We’re finishing up with Beta 2 for FOR308, and the course is scheduled to run next at DFIRCON in November. If you’re looking for an introductory DFIR class then look no further!

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• AbdulRhman Alfaifi at U0041
  Certutil Artifacts Analysis
  
  
• Atropos4n6
  Artifacts of Dropbox Usage on Windows 10 (Part 2)
  
  
• Belkasoft
  Find out what happened during a ransomware attack on computer
  
  
• Clint Marsden
  The core of all reporting
  
  
• Michal Rozin at Cellebrite
  Decrypting Databases Using RAM Dump – Health Data
  
  
• Chris at AskClees
  • New Blog!
  • When VM’s go wrong
    
    
• Chris Vance at ‘D20 Forensics’
  • iOS – The Files App
  • iOS – Files App Part Deux: Quick Images and A Chart!
    
    
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Connecting the iDOTs
  
  
• Michael Karsyan at Event Log Explorer blog
  How to display logons of non-domain users to the system
  
  
• Forensic Focus
  • Digital Forensics Standard-Setting: Summer 2020 Round-Up
  • MSAB & PenLink: Combining the Powers of Mobile Forensics
  • Dealing With The Data Deluge In Law Enforcement
  • Timelines In Digital Forensic Investigation: From Investigation To Court
  • White Paper – How MD-RED Recovers And Decrypts WhatsApp Data
    
    
• Hacking Articles
  • SIEM: Windows Client Monitoring with Splunk
  • USB Forensics: Detection & Investigation
  • I’m including this one, but please note there are a number of inaccuracies in the post. The Last Access time is not the last time that the file was accessed by a user, the “preserving” copy operations demonstrated seem to adjust the modified timestamp by 1 second in the screenshots, and by copying to a FAT file system they lose the time component of the Last Accessed timestamp, as shown in the screenshot. Caveat; I haven’t tested any of these utilities.
    Forensic Investigation: Preserve Time Stamp
    
    
• Jesse Spangenberger at Cyber Fēnix Tech
  iOS Forensics: iLEAPP updates
  
  
• Nik Alleyne at ‘Security Nik’
  • Beginning File System Forensics – Timeline analysis
  • Beginning File System Forensics – mounting and learning about the drive
  • Beginning File System Forensics – Acquiring Disk Image
    
    
• Oxygen Forensics
  • Support for Mediatek Devices in Oxygen Forensic® Detective
  • Huawei test point
    
    

• Sarah Edwards at Mac4n6
  Analysis of Apple Unified Logs [Entry 12] – Quick & Easy Unified Log Collection from iOS Devices for Testing
  

THREAT INTELLIGENCE/HUNTING

• Keith Chew at Active Countermeasures
  Malware of the Day – Asprox
  
  
• Adam at Hexacorn
  Beyond good ol’ Run key, Part 127 + TestHooks bonus
  
  
• Alex Verboon at ‘Anything about IT’
  Hunting for Local Group Membership changes
  
  
• Patrick Olsen and Brandon Hjella at Awake Security
  Threat Hunting to find Misconfigured Docker Exploitation
  
  
• Oleg Skulkin and Semyon Rogachev at Group-IB
  Lock Like a Pro: Dive in Recent ProLock’s Big Game Hunting
  
  
• Brad Duncan at Malware Traffic Analysis
  2020-09-08 – Trickbot gtag ono72
  
  
• BushidoToken
  • Intelligence & Analysis report: Attacks leveraging the Cloud
  • Fantastic APTs and Where to Find Them
    
    
• Stephen Burg at Cyberbit
  Training According to MITRE ATT&CK  Enterprise Framework
  
  
• Josh Campbell at Cyborg Security
  You Can Only Hunt What You Can See: Best Network Log Sources for Threat Hunting
  
  
• Didier Stevens
  Quickpost: Downloading Files With Windows Defender & User Agent String
  
  
• Jelle Vergeer at Fox-IT
  StreamDivert: Relaying (specific) network connections
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – PowerShell
  
  
• Kirtar Oza
  Windows Process Internals: A few Concepts to know before jumping on Memory Forensics [Part 5] — A…
  
