Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

Both of us are getting ready for the DFIR Summit this July, join us! Lodrina is keynoting the Solutions Track, and I’ll be there for the first beta of FOR308 Digital Forensics Essentials.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Blackbag Technologies
  What Can I Recover from a BFU Extraction?

• Bluesmoke4n6
  Get your red Solo cup:  It’s time for a little Houseparty

• Barak Goldberg at Cellebrite
  How to Find User Activity Using the Digital Wellbeing Native App

• Cheeky4n6Monkey
  Recovering and Replaying Garmin Voice Instructions

• Elcomsoft
  • Full File System Extraction for iOS 13.3.1, 13.4 and 13.4.1
  • Clearing Confusion About our Password Recovery Tools
  • iOS Jailbreaks, SSH, and root Password
  • Full File System and Keychain Acquisition with unc0ver jailbreak: iOS 13.3.1 to 13.5

• Forensicator
  Parsing iOS Camera Roll using Python

• James Duffy
  • Extracting Sensitive User Data From The iPhone rootFS
  • The Not-So-Modern Booting Of An Unsigned Version Of iOS – 64 Bit
  • FDE, SEP & Passcodes.. My iDevice Data Is Safe, Right?
  • ZPET – The iOS Deep Digger Project -Development Part 1
  • ZPET – The iOS Deep Digger Project – Development Part 2

• Mail Xaminer
  • Skype Forensic Analysis for In-depth Investigation
  • Outlook Express Email Forensics – Explore DBX File Email Header
  • Live Memory Forensics to Detect Malicious Activities

• Theo Giovanna and hacktobeer at Open Source DFIR
  Introducing Libcloudforensics

• Praeterforensis
  Geodata & Mobile Telephony Artifacts in 3rd-Party Android Apps: Recreating User Travel Patterns

• SalvationData
  [Case Study] Mobile Forensics: Forensic Data Extraction from Android Devices Using ADB (Android Debug Bridge) Part I

• Sandfly Security
  Using Elasticsearch and Kibana to Investigate Suspicious Linux Activity with Sandfly

THREAT INTELLIGENCE/HUNTING

• New Twitter handle for NSA and a new blog post too
  Exim Mail Transfer Agent Actively Exploited by Russian GRU Cyber Actors

• Zhang Zaifeng at Network Security Research Lab at 360
  Look at NTP pool using DNS data

• Adam at Hexacorn with daily updates this week
  • How to con your host?
  • I present you Splunk panel data
  • Detect me not
  • Genuine Anti-sandbox trick
  • Updated 3R (RegRipper Ripper) (RR v3.0)
  • My first encounter with Frida
  • Windows API\tparsed\teasily
  • Feed the children, feed them well

• Josh Gomez at AT&T Cybersecurity
  Stories from the SOC – System compromise with ateral movement

• The Threat Research Team at Anomali
  Weekly Threat Briefing: Data Breach, Ransomware, Spyware, and More

• Troy Kent at Awake Security
  Encrypted Traffic Analysis: Encrypted DNS – Privacy, Security and the SOC (Part 3)

• Juan Andres Guerrero-Saade with Christiaan Beek at Epic Turla – The Lost Reports
  SysInTURLA

• Britton Manahan at Expel
  Obfuscation, reflective injection and domain fronting; oh my!

• Falcon Force
  • Reducing your Office 365 attack surface
  • Graphing MITRE ATT&CK via Bloodhound

• Raj Chandel at Hacking Articles
  • Abusing Microsoft Outlook 365 to Capture NTLM
  • Lateral Movement: Pass the Cache
  • Credential Dumping: DCSync Attack
  • Lateral Movement: Pass the Ticket Attack

• Andy Ratcliffe at InfoSec matters
  Squid Proxy with SOF-ELK Part 2 Analysis

• Mark Baggett
  The SANS SEC504 Windows Cheat Sheet Lab

• NSA
  Sandworm Actors Exploiting Vulnerability In Exim Mail Transfer Agent

• Scott Piper at ‘Summit Route’
  Client Side Monitoring

• Alex Burinskiy at SentinelOne (Registration required)
  macOS Threat Hunting & Incident Response eBook | Intro By Alex Burinskiy

• Rootsecdev
  Hardening Azure Active Directory from Attacks and insider threats

• Jason Lang at TrustedSec
  Automating a RedELK Deployment Using Ansible
  

UPCOMING WEBINARS/CONFERENCES

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up

• Cellebrite
  • New capabilities by UFED 7.32 & UFED 733 and Handling OEM Phones
  • Cellebrite Virtual Connect 2020
  • Digital investigation for Windows and Mac

• Matt McFadden and Lexi Michaels at Blackbag Technologies
  Trust But Verify: Digital Artifact Edition

• Kevin from Cyber Social Hub
  #DFIR Mixology

• Magnet Forensics
  AXIOM Cyber Interactive Training: Remote Acquisition Tips & Tricks with AXIOM Cyber

