Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cellebrite
  • If I Could Turn Back Time—A Closer Look at iOS Time Modifications
  • How to Conduct Keyword Searches With Cellebrite Physical Analyzer
  • How Turn-By-Turn Driving Directions Uncovered a Killer’s Lies

• Journal of Computers & Security
  Hooktracer: Automatic Detection and Analysis of Keystroke Loggers Using Memory Forensics

• Craig Ball at ‘Ball in your Court’
  It’s About Time!

• DFIR_300
  • #MVS2020CTF Write-Up (Windows)
  • #MVS2020CTF Write-Up (iOS)

• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Evaluating Truepic’s Inspect

• Elcomsoft
  • iOS Extraction Without a Jailbreak: Full iOS 10 Support
  • iOS, watchOS and tvOS Acquisition Methods Compared: Compatibility Notes

• JBrown
  Forensic Mounting of Disk Images using Ubuntu 20.04

• Kinga Kieczkowska
  AirDrop Forensics

• Mike Cohen at Velocidex
  • The Velociraptor Query Language Pt 1
  • The Velociraptor Query Language Pt 2

• MSAB
  • Raven: An Android Mobile Exploitation Kit in a portable package
  • XEC Director – A valuable tool in Frontline Forensics management

• Sarah Edwards at Mac4n6
  Extensive knowledgeC APOLLO Updates!
  

THREAT INTELLIGENCE/HUNTING

• Mark Mo on one of the most important things for any forensic discipline: documentation
  The importance of personal documentation

• Putting the Australian Cyber Security Centre advisory into context:
  • Trustwave SpiderLabs and JuicyPotato and other IOCs
    Copy-Paste Threat Actor in the Asia Pacific Region
  • VMware Carbon Black on behavioral detection
    Broad, Ongoing Cyberattacks Targeting Australia Underscore Need for Behavioral-Based Cybersecurity
  • ZScaler on the issues
    Targeted attacks on Australian Networks (ACSC Advisory) – Zscaler Coverage

• Gary Golomb at Awake Security
  The Internet’s New Arms Dealers: Malicious Domain Registrars

• Adam Reiger at Binary Defense
  Claire’s Hit With Magecart Attack

• Jordan Drysdale & Kent Ickler at Black Hills Information Security
  How To Deploy Windows Optics: Commands, Downloads, Instructions, and Screenshots

• Blue Team Blog
  How to detect and block Living off the Land attacks

• Check Point Research
  Office 365 Phishing Campaign Exploits Samsung, Adobe and Oxford Servers

• Brian Dye at Corelight
  Chocolate and Peanut Butter, Zeek and Suricata

• Andrew Pritchett at Expel
  How to create and maintain Jupyter threat hunting notebooks

• Raj Chandel at Hacking Articles
  • Kerberoasting and Pass the Ticket Attack Using Linux
  • Remote Code Execution Using Impacket
  • Abusing Kerberos Using Impacket

• John Ferrell at Huntress Labs
  Hiding In Plain Sight

• Jorge Orchilles at Scythe started a new blog series
  • SCYTHE Presents: #ThreatThursday – Buhtrap
  • SCYTHE Presents: #ThreatThursday – APT19
  • SCYTHE Presents: #ThreatThursday – APT33

• lucky-luk3
  Grafiki

• Microsoft
  • Using external data sources to enrich network logs using Azure storage and KQL
  • Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint

• Jamie Williams at MITRE ATT&CK
  Actionable Detections: An Analysis of ATT&CK Evaluations Data Part 2 of 2

• Rob Bone at Nettitude Labs
  Detecting PoshC2 – Indicators of Compromise

• Nik Alleyne at ‘Security Nik’
  Installing Zeek 3.1.4 on Ubuntu 20.04

• Ozan Unal at Medium
  Process Injection Techniques

• Red Alert Blog
  Activities of the SectorJ17 hacking group aimed at stealing user information

• Tony Lambert at Red Canary
  Keeping tabs on Blue Mockingbird

• Donald Allison at Secureworks
  How You Define “Incident” Can Have Unwanted Repercussions

• Adam G. Tomeo at Cisco Security
  Getting more value from your endpoint security tool #3: Querying Tips for Incident Investigation

• Tegar Purnama at MII Cyber Security
  Build AD Server with Kerberos dan Attacking Kerberos

• Martin Rakhmanov at Trustwave SpiderLabs
  Cisco WebEx Memory for the Taking: CVE-2020-3347

• Atinderpal Singh, Nirmal Singh, and Sahil Antil at ZScaler
  Targeted Attack Leverages India-China Border Dispute to Lure Victims

