Jason Jordaan, one of my FOR308 coauthors, has shared his thoughts about our class. You can take the class with Jason at DFIRCON in November!

• Why should you take the FOR308: Digital Forensics Essentials? We answer this question and more.
• Building a House on Sand – Why Foundational Knowledge and Skills in Digital Forensics are Crucial

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Cellebrite
  • Converting Unified Logs – A Great Disturbance In The Force
  • Ask the Expert: How to Use Cellebrite BlackLight to Find Actionable Intelligence
  • Cellebrite Announces The Launch Of The Digital Intelligence Readiness Navigator
  • The Digital Intelligence Readiness Navigator – An Online Tool to Manage Digital Investigations
  • How SD Card Data Impacts Digital Investigations
    
    
• Chris at AskClees
  Timelining using SQLite Write Ahead Logs
  
  
• Joshua James at Digital Forensic Science
  HFS+ Header trivia
  
  
• Forensics Matters
  Forensics timeline using plaso log2timeline for Windows
  
  
• Vishva Vaghela at Hacking Articles
  Forensic Investigation : Prefetch File
  
  
• James Smith at DFIR Madness
  • Answers to the Case of the Stolen Szechuan Sauce (Case001)
  • Case 001 PCAP Analysis
    
    
• Jesse Spangenberger at Cyber Fēnix Tech
  Geolocation: A Look at Sensorvault
  
  
• Magnet Weekly CTF writeups
  • Doug Metz at Baker Street Forensics
    Magnet CTF:
    Question 1 Solution Walk-Through
  • Joshua James atDigital Forensic Science
    Magnet CTF Week 1 – Timestamps of doom
  • Jon Baumann at Ciofeca Forensics
    Magnet CTF Week 1: No Tools Required
  • Kevin Pagano at Stark 4N6
    Magnet Weekly CTF (Week 1) – Hosts File
  • Korstiaan Stam at Cloud Response
    Write-up Magnet Weekly CTF
  • Peter Stewart
    Magnet Weekly CTF – Week 1 – Mapping the Digits
  • Zach Stanford
    Magnet Weekly CTF Challenge Week #1
    
    
• Oxygen Forensics
  Zoom Data Extraction in Oxygen Forensic Detective
  
  
• Peter Stewart
  Memlabs Memory Forensics Challenges – Lab 4 Write-up
  
  
• Robert Graham at Errata Security
  • Yes, we can validate leaked emails
  • No, that’s not how warrantee expiration works
  • No, font errors mean nothing in that NYPost article
    
    
• Chrome Evolution
  Check out @_RyanBenson’s Tweet
  
  
• Ryan Benson at dfir.blog
  New “Media History” File Added to Chrome
  
  
• TheHexNinja
  Capturing Windows Memory
  
  
• iOS13&14 Photos.sqlite queries
  Check out @Scott_Kjr’s Tweet

THREAT INTELLIGENCE/HUNTING

• @dtmsecurity
  Code execution via the Windows Update client (wuauclt)
  
  
• 360 Total Security
  Secret-stealing Trojan active in Brazil releases the new framework SolarSys
  
  
• Bill Stearns at Active Countermeasures
  Why You Can’t Monitor a 1 GB Connection With a 1 GB Span Port
  
  
• Adam at Hexacorn
  Beyond good ol’ Run key, Part 129
  
  
• Roman Marshanski & Vitali Kremez at Advanced Intelligence
  “Front Door” into BazarBackdoor: Stealthy Cybercrime Weapon
  
  
• AWS Security
  How to automatically archive expected IAM Access Analyzer findings
  
  
• Ashwin Patil at Azure Sentinel
  Using Jupyter Notebook to analyze and visualize Azure Sentinel Analytics and Hunting Queries
  
  
• Borja Merino at BlackArrow
  Attackers Abuse MobileIron’s RCE to deliver Kaiten
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2020-10-12 – Excel spreadsheet macro pushes Lokibot
  • 2020-10-17 – My Patreon mistake
  • 2020-10-16 – TA551 (Shathak) Word docs push IcedID
  • 2020-10-12 – Excel spreadsheet macro pushes Lokibot
    
    
• Check Point Software
  • Ransomware: How to Avoid the Dangerous Wave of Attacks
  • Notice the unnoticed: Threat Hunting by SandBlast Agent
    
