Our first (non-beta) run of the FOR308 class is running this week with Jason Jordaan at DFIRCON, very exciting!
Why did you developed the SANS FOR308:Digital Forensics Essentials course?

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Brett Shavers at DFIR Training
  Arsenal’s Bypass Data Protection API (DPAPI)
  
  
• Cellebrite
  • How to Use Cellebrite Physical Analyzer’s New Image Classification Feature
  • Stopping criminal activity in prisons with digital intelligence technology
    
    
• D-Virus
  Análisis forense sobre archivos EnCase7 v2 (EX01)
  
  
• Elcomsoft
  • Extracting the iPhone: (No) Tools Required?
  • May the [Brute] Force Be with You!
  • The Forensic View of iMessage Security
  • Five Hundred Posts
    
    
• Hacking Articles
  • Forensic Investigation: Shellbags
  • Memory Forensics: Using Volatility Framework
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Quarantine and the quarantine flag
  
  
• Jon Baumann at Ciofeca Forensics
  • Cellebrite CTF 2020: Juan Mortyme
  • Cellebrite CTF 2020: Introduction
  • Cellebrite CTF 2020: Rene Gade
    
    
• Joshua James at Digital Forensic Science
  Custom artifact creation
  
  
• Magnet Forensics CTF write ups
  • Magnet CTF: Question 3 Solution Walk-Through
  • Write-up Magnet Weekly CTF
  • Magnet CTF Week 3 – The case of the spoiled S. Cargo
  • Magnet Weekly CTF (Week 3) – Motion Photos
  • Magnet Weekly CTF – Week 3 – Cargo Hold
    
    
• Maxim Suhanov
  The NT kernel can ignore your hardware clock during the boot
  
  
• MuSecTech
  • New Directions
  • An Intro to Live Response, Targeted Collections, and Triage
    
    
• Robert Graham
  hunter-dkim
  
  
• Rory Wagner
  FAT32 File Carving
  
  

THREAT INTELLIGENCE/HUNTING

• Secureworks
  Azure Sentinel: Microsoft’s SIEM for the cloud and on-premises
  
  
• Paul Schnackenburg at 4sysops
  Azure Sentinel: Microsoft’s SIEM for the cloud and on-premises
  
  
• Alex Verboon at ‘Anything about IT’
  Deploying Defender ASR – Block persistence through WMI event subscription
  
  
• Awake Security
  Threat Hunting for Avaddon Ransomware
  
  
• Azure Sentinel articles
  • Expanding Microsoft Teams Log Data in Azure Sentinel
  • It’s Here: Announcing the Investigation Insights Workbook
    
    
• Cofense
  • Purchase Order Phishing, the Everlasting Phishing Tactic
  • The Ryuk Threat: Why BazarBackdoor Matters Most
    
    
• Bianca Soare at Heimdal Security
  WannaCry Ransomware Explained
  
  
• Johnny Shaw
  Process Herpaderping
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: Active Directory Attacks with Kerberoasting
  
  
• Koen Van Impe
  • Analyse Linux (syslog, auditd, …) logs with Elastic
  • A walkthrough of Watcher
    
    
• Adam Pennington at MITRE ATT&CK
  Bringing PRE into Enterprise
  
  
• Brittany Barbehenn, Doel Santos and Brad Duncan at Palo Alto Networks
  Threat Assessment: Ryuk Ransomware and Trickbot Targeting U.S. Healthcare and Public Health Sector
  
  
• Red Canary
  • Testing adversary technique variations with AtomicTestHarnesses
  • A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak
    
    
• Tim Medin at Red Siege Information Security
  Detecting Kerberoasting
  
  
• RiskIQ
  • RiskIQ Has Released Its Corpus of Infrastructure and IOCs Related to Ryuk Ransomware
  • What a Custom OceanLotus SSL Certificate Can Tell Us About Their Windows C2 Operations
    
