As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Geri at ‘4n6 Ninja’
  Sharing is Caring – An Overview of Shared Albums in iOS
  
  
• Atropos4n6
  Has the user logged into this account, or not? (Google Chrome’s Web Data-Part 2)
  
  
• Bryan Ambrose at Data Digitally
  • Video and Image Analysis – Authentication
  • Microsoft Teams artifacts and chat logs
    
    
• Alex Caithness at CCL
  Hang on! That’s not SQLite! Chrome, Electron and LevelDB
  
  
• Chris Vance at ‘D20 Forensics’
  iOS 14 – Tracking App Clips in iOS 14
  
  
• Oleg Afonin at Elcomsoft
  iOS 14 Forensics: What Has Changed Since iOS 13.7?
  
  
• Jeenali Kothari at Hacking Articles
  Digital Forensics: An Introduction (Part 2)
  
  
• James Smith at DFIR Madness
  • Case 001 – The Stolen Szechuan Sauce
  • Forensic Artifacts Rundown
  • Building a DFIR Analysis Fort
    
    
• Lorie Hermesdorf
  ProtonMail
  
  
• Joachim Metz at Open Source DFIR
  Testing digital forensic data processing tools
  
  
• Oxygen Forensics
  Data extraction from Samsung devices based on Exynos chipsets
  
  
• Peter Stewart
  Memlabs Memory Forensics Challenges – Lab 3 Write-up
  

THREAT INTELLIGENCE/HUNTING

• Alex Verboon at ‘Anything about IT’
  MTP Advanced Hunting – Public free E-Mail services
  
  
• Amnesty International
  German-made FinSpy spyware found in Egypt, and Mac and Linux versions revealed
  
  
• Anton Chuvakin
  • Can We Have “Detection as Code”?
  • Chronicle Detect is Here
  • Posts From Beyond The Grave: How To Impress / Annoy An Analyst During A Briefing
    
    
• Azure Sentinel
  • What’s New: PowerShell+Azure Sentinel notebooks to supercharge your hunting and investigations!
  • What’s new: The new Azure Sentinel Notebooks experience is now in public preview!
    
    
• Rustam Mirkasymov and Oleg Skulkin at Group-IB
  Big Game Hunting: Now in Russia
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2020-09-24 – FedEx-themed malspam with links for Dridex
  • 2020-09-25 – Traffic Analysis Exercise – Trouble Alert
    
    
• Nick Mavis at Cisco’s Talos
  New Snort, ClamAV coverage strikes back against Cobalt Strike
  
  
• Keith J. Jones at Corelight
  Give me my stats!
  
  
• CrowdStrike
  Double Trouble: Ransomware with Data Leak Extortion, Part 1
  
  
• Curtis Brazzell
  One Part Steganography, Four Redirectors, and a Splash of C2!
  
  
• Nir Chako at CyberArk
  Your Network Through the Eyes of a Hacker
  
  
• Max Heinemeyer at Darktrace
  Fast and stealthy malware attempts to steal public data from government organization
  
  
• David Rowe at SecFrame
  Bloodhound in Docker in a Browser. Oh My
  
  
• Guillaume Couchard, Qimin Wang, and Thiam Loong Siew at F-Secure
  Catching Lazarus: Threat Intelligence to Real Detection Logic – Part One
  
  
• Derek Manky at Fortinet
  Threat Intelligence is the Lifeblood of Active Security
  
  
• Vijay at Hacking Articles
  Threat Hunting: Velociraptor for Endpoint Monitoring (Part 2)
  
  
• Kate at 360 Total Security
  APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries  — HpReact campaign
  
  
• Kevin Beaumont at DoublePulsar
  In the wild exploitation of ZeroLogon detected over the internet on honeypot.
  
  
• Olaf Hartong at Falcon Force
  FalconFriday — Process injection and malicious CPL files — 0xFF03
  
  
• Picus Security
  • MITRE ATT&CK T1064 Scripting
  • Hackers’ Favourite Scripting Languages Part 1: MITRE ATT&CK T1064 Scripting Technique
    
    
• Susannah Clark at Red Canary
  Nothing to hide: seeking out rootkits
  
  
• Noushin Shabab at Securelist
  Looking for sophisticated malware in IoT devices
  
  
• Luis Francisco Monge at Security Art Work
  • Threat hunting: cazando sin salir de casa (I)
  • Threat hunting: cazando sin salir de casa (II)
    
    
• SentinelOne
  • Revisiting the Pyramid of Pain | Leveraging EDR Data to Improve Cyber Threat Intelligence
  • APTs and Defending the Enterprise in an Age of Cyber Uncertainty
    
    
• Leo Pitt at SpecterOps
  Are You Docking Kidding Me?
  
  
• Hans Lakhan at TrustedSec
  Azure Account Hijacking using mimikatz’s lsadump::setntlm
  
  
• Takahiro Haruyama and Omar Elgebaly at VMware Carbon Black
  Detecting Threats in Real-time With Active C2 Information
  
  

UPCOMING EVENTS

• Cellebrite
  • Physical Analyzer basics: Setting up translations and creating UFED Reader reports
  • Learn all about phone extractions and stand to win a USD50 Amazon gift voucher!
    