  
• Malwarebytes Labs
  Malvertising campaigns come back in full swing
  
  
• Microsoft Security
  STRONTIUM: Detecting new patterns in credential harvesting
  
  
• Jose Luis Rodriguez at MITRE ATT&CK
  Defining ATT&CK Data Sources, Part I: Enhancing the Current State
  
  
• Olaf Hartong at Falcon Force
  FalconFriday — Detecting Certutil and suspicious code compilation- 0xFF02
  
  
• Ariel Zelivansky at Palo Alto Networks
  The Challenge of Persistence in Containers and Serverless
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, July 2020
  
  
• Red Canary
  Breaking down a breach with Red Canary’s incident handling team
  
  
• Cedric Owens at ‘Red Teaming with a Blue Team Mentality’
  Purple Team Candidates for Modern Tech Environments
  
  
• redheadontherun
  Using VirusTotal API v3 Data to Detect Malicious Activity — Part 2
  
  
• Phil Stokes at SentinelOne
  Coming Out of Your Shell: From Shlayer to ZShlayer
  
  
• Robert McArdle at Trend Micro
  The Life Cycle of a Compromised (Cloud) Server
  

UPCOMING EVENTS

• CFATI’21
  IEEE CCNC 2021 WKSHPS: 2nd International Workshop on Cyber Forensics & Advanced Threat Investigations in Emerging Networks

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  How to contribute to a Github wiki page
  
  
• Jessica Hyde at Magnet Forensics
  Magnet Forensics Presents: Cache Up – Ep.15 – Devon Ackerman
  
  
• Kevin Ripa at SANS
  • Episode 112: Who Supports You?
  • Episode 113: Size vs Size on Disk-Part 1
    
    
• Brianna Drummond & Laura Hernandez share mobile reverse engineering research
  Diana Initiative 2020 – Brianna Drummond & Laura Hernandez – College Students “Driving” Digital Crash Reconstruction
  
  
• Black Hills Information Security
  Webcast: When Worlds Collide: OSS Hunting & Adversarial Simulation
  
  
• Cellebrite
  • Hidden Items in Cellebrite Physical Analyzer
  • UFED 7.36 capabilities & Handling Huawei Backup and Google Takeout [ON DEMAND]
  • Simplifying Your Digital Evidence Workflow
    
    
• Chris Sienko at the Cyber Work podcast
  Get started in computer forensics: Entry-level tips, skills and career paths
  
  
• CQURE Academy
  CQ Hacks: CQPrefetchParser
  
  
• CyberDefenders
  DetectionLabELK Elastic SIEM Detection Walkthrough
  
  
• Digital Forensic Survival Podcast
  DFSP # 238 – Bash Attacks
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 126
  
  
• Life has no ctrl alt del
  • Cellphone Records: How to Get Started, Where to Look, and How to Extract Data
  • Introduction to the Digital Forensics Essentials SANS Course
  • Setting Expectations For Mobile Extractions on Android Devices
  • “Sharks with Laser Beams” Using Multi-pass Laser Technology to Find Data
    
    

• MSAB
  • Mapping SQLite Databases in XAMN
  • How to Use the Screen Capture Option in XAMN
    
    
• Neil Fox
  #7 Intro to Analysing Malware Using x32dbg
  
  
• Richard Davis at 13Cubed
  Getting Started with Plaso and Log2Timeline – Forensic Timeline Creation
  
  
• SANS
  • Becoming the Adversary: Creating a Defensive Lab to Understand the Offense
  • What the DLL is happening? A practical approach to identifying SOH -Frank McClain – SANS DFIR Summit
  • Captain’s Log: Take your application log analysis from Starfleet to Star Fleek – SANS DFIR Summit
    
    
• The Cyber5
  Episode 23: Using Automation for Stronger Cyber Threat Intelligence, Red Team, and Blue Team Collaboration
  
  
• Tribe of Hackers Podcast
  Dave Kennedy, aka @HackingDave
  
  
• VTO
  Decontamination of Electronic Devices Explained
  
  

MALWARE

• Rolf Rolles at Möbius Strip Reverse Engineering
  An Exhaustively-Analyzed IDB for ComRAT v4
  
  
• Erik Pistelli at Cerbero Suite
  Malicious Windows Link with Embedded Microsoft Cabinet
  
