We’ve set a date for Beta 2 of our FOR308 class. Come join Kat and me for a week of Digital Forensic Essentials at a discounted price.
Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections.
One post worth checking out is Lee Whitfield’s DFIR For Good post. I say this for a couple of reasons: some folks can’t afford DF services and may be treated unjustly because of it, but also so that people think about the impact their work has regardless.
As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Alexis Brignoni at ‘Initialization Vectors’
  - Update on Discord forensic artifacts for iOS & Windows
- Jessica Hyde at Magnet Forensics
  - Chromebook Data Locations
- Abhiram Kumar
- Cellebrite
  - Wildlife Trafficking Kingpin Nabbed Through Digital Intelligence Found On Mobile Phones
- Craig Wilson at Digital Detective
  - Binary-Coded Decimal Timestamps
- Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  - Count on it
- Elcomsoft
- Forensicator
  - I can’t remember my password! (dfchallenge.org CTF Write-Up)
- Shubham Sharma at Hacking Articles
  - Forensic Investigation: Windows Registry Analysis
- John Lukach at Cloud 4n6ir
  - Getting Started – Snapshot 4n6ir Imager for Docker
- Oxygen Forensics
  - WhatsApp data extraction via OxyAgent
- Peter Stewart
  - DFA/CCSC Spring 2020 CTF – Wireshark – network.pcapng Write-up
- Daniel Chen at Polito
  - Enhancing Digital Forensics with X-Ways X-Tensions: Metadefender Plugin
- Christian Vrescak at SANS
  - Making the Most Out of WLAN Event Log Artifacts
- Sumuri
  - RAM Imaging with Recon ITR
THREAT INTELLIGENCE/HUNTING
- Andrew Pease at HuntOps
  - 8/02/2020 – Securing the Elastic Stack in RockNSM
- AT&T Cybersecurity
  - Stories from the SOC: Compromised account detected
- Azure Sentinel articles
  - Secure your Calls – Monitoring Microsoft TEAMS CallRecords Activity Logs using Azure Sentinel
- Black Hills Information Security
  - How To: Applied Purple Teaming Lab Build on Azure with Terraform (Windows DC, Member, and HELK!)
- BlackArrow
  - Hindering threat hunting, PlugX style
- Blue Team Blog
  - Active Directory – Security Hardening, Auditing and Detection Rules
- Blumira
- Rachel Scobey at CrowdStrike
  - How to Use RiskIQ to Enrich Detections with Internet Intelligence
- Cyborg Security
- Darktrace Blog
  - Phishing from the inside: Microsoft 365 account hijack
- Elastic
  - Collecting and analyzing Zeek data with Elastic Security
- Hacking Articles
  - Comprehensive Guide on Unrestricted File Upload
- Jorge Orchilles at Scythe
- Journey Notes
  - Threat Spotlight: Malicious accounts in business email compromise
- LIFARS Cybersecurity Blog – LIFARS, Your Cyber Resiliency Partner
  - OilRig APT’s Innovative Backdoor Creates a Pipeline for Data Exfiltration
- Mike at “CyberSec & Ramen”
  - JPCert’s Log Analysis Training
- Mike at ØSecurity
  - Discussion on Domain Credential Extraction
- NVISO Labs
  - EDR: an overview of visibility improvements and economic benefits
- Picus Security
  - MITRE ATT&CK T1086 PowerShell
- Riccardo Ancarani at ‘Red Team Adventures’
  - Hunting for Skeleton Key Implants
- Robert M. Lee
  - Should Governments Actively Defend Private Sector Networks?
