The Forensic 4Cast nominations are closing on May 15, so get your nominations in!
Cellebrite have a post about what they want you to nominate them for, but here’s my take on some of the peoples/companies/tools that deserve a nomination.

Due to the current COVID19 pandemic, SANS has also moved *all* of their classes until June 1 to be SANS Cybercast virtual events. What does this mean? It means that you can take the class of your choosing from the comfort of your own home! No need to travel, no expense reports, no need to wear pants (which is absolutely a requirement for the live events). What this also means is that if you want to take FOR500 with me in May, then you don’t need to travel down to Sydney either. It will be in the timezone that the class was originally meant to run though so something to keep in mind before signing up to a class on the other side fo the world.

Links only again this week, slowing down a bit so I can focus on this exciting news a little more.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, Thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Jessica Hyde at Magnet Forensics
  Understanding iOS time stamps 

• Roey Arato at Cellebrite
  Practical Guide to Huawei Device Extraction in UFED 

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  
  • Not So Secret Messages
  • Ride Sharing 

• Stephen Davis at Fire Eye Threat Research
  Crescendo: Real Time Event Viewer for macOS 

• Jaron Bradley at The Mitten Mac
  • The TrueTree Concept
  • Incident Response With TrueTree 

• Marcos at ‘Un minion curioso’
  OP Tanjawi: Forensic Techniques on Fire – Forensic Analysis to VirtualBox 

• Tony Redmon at ‘Office 365 for IT Pros’
  Capturing “High-Value” Audit Events Requires Microsoft 365 Advanced Audit 

• Peter Stewart
  • Security Blue Team VIP CTF #1 – “Switching Teams” Write-up
  • Security Blue Team VIP CTF #1 – “Twin” Write-up
  • Security Blue Team VIP CTF #1 – “Weekpass” Write-up
  • Security Blue Team VIP CTF #1 – Sneaky Transmission Write-up 

• Teru Yamazaki at Forensicist
  MSSQL Forensics Series (3) 

• Joe Stocker at ‘The Cloud Technologist’
  Deploying MailItemsAccessed Audit Event in Office 365
  

THREAT INTELLIGENCE/HUNTING

• Adam at Hexacorn
  • Going BAT…mode crazy
  • Quick & Dirty Sysmon Replacement aka Process Hacker logging
  • StackOverflown in practice… 

• Anton Chuvakin
  Road to Detection: YARA-L Examples — Part 4 of 3 

• Auth0
  What Is Credential Stuffing? 

• Brad Duncan at Malware Traffic Analysis
  • 2020-03-09 – Quick post: Fastloader –> Trickbot gtag wmd44
  • 2020-03-10 – German malspam with password-protected zip files pushes Ursnif
  • 2020-03-11 – Pcap and malware for an ISC diary (Hancitor)
  • 2020-03-12 – Word doc macro caused a malware infection
  • 2020-03-14 – Traffic analysis exercise – Mondogreek
  • 2020-03-13 – Quick post: Qakbot infection 

• Check Point Research
  Cryptominers Dominate, Targeted Ransomware Hits Hard Shows the 2020 Cyber Security Report 

• CVE-2020–0796
  • Critical SMBv3 Vulnerability: Remote Code Execution, (Thu, Mar 12th)
  • CVE-2020-0796
  • Microsoft SMBv3.11 Vulnerability and Patch CVE-2020–0796 Explained 

• Didier Stevens
  CLSIDs in OLE Files 

• Dragos
  Energy Organizations Continue to be Compromised Globally 

• Devin Hurley at Elasticsearch
  Elastic SIEM detections 

• Koen Van Impe
  Integrating MISP and Cytomic Orion 

• Mike at “CyberSec & Ramen”
  Authoring a Sigma Rule for CSI.Exe 

• Cornelis de Plaa at Outflank
  Red Team Tactics: Advanced process monitoring techniques in offensive operations 

• Palo Alto Networks
  2020 Unit 42 IoT Threat Report 

• Chris Rothe at Red Canary
  What F1 racing can teach us about telemetry 

• Luke Paine at SpecterOps
  Through the Looking Glass — Part 1 

• Satnam Narang at Tenable
  COVID-19: Coronavirus Fears Seized by Cybercriminals 

• TrustedSec
  • Threat Hunting – Outbound RDP Surprises
  • Avoiding Get-InjectedThread for Internal Thread Creation 

• Jonathan Yarema at Trustwave SpiderLabs
  Persistent Cross-Site Scripting, the MSSQL Way
  

UPCOMING WEBINARS/CONFERENCES

• AceLab
  The ACE Lab Technology Conference on Data Recovery & Digital Forensics Will Take Place Online 

• Cellebrite
  • How Law Firms Increase Revenue with Data Collection
  • Cellebrite Premium Crash Course 

• Magnet Forensics
  Grayshift & Magnet Forensics: Slaying iOS Investigations
  

PRESENTATIONS/PODCASTS

• Chris Brenton at Active Countermeasures
  What Is Threat Hunting and Why Is It so Important? – Video Blog 

• Black Hills Information Security
  Webcast: Think You’re Compromised? What Do We Do Next? 

