Last week, the Forensic 4Cast awards were held at the end of the virtual DFIR Summit. Congratulations to all the winners, as well as everyone nominated. Everyone nominated should really pat themselves on the back for a job well done; it’s quite an achievement!
- Thanks to the DFIR Community, Cellebrite Wins Multiple Times at Forensics 4:cast Awards
- Magnet Forensics is Proud to Once Again Take Home Two Forensic 4:cast Awards!
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. Come join her Monday the 27th at Life has no Ctrl + Alt + Del
LC – Congrats to Phill, Kathryn, and Jason on the first run of their Digital Forensics Essentials Course!
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Arman Gungor at Metaspike
  - Dates in Hiding Part 3 — Gmail Message ID and Thread ID Timestamps
- Cellebrite
  - DFIR_300
  - Unsupported Artifacts and How to Deal with them
- Vladimir Katalov at Elcomsoft
  - Downloading iOS 13 and iOS 14 iCloud Backups
- James Duffy
  - An Introduction To The Google Reverse Geocoding API
- Oxygen Forensics
  - Collecting macOS artifacts with Oxygen Forensic® KeyScout
- Peter Stewart
- SalvationData
  - Computer Forensics: Sneak Peek of SalvationDATA’s Industry-leading Corrupted/Failed SSD Recovery Solution — SRS SSD Forensic Recovery System
- Jared Barnhart guest posted on Mac4n6
  - Follow-on to DFIR Summit Talk: Lucky (iOS) 13: Time To Press Your Bets (via @bizzybarney)
- Yogesh Khatri at ‘Swift Forensics’
  - KTX to PNG in Python for iOS snapshots
THREAT INTELLIGENCE/HUNTING
- Matthew Green sharing Velociraptor goodness
  - Windows IPSEC for endpoint quarantine
- Zach Stanford shares solid threat hunting basics
  - How to start Threat Hunting (even if your team is small!)
- Binary Defense
  - Russian Cybercriminal Group Attempts to Steal COVID-19 Vaccine Research
- Blue Team Blog
  - IPS vs IDS – An Overview
- Check Point Software
  - How scammers are hiding their phishing trips in public clouds
- Check Point Software (registration wall)
  - Cyber Attack Trends: 2020 Mid-Year Report
- Erik Cabrera at Crypsis Group
  - Discovering Hidden Rules: Business Email “Crypsis”
- Daniel Miessler
  - Reverse Threat Modeling for Pursuing Attribution
- Max Heinemeyer at Darktrace Blog
  - The resurgence of the Ursnif banking trojan
- Chris Brook at Digital Guardian
  - What is Threat Intelligence?
- Seth Goodwin, Daniel Stepanic, Justin Ibarra, and Andrew Pease at Elastic
  - Detection rules for SIGRed vulnerability
- Annie Ballew at Huntress Labs
  - Huntress Service: External Recon
- InfoSec matters
  - Modern Honey Network – Extract Threat Intel
- US Department of Justice
  - Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
- Kevin Beaumont at DoublePulsar
  - Detecting DNS CVE-2020–1350 exploitation attempts in Azure Sentinel
- Kirtar Oza
  - Microsoft Azure Sentinel articles
- Mike at “CyberSec & Ramen”
  - Detecting Shapes In Office Documents
- Neil Fox
  - Mimikatz usage & detection
- Nextron Systems
  - Web Proxy Event Analysis Cheat Sheet
- Palo Alto Networks
  - OilRig Targets Middle Eastern Telecommunications Organizations and Adds Novel C2 Channel with Steganography to Its Inventory
- Penetration Testing Lab
  - Lateral Movement – Services
- Tony Lambert at Red Canary
  - Connecting Kinsing malware to Citrix and SaltStack campaigns
- Cedric Owens at Red Teaming with a Blue Team Mentality
