We got nominated for Resource and Show of the Year, thanks a lot! Voting closes mid July, get your votes in now 🙂
Forensic 4:cast Awards 2020 – Voting is Now Open

Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

Check out Virtual Cyber School for teens interested in cybersecurity this summer (US/UK).

FORENSIC ANALYSIS

• Jai Minton at CrowdStrike shares new Windows 10 artefacts
  Employing FeatureUsage for Windows 10 Taskbar Forensics

• Marco Fontani at Amped
  Amped Authenticate’s PRNU Tampering Filter Turns Sensor Noise Into an Effective Forgery Localization Tool!

• Heather Mahalik at Cellebrite
  How to Use The New Application Insights in Cellebrite Physical Analyzer

• Howard Oakley at ‘The Eclectic Light Company’
  Bookmarks, a type of Alias: their access and use

• Kinga Kieczkowska
  • USB 101
  • USB Forensics

• Marco Neumann at ‘Be-binary 4n6’
  • App SKOUT on Android
  • App Nandbox Messenger on Android

• Maxim Suhanov
  • Deceptive NTFS short file names
  • OneDrive and NTFS last access timestamps

• Mike Iacovacci
  Automate VMware Fusion with Python

• Sarah Edwards at Mac4n6
  • Analysis of Apple Unified Logs: Quarantine Edition [Entry 8] – Man! What a process!?
  • Analysis of Apple Unified Logs: Quarantine Edition [Entry 9] – We all know you’re binging Netflix! Now Playing on your Apple Devices!
    

THREAT INTELLIGENCE/HUNTING

• Jamie William at the official MITRE ATT&CK blog begins a series writing about ATT&CK evals
  Dissecting a Detection: An Analysis of ATT&CK Evaluations Data (Sources) Part 1 of 2

• Jack Crook at ‘DFIR and Threat Hunting’ looks for bad in network data
  It’s all in the numbers

• John Ball at ‘Bytes of helpful information’ with a nice 1 page overview of hunting
  Threat investigation quick reference chart

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’ shares new Windws 10 features for packet monitoring
  Windows 10 packet monitor tool “pktmon” will allow real-time monitoring

• Check out the Verizon 2020 DBIR
  2020 Data Breach Investigations Report

• APT-C-23’s latest attack on the Middle East at 360 核心安全技术博客
  双尾蝎组织（APT-C-23）针对中东地区的最新攻击活动

• Active Countermeasures with tools and techniques for investigation
  • Tshark Examples – Theory & Implementation
  • BeaKer – Instant Forensics!

• Adam at Hexacorn reminding us that writing remote meeting software is hard
  • Lolbin Ltd
  • Command line do-nothingness
  • Normalizing our path to Splunk enlightenment
  • Wow! 64! Lolbin! Bring back NetMeeting!
  • Reverse Data Injection
  • Lolbin WOW Ltd

• Andrew Pease at HuntOps
  5/18/2020 – Update The Elastic Stack in ROCK

• Anomali
  Weekly Threat Briefing: Android Malware, APT, Data Breach, Spyware and More

• Troy Kent at Awake Security
  Encrypted Traffic Analysis: Encrypted DNS – Privacy, Security and the SOC (Part 2)

• Ben Bornholm at HoldMyBeer with setup advice
  • Reducing your alert fatigue with AskJeevesSecBot
  • My Homelab Docker setup

• Liviu Arsene and Bogdan Rusu at Bitdefender Labs
  Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia

• Allie Mellen at Cybereason
  IOCs vs. IOBs

• Daniel Miessler (10 min audio)
  Analysis of the 2020 Verizon Data Breach Report

• Frikkylikeme
  Introducing Shuffle — an Open Source SOAR platform part 1

• Raj Chandel at Hacking Articles
  • Persistence: Accessibility Features
  • Comprehensive Guide on Password Spraying Attack

