Thanks to Lodrina for her work on the Threat Hunting and Malware Analysis sections. This will be her last week, I can’t thank her enough for the assistance as the workload for the blog has just gone through the roof.

With everything in life at the moment I don’t think the summaries will be coming back any time soon, which is a shame because I learn a lot by writing them. But for now, the extra day/s of unpaid work getting through everything means I’m not spending time on the things that matter more. As always, thanks to those who give a little back for their support! Really means a lot that they want to keep this service going 🙂

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  iOS Forensics: HFS+ file system, partitions and relevant evidences
  
  
• Atropos4n6
  • Windows 10 Artifacts of Google Drive’s Native App Usage
  • Windows 10 Artifacts of Google Drive’s Usage via Mozilla Firefox and Google Chrome
  • Windows 10 Artifacts of Dropbox’s Native App Usage
    
    
• Cellebrite
  • How Android Bluetooth Connections Can Determine If The Hands of a Driver Were On The Wheel During An Accident
  • Cellebrite BlackLight – the Solution for APFS Snapshots
  • How to Use iOS Bluetooth Connections to Solve Crimes Faster
    
    
• Chris Vance at ‘D20 Forensics’
  • iOS – The Tile Strikes Back
  • iOS – Tile App Part 2: Custom Artifact Boogaloo
    
    
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  PNG and Hidden Pixels
  
  
• Elcomsoft
  • Setting Up Restricted Internet Connection for iPhone Extraction
  • Extracting iPhone File System and Keychain Without an Apple Developer Account
    
    
• James Duffy
  • Speed > Security – Apple’s Approach To iOS Data Security
  • Photo.sh – Analysing The Locked iPhone – Apple Photos Shared Albums
    
    
• JBrown
  Sending TLN Output to Sof-Elk
  
  
• Jesse Spangenberger at Cyber Fēnix Tech
  iOS Forensics: Data hidden within Map Cache Files
  
  
• Ari Apedaile at LMG Security
  Office 365 Tools for Digital Forensics Still Scarce Since the Magic Unicorn Tool’s Untimely Demise
  
  
• Marco Fontani at Amped
  What’s in Your Past? A Guide to Spotting Traces of Double JPEG Compression With Amped Authenticate (Part 2)
  
  
• Mary Ellen Kennel at ‘What’s A Mennonite Doing In Manhattan?!’
  SANS SOF-ELK CheatSheet
  
  
• Peter Stewart
  Memlabs Memory Forensics Challenges – Lab 2 Write-up

THREAT INTELLIGENCE/HUNTING

• A major report on TA413 and Sepulcher malware from Michael Raggi and the Proofpoint Threat Research Team
  Chinese APT TA413 Resumes Targeting of Tibet Following COVID-19 Themed Economic Espionage Campaign Delivering Sepulcher Malware Targeting Europe
  
  
• Adam at Hexacorn
  Certulitis – one tool that keeps on giving
  
  
• Sujit Ghosal at Awake Security
  Hunting for Goddi – Uncovering MITRE ATT&CK Discovery Tactics & Techniques
  
  
• Bricata
  No data? No hunt. Top tips to ensure a successful threat hunting environment
  
  
• Cyrill Brunschwiler at Compass Security Blog
  101 for lateral movement detection
  
  
• Alex Orleans at CrowdStrike
  Who Is PIONEER KITTEN?
  
  
• Brian P. Mohr at CyberMohr
  GCIA and Sentinel
  
  
• Dragos
  MITRE ATT&CK Evaluations for ICS: Detecting XENOTIME Activity
  
  
• Joost Jansen at Fox-IT on detecting obfuscated PS
  Machine learning from idea to reality: a PowerShell case study
  
  
• Graham Cluley with an ebook (regisration required)
  Free ebook: Aligning cyber skills with the MITRE ATT&CK framework
  
  
• Rob Wright for TechTarget at H-11 Digital Forensics
  The Uber data breach cover-up: A timeline of events
  