    
• ClearSky Cyber Security
  Operation Quicksand
  
  
• Ben Reardon at Corelight
  Zeek Community activates to detect a “Bad Neighbor” (CVE-2020-16898)
  
  
• CyCraft Technology Corp
  Taiwan Government Targeted by Multiple Cyberattacks in April 2020
  
  
• Nicolas Fischbach at Forcepoint
  Shifting Gears from IOCs to IOBs
  
  
• Hacking Articles
  • Fast Incident Response and Data Collection
  • SIEM Lab Setup: AlienVault
    
    
• Intel 471
  Criminals posing as ‘Lazarus Group’ threatened Travelex: 20 bitcoin or we launch a DDoS
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – APT41
  
  
• Jumpsec Labs
  • Pwning Windows Event Logging with YARA rules
  • Defending Your Malware
    
    
• Gedalyah Reback at Logz io
  5 Things to Know When Choosing Open Source SIEM Tools
  
  
• Malwarebytes Labs
  Silent Librarian APT right on schedule for 20/21 academic year
  
  
• MDSec
  • I Like to Move It: Windows Lateral Movement Part 3: DLL Hijacking
  • Covert Web Shells in .NET with Read-Only Web Paths
    
    
• Nasreddine Bencherchali
  What is the “DLLHOST.EXE” Process Actually Running
  
  
• Proofpoint
  Agile Threat Actors Pivot from COVID-19 to Voter Registration Themes in Phishing Lures
  
  
• Red Canary
  • Detection validation: going atomic on false negatives
  • Catching Taurus malware with behavioral analytics and Microsoft alerts
    
    
• Cedric Owens at ‘Red Teaming with a Blue Team Mentaility’
  A Look At Python-less Office Macros for macOS
  
  
• Redheadontherun
  Detecting Cobalt Strike by Fingerprinting Imageload Events
  
  
• Joshua Wright at SANS
  Red Team Tactics: Hiding Windows Services
  
  
• Security Art Work
  • Sandbox evasion: Identificando Blue Teams
  • Threat hunting (V): cazando sin salir de casa. Jupyter Notebooks
    
    
• Sekoia
  Analysis and detection of MITM phishing attacks bypassing 2FA: O365 use case
  
  
• Sean Gallagher at Sophos
  They’re back: inside a new Ryuk ransomware attack
  
  
• Luke Leal at Sucuri
  Magento Phishing Leverages JavaScript For Exfiltration
  
  
• Rachel Cipkins at Trail of Bits
  Osquery: Using D-Bus to query systemd data
  
  
• Trickbit disruption?
  • Recent Trickbot disruption operation likely to have only short-term impact
  • That was quick: Trickbot is back after disruption attempts
  • Trickbot disrupted
  • Trickbot and the Context of Cyber Warfare
  • ESET takes part in global operation to disrupt Trickbot
    
    
• Rik Van Duijn at Zolder
  Honeytokens using Azure Keyvaults

UPCOMING EVENTS

• Acelab
  ACE Lab at the International Data Recovery and Digital Forensics Events
  
  
• ActiveCountermeasures
  Training: Cyber Threat Hunting w/ Chris Brenton – October Session (4-Hours)
  
  
• Belkasoft
  USB Forensics with Belkasoft
  
  
• Cellebrite
  • Closing the Intelligence Gaps Within And Beyond Prison Walls With DI
  • Cellebrite Launches “Connect” Global Virtual Summit Series
    
    
• MSAB
  What’s New in XEC
  
  
• Scythe
  SCYTHE Presents: SCYTHE Updates: Purple Team Programming
  
  
• TrustedSec
  Hacking Livestream on Twitch!

