Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Windows Forensic Analysis: some thoughts on RDP related Event IDs

• Heather Mahalik at Cellebrite
  How to View Chat Conversations in Cellebrite Physical Analyzer

• Vladimir Katalov at Elcomsoft
  checkra1n & unc0ver: How Would You Like to Jailbreak Today?

• James Duffy
  • Beta Portal For Donators
  • ZPET – A Non-Technical Overview
  • ZPET Release-Ready Presentation

• Trey Amick at Magnet Forensics
  macOS & iOS Photos Support with Magnet AXIOM

• Mattia Epifani at Zena Forensics
  Checkra1n Era – Ep 6 – Quick triaging (aka from the iPhone to APOLLO, iLEAPP and sysdiagnose in 6 minutes)

• Maxim Suhanov
  Check out Maxim’s tweet on last access timestamps

• MVS CTF Writeups!
  • #MVS2020CTF Write-Up (Memory)
  • #MVS2020CTF Write-Up (Egg Hunt)
  • #MVS2020CTF Write-up (Android)
  • Magnet Virtual Summit 2020 CTF (Egg Hunt)
  • Magnet Virtual Summit 2020 CTF (iOS)
  • Magnet Virtual Summit 2020 CTF (Memory)
  • Magnet Virtual Summit 2020 CTF (Android)
  • Magnet Virtual Summit 2020 CTF – Memory Analysis Write-up
  • Magnet Virtual Summit 2020 CTF — Egg Hunt
  • Magnet Virtual Summit 2020 CTF — Memory
  • Magnet Virtual Summit 2020 CTF — Windows

• Patrick J. Siewert at Pro Digital Forensic Consulting
  Beyond Location Data In Cellular Records Analysis

• Sarah Edwards at Mac4n6
  • Analysis of Apple Unified Logs: Quarantine Edition [Entry 10] – You down with TCC? Yea, you know me! Tracking App Permissions and the TCC APOLLO Module
  • Analysis of Apple Unified Logs: Quarantine Edition [Entry 11] – AirDropping Some Knowledge

• Zach Stanford
  • Just Another List of PowerShell Commands
  • Can you track processes accessing the camera and microphone?

• Pieces0310
  A barrier for Mobile Forensics – Samsung Secure Folder – Pieces0310
  

THREAT INTELLIGENCE/HUNTING

• Matt at ‘Bit of Hex’ hunts around with LNKs and C2 channels via YouTube
  YouTube is my C2

• Adam at Hexacorn
  • A few more anti-sandbox tricks…
  • FridaTrace++ – quick & dirty API monitor

• Alex Verboon at ‘Anything about IT’
  Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

• AlienVault Security Essentials Blog
  • Stories from the SOC- SSH Brute Force Authentication Attempt
  • Threat hunting explained

• ANSSI
  Active Directory Checkpoints

• Vesselin Tzvetkov at AWS Security
  How to perform automated incident response in a multi-account environment

• Ben Bornholm at HoldMyBeer
  Generating CommunityIDs with Sysmon and Winlogbeat

• Bogdan Botezatu, Janos Gergo Szeles, and Ruben Andrei Condor at Bitdefender Labs
  Banking Trojan Metamorfo Hijacks Trusted Apps to Run Malware

• Dani Wood at Cybereason
  Why Not Detect Every TTP in the MITRE ATT&CK Framework?

• Jon Hencinski, Mor Kenane and Peter Silberman at Expel
  Spotting suspicious logins at scale: (Alert) pathways to success

• Haboob
  Hunting Red Team Activities with Forensic Artifacts

• Raj Chandel at Hacking Articles
  • Credential Dumping:LAPS
  • Domain Persistence AdminSDHolder

• Jagaimo Kawaii at Lab52
  Mustang Panda Recent Activity: Dll-Sideloading trojans with temporal C2 servers

• Dominic Chell at MDSec
  Detecting and Advancing In-Memory .NET Tradecraft

• Doel Santos and Alex Hinchliffe at Palo Alto Networks
  Threat Assessment: Hangover Threat Group

• Sandor Tokesi at Forensics Exchange
  How (not) to log DNS traffic

• Jose Llopis at ‘Security Art Work’
  SigmaShooter (V): DFIR con SigmaShooter

• Sekoia
  Le DBIR du monde d’avant

• Gayathri Anbalagan at ZScaler
  New Campaign Abusing StackBlitz Tool to Host Phishing Pages

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Introducing UFED Physical Analyzer 7.33- Leveraging Actionable Intelligence to advance investigations
  • Nothing to see here? I beg to DFIR. – Episode 5: The Importance of KnowledgeC and How it Can Impact Your Investigations
  • Life has No Ctrl+Alt+Del

• Griffeye
  Webinar: Using AI to detect CSA content in images and videos

• Magnet Forensics
  • Tips and Tricks//Piece the Story Together with OS, Memory, and Other Artifacts
  • AXIOM Interactive Training
  • Magnet Free Tools – MAGNET Custom Artifact Generator, MAGNET Web Page Saver, and MAGNET Encrypted Disk Detector