UPCOMING WEBINARS/CONFERENCES

• Jessica Hyde at Magnet Forensics
  Taking A Byte of Out of Chromebook Analysis

• Cellebrite
  • Help to Understand Android Extractions
  • Join Us For “Nothing to see here? I beg to DFIR. – Episode 6: Digital Wellbeing and iOS Screentime – Do you feel like your phone is watching you? It is?”
  • Technical Webinar: 7.34 updates and an in depth look at Full-disk and File-based encryption
  • UFED Capabilities,​ iOS Malware and Extractions

• Palo Alto Networks
  Inside the Hunt

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  • Class 7 – DFIR Python Study Group
  • Class 8 – DFIR Python Study Group

• Forensic Lunch
  Forensic Lunch 6/19/20

• Jessica Hyde at Magnet Forensics
  • Magnet Forensics Presents: Cache Up Ep.2 – Mari DeGrazia
  • Magnet Forensics Presents: Cache Up Ep.3 – Mike Williamson

• Kevin Ripa at SANS
  • Episode 59: My iPhone is hacked!
  • Episode 58: Cellphone seizure process
  • Episode 60: How passwords get hacked
  • Episode 61: Selecting a bulletproof password
  • Episode 62: Creating wordlists for password cracking

• Black Hills Information Security
  Webcast: Linux Forensics Magical Mystery Tour With Hal Pomeranz

• Cellebrite
  • UFED introduced additional support for Qualcomm devices
  • Carved from Unallocated – Episode 3: 10 Common Mistakes Examiners Make in Digital Forensics
  • 6 Reasons Why You Need Cellebrite UFED Cloud  – #1
  • Phone Data Extractions Using the EDL Method – Scott Lorentz, Chief Forensic Analyst at Centex Technologies

• Detections Podcast
  Season 2 Episode 6: Non-tech InfoSec with Special Guest Kim Zetter

• Digital Forensic Survival Podcast
  DFSP # 226 – User Logons

• Hasherezade
  • PE-sieve release notes: process reflections
  • How to make a PE with no sections (using Crinkler)

• Jason Nickola at ‘Trust Me I’m Certified’
  Finding your strategy (and a little social engineering) for “what’s next” with O’Shea Bowens – Part 2

• John Hubbard at ‘The Blueprint podcast’
  • The Art of Blue Teaming
  • Shock to the System: Re-Evaluating Your Security Operations

• Jorge Orchilles at Scythe
  SCYTHE Presents: SCYTHE Demo with Jorge Orchilles

• Lee Reiber at Mobile Forensic Investigations
  Oxygen Forensics Episode 115

• OALabs
  IRC Botnet Reverse Engineering Part 2 – Analyzing Memory Structures with x64dbg and IDA PRO

• Rasta Mouse 
  • SharpC2 – Episode 5 [AgentCore]
  • SharpC2 – Episode 6 [Agent Metadata]
  • SharpC2 – Episode 7 [Server Modules & Agent CheckIn]

• RandoriSec & Friends
  [RandoriSec&Friends – Enlarge your toolkit] Tools for Cloud Examination – Thomas Chopitea

• SANS
  • Ghidra Quick Debut: SANS FOR610 Reverse Engineering Malware
  • Strategic Takeaways: Forging Compelling Narratives with Cyber Threat Intelligence – SANS CTI Summit
  • Stop Tilting at Windmills: 3 Key Lessons that CTI Teams Should Learn from the Past – SANS CTI Summit
  • The Threat Intelligence EASY Button with Chris Cochran – SANS CTI Summit
  • Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence – Keynote SANS CTI Summit
  • Threat Intelligence and the Limits of Malware Analysis with Joe Slowik – SANS CTI Summit 2020

• Tribe of Hackers Podcast
  Jake Williams, aka @MalwareJake

MALWARE

• Miles Kenyon at Citizen Lab in a joint report with Amnesty International review malware that targeted people working on freeing the Bhima Koregaon 11. Some of the people targeted were previously targeted in the NSO WhatsApp hack.
  Citizen Lab and Amnesty International Uncover Spyware Operation Against Indian Human Rights Defenders

• Securelist with a retrospective look at threats that come with explicit content
  Explicit content and cyberthreats: 2019 report

• Examining LoJack for laptops
  Absolute（绝对定位）软件安全事件分析

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  LinuxCheck: Linux information gathering tool

• Aneesh Dogra’s Blog
  Bypassing Syscall filters

• Adam Reiger at Binary Defense
  Ransomware Uses Pulse VPN Flaw to Spread

• Posts from Bitdefender Labs
  • BitterAPT Revisited: the Untold Evolution of an Android Espionage Tool
  • SSH-Targeting Golang Bots Becoming the New Norm