- Rootdevsec
- Security Intelligence
  - Threat Hunting Techniques: A Quick Guide
- SentinelOne
  - Ransomware Prevention | Practical Steps to Reducing Your Attack Surface
- SpecterOps
  - Covenant v0.6
- The DFIR Report
  - Dridex – From Word to Domain Compromise
- Threat Hunters Forge
- Sergio Caltagirone at Threat Intel Academy
  - Combining the Diamond Model, Kill Chain, and ATT&CK
- TrustedSec
  - Malicious Macros for Script Kiddies
- trustedsignal
  - Hunting injected processes by the modules they keep
- Trustwave SpiderLabs
  - Microsoft Teams Updater Living off the Land
UPCOMING WEBINARS/CONFERENCES
- Belkasoft
  - Belkasoft Announces the Launch of a New DFIR Product
- Elan at DFIR Diva
  - DFIR Related Events for Beginners – August, 2020
- The upcoming Flare-On CTF
  - Announcing the Seventh Annual Flare-On Challenge
PRESENTATIONS/PODCASTS
- Alexis Brignoni
- Jessica Hyde at Magnet Forensics
  - Magnet Forensics Presents: Cache Up – Ep.10 – Jessica Hyde
- Kevin Ripa at SANS
  - Episode 91: Case study on an incorrect conclusion in a criminal case – Part 1
  - Episode 92: Case study on an incorrect conclusion in a criminal case – Part 2
  - Episode 93: Case study on an incorrect conclusion in a criminal case – Part 3
  - Episode 94: The Internet is Broken. Let’s Fix It – Part 1
  - Episode 95: The Internet is Broken. Let’s Fix It – Part 2
- Check out what’s going on at the Def Con Blue Team Village and Biohacking Village this weekend, including highlights from incident response and securing medical devices
  - DEFCON 2020 Safe Mode
- Belkasoft
  - Webinar: eDiscovery with Belkasoft Evidence Center
- Heather Mahalik at Cellebrite
  - Carving for deleted data within databases can uncover additional artifacts for your investigation
- CQURE Academy
  - [Black Hat USA 2020] Paula’s and Mike’s Arsenal Session – CQForensic: The Efficient Forensic Toolkit
- Peter Ingebrigtsen at CrowdStrike
  - Reducing the Attack Surface with Custom Indicators of Attack
- Detections Podcast
  - Season 2 Episode 13: CTF Time or Not? That is the Question
- Digital Forensic Survival Podcast
  - DFSP # 233 – New Scheduled Tasks
- John Hubbard at ‘The Blueprint podcast’
  - Empowering Security Researchers Around the World!
- Lee Reiber at Mobile Forensic Investigations
  - Oxygen Forensics Episode 121
- MSAB
  - XAMN 102 – Next Steps from Extraction to Reporting
- Neil Fox
  - #5 Malware Analysis Using a Cuckoo Sandbox
- Richard Davis at 13Cubed
  - Introduction to Cyber Triage – Fast Forensics for Incident Response
- SANS
  - What’s New in REMnux v7
  - SANS Class Prep Intro – What to complete prior to class
  - SANS Class Prep – Systems Requirements
  - SANS Class Prep – Downloading your course materials
  - SANS Class Prep – Mounting an ISO file in Windows
  - SANS Class Prep – Mounting an ISO file in macOS
  - SANS Class Prep – Slack Setup & Install
MALWARE
- 0xdf hacks stuff
  - Jar Files: Analysis and Modifications
- Active Countermeasures
  - Malware of the Day – Magnitude
- Brad Duncan at Malware Traffic Analysis
- Click All the Things!