  
• Hacking Articles
  • Incident Response: Windows Account Logon and logon Events
  • Threat Hunting: Velociraptor for Endpoint Monitoring
  • Data Exfiltration using Linux Binaries
    
    
• John Hammond at Huntress Labs
  Hiding in Plain Sight || Part 2
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – SpeakUp
  
  
• bats3c at Jumpsec Labs
  Pwning Windows Event Logging with YARA rules
  
  
• Kirtar Oza
  Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 4] —…
  
  
• Charlie Klein at Logz.io
  Using Private Threat Intelligence Feeds on Hidden Security Attacks with Logz.io
  
  
• MDSec
  • I Like to Move It: Windows Lateral Movement Part 1 – WMI Event Subscription
  • FireWalker: A New Approach to Generically Bypass User-Space EDR Hooking
  • Massaging your CLR: Preventing Environment.Exit in In-Process .NET Assemblies
    
    
• Menasec
  Hunting Local Accounts and Groups Changes using Sysmon
  
  
• Yanlong Ma, Genshen Ye, Ye Jin at Netlab
  In the wild QNAP NAS attacks
  
  
• Paraflare
  • Webshell Hunting – Part 1
  • Webshell Hunting – Part 2
  • Webshell Hunting – Part 3: Hunting for Web Shells
    
    
• Steven Greenwalt at DFDR and Shane Welcher at Red Canary
  After detection: teaming up to shut down a web server attack
  
  
• Richard Bejtlich at TaoSecurity
  The FBI Intrusion Notification Program
  
  
• Sandfly Security
  Getting In The Fight
  
  
• Fred Donovan at Security Intelligence
  Under Attack: How Threat Actors are Exploiting SOCKS Proxies
  
  
• Jim Walter at SentinelOne
  The BLINDINGCAN RAT and Malicious North Korean Activity
  
  
• JJ Thompson, Joe Levy, Mat Gangwer, Ross McKerchar, and Russell Humphries at Sophos News
  A real-world guide to Threat Detection and Response: Part 1
  
  
• redheadontherun on Medium
  Using VirusTotal API v3 Data to Detect Malicious Activity — Part 1
  
  
• Yusuf Arslan Polat at Threat Intelligence.blog
  OpBlueRaven: Unveiling Fin7/Carbanak – Part II : BadUSB Attacks
  
  
• Paul Miguel Babon at Trend Micro
  Tricky ‘Forms’ of Phishing
  
  
• VTO
  VTO Tips & Tricks: Removing RF shields

UPCOMING WEBINARS/CONFERENCES

• Belkasoft
  • WhatsApp Forensics with Belkasoft Evidence Center
  • Webinar: Benefits of Remote Forensics
    
    
• Cellebrite
  • Episode 9: I Beg to DFIR – Whatchu talkin about, Willis? I ain’t got no data here…or do I?
  • Overcoming digital data barriers at the border and beyond
    
    
• Elan at DFIR Diva
  DFIR Related Events for Beginners – September, 2020
  
  
• Patrick Horgan at Griffeye
  Welcome to an introduction to Analyze DI for UK investigators
  
  
• Magnet Forensics
  Virtually Together
  
  
• Open Source Digital Forensics Conference
  OSDFCon
  
  
• Splunk
  • Boss of the NOC at .conf20
  • Boss of the SOC V at .conf20

PRESENTATIONS/PODCASTS

• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.14 – James Duffy
  
  
• Kevin Ripa at SANS
  • Episode 109: The TWO Serial Numbers of a USB Device – Part 4
  • Episode 110: The Volume Serial Number
  • Episode 111: The difference between ‘possible’ and ‘probable’.
    
