRST TC (Amsterdam 2019): Incident response in the age of serverless
  

MALWARE

• 360 Netlab
  Dacls, the Dual platform RAT

• James Quinn at Binary Defense
  An Updated ServHelper Tunnel Variant

• Brian Laskowski at Laskowski-Tech
  • OSINT Threat Hunting Powershell Empire
  • The Empire Rises again…

• CERT Polska
  Free decryption tool for Mapo ransomware

• Cisco’s Talos
  • Incident Response lessons from recent Maze ransomware attacks
  • 2019: The year in malware

• Cofense
  • PowerShell Scripts Delivered Via Office Macro Attachments Target Polish Employees
  • This Advanced Keylogger Delivers a Cryptocurrency Miner
  • Emotet Modifies Command & Control URI Structure and Brings Back Link-based Emails

• Didier Stevens
  Analyzing .DWG Files With Embedded VBA Macros

• Jérôme Segura at Malwarebytes Labs
  Spelevo exploit kit debuts new social engineering trick

• Morphisec
  • ConnectWise Control Abused Again to Deliver Zeppelin Ransomware
  • Trickbot Returns in a New eCommerce Shopping Campaign

• Positive Technologies
  Turkish tricks with worms, RATs… and a freelancer

• SANS Internet Storm Center
  • Malicious .DWG Files?, (Mon, Dec 16th)
  • VirusTotal Email Submissions, (Sun, Dec 15th)
  • Is it Possible to Identify DNS over HTTPs Without Decrypting TLS?, (Tue, Dec 17th)
  • Emotet infection with spambot activity, (Wed, Dec 18th)
  • More DNS over HTTPS: Become One With the Packet. Be the Query. See the Query, (Thu, Dec 19th)
  • Wireshark 3.2.0 Released, (Sat, Dec 21st)

• Lloyd Macrohon and Rodel Mendrez at Trustwave SpiderLabs
  Undressing the REvil

• VMware Carbon Black
  • Threat Analysis Unit (TAU) Threat Intelligence Notification: CrescentCore (macOS)
  • Threat Analysis Unit (TAU) Threat Intelligence Notification: DeathRansom Ransomware

• Yoroi
  • Nuovi Attacchi Ursnif in Corso “GLS-Italy”
  • Unveiling JsOutProx: A New Enterprise Grade Implant

• Yuya Kanesawa
  FGSMを使ってマルウェア検知器（MalConv）を回避する
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 12/18/2019

• Chris Miles at AccessData
  5 Public Sector DFIR Trends for 2020

• Cellebrite
  • 2019: A Look Back On Our Business Customers’ Journey
  • How Cellebrite Partners with Universities to Empower the Next Generation of Digital Forensics Professionals

• Oleg Afonin at Elcomsoft
  Challenges in Computer and Mobile Forensics: What to Expect in 2020

• Forensic Focus
  • How To Extract Credential Data Using KeyScout
  • Interview With Sarah Edwards, Senior Digital Forensic Researcher, BlackBag
  • The Goldilocks Effect
  • Nuix Investigate: Giving Investigators Something To Talk About
  • How To Perform A Link Screen Capture On DataPilot 10
  • Review: Digital Evidence Investigator PRO From ADF
  • Review: XAMN From MSAB
  • Investigating Nonconsensual Intimate Image Sharing
  • Interview With Raphael Bousquet, CTO, ADF Solutions
  • How To Search For Visual Data With Griffeye Analyze DI
  • Register For Webinar: What’s New In EnCase Forensic 8.10 & Mobile Investigator
  • Belkasoft Summarizes the Results of 2019 for Belkasoft Evidence Center
  • Continuing The Fight Against Cybersex Trafficking
  • Six Tips For A Smarter Investigation Workflow
  • There’s No Such Thing As Big Data
  • Oxygen Forensics Innovations Of 2019
  • How To Use Social Graph In Oxygen Forensic Detective
  • Forensic Focus Forum Round-Up
  • How To Parse AirDrop Artifacts In Magnet AXIOM
  • Forensic Focus Legal Update December 2019 – Part I
  • Interview With Stefano Bianchi, Amped Software
  • Webinar: New Triage Capabilities In BlackLight
  • Enfuse 2019 – Recap
  • Vico Marziale, Senior Digital Forensics Researcher, BlackBag Technologies
  • How To Use Data Pilot 10 For Fast Acquisition From Android Devices
  • Jessica Hyde, Magnet Forensics And Vitaliy Mokosiy, Atola Technology
  • Forensic Focus Legal Update December 2019 – Part II: Search And Seizure
  • Interview With Martin Westman, Product Specialist, MSAB
  • Interview With Robert O’Leary, Head Of Investigations For USG & Corporate, Nuix

• Kristian Lars Larsen at Data Narro
  • Your 2020 Digital Forensics Conference Calendar
  • The Top 20 E-Discovery Conferences for 2020

• LockBoxx
  Misconceptions Regarding “Offensive Security Tools”

• Magnet Forensics
  • 2019: A Year in Review
  • 2019 in Review: Highlights From Our Forensics Experts
  • 2019 in Review: Mac Support Updates in Magnet AXIOM
  • Using Magnet AXIOM for Your Forensic Analysis

• Mike at ØSecurity
  Splunk REST API Python Example

• Nirsoft
  Delete history records of Chrome and Firefox with BrowsingHistoryView

• Richard Frawley at ADF
  How to Scan Multiple Devices

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — December 15 to December 21

• SecFallacy
  What’s better, few or many input ports in Logstash/Graylog?

• Sumuri
  Forensic Workstation to be Donated to a Law Enforcement Agency in Need

• Teri Radichel
  The attackers are in your network — now what?
  

SOFTWARE UPDATES

• Amped
  DVRConv Update 15182: Concatenation and Ability to Split Converted Files

• Blackbag Technologies
  BlackLight 2019 R3

• Cellebrite
  UFED Ultimate 7.27: Facebook & Google Warrant Returns, Plus Full File-System Extractions From iOS Devices

• Didier Stevens
  Update: oledump.py Version 0.0.44

• DME Forensics
  DVR Examiner Version 2.8.2

• Elcomsoft
  • iOS Forensic Toolkit 5.21 extracts keychain from locked iOS devices
  • ElcomSoft Phone Breaker 9.40 is out with support for Skype chats, files and metadata

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 11.80

• Passware
  Passware Kit 2020v1: Dictionary Manager and Support for VeraCrypt GPT

• GetData
  20 December 2019 – 5.1.2.9226

• MSAB
  New XRY 8.2.2

• Passmark Software
  V7.1 build 1003 16th December 2019

• Passware
  Passware Kit 2020 v1

• radare2
  4.1.1 – reantull

• SalvationData
  [Software Update] DVR Forensics: VIP 2.0 V19.0.1.1030 New Version Release for Better User Experience!

• Timesketch
  20191220

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!