• Brakeing Down Security Podcast
  2020-009-Dave Kennedy, Offensive Tool release (Part 1) 

• Cellebrite
  • Ask the Expert: The AppGenie in UFED Physical Analyzer by Or Begam
  • How to Discover Artifacts in UFED Physical Analyzer – Part 1 

• Digital Forensic Survival Podcast
  DFSP # 212 – Learning Python 

• SANS
  Analyzing User Mode Dumps With WinDbg 

• Sarah Edwards at Mac4n6
  New Presentation – Exploring macOS with APOLLO from #OBTS 3.0 

• Virus Bulletin
  VB2019 presentation: Nexus between OT and IT threat intelligence
  

MALWARE

• Check Point Research
  • How to de-obfuscate a huge AutoIT script in less than two minutes
  • Phorpiex Arsenal: Part II
  • Vicious Panda: The COVID Campaign 

• Sam Curry at Cybereason
  Ghost in the Machine: Reconciling AI and Trust in the Connected World 

• Dor Neemani, Omer Fishel, Hod Gavriel
  Lost in the Maze 

• Xiaopeng Zhang at Fortinet
  New Variant of TrickBot Being Spread by Word Document 

• Hasherezade
  Trickbot 

• James Haughom at Lastline Labs
  IQY files and Paradise Ransomware 

• Jérôme Segura at Malwarebytes Labs
  Rocket Loader skimmer impersonates CloudFlare library in clever scheme 

• SANS Internet Storm Centre Handler Diaries
  • Agent Tesla Delivered via Fake Canon EOS Notification on Free OwnCloud Account, (Wed, Mar 11th)
  • Not all Ethernet NICs are Created Equal – Trying to Capture Invalid Ethernet Frames, (Fri, Mar 13th)
  • Hancitor distributed through coronavirus-themed malspam, (Thu, Mar 12th)
  • Phishing PDF With Incremental Updates., (Sat, Mar 14th)
  • Excel Maldocs: Hidden Sheets, (Sun, Mar 8th) 

• Anton Kivva and Igor Golovin at Securelist
  Cookiethief: a cookie-stealing Trojan for Android 

• Megan Roddie and Limor Kessem at Security Intelligence
  PXJ Ransomware Campaign Identified by X-Force IRIS 

• Phil Stokes at SentinelOne
  macOS Malware Researchers | How To Bypass XProtect on Catalina 

• TrendMicro
  • Busting Ghostcat: An Analysis of the Apache Tomcat Vulnerability (CVE-2020-1938 and CNVD-2020-10487)
  • Operation Overtrap Targets Japanese Online Banking Users Via Bottle Exploit Kit and Brand-New Cinobi Banking Trojan 

• Diana Lopera at Trustwave SpiderLabs
  More Excel 4.0 Macro MalSpam Campaigns 

• Virus Bulletin
  • VB2019 paper: Kimsuky group: tracking the king of the spear-phishing
  • VB2019 paper: Attribution is in the object: using RTF object dimensions to track APT phishing weaponizers
  • VB2019 paper: Defeating APT10 compiler-level obfuscations 

• Katie Dematteis at VMware Carbon Black
  2019: Looking Back at Malware 

• Matthieu Faou at WeLiveSecurity
  Tracking Turla: New backdoor delivered via Armenian watering holes 

• Wilbur Security
  Harma and Odveta Ransomware 

• Yoroi
  • The North Korean Kimsuky APT keeps threatening South Korea evolving its TTPs
  • Karkoff 2020: a new APT34 espionage operation involves Lebanon Government
  • Intensificazione degli Attacchi “GhostCat”
  • New Cyber Attack Campaign Leverages the COVID-19 Infodemic
  • Grave Vulnerabilità in Apache Tomcat (GhostCat)
  • Nuova Campagna di Attacco Ursnif
    

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 3/11/2020 

• Lori Tyler at AccessData
  KISS (Keep It Simple, Sherlock!) Your Caseload Away with the Quin-C Predesigned Forensic Workflow 

• Sam Holt at AccessData
  Triage in Digital Forensics 

• AceLab
  The PC-3000 Portable III: New Features and Supported Devices 

• Elan at DFIR Diva
  How I’ve Been Studying for Certifications 

• Forensic Focus
  • Interview With Francis De Giorgio, Director Of Product Development, Susteen
  • Opinion: When Vendors Hire Research Talent, Where Does It Leave Research?
  • 10 Quick Facts About Oxygen Forensic Cloud Extractor
  • Sarah Edwards On iOS Forensics And APOLLO
  • NIST Test Results For Mobile Device Acquisition Tools –  MSAB XRY 

• Christopher Vance at Magnet Forensics
  A Few Mac Artifacts You Should Be Paying Attention To 

• Minoru Kobayashi
  Pre-compiled libyal libraries 

• Hatem Tammam at MSAB
  Big Data in Digital Forensics: The challenges, impact, and solutions 

• Oxygen Forensics
  10 Quick Facts About Oxygen Forensic Cloud Extractor 

• Michael Haag
  Splunk BOTS — Setup
  

SOFTWARE UPDATES

• AChoir
  AChoir Version 4.3+ 

• Amped
  Amped FIVE Update 16112: Introducing the Audio Panel, Audio Redaction, H.264 Quality and More 

• Didier Stevens
  • Update: oledump.py Version 0.0.48
  • Update: cmd.dll Version 0.0.5
  • pecheck.py Version 0.7.10 

• KAPE
  0.9.0.1 2020-03-10 

• GetData
  13 Mar 2020 – 5.1.2.9372 

• Itay Kruk
  get-injected-code 

• dfir_ntfs
  1.0.3 

• MISP
  MISP 2.4.123 released (aka the dashboard and security fix release) 

• OpenText
  Tableau Firmware Update Revision History for 20.1.1 

• Timesketch
  20200310 

• Velociraptor
  Release 0.4.0
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!