  - 2020-08-05: Update on zloader XLM code
- Cofense
  - GuLoader Rises as a Top Malware Delivery Mechanism in Phishing
- Colin Hardy on YouTube
  - Bashing LOLSnif – Defeating Anti-Analysis Techniques to get real IOCs
- Cyber And Ramen
  - JPCert’s Log Analysis Training
- FireEye Threat Research
  - Bypassing MassLogger Anti-Analysis — a Man-in-the-Middle Approach
- Flashpoint
  - Flashpoint Hunt Team Insights into Zeppelin Ransomware
- Fortinet
  - Keeping Up With the Performance Demands of Encrypted Web Traffic
- G Data Security
  - How Malware Gets a Free Pass
- Ed Miles and Justin Warner at Gigamon
  - Parental Monitoring Gone Bad — Analysis of an Unassuming Mobile Threat
- Kaspersky Lab
  - Fake e-mail scanner
- Kyle Cucci at SecurityLiterate
- LIFARS Cybersecurity Blog – LIFARS, Your Cyber Resiliency Partner
  - Phishing for Office 365 logins using Google Cloud Services
- Lost in Security (and mostly everything else)
  - 2020-07-31 Deobfuscating IcedID Macro Script
- NVISO Labs
  - Debugging DLL’s – 3 techniques to help you get started
- Patrick Wardle
  - The Art Of Mac Malware
- Patrick Wardle at Objective-See
  - Office Drama on macOS
- Radware
  - When You Get Breached, So Do Your Customers
- SANS Internet Storm Center
  - Powershell Bot with Multiple C2 Protocols, (Mon, Aug 3rd)
  - Small Challenge: A Simple Word Maldoc, (Sun, Aug 2nd)
  - TA551 (Shathak) Word docs push IcedID (Bokbot), (Fri, Aug 7th)
  - A Fork of the FTCode Powershell Ransomware, (Thu, Aug 6th)
  - Traffic Analysis Quiz: What’s the Malware From This Infection?, (Wed, Aug 5th)
  - Scanning Activity Include Netcat Listener, (Sat, Aug 8th)
- Securelist
  - Incident Response Analyst Report 2019 (10 page PDF)
- Sophos News
  - The realities of ransomware: Five signs you’re about to be attacked
- Sucuri Blog
- Thomas Roccia’s Fifty Shades of Malware series
- va_start research
  - How I Compile Reverse Engineering Exercises For Maximum Learning And Minimum Noise
- WeLiveSecurity
  - Stadeo: Deobfuscating Stantinko and more
MISCELLANEOUS
- Andrew Rathbun at AboutDFIR
- AT&T Cybersecurity
  - Digital signatures security explained
- Yulia Samoteykina at Atola
  - Imaging RAID 5 array with Atola TaskForce
- Santosh Khadsare at Digital Forensics (4N6) Blog
  - Emergency Download Mode (EDL)
- Elan at DFIR Diva
  - My Experience With the SANS FOR500 Course and the GCFE Exam
- Forensic Focus
- Forensic Horizons
  - All the pieces matter: Finding the best digital forensic expert
- Kevin Pagano at Stark 4N6
  - My First SANS DFIR Summit Experience
- Magnet Forensics
  - All Your Case Data in Magnet AXIOM: Pt 1 — Why It Matters
  - All Your Case Data in Magnet AXIOM: Pt 2 — Bringing in Mobile Data
  - All Your Case Data in Magnet AXIOM: Pt 3 — Bringing in Computer Data
  - All Your Case Data in Magnet AXIOM: Pt 4 — Bringing in Cloud Data
  - All Your Case Data in Magnet AXIOM: Pt 5 — Integrated Analysis & Reporting
  - More Efficient Mobile Workflows Now in Magnet AUTOMATE 2.3
- Amber Schroader at Paraben Corporation
  - Setting up a Digital Forensic Lab Part 2
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — August 2 to August 8
- SANS
- Tetra Defense
  - Stronger Together: Meet Cindy Murphy
SOFTWARE UPDATES
- iLEAPP
  - Sysdiagnose, tar.gz, & locations category additions
- Abdulaziz Alwashmi
  - MasterParser
- OMENScan
  - AChoir v4.4a
- Binalyze
  - Version 2.3.7 (Preview)
- Chapin Bryce
  - chickadee
- Ciphey
  - New Ciphers
- Costas K
- Elcomsoft
  - iOS Forensic Toolkit 6.30: jailbreak-free iOS 9 support, user data extraction
- JPCERT
  - v1.4.2
- Hussien Yousef
  - LokiX Platform OVA v1.0
- Maxim Suhanov
  - 1.0.7
- Ryan Benson at dfir.blog
  - New Unfurl Version Released
- Sandfly Security
  - Sandfly 2.7.0 – Mitre ATT&CK Tags, Enhanced Linux Stealth Rootkit De-Cloaking and SCTP Backdoor Detection
- SpecterOps
  - Persistent JXA
- MemProcFS
  - Version 3.3
- Xways
  - X-Ways Forensics 20.0 Beta 8
And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!