Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Andrew Skatoff at ‘DFIR TNT’
  Find Evil in 5 Easy Steps – Part2

• stuxn3t at bi0s
  USB 2 – 2020 Defenit CTF

• Heather Mahalik at Cellebrite
  Find The Who, What, and Where With Chat View in Cellebrite Physical Analyzer

• Elcomsoft
  • iCloud Extraction Streamlined
  • iCloud Backups, Synced Data and End-to-End Encryption
  • Demystifying iOS Data Security
  • Jailbreaking Apple TV 4K
  • Apple Two-Factor Authentication: SMS vs. Trusted Devices
  • Researching Confide Messenger Encryption

• Howard Oakley at ‘The Eclectic Light Company’
  How to get more detail in the log

• Ian Whiffin at DoubleBlak
  Safari Favicons

• James Duffy
  • TV 4K Jailbreak Guide
  • The iOS KTX File Format – Explained.

• Kevin Pagano at Stark 4N6
  Magnet Virtual Summit 2020 CTF (Windows)

• Maxim Suhanov
  Trim and unallocated space

• NixIntel
  Using Hunchly With Elasticsearch and Kibana

• Theo Giovanna at Open Source DFIR
  Forensic Disk Copies in GCP & AWS

• Sarah Edwards at Mac4n6
  APOLLO and tvOS – It Just Works! (…and judges me for binging TV)

• Sumuri
  How to Check if Your Mac has a T2 Security Chip

• The Journal of Digital Forensics, Security and Law
  Journal of Digital Forensics, Security and Law: Vol. 15 : No. 1

• Yogesh Khatri at ‘Swift Forensics’
  Screentime Notifications in Catalina (10.15)

THREAT INTELLIGENCE/HUNTING

• Joe at Stranded on Pylos digs into the recent Executive Order on the US electric system
  Transforming the Threat Landscape and Avoiding Blind Spots

• Adam at Hexacorn
  FridaTrace++ – quick & dirty API monitor, Part 2

• Jeff LaCroix at AT&T Cybersecurity
  Stories from the SOC – detecting network anomalies with OTX

• Ben Bornholm at HoldMyBeer
  PoC: Using KSQL to enrich Zeek logs with Osquery and Sysmon data

• Binary Defense
  Intro to Threat Hunting

• Blackberry
  Threat Spotlight: Tycoon Ransomware Targets Education and Software Sectors

• Christophe Tafani-Dereeper
  Automating the provisioning of Active Directory labs in Azure

• Corelight
  • Detecting the New CallStranger UPnP Vulnerability With Zeek
  • Detecting GnuTLS CVE-2020-13777 using Zeek

• David Higgins at CyberArk
  Verizon DBIR 2020: Credential Theft, Phishing, Cloud Attacks

• Dani Wood at Cybereason
  What are Adversary Emulation Plans?

• Moshe Elias at Cymulate
  Integration with Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)

• Florian Roth
  Leverage is Key

• Frikkylikeme
  Integrating Shuffle with Virustotal and TheHive — Open Source SOAR part 3

• Raj Chandel at Hacking Articles
  • Domain Persistence: DC Shadow Attack
  • Evil-Winrm : Winrm Pentesting Framework
  • WinRM Penetration Testing
  • Credential Dumping: Domain Cache Credential

• Mark Mo
  • Single File Bias Test with Mimikatz
  • How to run Mimikatz on SharpHellsGate

• Microsoft Security
  • The science behind Microsoft Threat Protection: Attack modeling for finding and stopping evasive ransomware
  • Blue teams helping red teams: A tale of a process crash, PowerShell, and the MITRE ATT&CK evaluation

• Brian Donohue at Red Canary
  Test your visibility into the top 10 ATT&CK techniques

• SANS
  “Must Have” Free Resources for Open-Source Intelligence (OSINT)

• Scott Piper at ‘Summit Route’
  Denial of Wallet Attacks on AWS

• Jorge Orchilles at Scythe
  • #ThreatThursday – APT19
  • #ThreatThursday – Buhtrap

• Paul Diorio at Secureworks
  3 Guidelines for Interpreting the Results of the MITRE ATT&CK Evaluation

• Charles DeBeck at Security Intelligence
  How Threat Actors Are Adapting to the Cloud

• SentinelOne
  Email Reply Chain Attacks | What Are They & How Can You Stay Safe?