  - A Brief Look At 2 IdaaS Attack Paths
- Sucuri Blog
- Tenable
  - Copy-Paste Compromises: Threat Actors Target Telerik UI, Citrix, and SharePoint Vulnerabilities (CVE-2019-18935)
- Roberto Rodriguez at Threat Hunters Forge
  - Extending the Exploration and Analysis of Windows RPC Methods Calling other Functions with Ghidra…
- Phil Rowland at TrustedSec
  - Azure Automation – Getting Started With Desired State Configurations
- Trustedsignal
  - Meterpreter’s Migrate: Detection and Investigation with memtriage and memdumppe
- Martin Rakhmanov at Trustwave SpiderLabs
  - ASUS Router Vulnerable to Fake Updates and XSS (CVE-2020-15498 & CVE-2020-15499)
- Chad Loeven at VMRay
  - Decoding the Verizon DBIR Report: An Insider’s Look Beyond the Headlines
UPCOMING WEBINARS/CONFERENCES
- Jessica Hyde at Magnet Forensics
  - Tips & Tricks // Custom Artifacts
- Cellebrite
- Scythe
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Forensic Lunch
  - Forensic Lunch 7/24/20
- Jessica Hyde at Magnet Forensics
  - Magnet Forensics Presents: Cache Up – Ep.8 – Alexis Brignoni
- Kevin Ripa at SANS
- Belkasoft
- Cellebrite
- Cellebrite Podcasts
  - Episode 4: Carved From Unallocated – The Value of Using Your Own Solid Test Data to Aid Investigations
  - Using Artifact Examiner (ArtEx) To Investigate An Artifact On A Device
  - Walk-through of the Cellebrite Physical Analyzer plug-in – Minidump For Targeted App Analysis
  - Episode 7: I Beg to DFIR – The Value of Health Data for Investigations
- CyberwarCon
  - CYBERWARCON 2019 – The Secret Life of Sandworms
- Lee Whitfield at Forensic 4cast
  - Just Forensics, Mercifully
- HITBLockDown002
  - HITBLockDown002
- Lee Reiber at Mobile Forensic Investigations
  - Oxygen Forensics Episode 119
- Matthew Toussain
  - The C2 Matrix | Golden Age of C2
- SANS Institute
MALWARE
- While I was away, Emotet came back… some now with GIF payloads?!
  - A vigilante is sabotaging the Emotet botnet by replacing malware payloads with GIFs
  - Blumira
    - Detect and Protect Against the Return of Emotet Malware
  - Brad Duncan at Malware Traffic Analysis
    - 2020-07-20 – Data Dump: Emotet with Trickbot
  - Click All the Things!
    - Emotet (2017-07-21): Still Making Use of Userforms
  - Kevin Beaumont at DoublePulsar
    - Emotet being hijacked by another actor
  - VMRay
    - Malware Analysis Spotlight: The Return of Emotet
- Blumira
- 0day in {REA_TEAM} with a challenge
  - [Z2A] Custom sample 1 challenge write-up
- 0xEvilC0de
  - Reversing Data Structures with Ghidra: Structures
- 360 Total Security Blog
  - New variant of Phobos ransomware is coming
- Abdallah Elshinbary
- Active Countermeasures
  - Malware of the Day – Taidoor
- Brad Duncan at Malware Traffic Analysis
  - 2020-07-20 – Word docs with macros for IcedID (Bokbot)
- Bridgit Sullivan at Advanced Intelligence
  - Inside “Phobos” Ransomware: “Dharma” Past & Underground
- Cisco Talos
  - Prometei botnet and its quest for Monero
- CrowdStrike
  - Attackers Are Trying to Take a Bite Out of the Apple
- FireEye Threat Research
  - Unique Threats to Operational Technology and Cyber Physical Systems
- Follow The White Rabbit
  - Unpacking NetWalker ransomware
- Intezer
  - What is Zero Trust Execution? Definition, Adoption & More
- Jiří Vinopal
  - Check out @vinopaljiri’s Tweet
- Kaspersky Lab
  - MATA: A multiplatform malware framework
- Lost in Security (and mostly everything else)