• Intel 471’s Blog
  A brief history of TA505

• Paul Litvak at Intezer
  The Evolution of APT15’s Codebase 2020

• Jayden Zheng
  Build Alerting Pipeline with Jupyter, Spark and SIGMA

• Jerry Gamblin
  Exploring OSQuery With Jupyter

• Matt “Rudy” Benton at MaverisLabs
  Domain Dispute – don’t lose that great looking C2 domain

• MDSec
  Analysis of CVE-2020-0605 – Code Execution using XPS Files in .NET

• Microsoft Threat Intelligence
  Open-sourcing new COVID-19 threat intelligence

• Nextron Systems
  Upcoming Changes in THOR v10.5

• One Night in Norfolk
  Looking Back at LiteDuke

• Penetration Testing Lab
  Persistence – COM Hijacking

• Mattia Campagnano at politoinc
  Weaponizing Windows Binaries and Scripts (LOLBAS): What’s Old Is New Again

• Red Alert
  Monthly Threat Actor Group Intelligence Report, March 2020

• Brian Beyer, Chris Rothe, Keith McCammon, and Katie Nickels
  at Red Canary
  Endpoint security: what’s changed and what hasn’t?

• Frank Kim at SANS
  Seven Security (Mis)Configurations in Java web.xml Files

• Don Smith at Secureworks
  Counter Threat Unit Researchers Publish Threat Group Definitions

• Matan Meir at SentinelOne
  Windows Security Essentials | Preventing 4 Common Methods of Credentials Exfiltration

• Jonathan Johnson at SpecterOps
  Engineering Process Injection Detections — Part 2: Data Modeling

• Desdemona Bandini at The Duo Blog
  Unpacking 2020’s Verizon DBIR – Human Error and Greed Collide

• Trustwave SpiderLabs
  • Phishing in a Bucket: Utilizing Google Firebase Storage
  • Securing SSH: What To Do and What Not To Do

• Tyranid’s Lair
  • Writing Windows File System Drivers is Hard.
  • OBJ_DONT_REPARSE is (mostly) Useless.
  • Silent Exploit Mitigations for the 1%

• Detection avoidance techniques used by Ocean Lotus by Hiroshi Takeuchi at Macnica
  OceanLotusが使う検出回避テクニック
  

UPCOMING WEBINARS/CONFERENCES

• Yulia Samoteykina at Atola
  Visit our virtual booth every Wednesday!

• Yuri Gubanov
  The Cat and Mouse Game with iOS Forensics

• Cellebrite
  • Ending the COVID-19 Lockdown: Achieving sustainable, effective and comprehensive contact tracing
  • Join Us For “Nothing to See Here? I Beg to DFIR” – Android Extractions
  • Build Your Corporate Investigations & eDiscovery Strategy Leveraging Digital Intelligence
  • Effectively Manage Your Digital Investigations with Cellebrite Guardian

• BlackBag Technologies
  Live Virtual BlackBag Forensic Workshops Dive into Digital Investigations for Windows & Mac

• Nuix
  Do More By Doing Less: A Different Approach to Digital Forensics

• Lauren at VTO Labs
  Chip-Off Forensics: What Lawyers Need to Know
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Class 0 – DFIR Python Study Group

• Forensic Lunch
  Forensic Lunch 5/22/20

• Kevin Ripa at SANS
  • Episode 39: What is the defense expert’s role – Part 5
  • Episode 40: What is best evidence?
  • Episode 41:Two types of witnesses

• Basis Technology
  KAPE + EZ Tools and Beyond – OSDFCon 2019 – Eric Zimmerman

• Blacks In Cybersecurity Conference
  Blacks In Cybersecurity Conference

• Cyberwarcon
  CYBERWARCON 2019

• Detections Podcast
  Season 2 Episode 3: Long Take on Work From Home

• Didier Stevens
  • ZIP(EICAR File), Memorized
  • EICAR File, Memorized

• Digital Detectives
  eDiscovery Before and After COVID-19: What to Expect

• Digital Forensic Survival Podcast
  DFSP # 222 – User Enumeration

• Eric Conrad
  BSides Halifax

• Karsten Hahn at Malware Analysis For Hedgehogs
  Most controversial files on VirusTotal