• ReversingLabs
  Reversing 2020

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 3 – DFIR Python Study Group
  • Class 4 – DFIR Python Study Group
  • Category Icons and HTML tags

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.1 – Brett Shavers

• Kevin Ripa at SANS
  • Episode 49: Detecting Time Manipulation
  • Episode 48: Remote Desktop Protocol Event Logs
  • Episode 50: Lies my computer told me…
  • Episode 51: Lies My Computer Told Me-LNK Files
  • Episode 52: The invisible files – Jumplists

• Black Hills Information Security
  • Webcast: How to Hunt for Jobs like a Hacker
  • Active Defense & Cyber Deception – Part 1
  • Active Defense & Cyber Deception – Part 2
  • Active Defense & Cyber Deception – Part 3
  • A Blue Team’s Perspective on Red Team Hack Tools

• Cellebrite
  • Introducing the New Cellebrite UFED Cloud
  • Ask the Expert: How to View Chats in Physical Analyzer by Heather Mahalik – Part I
  • A review of App Genie settings to ensure you are getting the most data
  • How to conduct OCR searched in Cellebrite Pathfinder (Analytics)
  • What is BFU? How can you leverage it?
  • Recovering deleted photos from iOS devices in Physical Analyzer
  • Enrichments (associations) can assist in your investigations. Learn what this means.
  • FBE vs FDE – What are the differences and how does this impact your extraction?
  • Learn how to redact data from extractions to report only data you have consent/authority
  • The “Go to” feature in Physical Analyzer
  • Filters and Actions in Physical Analyzer
  • How to properly ingest GrayKey extractions into Physical Analyzer
  • An overview of the different iOS exttractions and how they impact you
  • Advanced Keyword Searching in Physical Analyzer
  • Don’t let multimedia files overwhelm you
  • App Insights provide an in-depth look at application data on digital devices
  • How to properly remove iTunes encryption without overwriting a backup
  • Easy ways to view chat messages in Physical Analyzer
  • Proper searching in Physical Analyzer can help you identify location data of interest
  • Plug-ins –  A way to extract additional information from digital media.
  • Redaction within Physical Analyzer ensures controls which data is included in examiner’s report
  • Update alert – the methods have changed for loading data into Physical Analyzer
  • Source information is the key to validation – Make sure you can follow the source
  • Make sure your settings are configured to show you the most data within Physical Analyzer Timeline.
  • Cellebrite Frontliner  – Collecting with confidence on the frontline
  • Life Has No CTRL+ALT+Delete

• Chris Crowley
  SOC-Class – Build & Operate a Security Operation Center

• Detections Podcast
  Season 2 Episode 4: Job Series: Incident Response Consulting

• Digital Forensic Survival Podcast
  DFSP # 224 – Conhost Forensics

• Jason Nickola at ‘Trust Me I’m Certified’
  Finding your strategy (and a little social engineering) for “what’s next” with O’Shea Bowens – Part 1

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 113

• Trey Amick at Magnet Forensics
  Acquiring and Analyzing Data from Lyft & Uber in Magnet AXIOM

• OALabs
  IRC Botnet Reverse Engineering Part 1 – Preparing Binary for Analysis in IDA PRO

• Richard Davis at 13Cubed
  What’s In .DS Store for You? – macOS Forensics

• The Incident Response Podcast
  Getting back to basics, IR 101 – Episode 013

• This Month In 4n6
  This Month In 4n6 – May – 2020

MALWARE

• Check out Rico’s walkthrough for the Cyber Security Challenge Germany CTF
  CSCG – Writeup for the ‘Intro to Reversing’ challenges

• Adam Chester at XPN
  Hiding your .NET – COMPlus_ETWEnabled

• Joe Security
  New evasive VBS samples spot

• Brad Duncan at Malware Traffic Analysis
  • 2020-05-28 – Traffic analysis exercise – Catbomber
  • 2020-06-03 – Valak (Soft_sig: mad29) infection with IcedID (Bokbot)

2020-06-03 – Malspam pushing Dridex

• Danus Minimus
  Zero2Auto – Netwalker Walk through

• Deriving Cyber Threat Intelligence and Driving Threat Hunting
  PebbleDash – Lazarus / HiddenCobra RAT

• Nikolaos Pantazopoulos and Stefano Antenucci at Fox-IT
  In-depth analysis of the new Team9 malware family

• James Haughom and Stefano Ortolani at Lastline Labs
  Evolution of Excel 4.0 Macro Weaponization

• Hossein Jazi and Jérôme Segura at Malwarebytes Labs
  New LNK attack tied to Higaisa APT discovered

• Arnold Osipov at Morphisec
  Ursnif/Gozi Delivery — Old School Excel Macro 4.0 Utilization Uptick and the OCR Heuristics Bypass