  - 2020-07-17 ZLoader Malspam (Excel 4 Macros)
- Malware, meet Mr Poke and Mr Stick
  - x64dbg Tips and tricks
- Malwarebytes Labs
  - Chinese APT group targets India and Hong Kong using new variant of MgBot malware
- MrT4ntr4’s Blog
  - Solving Java Reversing Challenges – Noverify’s Java Crackme 3
- Netskope
  - Leaky Helpdesk – Accidental Exposure of Zendesk Attachments
- oR10n Labs
  - Reverse Engineering the New Mustang Panda PlugX Downloader
- Palo Alto Networks
- PC’s Xcetra Support
  - PowerShell Steganography
- Radware
  - Cracking Passwords and Taking Over User Accounts
- Rapid7
  - Rapid7 Releases 2020 NICER Report
- SANS Internet Storm Center
  - Scanning Activity for ZeroShell Unauthenticated Access, (Sun, Jul 19th)
  - Sextortion Update: The Final Final Chapter, (Mon, Jul 20th)
  - Couple of interesting Covid-19 related stats, (Tue, Jul 21st)
  - A few IoCs related to CVE-2020-5092, (Wed, Jul 22nd)
  - Simple Blacklisting with MISP & pfSense, (Thu, Jul 23rd)
  - Compromised Desktop Applications by Web Technologies, (Fri, Jul 24th)
  - Cracking Maldoc VBA Project Passwords, (Sun, Jul 26th)
- Securelist from Kaspersky
- SentinelLabs
- Telsy
  - Turla / Venomous Bear updates its arsenal: “NewPass” appears on the APT threat scene
- Thomas Roccia
  - Fifty Shades of Malware Strings
- Trustedsignal
  - Analyzing an Instance of Meterpreter’s Shellcode
- Trustwave SpiderLabs
  - Lockscreen Ransomware Phishing Leads To Google Play Card Scam
- VMware Carbon Black
  - TAU Threat Discovery: Cryptocurrency Clipper Malware Evolves
- WeLiveSecurity
MISCELLANEOUS
- Cybereason is hosting a CTF
  - Need a Boost? Stretch Your Skills with the Cybereason Summer CTF!
- Andrew Rathbun at AboutDFIR
  - AboutDFIR Content Update 7/23/2020
- Black Hills Information Security
  - We Have Built a Cyber Range!
- Chris Sanders
- Cyber Arms
  - Cheap Security Lab Training with Raspberry Pi 4, Docker & Kali Linux
- Didier Stevens
  - Cracking VBA Project Passwords
- Forensic Focus
- Jason Wilkins at ‘Noob to Pro Forensics’
  - Walk, don’t run!
- Marco Fontani at Amped
  - File Management, Exporting and Backup in Amped Replay
- Matt at ‘Bit of Hex’
  - WSL2, Docker, & CyberChef
- Mike Dickinson at MSAB
  - Mobile forensics – It doesn’t always stop with the software
- Nextron Systems
- Richard Frawley at ADF
  - Best Mobile Device Investigator Settings for Evidence Collection | MDI
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — July 19 to July 25
- StealthBay
  - Autopsy – A Forensic Analysis Tool
- John Patzakis at X1
  - Another Criminal Conviction Overturned Due to Failure to Authenticate Social Media Evidence
SOFTWARE UPDATES
- iLEAPP
  - v.1.2
- Airbus CERT
  - etl-parser v1.0.1
- Amped
  - Amped Authenticate Update 17658: Brand New Shadows Filter, Improved Source Camera Identification, Spanish and Vietnamese Support, and More
- Cellebrite
  - Sharing Cellebrite BlackLight Case Data has Never Been Easier
- Didier Stevens
  - Update: oledump.py 0.0.52
- Elcomsoft
  - Elcomsoft Phone Breaker 9.61 adds iOS 14 support, fixes iCloud backups
- Eric Zimmerman
  - ChangeLog
- Lenny Zeltser
  - Version 7 of the REMnux Distro Is Now Available
- Manabu Niseki
  - v2.3.8
- Metaspike
  - Forensic Email Collector (FEC) Changelog
- OpenText
  - What’s new in EnCase eDiscovery Cloud Edition (CE) 20.3
- YARP
  - 1.0.29
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!