  
• Mario Henkel
  Decrypting NanoCore config and dump all plugins
  
  
• Sergei Shevchenko at Prevasio
  A Router Honeypot for an IRC Bot
  
  
• Robert Simmons at ReversingLabs
  Excel 4.0 Macros
  
  
• Ryan Campbell at ‘Security Soup’
  Quick Post: Analysis of a BokBot (IcedID) Maldoc
  
  
• SANS Internet Storm Centre Handler Diaries
  • Office: About OLE and ZIP Files, (Mon, Sep 7th)
  • Recent Dridex activity, (Thu, Sep 10th)
  • What’s in Your Clipboard?  Pillaging and Protecting the Clipboard, (Fri, Sep 11th)
  • Office Documents with Embedded Objects, (Sat, Sep 12th)
    
    
• Securelist
  An overview of targeted attacks and APTs on Linux
  
  
• ShellCode Run
  Check out @LloydLabs Tweet
  
  
• Sophos
  Faking it: the thriving business of “fake alert” web scams
  
  
• Trend Micro
  • Exposed Docker Server Abused to Drop Cryptominer, DDoS Bot
  • War of Linux Cryptocurrency Miners: A Battle for Resources
  • Purple Fox EK Relies on Cloudflare for Stability
    
    
• Shivang Desai at ZScaler
  TikTok Spyware

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 9/7/2020
  
  
• Amped
  A Guide to Video Exporting Options In Amped Replay
  
  
• Mark Stone at AT&T Cybersecurity
  What is Incident Response?
  
  
• Jason Alvarez
  Catching Flies with Honeypots
  
  
• Ariel Watson at Cellebrite
  Computer Access Use Case: Cellebrite BlackLight Simplifies the Search for Indicators of Compromise at International Bank
  
  
• Chris Corde at VMware Carbon Black
  VMware Carbon Black First to Block Hidden Malicious Commands in Obfuscated Scripts
  
  
• Ohad Zaidenberg at CTI League
  CTI-League makes this year’s WIRED25!: People Who Are Making Things Better
  
  
• Craig Ball at ‘Ball in your Court’
  The Perfect Preservation Letter: A New Guide
  
  
• Didier Stevens
  Quickpost: dig On Windows
  
  
• Elan at DFIR Diva
  My Cover6 Solutions Summer Cyber Camp Experience
  
  
• Oleg Afonin at Elcomsoft
  It’s Hashed, Not Encrypted
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #06: IDA Release notes
  
  
• Jump ESP, jump!
  My WHCD exam experience
  
  
• Magnet Forensics
  • Deploying AXIOM Cyber Mac Agents via Command Line
  • Introducing the Magnet Forensics Discord Server
    
    
• MantaRay Forensics
  VirusShare Hash Sets Q3 2020
  
  
• Matt C. A. Smith
  Cracking a password-protected ZIP file with fcrackzip
  
  
• Nik Alleyne at ‘Security Nik’
  Just a few days left to register for my upcoming SANS SEC582 Mastering TShark Packet Analysis class and get a Free copy of “Hack and Detect” or “Mastering TShark Network Forensics”
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — August 30 to September 5
  
  
• ThinkDFIR
  Quick Post: Disk Images for Test Environment
  
  
• Pieces0310
  Beware of the encrypted VM – Pieces0310
  
  

SOFTWARE UPDATES

• iLEAPP
  v1.5.3-newtest: Merge pull request #79 from forensicmike/master
  
  
• Acelab
  The PCIe NVMe/AHCI Adapter for Apple Macbook SSD Is in Stock Now!
  
  
• Amped
  Amped Replay Update 18163: Introducing Assisted Tracking for Automatic Spotlighting and Redaction, Plus More Supported Video Formats
  
  
• Brim
  v0.17.0
  
  
• Cellebrite
  New decoding support for Facebook data
  
  
• Ciphey
  🧍 The Human Checker 🧍
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.06
  
  
• MISP
  MISP 2.4.131 released (improvements, bug fixes and major update to JavaScript dependencies)
  
  
• Autopsy
  Autopsy 4.16 Release Highlights
  
  
• The Sleuth Kit
  The Sleuth Kit 4.10.0 was released
  
  
• YARP
  1.0.31
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!