• Soji256
  Advanced Persistent Threat Groups

• Roberto Rodriguez at ‘Threat Hunters Forge’
  Community Evaluating Free Telemetry   Following the ATT&CK Evals Methodology ⚔️

• Christopher Paschen at TrustedSec
  Abusing Windows Telemetry for Persistence

UPCOMING WEBINARS/CONFERENCES

• Cellebrite
  • Weds June 17th: Getting Your Start in DFIR on Life has No Ctrl+Alt+Del
  • How to Minimize Company Risk During Employee Departures
  • New capabilities by UFED 7.34 and Introduction to Blackbag – A Cellebrite Company

• James Yeager at CrowdStrike
  Sneak Peek: 2020 Fal.Con for Public Sector Virtual Cybersecurity Conference

• Trey Amick and Drew Roberts at Magnet Forensics
  Register For Webinar: Thwarting Mac T-2 Encryption & SIP With AXIOM Cyber Remote Acquisition

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 5 – DFIR Python Study Group
  • Class 6 – DFIR Python Study Group
  • Vote for iLEAPP in the Forensic:4cast Awards 2020!!!

• Forensic Lunch
  Forensic Lunch 6/12/20

• Kevin Ripa at SANS
  • Episode 53: Volume Shadow Copy-Part 1
  • Episode 54: Volume Shadow Copy-Part 2
  • Episode 55: Volume Shadow Copy-Part 3
  • Episode 56: They hid their data in webcache! Part 1
  • Episode 57: They hid their data in webcache! Part 2

• Black Hills Information Security
  Webcast: A Blue Team’s Perspective on Red Team Hack Tools

• Alexandre Borges at Blackstorm Security
  Handling advanced threats

• Detections Podcast
  Season 2 Episode 5: Black Lives Matter, Trump Law, and are MSSPs right for you?

• Digital Forensic Survival Podcast
  DFSP # 225 – Mobile Device Attacks

• John Hubbard at SANS
  Introducing Blueprint

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 114

• MSAB
  XAMN 101 – Too Much Data, Too Little Time master

• Paraben Corporation
  • Using Paraben’s Link2 with E3:DS Data (FREE Tool)
  • Processing iOS Encrypted Backups

• The Many Hats Club
  Ep. 66, The state of online training (with James Hadley)

MALWARE

• oR10n Labs takes a detailed look at a clipboard data stealer 📎
  Reverse Engineering a Simple Clipboard Stealer

• Brad Duncan at Malware Traffic Analysis
  • 2020-06-09 – Pcap and malware for an ISC diary (ZLoader)
  • 2020-06-08 – Quick post: IcedID (Bokbot)
  • 2020-06-08 – Quick post: Qakbot (Qbot) spx135
  • 2020-06-10 – Quick post: Trickbot gtag gi6 in AD environment
  • 2020-06-09 – Quick post: Valak infection with IcedID (Bokbot)
  • 2020-06-12 – Traffic analysis exercise – Frank-n-Ted (What’s going on?)

• Check Point Research
  GuLoader? No, CloudEyE.