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 111

• Morven MacKellar
  [Talk] Whodunnit? The Art of Attribution in DFIR

• Sarah Edwards at Mac4n6
  New Webinar: Analyzing macOS with BlackLight’s APOLLO Plugin

• Sumuri
  SUMURI Podcast Episode 008 – Cryptanalysis Workstations

• The Incident Response Podcast
  • Ep 011 – ARTHIR – ATT&CK Remote Threat Hunting Incident Response tool
  • Ep 012 – Laughing at Binaries – LOLBin/LOLBas
    

MALWARE

• Hasherezade at Malwarebytes and prsecurity at HYAS co-author a 186 (!) page PDF on ZeuS variants
  Shining a light on “Silent Night” Zloader/Zbot

• Mike at “CyberSec & Ramen” walks through malicious use of MSBuild step by step
  Another Maldoc Analysis Article

• Jinye at 360 Netlab Blog
  New activity of DoubleGuns‘ gang, control hundreds of thousands of bots via public cloud service

• Dax Morrow with Ofer Caspi at AlienVault Labs
  TrickBot BazarLoader In-Depth

• Andreas Klopsch at ‘Malware and Stuff’
  Reversing PebbleDash’s FakeTLS Protocol

• Avast Threat Labs
  GhostDNS Source Code Leaked

• Silviu Stahie, Adina Mateescu, and Alin Mihai Barbatei at
  Bitdefender Labs
  Android Malware in COVID-19 Clothes Steals SMS and Contacts

• Warren Mercer, Paul Rascagneres, and Vitor Ventura at Cisco Talos
  The wolf is back…

• EvilC0de.com reversing posts
  • Getting Started Reversing C++ Objects with Ghidra (Part 1)
  • Reversing Basic C++ Objects with Ghidra: Inheritance and Polymorphism (Part 2)
  • Reversing Control Structures with Ghidra: Loops

• Anthony Giandomenico at Fortinet
  Offense and Defense – A Tale of Two Sides: (Windows) OS Credential Dumping

• Myrtus 0x0 at MalwareInDepth
  CypherIT Static Decryption

• c0d3inj3cT at Neutralize Cyber Threats
  Android Locker targeting Russian Users

• Daniel Smith and Pascal Geenens at Radware (1 hour video)
  Radware Threat Researchers Live: DDoS & IoT Botnets

• SANS Internet Storm Center
  • Antivirus & Multiple Detections, (Sun, May 17th)
  • Automating nmap scans, (Mon, May 18th)
  • What is up on Port 62234?, (Tue, May 19th)
  • Wireshark Release –  2.6.17, 3.0.11 and 3.2.4 – https://www.wireshark.org/news/20200519.html, (Tue, May 19th)
  • VMWare Security Advisory – VMSA-2020-0010 – https://www.vmware.com/security/advisories/VMSA-2020-0010.html, (Tue, May 19th)
  • Microsoft Word document with malicious macro pushes IcedID (Bokbot), (Wed, May 20th)
  • Malware Triage with FLOSS: API Calls Based Behavior, (Thu, May 21st)
  • AgentTesla Delivered via a Malicious PowerPoint Add-In, (Sat, May 23rd)
  • Some Strings to Remember, (Fri, May 22nd)

• SANS ISC: Brad Duncan malware samples
  2020-05-19 – Pcap and malware for an ISC diary (IcedID)

• Jim Walter at SentinelOne
  Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks

• Sophos
  • Ragnar Locker ransomware deploys virtual machine to dodge security
  • Asnarök attackers twice modified attack midstream

• Luke Leal at Sucuri Blog
  Steam Phishing Campaign Uses CS:GO Skin Gambling Lure

• Dennis Schwarz at tildedennis links to a co-authored blog with Matthew Mesa at Proofpoint
  There is always a Zeus.