    
• Daniel Frank and Lior Rochberger at Cybereason
  VB2020: Anchor, Bazar, and the Trickbot Connection
  
  
• TrustedSec
  Discord Hangouts – Windows File System
  
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Parse iTunes Backups with iLEAPP
  
  
• Forensic Focus’ interview with Lodrina
  Podcast: Lodrina Cherne On Diversity In Digital Forensics
  
  
• Kevin Ripa at SANS
  • Episode 117: Don’t Assume I Know What You Know
  • Episode 118: Weird Keyboard Characters
  • Episode 119: Artifacts Are Not There for You
    
    
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.17 – Shelly Giesbrecht
  
  
• Basis Technology
  • Customizing Rosette Entity Extractor Demo of Rosette to Remove PII
  • Happy Holidays from Renzik – OSDFCon 2019 – Brian Carrier
    
    
• BlackPerl
  Use Autopsy for Insider threat detection | Employee found guilty -Digital Forensics Case Study
  
  
• Cellebrite
  • iCloud Production Series: Part1 – Working with Data
  • iCloud Production Series: Part2 – Decryption on Windows
  • iCloud Production Series: Part3 – Decrypting on MacOS
  • iCloud Production series: Part4  – Processing and Investigating
  • Importing Berla’s .ivx vehicle report
  • MacOS Keychain Processing
  • Creating a portable case within BlackLight is as simple as a few easy clicks.
  • Ask the Expert with iNPUT-ACE: How Video Evidence Enhances the Digital Intelligence Workflow
  • Avoiding the “Gotchas” while Triaging and Imaging a Mac
  • Apollo Integration
  • Parsing Airdrop Artifacts
  • Windows Memory Artifacts
  • Wi-Fi Information
  • Volume Shadow Copies in Windows (VSC)
  • Windows User Assist
  • Top Contacts
  • Unlock and Add Bitlocker protected evidence
  • Changes to the Evidence Status Window
  • Windows Prefetch & Superfetch
  • Tear Off Feature
  • System Logs
  • Windows Shellbags
    
    
• Detections Podcast
  Season 3 Episode 2: Detections Job Series: Dangerous Mind with Ali on Insecurity
  
  
• Santosh Khadsare
  Youtube Videos on Digital Forensics
  
  
• Down the Security Rabbithole Podcast
  DtSR Episode 413 – TPA SOCs and Stuff
  
  
• Mark Baker at iNPUT-ACE
  Auto Save Feature
  
  
• Jorge Orchilles
  Emulating Adversaries via Attack Chains
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 128
  
  
• MSAB
  MSAB Online on-demand Mobile Forensics Training
  
  
• Neil Fox
  #8 How to Manually Unpack Emotet Malware
  
  
• Ryan Benson at dfir.blog
  Video of “Extract & Visualize Data from URLs using Unfurl” Posted
  
  
• SANS
  • Keynote: A DFIRent side of DFIR: Forensicating for Black Lives & Other Social Justice Issues
  • Building a Pipeline for Secure Virtual Machines in AWS | SANS Cloud Security Summit 2020
  • SANS Live Online Testimonial Compilation
  • Put a Lid on Those AWS S3 Buckets | SANS Cloud Security Summit 2020
  • Doing Cloud in China | SANS Cloud Security Summit 2020
  • Lessons Learned from Cloud Security Incidents, Past and Present  | SANS Cloud Security Summit 2020
  • The Value of Commercial Threat Intelligence Sources | STAR Webcast
    
    

MALWARE

• Alex Turing and Hui Wang at 360 Netlab
  Ghost in action: the Specter botnet
  
  
• Jaeson Schultz and Matt Valites at Cisco’s Talos
  The Internet did my homework
  
  
• Click All the Things!
  • zLoader XLM Update: Macro code and behavior change
  • dridex maldoc: The unholy union of VBA and XLM
    
    
• Corey O’Connor at CyberArk
  Prehistoric Security Controls: Deconstructing the Jurassic Park Insider Threat Incident
  
  
• Cyborg Security
  • An Anatomy of the Actors behind the Largest Ever Magecart Attack
  • Cyborg Security Splunk App – Threat Feed, Hunt & Detections
    
    
• Naivenom at ‘Follow The White Rabbit’
  Introducción al Reversing – 0x0B Shellcode básica
  
  
• Heimdal Security
  • Sodinokibi Ransomware 101: Origin, Victims, Prevention Strategies
  • Virus vs. Worm: What’s the Difference?
    
