Get your nominations in for the Forensic 4Cast Awards, which are closing May 15
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Igor Mikhaylov at Cyber Forensicator: Checkm8 review translation
- Oleg Afonin at Elcomsoft
- Howard Oakley at ‘The Eclectic Light Company’: Getting more out of metadata
- John Lukach at Cloud 4n6ir: Updated Snapshot 4n6ir Imager for Docker
- Check out Maxim Suhanov’s tweet about finding the OS that formatted a volume in $UpCase: Maxim Suhanov’s Tweet
- Maxim Suhanov: Prepopulated artifacts
- Peter Stewart: OtterCTF 2018 – Network Challenges – Otter Leak Write-up
- Sarah Edwards at Mac4n6: Analysis of Apple Unified Logs: Quarantine Edition [Entry 7] – Exploring USBMSC devices with –style
- Pieces0310: Second Space could let suspect play two different roles easily
- Pieces0310
THREAT INTELLIGENCE/HUNTING
- J. A. Guerrero-Saade with Maciej Kotowicz at Check Point Research pulls on threads from the Shadow Brokers leak, diving into the Nazar APT group: Nazar: Spirits of the Past
- Chris Brenton at Active Countermeasures: Threat Hunting IoT and IIoT Devices
- Adam at Hexacorn
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’: Practical approach to Golden Ticket Attacks: one technique, five useful tools
- Anton Chuvakin: Data Security and Threat Models
- Borja Merino at BlackArrow: Ragnarok Stopper: development of a vaccine
- CrowdStrike: Staying Off the Land: A Threat Actor Methodology
- Raj Chandel at Hacking Articles
- cplsec at ijustwannaredteam: COM Hijacking for Lateral Movement
- Walter Legowski at insinuator.net: Back from the ATT&CK jungle…
- Jack Crook at ‘DFIR and Threat Hunting’: Hunting for Beacons Part 2
- Daan Raman at NVISO Labs: Releasing logalert.py – Smart piping of command output to email for alerting
- Darizotas at Random ideas, shared notes – RSS: Windows Events, WECs and Splunk… voilà ta-windows-wec
- Red Canary
- Salesforce: cloudsplaining
- Security Art Work (en español)
- Adam Swan at SOC Prime: Sigma vs Indicators of Compromise
- Roberto Rodriguez at Threat Hunters Forge
- TrustedSec
- Trustwave SpiderLabs: Attacking SCADA: Vulnerabilities in Schneider Electric SoMachine and M221 PLC (CVE-2017-6034 and CVE-2020-7489)
- Vincent Lee at Zero Day Initiative: Analyzing a Trio of Remote Code Execution Bugs in Intel Wireless Adapters
UPCOMING WEBINARS/CONFERENCES
- Cellebrite
  - Build Your Corporate Investigations & eDiscovery Strategy Leveraging Digital Intelligence
  - The Transition Towards a New Mode of Operation: Current Trends in Policing and Adaptation Strategies
  - Build Your Corporate Investigations & eDiscovery Strategy Leveraging Digital Intelligence
  - Join Us For “Nothing to See Here? I Beg to DFIR”
- Greg Masterson at MSAB: Race Against the Clock Mobile Forensics: Rapid Data Extractions
PRESENTATIONS/PODCASTS
- 3MinMax series with Kevin Ripa at SANS
- AceLab: A Huge Success of the ACE Lab Online Technology Conference on Data Recovery & Digital Forensics 2020
- Black Hills Information Security
- BlackBag Technologies: Analyzing macOS with BlackLight’s APOLLO Plugin
- Cellebrite
- Detections Podcast: Season 2 Episode 1: SOC (un)boxed Part One
- Digital Forensic Survival Podcast: DFSP # 220 – Mobile Forensics For New Investigators
- Lee Reiber at Mobile Forensic Investigations: Oxygen Forensics Episode 109
- Magnet Forensics
  - Magnet Virtual Summit Keynote Intro
  - Find Similar Pictures in Magnet AXIOM 4.0
  - New Exporting and Reporting Features in Magnet AXIOM 4.0
  - Faster. Flexible. Trusted. Magnet AXIOM 4.0 is the Strongest Version of AXIOM Yet
  - Remotely (& Covertly) Acquire Mac with Magnet AXIOM Cyber
  - From the Training Team: Magnet AXIOM Incident Response Examinations (AX310)
- Nuix: Powering eDiscovery Investigations Through Advanced Visual Analytics
- Richard Davis at 13Cubed: Prefetch Deep Dive
- Paolo Dal Checco at Studio d’Informatica Forense: IISFA webinar on the acquisition of online sources of evidence
MALWARE
- Mike Williamson and Chris Atha: Android Reversing for Examiners
- Robert Neumann at Forcepoint expands on research originally presented at Botconf 2019 on IoT botnets utilizing D-Link NAS or NVR devices: The Cereals Story – Creating a Botnet During Breakfast
- Marco Ramilli shares improvements to his Cyber Threat Observatory: Cyber Threats Observatory Gets Improvements
- Bitdefender Labs
- Brad Duncan at Malware Traffic Analysis
- CrowdStrike
- Sam Curry at Cybereason: To Pay or Not to Pay
- Jeremy Kennelly, Kimberly Goody, and Joshua Shilko at FireEye Mandiant Threat Intelligence: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents
- Intel 471 Malware Intelligence team: Changes in REvil ransomware version 2.2
- Paul Litvak at Intezer: Kaiji: Chinese IoT malware turning to Golang
- Glen at IronMoon: PDF Malware: Part 1 Understanding PDF Files
- Malwarebytes Labs
- Brittany Barbehenn and Doel Santos at Unit 42: Threat Brief: Maze Ransomware Activities
- Daniel Smith at Radware: Who’s Viktor? Tracking down the XTC/Polaris Botnets.
