Last weekly for the year! Planning two more posts before the end of the year, let’s see how that pans out 🙂
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, Thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’ has released iLEAPP: iOS Logs, Events, And Properties Parser, which merges his previous projects together. This looks like a great initiative, and I highly recommend you check the post out, even if it’s just to read the conclusion.
  iLEAPP: iOS Logs, Events, And Properties Parser
- Mattia Epifani at Zena Forensics shares an updated version of his iOS extraction and processing script. I hope that ultimately all of this automated processing gets merged together to provide a free iOS alternative to the paid forensic suites.
  Checkra1n Era – Ep 5 – Automating extraction and processing (aka “Merry Xmas!”)
- Olga Milishenko at Atola walks through using the Insight Forensic to image “into a file on an encrypted target drive, using VeraCrypt for data encryption.”
  Imaging into a file on an encrypted target
- Craig Ball at ‘Ball in your Court’ walks through manual collection of social media content.
  Preserving Social Media Content: DIY
- Shubham Sharma at Hacking Articles demonstrates various tools for memory collection.
  Multiple ways to Capture Memory for Analysis
- Vol.45 of the Internet Infrastructure Review (IIR) includes Minoru Kobayashi’s paper on “Acquisition of memory image for Linux forensics”. (Japanese)
  Internet Infrastructure Review (IIR) Vol.45
- Jesse Spangenberger at Cyber Fēnix Tech shares his research on the Jabber client for Windows and his Cisco Collaboration Lab configuration.
- SalvationData share a post on extracting “WeChat data from Huawei Mobile Student Mode”.
  [Case Study] Mobile Forensics: Extraction for WeChat data from Huawei Mobile Student Mode
- The last edition of the Journal of Digital Investigation for the year was released.
  Volume 31
THREAT INTELLIGENCE/HUNTING
- When you’re hunting for threats, how do offensive pen test tools allow you to practice your defense? To recognize commodity threats or more advanced attackers? This was discussed in many places this week:
  - Daniel Miessler on tools and how they’re used.
    Comparing Offensive Security Tooling and Gun Control
  - Joe at Stranded on Pylos on the practicality of offensive toolsets and ethics.
    The False Choice of Penetration Testing Tools
  - Adam at Hexacorn attempts to quantify the cost to develop offensive tools (in English).
    Le coût du développement des capacités
- Jake Krasnov and Anthony Rose at BC Security introduce new features in Empire 3.0, including Python and Mimikatz updates. (Phill’s note: Dropping this on Christmas Eve had to be trolling, right?)
  The Empire (3.0) Strikes Back
- Renée Burton at Infoblox discusses DNS attacks and links to a related journal paper Renée published earlier this year (25 page PDF).
  Tracing the evolution of Slow Drip attacks
- Michael Grafnetter at CQURE Labs begins a DSInternals PS module writeup, including how to do AD “password audits, offline password resets and group membership changes, or SID history injection.”
  #CQLabs – DSInternals PowerShell Module by Michael Grafnetter
UPCOMING WEBINARS/CONFERENCES
- The CFP for the first DFRWS APAC is open! Submissions for abstracts/workshops are due January 31, 2020. We’re looking for a few solid workshops to make the inaugural event a hit!
  Call for Abstracts
- Rob Lee announced the news that the DFIR Summit in Austin, TX will be held Jul 16-17, 2020 for the newly reduced fee of $275USD pp.
  “DFIR SUMMIT 2020 SNEAK PREVIEW”
PRESENTATIONS/PODCASTS
- Joshua James shares a couple of videos on programming
- On this week’s Digital Forensic Survival Podcast, Michael talked “about identifying REGSVC \ REGASM abuse”.
  DFSP # 201 – Regsvcs Triage
- There were a couple of segments on Paul’s Security Weekly that may be of interest.
- Recon Infosec shared “a quick guide to using basic query syntax for analyzing process creation events.”
  Graylog Basic Query Syntax – Process Creation
- Sumuri announced the winner of their Talino workstation.
  SUMURI Gives Back 2019 Winner Announcement
MALWARE
- Alex Turing and Hui Wang at 360 Netlab look at Mozi botnet activity flagged incorrectly as Gafgyt.
  Mozi, Another Botnet Using DHT
- Oleg Skulkin at Group-IB shares recent IOCs related to Cobalt Gang activity.