    
• Herbie Zimmerman at ‘Lost in Security’
  2020-09-22 Deobfuscating Emotet Script
  
  
• Malwarebytes Labs
  • Taurus Project stealer now spreading via malvertising campaign
  • Sandbox in security: what is it, and how it relates to malware
    
    
• Microsoft Security
  Microsoft Security—detecting empires in the cloud
  
  
• Karlo Zanki at ReversingLabs
  Taidoor – a truly persistent threat
  
  
• SANS Internet Storm Center
  • Slightly broken overlay phishing, (Mon, Sep 21st)
  • Analysis of a Salesforce Phishing Emails, (Sun, Sep 20th)
  • Malicious Word Document with Dynamic Content, (Wed, Sep 23rd)
  • Party in Ibiza with PowerShell, (Thu, Sep 24th)
    
    
• Andrew Brandt, Fraser Howard, and Andrew O’Donnell at Sophos
  Email-delivered MoDi RAT attack pastes PowerShell commands
  
  
• Sucuri
  • Phishing Page Targets AT&T’s Employee Multi-Factor Authentication
  • Malicious One-Liner Using Hastebin
  • Magento Credit Card Stealing Malware: gstaticapi
    
    
• Tilden Swans
  Using what we built (APK Analysis)
  
  
• Trend Micro
  • Cybercriminals Distribute Backdoor With VPN Installer
  • The Evolution of Malicious Shell Scripts
    
    
• Vishal Thakur
  Grinju Malware: Anti-analysis (on steroids) | Part 1
  
  
• Viral Gandhi at ZScaler
  Joker Playing Hide-and-Seek with Google Play
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 9/24/2020
  
  
• Adam at Hexacorn
  RTF…M
  
  
• Ben Bornholm at HoldMyBeer
  Compile Suricata v5.0.3 with PF_RING v7.6.0 on Ubuntu 20.04
  
  
• Cellebrite
  UTXO vs Wallet-to-Wallet Tracing in Bitcoin Investigations
  
  
• Ian Stevenson at Cyan Forensics
  Cyan Forensics partners with Susteen to deliver rapid scanning of smartphones
  
  
• Santosh Khadsare
  Writing a Digital/Cyber Forensic Report
  
  
• Kai Thomsen at Dragos
  Handling Incidents in ICS – Getting to the Root of the Problem
  
  
• Forensic Focus
  • MD-Explorer – Separately Executable And Portable MD-RED’s Viewer Program
  • HTCIA Conference: September 28 – October 2
  • How To Find Location Data From Pictures In XAMN
  • How To Use The Magnet Web Page Saver
  • DFRWS Virtual USA 2020: Recap
    
    
• Griffeye
  Serving those who protect is more important now than ever
  
  
• Hex Rays
  Igor’s tip of the week #08: Batch mode under the hood
  
  
• Lifars
  • What is incident response readiness assessment?
  • Communication During Incident Response
    
    
• Magnet Forensics
  • Using Magnet AUTOMATE to Audit and Validate Tools
  • Introducing AFF4-L Support in Magnet AXIOM Cyber
  • AFF4-L Support, Portable Case Updates and More in Magnet AXIOM 4.5
  • Magnet Weekly CTF Challenge
    
    
• Mail Xaminer
  Let Us Know How to Conduct Workplace Investigation: Dig In Here!
  
  
• Whitney Champion at Recon InfoSec
  Securing Your Velociraptor Deployment
  
  
• Richard Frawley at ADF
  Stealth Counterterrorism Operations: Best DOMEX Site Exploitation Tool
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — September 20 to September 26
  
  

SOFTWARE UPDATES

• AccessData
  AccessData Announces the Release of New Quin-C User Interface
  
  
• Belkasoft
  Belkasoft Evidence Center 9.9 is Updated
  
  
• Brim
  v0.18.0
  
  
• Cooper Quintin at EFF
  Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab
  
  
• DME Forensics
  Download DVR Examiner 2.9.2
  
  
• Oxygen Forensics
  Oxygen Forensic Detective 13.0 Offers Samsung Exynos Dump And OCR Section
  
  
• rtfsig
  Initial public release
  
  
• Griffeye
  Release of Analyze 20. 3
  
  
• Magnet Forensics
  • New in Magnet AUTOMATE 2.4: Enhanced Case Auditing & Validation Capabilities
  • Improved Searching Functionality in Magnet AXIOM 4.5
    
    
• Malwoverview
  Malwoverview 4.2
  
  
• Maxim Suhanov
  1.0.8
  
  
• Microsoft Threat Intelligence Center
  MSTICPy 0.8.0 Release
  
  
• MISP
  MISP 2.4.132 released (security fix CVE-2020-25766 and bugs fixed)
  
  
• Netresec
  NetworkMiner 2.6 Released
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.0
  
  
• SalvationData
  [Product Launch]The Efficient and Powerful MySQL Database Repair Tool-DBR Official Released Now!
  
  
• Sandfly Security
  Sandfly 2.7.2 – Performance Update
  
  
• TZWorks
  Sept 2020 build (package)
  
  
• Velociraptor
  Release 0.5.0
  
  
• Xways
  • X-Ways Forensics 20.0 SR-5
  • X-Ways Forensics 20.1 Preview 5
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!