PRESENTATIONS/PODCASTS

• Alexis Brignoni is running a Python study group and schooling us all on WAL files
  • Class 1 – DFIR Python Study Group
  • Don’t forget the WAL files!!!
  • Class 2 – DFIR Python Study Group

• Dave Cowen and Matt Seyer
  Forensic Lunch 5/29/20

• Kevin Ripa at SANS
  • Episode 42: Do you know what that web page is serving?
  • Episode 43: Peculiarities of imaging a solid state drive
  • Episode 44: Event Log Forensic Goodness
  • Episode 45: Logon/Log Off Event Logs
  • Episode 46: Wireless Networks Event Logs
  • Episode 47: Oalerts Event Logs

• Black Hills Information Security
  • Webcast: Kerberos & Attacks 101
  • How to Hunt for Jobs like a Hacker

• BlackBag Technologies
  • BlackBag Tip of the Day: Keychain Processing
  • BlackBag Tip of the Day: iCloud Production Processing and Investigating
  • BlackBag Tip of the Day: Decrypting the iCloud Production on MacOS
  • BlackBag Tip of the Day: Decrypting the iCloud Production on Windows
  • BlackBag Tip of the Day: Parsing AirDrop Artifacts
  • BlackBag Tip of the Day: Working with iCloud Production Data

• Digital Forensic Survival Podcast
  DFSP # 223 – Apple Meta

• Down the Security Rabbithole Podcast
  DtSR Episode 396 – Verizon DBIR 2020 Analysis

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 112

• Magnet Forensics
  From the Training Team: Forensic Fundamentals (AX100)

• SANS
  • STAR Webcast:  Threat Hunting and the Rise of Targeted eCrime Intrusions
  • FOR585: Smartphone Forensics In-Depth update
  • FOR585: Smartphone Forensics In-Depth course poster update

• Nina Alli and Beau Woods at White Hats and Lab Coats
  Episode 15 – Digital Forensics in Healthcare – Najla Lindsay

• Yogesh Khatri and Alexandra Cartwright
  macOS Forensics: The Next Level – Taming the T2 Chip & More

MALWARE

• Eli Salem, Lior Rochberger, and Assaf Dahan of the Nocturnus team at Cybereason reclassify Valak as an infostealer
  Valak: More than Meets the Eye

• Josh Stroschein at 0xevilc0de
  Maldoc uses template injection for macro execution

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Niles: a simple telegram bot template for Heroku

• Andreas Klopsch at ‘Malware and Stuff’
  Examining Smokeloader’s Anti Hooking technique

• Ivan Pisarev at Blog Group-IB
  IcedID: When ice burns through bank accounts

• Brad Duncan at Malware Traffic Analysis has posted some additional packet captures for analysis
  • 2020-05-27 – COVID19-themed Word doc pushes IcedID (Bokbot)
  • 2020-05-27 – Malspam –> password-protected zip –> Word doc –> Valak –> IcedID (Bokbot)
  • 2020-05-08 – Quick post: Trickbot (gtag chil13) infection in AD environment
  • 2020-05-29 – Quick post: Qabkot (Qbot) spx129 malspam – 82 examples

• Guillermo Taibo at CrowdStrike
  Weaponized Disk Image Files: Analysis, Trends and Remediation

• Darknet (Also, lol)
  Quasar RAT – Windows Remote Administration Tool

• Alvaro Muñoz with others at GitHub Security Lab
  The Octopus Scanner Malware: Attacking the open source supply chain

• Huseyin Rencber on Banking Malware
  Banka Domaini Taklit Edilerek Gönderilen Malware İncelemesi

• Herbie Zimmerman at Lost in Security (and mostly everything else)
  2020-05-27 Netwire Malspam

• Pieter Arntz at Malwarebytes Labs
  Maze: the ransomware that introduced an extra twist

• Born at Nullteilerfrei
  Zloader String Obfuscation

• Or10n at oR10n Labs
  Reverse Engineering the Mustang Panda PlugX Loader

• Brad Duncan at Palo Alto Networks
  Goodbye Mworm, Hello Nworm: TrickBot Updates Propagation Module

• Matthew Berninger at Rapid7
  The Masked SYNger: Investigating a Traffic Phenomenon

• Robert Halar and Barbara Drašković at ReversingLabs Blog
  Spying on SpyNet

• SANS Internet Storm Centre Handler Diaries
  • Wireshark 3.2.4 Released, (Sun, May 24th)
  • Zloader Maldoc Analysis With xlm-deobfuscator, (Sun, May 24th)
  • Seriously, SHA3 where art thou?, (Tue, May 26th)
  • Frankenstein’s phishing using Google Cloud Storage, (Wed, May 27th)
  • Flashback on CVE-2019-19781, (Thu, May 28th)
  • YARA v4.0.1, (Sat, May 30th)