    
• Presenting tips from John Strand at BHIS on YouTube
  • How to Present: Secrets of a Retired SANS Instructor | John Strand | 1 Hour
  • How to Present Secrets of a Retired SANS Instructor | John Strand | Bonus Track
    
    
• Breaking Badness podcast
  59. Tesla Ransomware Safe
  
  
• Cellebrite
  • Heather Mahalik shows you how to detect hidden images on iOS
  • Steps for loading Facebook Takeout into Cellebrite Physical Analyzer.
  • Heather Mahalik answers iOS13 FAQs
  • DB Viewer Highlights – Cellebrite Physical Analyzer has a database viewer that is simply to use
    
    
• CQURE Academy
  • Webinar Replay – Forensics and Prevention in the New Reality by Paula J
  • How to Recover Corrupted EVTX Log Files and Extract Information
    
    
• Digital Forensic Survival Podcast
  DFSP # 237 – Attack Shimming
  
  
• Lee Reiber at Mobile Forensic Investigations
  • Oxygen Forensics Episode 124
  • Oxygen Forensics Episode 125
    
    
• SANS
  STAR Webcast: Becoming the Adversary: Creating a Defensive Lab to Understand the Offense
  
  
• Sumuri
  SUMURI’s Intel and AMD: Choose Your Own Adventure
  
  
• This Month In 4n6
  This Month In 4n6 – August – 2020
  
  
• Velocidex Enterprises
  The Velociraptor Offline Collector

MALWARE

• In my last week sorting through malware and threat hunting links, I get to give a shout out to my colleagues at Cybereason including Tom Fakterman with research on the PyVil RAT.
  No Rest for the Wicked: Evilnum Unleashes PyVil RAT
  
  
• Keith Chew at Active Countermeasures
  Malware of the Day – Comfoo
  
  
• Rolf Rolles at Möbius Strip Reverse Engineering
  An Exhaustively-Analyzed IDB for ComRAT v4
  
  
• Cisco Talos
  • Quarterly Report: Incident Response trends in Summer 2020
  • Salfram: Robbing the place without removing your name tag
  • Threat protection: The WastedLocker ransomware
    
    
• Cofense
  • Avaddon Ransomware Joins Data Exfiltration Trend
  • Message Quarantine Campaign with Overlying Potential
    
    
• Luca Ebach at cyber.wtf
  Trickbot rdpscanDll – Transforming Candidate Credentials for Brute-Forcing RDP Servers
  
  
• Cyberwise with a report from Ali Rıza Şahinkaya, Can Atakan Işık and Rıdvan Ethem Canavar (direct link to 47 page PDF)
  Cerberus Banking Trojan Analysis
  
  
• Karsten Hahn at G Data Security
  DLL Fixer leads to Cyrat Ransomware
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #05: Highlight
  
  
• Matan Kubovsky at Illusive Networks
  MITRE Shield Tactics Confirm that Deception Is Essential
  
  
• Shusei Tomonaga at JPCERT/CC
  Malware Used by Lazarus after Network Intrusion
  
  
• LIFARS Cybersecurity Blog
  DeathStalker: A threat group utilizing unique methods
  
  
• Mario Henkel
  Decrypting AgentTesla strings and config
  
  
• MikeCyberSec
  • Introduction to Malware Analysis
  • MA-01 — Emerging Malware Analysis News/Intel
  • MA-02 — WindowsAPI Library
    
    
• NETSCOUT
  Bank Thwarts Merciless DDoS Attack
  
  
• NVISO Labs
  • Epic Manchego – atypical maldoc delivery brings flurry of infostealers
  • Backdooring Android Apps for Dummies
    
    
• Palo Alto Networks
  • Cybersquatting: Attackers Mimicking Domains of Major Brands Including Facebook, Apple, Amazon and Netflix to Scam Consumers
  • Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa
    
    
• Patrick Wardle at ‘Objective-See’
  Apple Approved Malware
  
  
• Axel F. at Proofpoint
  A Comprehensive Look at Emotet’s Summer 2020 Return
  
  
• SANS Internet Storm Center
  • Malicious Excel Sheet with a NULL VT Score: More Info, (Sat, Aug 29th)
  • Python and Risky Windows API Calls, (Wed, Sep 2nd)
  • Exposed Windows Domain Controllers Used in CLDAP  DDoS Attacks, (Tue, Sep 1st)
  • Finding The Original Maldoc, (Mon, Aug 31st)
  • A blast from the past – XXEncoded VB6.0 Trojan, (Fri, Sep 4th)
    