  A Shortcut to Compromise: Cobalt Gang phishing campaign
- Derek Kleinhen at Kindred Security shares an infection chain writeup that ultimately delivers njRAT.
  Bashar Bachir Infection Chain Analysis
- Omri Misgav at Fortinet shares a writeup on delivery of the Carbanak backdoor.
  Introducing BIOLOAD: FIN7 BOOSTWRITE’s Lost Twin
- Brad Duncan at Palo Alto Networks shares how to look for Ursnif in Wireshark.
  Wireshark Tutorial: Examining Ursnif Infections
- Borna Zeba at Reversing Labs attempts to identify malware authors based on geography and same-named mutexes.
  When malware RATs on their owners
- There were a number of posts on the SANS Internet Storm Centre Handler Diaries
- Extracting VBA Macros From .DWG Files, (Sun, Dec 22nd)
- New oledump.py plugin: plugin_version_vba, (Mon, Dec 23rd)
- Malspam with links to Word docs pushes IcedID (Bokbot), (Tue, Dec 24th)
- Timely acquisition of network traffic evidence in the middle of an incident response procedure, (Wed, Dec 25th)
- Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)
- Enumerating office365 users, (Fri, Dec 27th)
- Corrupt Office Documents, (Sat, Dec 28th)
- Sophos, with contributions from JamesWT, tracks Gozi campaigns and their attempts to circumvent defenses.
  Gozi V3: tracked by their own stealth
- Symantec looks at the prevalence of LOLbins, PS, and WMI attacks.
  Living off the land: Attackers leverage legitimate tools for malicious ends
- David Fiser at Trend Micro examines WordPress attacks.
  Looking into Attacks and Techniques Used Against WordPress Sites
- Joshua Deacon, Diana Lopera, and Fahim Abbasi at Trustwave look at .ISOs ultimately distributing the Remcos RAT.
  Leveraging Disk Imaging Tools to Deliver RATs
- Mac attacks are in the news again – see Sergei Shevchenko’s presentation from VB2019 on one example of macOS malware.
  VB2019 paper: Never before had Stierlitz been so close to failure (or: what is a Soviet super-spy doing in a popular bundleware for Mac?)
- Anastasios Pingios talks about the implications of Marcus Hutchins registering the kill switch domain (and Anastasios’ influence) to stop WannaCry.
  A short story around WannaCry
MISCELLANEOUS
- A few companies shared an overview of some of their accomplishments over the last year
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares some OSINT tools.
  Pockint: a portable OSINT Swiss Army Knife
- Marcus Thompson at Professor Bike posted a couple of times
  - He walks through the process of getting Timesketch running in Docker.
    Getting Started with Timesketch and Docker
  - He also lists some tools for dealing with large CSV files; I do need to look into a command-line tool (Windows) that gives me functionality similar to Excel’s filtering capabilities and is easy to use. Any suggestions, let me know!
    Handling Large CSV Files for Digital Forensics and Incident Response
- Brett Shavers highlights some pivotal moments in digital forensics over the last two decades.
  The Second Decade of the 2000s is almost over!
- Kristian Lars Larsen at Data Narro lists 10 E-discovery blogs to follow.
  The Top 10 E-Discovery Blogs for 2020
- Whitney Champion at Recon InfoSec walks through the process of ingesting “multiple sources of Cylance logs into Graylog”.
  Graylog and Cylance Protect Integration
- Ryan Campbell at ‘Security Soup’ shares his infosec news picks of the week.
  Weekly News Roundup — December 22 to December 28
- Over on my ThinkDFIR blog I shared some research I did with Troy Larson on AppLocker (and its logging capabilities). AppLocker is the application whitelisting and execution prevention capability available in Windows.
  Applocker FTW
- Martijn Grooten steps down as VB editor at the end of this month and shares some parting thoughts.
  Parting thoughts 5: bringing the good news
SOFTWARE UPDATES
- Binalyze released a new version of IREC, v1.9.9
  Version 1.9.9 (Christmas Edition)
- CDQR 20191226 was released
  CDQR 20191226
- Cellebrite updated UFED InField to v7.27
  UFED InField 7.27: Perform Full File System Extractions From iOS Devices
- Didier Stevens shared some updates
- Matt Seyer released v0.3.0 of his Rust-based Windows toolkit
  v0.3.0 – 2019-12-24
- SalvationData updated DRS to V18.7.3.304
  [Software Update] Computer Forensics: DRS V18.7.3.304 New Version Release for Better User Experience!
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!