• Trend Micro links to their whitepaper by Mayra Rosario Fuentes (67 page PDF)
  How the Cybercriminal Underground Has Changed in 5 Years

• Emiliano Martinez at VirusTotal Blog
  I did not know you could do X, Y, Z with VirusTotal

• Andrew Case at Volatility Labs
  When Anti-Virus Engines Look Like Kernel Rootkits

• ZScaler
  • New RAT Spread Through Macro-Based Documents Using AppLocker Bypass
  • ShellReset RAT Spread Through Macro-Based Documents Using AppLocker Bypass

• COVID-19, Coronavirus, and remote workforce threats:
  • CrowdStrike
    Lateral Movement Detection with a Remote Workforce
  • Ben Gross at Deep Instinct
    Aghast at Aggah: Teasing Security Controls with Advanced Evasion Techniques
  • G Data Security
    Dumping COVID-19.jar with Java Instrumentation
  • Eugene Kaspersky at Kaspersky Lab
    ATMs need quarantines too!
  • Yoroi
    Himera and AbSent-Loader Leverage Covid19 Themes
    

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 5/27/2020

• Action Dan at LockBoxx
  Red Teaming at NCCDC 2020

• Acelab
  New Features of the PC-3000 Portable III: 2-in-1 SD/mSD Card Reader Adapter and Extended Functionality of the Standalone Mode

• Marco Fontani at Amped
  Speed Matters! Amped Replay’s Smooth Playback Makes Playback Fluid Even for High-Resolution Videos

• Anton Chuvakin
  Modern Cyber Defense Books

• Belkasoft
  • Agent-based iOS acquisition is significantly improved in Belkasoft Evidence Center
  • iOS 13.5 acquisition is supported

• Cellebrite
  • How Digital Intelligence Is Helping Solve Child Exploitation Cases Faster
  • Digital Intelligence Proves Critical in Solving Child-Exploitation Case

• CrowdStrike
  The Human Element of Detection and Response

• Igor Mikhaylov at Cyber Forensicator
  Utilities go for launch!

• Didier Stevens
  AdHoc GitHub Repository

• Joshua James at Digital Forensic Science
  Notes on Installing an Autopsy Multi-user Cluster

• Forensic Focus
  • Forensic Focus Forum Round-Up
  • Forensic Focus Legal Update: The COVID-19 Edition
  • Illicit Image Investigations Part One: Making The World A Safer Place

• Foxton Forensics
  May Newsletter

• H-11
  Exporting your data from Google

• Vladimir Unterfingher at Heimdal Security
  Ten Open-Source EDR Tools to Enhance Your Cyber-Resilience Factor

• Howard Oakley at ‘The Eclectic Light Company’
  How to reveal ‘private’ messages in the log

• Lee Whitfield at Forensic 4cast
  Yet another Shameless Plug

• Magnet Forensics
  Thank You for an Unbelievable Magnet Virtual Summit!

• Mail Xaminer
  • Everything You Need to Know About Email Spoofing
  • Word Cloud Analysis – Text Data Visual Representation
  • Export Options of MailXaminer Forensics Tool

• David Ruiz at Malwarebytes Labs
  Coalition Against Stalkerware bulks up global membership

• Mike at ØSecurity
  • Password Analysis – LiveJournal
  • “Deleted” LiveJournal Accounts

• Oxygen Forensics
  Oxygen Forensic® Viewer: See it all, Wherever you are

• Red Canary
  A guide to evaluating EDR security tools

• Bret Peters at ADF
  New Self Paced DEI Online Training Class

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 24 to May 30

• SANS
  • Mark Orlando Instructor Spotlight
  • Spiderfoot and the Dangers of Doxing

SOFTWARE UPDATES

• Acelab
  The new versions of PC-3000 Portable/Express/UDMA-E/SAS Ver. 6.7.18, Data Extractor/Data Extractor RAID Edition Ver. 5.10.11, PC-3000 SSD Ver. 2.8.5 are available!

• AChoir
  AChoir v4.4

• Eric Zimmerman at Binary Foray
  KAPE 0.9.2.0 released!

• Brim
  v0.10.0

• Brian Moran
  RDPieces

• Cado Live
  Introducing Cado Live — A Free Forensic Imaging Tool for the Cloud

• Didier Stevens
  New Tool: simple_ip_stats.py

• Elcomsoft
  • Elcomsoft Delivers Forensically Sound Extraction without a Jailbreak for Current iPhone Models and iOS Releases
  • Forensic Disk Decryptor 2.12 and System Recovery 7.04 Display File System Data, Expand VeraCrypt Support

• Mount Image Pro
  26 May 2020 – v7.1.2.1882

• Harlan Carvey
  Regripper 3.0

• mac_apt
  20200529

• OSForensics
  V7.1 build 1012 28th May 2020

• X-ways
  X-Ways Forensics 20.0 Beta 3
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!