Week 7 – 2020

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!



  • John Wunder at MITRE ATT&CK wants you to share more ATT&CK Sightings in the wild. If you’ll be at RSA, there’s an information session on sharing intel as well.
    ATT&CK Sightings — We Need YOU! 





  • Jon Munsey at Computer Forensic Reviews Online has written a lengthy review of Blackbag Technologies’ Macquisition. I’m a little surprised by some of his findings, however, as I haven’t run into that many issues with it. Sometimes I’ve had issues with MQ not booting, and rewriting the firmware back to the drive fixed it. Not to mention the whole dealing with T2 and fusion drives is a huge plus to the product. I think I’ve had a couple of instances where I’ve used Target Disk Mode and disk arbitration, but that’s rare, and definitely not recently (albeit I don’t deal with nearly as many Macs now that I’m out of LE). Overall, I’d still pick it as a key piece of kit if you’re imaging Macs regularly.
    Macquisition (BlackBag) 2019R1.2 Review 
  • Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’ shared the picture of the first Kringle Coin, as well as a link to the NYC KringleCon party recording.
    The World’s First Kringle Coin! 
  • Gabriel Mathenge released “a little C# tool that uses @Blurbdust’s kickass work (CVE-2019-18988) to enumerate and decrypt TeamViewer credentials from Windows registry.”
    Check out @_theVIVI’s Tweet 
  • Brett Shavers shared the (tentative) table of contents for the 2nd edition of the X-Ways Forensics Practitioner’s Guide
    XWF/2E Table of Contents


  • ExifTool 11.87 was released with new tags and bug fixes
    ExifTool 11.87 
  • Maxim Suhanov updated his dfir_ntfs file system parser to v1.0.2
  • Thiago Canozzo Lahr shared a new tool, UAC, which “is a command line shell script that makes use of built-in tools to automate the collection of system artifacts”.
  • Ulf Frisk released MemProcFS version 3.1
    Version 3.1 

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically, hit us up through the contact page or on the social pipes!