• Brad Duncan at Malware Traffic Analysis
  • 2020-06-12 – Qakbot (Qbot) spx139 infection with ZLoader
  • 2020-06-10 – Ursnif (Gozi/IFSB) infection with Ursnif variant
  • 2020-06-15 – Lokibot infection
  • 2020-06-17 – Qakbot (Qbot) spx142 infection
  • 2020-06-16 – Qakbot (Qbot) spx142 infection
  • 2020-06-16 – Trickbot gtag ono47 infection
  • 2020-06-18 – Qakbot (Qbot) spx143 infection
  • 2020-06-18 – Password-protected XLS files push ZLoader

• Updates from the Cisco Talos blog
  • Quarterly report: Incident Response trends in Summer 2020
  • Beers with Talos Ep. #84: Mid-career advancement in cyber security

• Jamie at Click All the Things!
  zloader: VBA, R1C1 References, and Other Tomfoolery

• Noah Mizell and Kyle Duncan at Cofense
  Practice Makes Perfect

• Joe Slowik at Dragos
  EKANS Ransomware Misconceptions and Misunderstandings

• Evan Kohlmann at Flashpoint
  Iraq Threat Update: June 2020

• Val Saengphaibul and Fred Gutierrez at Fortinet
  Global Malicious Spam Campaign Using Black Lives Matter as a Lure

• Karsten Hahn at G Data Security
  New Java STRRAT ships with .crimson ransomware module

• Avigayil Mechtinger at Intezer
  ELF Malware Analysis 101: Linux Threats No Longer an Afterthought

• Christine Barry at Journey Notes
  Emotet emerges as a leader in Malware-as-a-Service

• 喜野 孝太(Kota Kino) at JPCERT/CC
  Evolution of Malware LODEINFO

• Alexander Eremin at Kaspersky Lab
  How Trojans steal gaming accounts

• Hossein Jazi and Jérôme Segura at Malwarebytes Labs
  Multi-stage APT attack drops Cobalt Strike using Malleable C2 feature

• James Haughom at MalwareDisciple
  • Evolution of Excel 4.0 Macro Weaponization
  • IQY + Paradise Ransomware

• Melissa at Sketchymoose’s Blog
  What are Maldocs Up To These Days?

• Michael Gorelik at Morphisec
  CrystalBit / Apple Double DLL Hijack — From fraudulent software bundle downloads to an evasive miner raging campaign

• Ladislav Baco at MWLab
  • Hunting for Blue Mockingbird samples
  • Memory Acquisition on Synology NAS
  • XMRig-based CoinMiners spread by Blue Mockingbird Group

• Dominik Reichel and Esmid Idrizovic at Palo Alto Networks
  AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations

• SANS Internet Storm Center
  • Sextortion to The Next Level, (Tue, Jun 16th)
  • YARA’s BASE64 Strings, (Sun, Jun 14th)
  • HTML based Phishing Run, (Mon, Jun 15th)
  • Pi Zero HoneyPot , (Sat, Jun 20th)
  • Sigma rules! The generic signature format for SIEM systems., (Fri, Jun 19th)

• Denis Legezo at Securelist
  Microcin is here

• Pavel Asinovsky at Security Intelligence
  Ginp Malware Operations are on the Rise, Aiming to Expand in Turkey

• Michael Myngerbayev at SentinelLabs
  A Click from the Backyard | Analysis of CVE-2020-9332, a Vulnerable USB Redirection Software

• Xinran Wu and Sean Gallagher at Sophos News
  New Bundlore adware targets MacOS with updated Safari extensions

• Bogdan Vennyk on Medium
  How to avoid falling down the rabbit hole while analyzing malware

• The DFIR Report
  The little ransomware that couldn’t (Dharma )

• VMRay
  Malware Analysis Spotlight: Phishing Site Spread through SMS

• AC at VMware Carbon Black
  TAU Threat Analysis: Relations to Hakbit Ransomware

• WeLiveSecurity at ESET published two lengthy whitepapers this week:
  • Dominik Breitenbacher and Kaspars Osis on aerospace attacks (28 page PDF)
    Operation In(ter)ception: Aerospace and military companies in the crosshairs of cyberspies
  • Zuzana Hromcová and Anton Cherepanov targeting Eastern Europe (62 page PDF)
    Digging up InvisiMole’s hidden arsenal

• Xavier Mertens at /dev/random
  When NTP Kills Your Sandbox

• Yet Another Security Blog
  Further Evasion in the Forgotten Corners of MS-XLS

• COVID actor related news:
  • Cisco Talos
    Updates to Snort setup guides
  • CrowdStrike
    We Stop. So You Can Go.
  • Security Intelligence
    Chaos Engineering and Security: Upgrading Simulation Exercises For More Dynamic Threat Environments
  • Trustwave SpiderLabs
    TrickBot Disguised as COVID-19 Map