• nullteilerfrei
  String Obfuscation in the Hamweq IRC-bot

• Didier Stevens at NVISO Labs
  Tampering with Digitally Signed VBA Projects

• Jaron Bradley at Objective-See
  Tiny SHell Under the Microscope

• Robert Simmons at ReversingLabs
  Retread Ransomware

• SANS Internet Storm Centre Handler Diaries
  • Suspending Suspicious Domain Feed / Update to Researcher IP Feed, (Thu, Jun 4th)
  • Polish malspam pushes ZLoader malware, (Thu, Jun 4th)
  • Stackstrings, type 2, (Mon, Jun 1st)
  • XLMMacroDeobfuscator: An Update, (Mon, Jun 1st)
  • Windows 10 Built-in Packet Sniffer – PktMon, (Sun, May 31st)
  • Not so FastCGI!, (Fri, Jun 5th)

• Jim Walter at SentinelLabs
  NetWalker Ransomware: No Respite, No English Required

• Denis Sinegubko at Sucuri
  Evasion Tactics in Hybrid Credit Card Skimmers

• Tilden Swans
  • Android Analysis: update-google.apk
  • Malware Traffic Analysis

• Ford Qin at TrendMicro
  New Tekya Ad Fraud Found on Google Play

• Brian Baskin at VMware Carbon Black
  TAU Threat Analysis: Medusa Locker Ransomware

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 6/2/2020

• Cyberscoop
  This matters more: How cyber pros are confronting racism in their own ranks, and beyond

• SANS Internet Storm Center
  Cyber Security for Protests, (Fri, Jun 5th)

• Adrian at Agood cloud
  Book Review: Defensive Security Handbook

• Stephan Simon at Binary Defense
  What is YARA? Get to know this malware research tool

• Blue Team Blog
  • Mental Health In The Cybersecurity Industry
  • Learn SIEM For Free

• Brett Shavers
  You do not want to work in DFIR.

• Carlos Cajigas at ‘Mash That Key’
  Installing a Velociraptor Server on Ubuntu 18.04

• Cellebrite
  • Why Cellebrite Deserves Your Vote in the 2020 Forensic 4:Cast Awards
  • Cellebrite Guardian—The Smart Solution for Case Management
  • 2020 Global Handset Market by Region & Its Impact on Future Forensics Investigations

• Corelight
  Corelight’s Online CTF

• Digital Corpora
  SQLite Forensic Corpus

• Elan at DFIR Diva
  DFIR Related Events for Beginners – June, 2020

• Christa Miller at Forensic Focus
  Following Up: When Digital Forensics Vendors Hire Research Talent, Where Does It Leave Research?

• Mail Xaminer
  • Best Ever Search Options for Precise Email Investigation
  • Know How to Convert Netscape Mail to Outlook PST File?
  • OCR Reader Technology to Extract Textual Data from Image
  • Advanced Forensic Data Analytics Feature – MailXaminer Tool
  • Understanding All About Email Spoliation

• Malwarebytes Labs
  • Sodinokibi ransomware gang auctions off stolen data
  • Coronavirus campaigns lead to surge in malware threats, Labs report finds

• Jasmine Elnadeem at MSAB
  Success or failure in a murder case can depend on deleted text messages

• Nik Alleyne at ‘Security Nik’
  Mastering TShark Network Forensics – Moving from Zero to Hero

• NIST
  NIST to Digital Forensics Experts: Show Us What You Got

• Rationale
  Compile The Sleuth Kit on Linux

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — May 31 to June 6

• Sandfly Security
  Splunk App for Sandfly Agentless Intrusion Detection for Linux Now Available

• Jesús Gómez at Security Art Work
  Orientaciones para armar un buen informe

• Sumuri
  How to Change Mac’s Startup Security Settings to Allow Booting with RECON IMAGER

• Mandi Ross and John Patzakis at X1
  How to Implement an Effective eDiscovery Search Term Strategy

SOFTWARE UPDATES

• AccessData
  FTK Imager version 4.3.1.1

• Berla
  iVe Software v2.6.2 Release

• Cellebrite
  Cellebrite Software Updates: Version 7.34 Now Available

• Cloudy forensics
  Introducing Cado Host — A free tool to collect forensic artefacts from compromised systems

• Cyber Triage
  Cyber Triage 2.13: Offline Malware Scanning Now Available

• Didier Stevens
  add-admin: Tiny EXE To Add Administrative Account

• GetData
  06 June 2020 – 5.2.2.9622

• Griffeye
  Release of Analyze 20.1

• Mac_apt
  20200602

• Magnet Forensics
  Magnet AXIOM 4.1 is Here to Help You Get to the Evidence Faster and With More Efficiency

• MISP
  MISP 2.4.126 released (Spring release edition)

• MSAB
  Secure your digital evidence automatically from Telegram with XRY Photon

• Velociraptor
  Release 0.4.4
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!