- Tomislav Peričin at ReversingLabs: Introducing Explainable Threat Intelligence
- SANS Internet Storm Center
- Trend Micro: Targeted Ransomware Attack Hits Taiwanese Organizations
- Virus Bulletin with research from Shusei Tomonaga, Tomoaki Tani, Hiroshi Soeda, and Wataru Takahashi at JPCERT/CC, Japan: VB2019 paper: APT cases exploiting vulnerabilities in region-specific software
- Luigi Martire, Antonio Pirozzi, and Pierluigi Paganini at Yoroi: Poulight Stealer, a new Comprehensive Stealer from Russia
Less COVID-related threat news this week:
- Rachel Scobey at CrowdStrike: Application Hygiene for a Remote Workforce
- Mark Simos, Kristina L., and John Dellinger at Microsoft Security: Lessons learned from the Microsoft SOC—Part 3c: A day in the life part 2
- Jessica Ellis at The PhishLabs Blog: COVID-19 Phishing Update: Money Mule Scams Use Remote Opportunities to Entice Victims
- Trend Micro: Teaming up with INTERPOL to combat COVID-19 threats
MISCELLANEOUS
- Dave Cowen at the ‘Hacking Exposed Computer Forensics Blog’
- Andrew Rathbun at AboutDFIR: AboutDFIR Content Update 5/5/2020
- Vitaliy Mokosiy at Atola: Insight Forensic 4.16 released with E01 segmented images
- Adrian at AGood: TheHive in Docker
- azeemnow: How to Quickly Analyze a PCAP File
- Belkasoft
- Bryan Ambrose at Data Digitally
- Cellebrite
  - How to Open A Case In Physical Analyzer
  - Interview with Mark Gambill, EVP & Chief Marketing Officer at Cellebrite
  - E-Book: How to Transition to a New Mode of Operation In Times of Crisis
  - How to Do Quick-and-Easy Redactions in Physical Analyzer
  - Discover Flexible Training Options to Build Your Skills and Stay Ahead
- Paula Januszkiewicz at Cqure Academy: 1 day to Windows Forensics Mastery – online course on cyber security operations
- CrowdStrike
- Michael Savitz at Crypsis Group: What Can You Learn From a “Wiped” Computer?
- Resha Chheda at Cybereason: 2 Metrics to Evaluate MITRE ATT&CK Results
- Demux
- Elan at DFIR Diva: How to Incorporate Home Lab Experience into Your Resume
- Griffeye
- Magnet Forensics
  - Rely on AXIOM: New Detailed Scan Summaries with Exception Reporting
  - New Exporting and Reporting Features in Magnet AXIOM 4.0
  - Up to 5X Faster Search Filtering in Magnet AXIOM 4.0
  - Remotely (& Covertly) Acquire Mac with Magnet AXIOM Cyber 4.0
  - Find Similar Pictures in Magnet AXIOM 4.0
  - An Exciting Kick Off to the Magnet Virtual Summit!
  - Mike Williamson’s Forensic 4:cast Award Nominations
- MantaRay Forensics: VirusShare Q1 Update
- Matt C. A. Smith: Why virtual cyber security conferences should be the new normal
- Morphisec: How Emerging Threats Outwit Existing Endpoint Security
- Chris Currier at MSAB: Keywords matter: Tips on improving your investigative search
- Hope Swancy-Haslam at OpenText: What’s new in CE 20.2 for Tableau Forensic Imager (TX1)
- Oxygen Forensics
- Paraben Corporation
- ADF
- Chris Crowley at ‘Risk, Failure, Survival’: MY SANS Mentor to Certified Experience
- Ryan Campbell at ‘Security Soup’
- SANS
- Brett Shavers at X-Ways Forensics Practitioner’s Guide/2E: XWF/2E Contributors & Your Stories!
SOFTWARE UPDATES
- AccessData: AccessData Launches AD QBlaze™, New Platform for Simplified Legal Review and Processing
- AceLab: The new versions of PC-3000 SAS Ver. 6.7.12, Data Extractor Ver. 5.10.7, Data Extractor RAID Edition Ver. 5.10.7 are available!
- Atola: Atola Insight Forensic 4.16
- Brim: v0.9.1
- Cellebrite: New and Improved UI in UFED Physical Analyzer 7.33
- DissectMalware: xlrd2
- Elcomsoft: Elcomsoft Cloud Explorer 2.31 extracts more of Google Dashboard
- Eric Zimmerman: ChangeLog
- MD5: VFC Version 5 Build v5.1 Released
- HancomWITH: MD-NEXT v.1.89.0 Supports New Physical Extraction Method For Android Version 10
- GetData: 7 May 2020 – 5.2.2.9526
- John Lukach at Cloud 4n6ir: Snapshot 4n6ir Imager Toolkit v0.2.1
- Magnet Forensics: Faster. Flexible. Trusted. Magnet AXIOM 4.0 is the Strongest Version of AXIOM Yet
- Alexandre Borges: Malwoverview 3.0.0
- MISP: MISP 2.4.125 released (aka self-registration feature and feed improvements release)
- Open Source DFIR: Plaso 20200430 Released
- Oxygen Forensic: Oxygen Forensic Detective version 12.4
- Timesketch: 20200507
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!