• TrendMicro
  • Netwalker Fileless Ransomware Injected via Reflective Loading
  • Backdoor, Devil Shadow Botnet Hidden in Fake Zoom Installers

• Jared Myers at VMware Carbon Black
  TAU Technical Report: New Attack Combines TinyPOS With Living-off-the-Land Techniques for Scraping Credit Card Data

• WeLiveSecurity
  • No “Game over” for the Winnti Group
  • Insidious Android malware gives up all malicious features but one to gain stealth

• Luigi Martire, Giacomo d’Onofrio, Antonio Pirozzi, and Luca Mella at Cybaze-Yoroi ZLAB
  Cyber-Criminal espionage Operation insists on Italian Manufacturing
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 5/21/2020

• Emre Tinaztepe at Binalyze
  SHIELDing DFIR against CryptoLockers!

• Welcome to DFIR blogging, bluesmoke!
  bluesmoke4n6’s first blog post

• Belkasoft
  Belkasoft is nominated as one of three best DFIR Commercial tools of the Year

• Cellebrite
  • Uncovering Tax Fraud Evidence in a Digital World
  • The Evolution of Cellebrite’s Digital Intelligence Solutions Suite

• Jon Munsey at Computer Forensic Reviews Online
  • Forensic Explorer V5.2 – GetData
  • Article – Which Hard Drives are the Most Reliable ?

• Magnet Forensics
  • How to Enable Your Virtual Workforce to Seamlessly Collaborate, Process, and Access Cases
  • Magnet AXIOM Cyber Examinations (CY200) Now Available!

• MailXaminer
  • Get the Perfect Way to Examine Emails in Different Search Index Languages
  • Know the Difference Between Scanning Document and OCR
  • Analyze Thunderbird MBOX Artifacts with Thunderbird Email Viewer
  • Gmail Email Forensics Analysis – Explore Internet Header
  • OLK File Forensics – Examine OLK14 File and Export Evidence

• MantaRay Forensics
  VirusShare

• Kevin Kyono at MSAB
  Sniffer dog Heidi finds hidden electronics

• Nextron Systems
  End-of-Life ASGARD v1 and Master ASGARD v1

• Oleg Afonin at Elcomsoft
  • Tighter Control over Personal Information with Attacks on Encryption Metadata
  • Unlocking BitLocker: Can You Break That Password?

• Oxygen Forensics
  Telegram Forensics

• Bradford Oliver at ADF
  Learn To Use Digital Forensic Screen Capture on iOS | Android Devices

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 10 to May 16

• Studio d’Informatica Forense
  Disponibile per il download la nuova release del toolkit Bento

• John Patzakis at X1
  True Proportionality for eDiscovery Requires Smart Pre-Collection Analysis
  

SOFTWARE UPDATES

• AccessData
  Forensic Tools 7.3.0

• Atola
  TaskForce Changelog

• Binalyze
  Version 2.2.0 (Preview)

• CERT-Polska
  mquery v1.2

• Didier Stevens
  Update: oledump.py Version 0.0.50

• DissectMalware
  XLMMacroDeobfuscator-v0.1.2-beta

• Elcomsoft
  Elcomsoft Distributed Password Recovery 4.21 updated with stronger privacy control, breaks Mozilla Firefox master password

• Eric Zimmerman
  Kape Changelog

• Amped
  Get The Latest Amped Authenticate Update 16636

• Hex Rays
  IDA Pro 7.5 released

• Maxim Suhanov
  1.0.4

• Metaspike
  Forensic Email Collector (FEC) Changelog

• Nettitude Labs
  Introducing PoshC2 v6.0

• NirBlog
  View Firefox images (gif, png, jpg ) and text-based files (HTML, CSS, JSON, JavaScript)

• Velociraptor
  Release 0.4.3

• Xways
  • X-Ways Forensics 19.7 SR-8
  • X-Ways Forensics 19.8 SR-11
  • X-Ways Forensics 19.9 SR-7
  • X-Ways Forensics 20.0 Beta 2
  • Viewer Component
    

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!