• Israel Barak at Cybereason
  Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert

• Danus Minimus
  Zero2Auto – Initial Stagers – From one Email to a Trojan

• Aamir Lakhani at Fortinet
  Evolution of Cyber Threats in OT Environments

• Andreas Klopsch at G Data Security
  Harmful Logging – Diving into MassLogger

• Malwarebytes Labs
  Honda and Enel impacted by cyber attack suspected to be ransomware

• Ryan Campbell at ‘Security Soup’
  Analysis of Valak Maldoc

• SANS Internet Storm Centre Handler Diaries
  • “Must Have” Free Resources for Malware Analysis
  • Job application-themed malspam pushes ZLoader, (Wed, Jun 10th)
  • Translating BASE64 Obfuscated Scripts, (Mon, Jun 8th)
  • Malicious Excel Delivering Fileless Payload, (Fri, Jun 12th)
  • Mirai Botnet Activity, (Sat, Jun 13th)

• Costin Raiu at Securelist
  Looking at Big Threats Using Code Similarity. Part 1

• Jason Reaves at SentinelLabs
  Valak Malware and the Connection to Gozi Loader ConfCrew

• The DFIR Report
  Lockbit Ransomware, Why You No Spread?

• Dennis Schwarz
  • TA410: The Group Behind LookBack Attacks Against U.S. Utilities Sector Returns with New Malware
  • FlowCloud Version 4.1.3 Malware Analysis

• Ecular Xu and Joseph C. Chen at TrendMicro
  New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa

• Mateusz Lukaszewski at VMRay
  Threat Bulletin: RagnarLocker Ransomware

• VMware Carbon Black
  TAU Threat Analysis: Hakbit Ransomware

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 6/10/2020

• Darlene Alvar at Amped
  An Interview With Detective Steve Paxton From the Everett Police Department

• Anomali
  Weekly Threat Briefing: Data Breaches, Ransomware, Remote Code Vulnerabilities and More

• Brett Shavers
  • Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection
  • What’s New at DFIR Training?

• Cellebrite
  Simplify Digital Evidence Collection

• Digital Corpora
  • New Scenario Added! – 2019 Narcos
  • iOS 13

• Forensic Focus
  How To Extract Data From Samsung Galaxy S9 / Android 10 With MD-NEXT

• Formobile
  All Parties Moving Towards Mobile Forensic Improvements

• James Duffy
  Protect Your Mac With This One Weird Trick

• Magnet Forensics
  • Our Commitment to Equality and the Justice Sector
  • Free Mac & iOS Resources for the DFIR Community

• Mail Xaminer
  • Zoho Mail Forensics for Mailbox and Email Header Analysis
  • 100% Proven Solution to Perform Office 365 Email Forensics
  • EarthLink Forensics: Discovering & Examining Weak Links

• MantaRay Forensics
  MantaRay Forensics VirusShare Hash Sets 2020 Q2

• Oxygen Forensics
  Work with SQLite databases in the new File Viewer

• Phil Hagen at SANS
  Solving a Mailing List “Gap Spam” Problem

• Santosh Khadsare
  When can I be a Mentor in a niche field like Digital Forensics ?

• Sumuri
  TALINO Workstation in the news

• Julie Rockett at Swimlane
  The Role of Preparation and Process in Incident Response

• University of Warwick
  How Dashcams help and hinder forensics

• Bernardo Quintero at VirusTotal
  VirusTotal += Cynet

SOFTWARE UPDATES

• Brim
  v0.11.0

• Didier Stevens
  Update: translate.py Version 2.5.8

• Elcomsoft
  • Elcomsoft iOS Forensic Toolkit 6.10: jailbreaking all the way
  • ElcomSoft Phone Breaker 9.60 and Elcomsoft Phone Viewer 5.10 streamline iCloud data analysis

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 12.00 (production release)

• Amped
  Amped Replay Update 16856 With Spotlight, Project Files Import/Export And Descriptions For Bookmarks

• GetData
  11 June 2020 – 5.2.2.9632

• Yogesh Khatri
  20200609

• Maxim Suhanov
  1.0.5

• Meta-Blue
  Meta-Blue

• Oxygen Forensics
  Oxygen Forensic® Detective v.12.5

• Ryan Benson at dfir.blog
  Hindsight is 2020

• Sigma
  sigmatools 0.17.0

• IsoBuster
  • IsoBuster 4.6 Beta released
  • IsoBuster 4.5 released

• TrustedSec
  Access Locked Files With TScopy

• Velociraptor
  Release 0.4.5

• Yogesh Khatri
  Deserializer
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!