    
• Dwight Hohnstein at SpecterOps
  Malware Development Pt. 1: Dynamic Module Loading in Go
  
  
• Krasimir Konov at Sucuri Blog
  Using assert() to Execute Malware in PHP 7 Environments
  
  
• The DFIR Report
  NetWalker Ransomware in 1 Hour
  
  
• Justin Vaicaro at TrustedSec
  SMS Phish – An Incident Walkthrough
  
  
• Matthieu Faou and  Alexandre Côté Cyr at ESET WeLiveSecurity
  KryptoCibule: The multitasking multicurrency cryptostealer

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  • AboutDFIR Content Update 9/2/2020
  • Introducing the AboutDFIR LinkedIn Page!
  • Join Devon Ackerman on Cache Up

•  
• CISA released vulnerability disclosure guidance this week but what does that mean in practice? Duo shares some thoughts
  
  
• Adrian at ‘Agood cloud’
  Using TheHive4 webooks to create Microsoft Teams cards via Nodered
  
  
• Brett Shavers
  • Should you improve your DFIR skills on your personal time?
  • The imminent closure of Patreon, aka: Why I Now Use My Own Platform
  • How do you know if your DFIR case will be an amazing case or a case from hell?
    
    
• Chris Sanders
  New Book: Intrusion Detection Honeypots
  
  
• Forensic Focus
  • Digital Forensic Evidence And Artifacts: Recent News And Research
  • How To Bulk Tag Evidence With Nuix Investigate
  • COVID Fraud Is A Crisis Within A Crisis
  • Case Study: Digital Evidence Confirms Players In Major Bitcoin Heist
  • Qualifying A Digital Forensic Expert In Court (Voir Dire)
    
    
• Mark Baker at Input Ace
  The People v. Hung Tran
  
  
• Richard Frawley at ADF
  • How to Prepare a Digital Evidence Collection Key | Digital Forensics
  • How to Prepare a Multiple Digital Evidence Collection Keys | Forensics
    
    
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — August 30 to September 5

SOFTWARE UPDATES

• iLEAPP
  Tile App Geolocation from logs
  
  
• Brim
  v0.16.0-hotfix
  
  
• Ciphey
  v5.3.3: Merge pull request #332 from Ciphey/disable-nested
  
  
• Didier Stevens
  Update: oledump.py 0.0.53
  
  
• Elcomsoft
  iOS Forensic Toolkit 6.50: jailbreak-free extraction without an Apple Developer Account
  
  
• Kaspersky Lab
  The Catcher in the YARA — predicting black swans
  
  
• F-Response
  F-Response v 8.0.1.69 Released
  
  
• MSAB
  XRY 9.1.2 – Checkm8 extraction and BFU acquisition for iOS
  
  
• NirBlog
  Open .etl log files of Windows 10 Update with FullEventLogView tool
  
  
• OpenText
  What’s new in OpenText EnCase Forensic and OpenText Endpoint Investigator 20.3
  
  
• radare2
  Release 4.5.1
  
  
• SalvationData
  • [Software Update] Computer Forensics: DRS V18.7.3.318 New Version Release for Better User Experience!
  • [Software Update] DVR Forensics: VIP 2.0 V20.0.1.1151 New Version Released for Better User Experience!
    
    
• Sekoia
  Intégrations MISP et CORTEX pour SEKOIA.IO
  
  
• Velociraptor
  Release 0.4.9
  
  
• Xways
  • X-Ways Forensics 20.0 SR-2
  • X-Ways Forensics 20.1 Preview 1b

And that’s all for the week! If you think we’ve missed something, or want us to cover something specifically hit us up through the contact page or on the social pipes!