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 6/16/2020

• Mark Spencer at Arsenal Recon
  Quick Tour of New Features in Arsenal Image Mounter v3.2.126

• Vitaliy Mokosiy at Atola
  Q&A during the Interpol Digital Forensics Expert Group 2020

• Adrian at ‘Agood cloud’
  • Adding Thehive Case Data to Splunk
  • Book Review: Operator Handbook Search. Copy. Paste. L33t 😉

• Marco Fontani at Amped
  What Is “Better”? Understanding the Differences Between Amped FIVE or Amped Replay vs Consumer Video Players

• Belkasoft
  Whitepaper: Six Naïve Methods of Concealing Digital Evidence, and How to Deal with Them

• Blue Team Blog
  Common Cybersecurity Analyst Interview Questions (And how to answer them)

• Brett Shavers at DFIR.Training
  What’s New at DFIR Training?

• Vince Stoffer at Corelight
  The light shines even brighter: Updates to Corelight’s Encrypted Traffic Collection

• DFRWS Rodeo Archive
  • DFRWS Rodeo 2019
  • DFRWS Rodeo 2018
  • DFRWS Rodeo 2017

• Didier Stevens
  FalsePositive GitHub Repository

• Digital Forensics Challenge
  Digital Forensics Challenge

• Tyler Schlect at DME Forensics
  A Birthday of Sorts – and one more thing…

• Forensic Focus
  • XAMN 101 – Too Much Data, Too Little Time
  • Register For Webinar: How To Quickly Process All Your Videos (And Audio) For Release In Amped FIVE
  • How To Perform A Full Filesystem Checkm8 Extraction On iPhone 8 With MD-NEXT
  • BlackBag Launches Self-Paced Online Training for Apple® Forensic Investigations
  • Navigating Digital Investigations In 2020 Using BlackLight And MacQuisition

• James Duffy
  • The Mysterious Apple DCSD Cable, Demystified.
  • Project Oxygen  – iOS Virtualisation. Automated.
  • Modern Activation Bypass Utilities. Secure? Yes & No

• Liam Smith
  • Building An Incident Response And Forensics Homelab — PT1: Workstation And File Storage
  • Building A Incident Response And Forensics Homelab — PT2: Autopsy and Central Repository…

• Magnet Forensics
  • Scale Up Existing Resources and Processes with Magnet AUTOMATE 2.2
  • Integrate Any Acquisition Tool in Magnet AUTOMATE 2.2 with Watch Folders

• Mail Xaminer
  • Ultimate Way to Perform Mozilla Thunderbird Email Forensics
  • Tags and Privileged Files – MailXaminer
  • Everything You Should Know About Opera Mailbox Forensics

• Manta0101
  Forensics-Decision-tree

• Mission Darkness
  TitanRF™ Faraday Fabric Testing Explained

• Oxygen Forensics
  E01 import now in Oxygen Forensic® Detective!

• Jay Godbole at Rapid7
  Unlocking the Power of Macro Authentication: Part One

• Bret Peters at ADF
  Law Enforcement Conferences | Choose Training and Events by Type

• Michael Hoffman
  Reflecting on my journey with SANS

• Santosh Khadsare
  • SOLID STATE DEVICES (SSD) FORENSICS (PART I)
  • SOLID STATE DEVICES (SSD) FORENSICS (PART II)
  • Free Course on Digital Forensics (#DFIR)
  • India’s Top 20 Digital Forensics Professionals

• David Thejl-Clayton at Security Distractions
  TF-CSIRT – Whats it all about?

• Amy Nguyen at Sumuri
  Solutions to Software Update Error Message in RECON IMAGER

• Ted Smith at ‘X-Ways Forensics Video Clips’
  Video 60 – New Export Options and new XWF_OpenItem flags

• Trent Greenwood at VMware Carbon Black
  Court Ruling on Forensic Data Breach Reporting Flying Under the Radar

SOFTWARE UPDATES

• Digital Detective
  NetAnalysis® v2.12 and HstEx® v4.12 Released

• Elcomsoft
  iOS Forensic Toolkit 6.20: filling the gaps

• Eric Zimmerman
  ChangeLog

• GetData
  19 June 2020 – 5.2.2.9660

• Hex Rays
  IDA Pro 7.5 SP1 released

• mac_apt
  20200620

• dfir_ntfs file system parser
  1.0.6

• MISP
  MISP 2.4.127 released (decay updates release edition)

• Xways
  X-Ways Forensics 20.0 Beta 4b
  

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!