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Decodificar fuentes de datos en Protobuf
  
  
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep. 20 – Veronica Schmitt
  
  
• Kevin Ripa at SANS
  • Episode 126: Encryption – Part 2
  • Episode 127: Encryption – Part 3
    
    
• AccessData
  Cryptocurrency Crime Webinar
  
  
• Basis Technology
  Volatility 3 Public Beta: The Insider’s Preview – OSDFCon 2019
  
  
• Black Hills Information Security
  Infosec Mentoring | How to Find and Be a Mentor & Mentee | John Strand & Jason Blanchard | 1 Hour
  
  
• Breaking Badness podcast
  63. APT Comes Up For Malware
  
  
• Cellebrite
  • Ask the Expert: Cellebrite BlacKLight – Actionable Intel by Heather Mahalik
  • Connect 2020 Virtual Event
  • Apple Diagnostic Logs – Phones and More
  • Developer mode for Android acquisitions
    
    
• Detections Podcast
  • Season 3 Episode 4: Tales from the Bionic SOC Man with Mark Orlando
  • Season 3 Episode 5: How to Say the Sexy Yes
    
    
• Joshua James at DFIR.Science
  • DFS101: 7.1 How to recover data
  • DFS101: 7.2 Data recovery with Photorec
  • DFS101: 7.3 Data recovery with tsk_recover
  • DFS101: 7.4 Data Recovery – The Sleuth Kit
  • DFS101: 8.1 Location and meaning of data
  • DFS101: 8.2 How to start a new case in Autopsy 4
  • DFS101: 8.3 Processing and analysis of a disk image with Autopsy 4 default modules
  • DFS101: 8.4 How to use hfind from the command line
  • DFS101: 8.5 How to add a hash database to Autopsy 4
  • Python Programming 008 – Starting Projects
    
    
• Digital Forensic Survival Podcast
  • DFSP # 242 – Registry Persistence Part 2
  • DFSP # 243 – Stomping the Clock
    
    
• Gerald Auger at Simply Cyber
  SOC Analyst Interview Questions and Answers
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 131
  
  
• LetsDefend
  • 1- LetsDefend QuickStart
  • 2- Dashboard
  • 3- Monitoring
  • 4- Log Management
  • 5- Case Management
  • 6- Endpoint Security
  • 7- Threat Intelligence
  • 8- Example Investigation
    
    
• Life has no CTRL ALT DEL with Heather Mahalik
  How SD Card Data Impacts Digital Investigations
  
  
• Magnet Forensics
  Magnet Weekly CTF Challenge Week #2
  
  
• Nuix
  Saving Nuix Enterprise Collection Center Data to Microsoft Azure
  
  
• Paraben Corporation
  • E3 Forensic Platform Computer Image Trial Walk Through
  • Using the E3 Viewer
  • E3 Platform Using Bookmark Tags
  • E3 Platform File & Document Viewer
    
    
• Richard Davis at 13Cubed
  Volatility 3 and WSL 2 – Linux DFIR Tools in Windows?
  
  
• SANS
  • Using COVID-19 to Exploit Fear, Uncertainty, and Doubt (FUD)
  • CyberWeek 2020 speaker slides
  • Human Aspects of Ransomware
    

MALWARE

• Jan Vojtěše at Avast Threat Labs
  FakeMBAM: Backdoor delivered through software updates
  
  
• Bitdefender Labs
  • MaMoCrypt Ransomware Decryption Tool
  • Interplanetary Storm Botnet Shows Signs of Anonymization-Purpose Proxy-for-Hire Infrastructure
    
    
• Ron Ben Yizhak at Deep Instinct
  Why Emotet’s Latest Wave is Harder to Catch than Ever Before – Part 2
  
  
• Vanja Svajcer and Caitlin Huey at Cisco’s Talos
  Lemon Duck brings cryptocurrency miners back into the spotlight
  
  
• Luke Roberts at F-secure
  Operationalising Calendar Alerts: Persistence on macOS
  
  
• Genevieve Stark, Andrew Moore, Vincent Cannon, Jacqueline O’Leary, Nalani Fraser, and Kimberly Goody at Fire Eye Threat Research
  FIN11: Widespread Email Campaigns as Precursor for Ransomware and Data Theft
  
  
• Follow The White Rabbit
  Introducción al Reversing – 0xF Keylogger
  
  
• Xiaopeng Zhang at Fortinet
  Deep Analysis – The EKING Variant of Phobos Ransomware
  
  
• Lenny Zeltser
  REMnux Tools List for Malware Analysis
  
  
• Mario Henkel
  Using CAPE Sandbox and FOG to analyze malware on physical machines
  
  
• SANS Internet Storm Center
  • Analyzing MSG Files With plugin_msg_summary, (Sun, Oct 11th)
  • More TA551 (Shathak) Word docs push IcedID (Bokbot), (Wed, Oct 14th)
  • Nested .MSGs: Turtles All The Way Down, (Mon, Oct 12th)
  • Traffic Analysis Quiz: Ugly-Wolf.net, (Fri, Oct 16th)
  • Nicely Obfuscated Python RAT , (Wed, Oct 14th)
  • CVE-2020-5135 – Buffer Overflow in SonicWall VPNs – Patch Now, (Sat, Oct 17th)
    
    
• Ivan Kwiatkowski, Pierre Delcher, Félix Aime at Securelist
  IAmTheKing and the SlothfulMedia malware family
  
  
• Trend Micro
  VirusTotal Now Supports Trend Micro ELF Hash
  
  
• Gerardo Fernández and Vicente Diaz at VirusTotal
  Tracing fresh Ryuk campaigns itw
  
  
• Zero2Automated
  Interactive Analysis with ANY.RUN
  

MISCELLANEOUS

• AboutDFIR
  AboutDFIR Content Update 10/16/2020
  
  
• Jimmy Schroering at DME Forensics
  Quality Assurance
  
  
• Yi Jiang at Dropbox
  Search Files Using the Dropbox API
  
  
• Vladimir Katalov at Elcomsoft
  Everything You Wanted to Ask About Cracking Passwords
  
  
• Forensic Focus
  • How To Capture Data Via Mobile And Cloud Storage Using Logicube’s Premier Forensic Falcon-NEO
  • Telling Digital Stories: Making Forensic Evidence Persuasive
  • The Auxtera Project Now Open To Volunteer Submissions
  • Upcoming Webinar: Exploring New Features with BlackLight 10.2
  • Buddy Tidwell, Senior Vice President of Global Training, Cellebrite
  • Register For Webinar: Performing An Extraction On A Huawei Device Running A Kirin Chipset
  • James Eichbaum, Global Training Manager, MSAB
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #11: Quickly creating structures
  
  
• James Duffy
  ZPET, C++ & Encouraging Community-Generated Improvements
  
  
• Ken Pryor
  Where the heck have I been?
  
  
• LockBoxx
  Offense Informs Defense
  
  
• MISP
  Event Report – A convenient mechanism to edit, visualize and share reports
  
  
• Brittany Roberts at ADF
  What is NW3C? National White Collar Crime Center | Digital Forensics
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — October 4 to October 17
  
  
• Aviva Zacks of Safety Detective
  Interview With Vladimir Katalov – ElcomSoft
  
  
• SANS
  • New SANS Five Day Security Culture Course
  • Building an Information Security Program Post-Breach Part III
  • Defense Spotlight: Finding Hidden Windows Services
  • Installing the REMnux Virtual Appliance for Malware Analysis
    
    
• Michael Kavka at ‘Silicon Shecky’
  Passing the Cert – SANS Notes and thoughts
  
  
• Teri Radichel
  Cybersecurity Book Review: Sandworm
  

SOFTWARE UPDATES

• ALEAPP
  Paths list option
  
  
• iLEAPP
  Enhanced photos.sqlite query & paths list option
  
  
• Acelab
  The PC-3000 Portable III Now Supports the Silicon Motion SM2258XT SSDs!
  
  
• Adam at Hexacorn
  DeXRAY 2.22 update
  
  
• Binalyze
  Version 2.4.3
  
  
• Ciphey
  Affine, Ascii Shift, ROT47, UUdecoder added + more
  
  
• Didier Stevens
  Update: translate.py version 2.5.9
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.08
  
  
• Florian Roth
  Raccine
  
  
• Mail Xaminer
  Email Recovery in Cyber Forensics – A Complete Guide
  
  
• MISP
  MISP 2.4.133 released ()
  
  
• OMENScan
  AChoirX
  
  
• Passware
  Passware Kit 2020 v4 Now Available
  
  
• Microsoft
  Sysinternals
  
  
• Timesketch
  20201015-pre
  
  
• Timesketch
  20201015: Bugfix for label aggregation
  
  
• Winpmem
  Release 4.0 RC1
  
  
• Xways
  X-Ways Forensics 20.1 Preview 8
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!