    
• Ryan Kovar at Splunk
  Ryuk and Splunk Detections
  
  
• Secureworks
  • Threat Intelligence CTF Walk-Through: 8Es_Rock OSINT Challenges
  • Threat Hunting as an Official Cybersecurity Discipline
    
    
• Security Onion
  Are You Seeing What I Am Netsyncing? Analyzing Netsync Activity with Security Onion 2
  
  
• Sophos
  • MTR Casebook: An active adversary caught in the act
  • Hacks for sale: inside the Buer Loader malware-as-a-service
    
    
• Cyberint
  njRAT Bulletin
  
  
• Jose Luis Rodriguez at Threat Hunters Forge
  Mapping ATT&CK Data Sources to Security Events via OSSEM ⚔️
  
  
• William Gamazo Sanchez, Aliakbar Zahravi, Elliot Cao, Cedric Pernet, Daniel Lunghi, Jaromir Horejsi, Joseph C Chen, and John Zhang at Trend Micro
  Operation Earth Kitsune: A Dance of Two New Backdoors
  
  
• Andrew Schwartz at TrustedSec
  • The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 1
  • The Tale of the Lost, but not Forgotten, Undocumented NetSync: Part 2
    
    
• WeLiveSecurity
  ESET Threat Report Q3 2020
  
  
• Sudeep Singh and Sahil Antil at ZScaler
  APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services
  
  

UPCOMING EVENTS

• Acelab
  Free Webinar on Data Recovery for Beginners and Start-ups: the Repeated Session
  
  
• Amped Software
  Register For Free Webinar: Getting Started With Video Evidence
  
  
• Belkasoft
  Learn Belkasoft X with Belkasoft’s CEO: Exclusively for Your Country
  
  
• Group IB
  CyberCrimeCon 2020
  
  
• Magnet Forensics
  • November 4 11:00AM EST // November 5th 11:00AM CET: Simplify Your Warrant Return Analysis
  • November 5 11:00AM EST // 11:00AM CET: Tips & Tricks: Using Magnet AXIOM for Triage On-Site
    
    
• Virus Bulletin
  VB2020 TIPS presentations: cybercrime in the DACH region and ransomware in LATAM
  
  

PRESENTATIONS/PODCASTS

• Lodrina Cherne at SANS
  Keynote: The Language of Equality | SANS BIPOC in Cybersecurity Forum 2020
  
  
• The Forensic Lunch with Dave Cowen and Matt Seyer
  Forensic Lunch 10/30/20
  
  
• Alexis Brignoni
  Analisis de dispositivo iOS & Android utilizando iLEAPP & ALEAPP
  
  
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.22 – Ryan Benson
  
  
• Kevin Ripa at SANS
  • Episode 131: Encrytion – Part 7 – HashingII
  • Episode 132: Encryption – Part 8
  • Episode 133: Encryption – Part 9
    
    
• AccessData
  • Timelining Login Information from Windows Event Logs
  • FTK Features That Might Suprise You
    
    
• Basis Technology
  Cybersecurity Zero to Hero with CyberChef – OSDFCon 2019 – Jonathan Glass
  
  
• Black Hills Information Security
  BHIS | Talkin’ Bout News 2020-10-29
  
  
• Cellebrite
  • Consolidated Messages in Cellebrite Physical Analyzer
  • Imaging a Macintosh with T2 Security Chip
  • Revealing Files of Interest
  • Transform Your Border Agency With Digital Intelligence Solutions
  • Ask the expert: Cellebrite Physical Analyzer – Image classifications by Matt Goeckel
  • Image Classification in Cellebrite Physical Analyzer – Release Highlights
  • Selective File System in Cellebrite UFED
  • Accessing Public Data in Cellebrite UFED Cloud
  • Image Classification in Cellebrite Reader
    
    
• DFIR.Science
  • DFS101: 10.1 RAM Acquisition and Analysis
  • DFS101: 10.2 Forensic Memory Acquisition in Windows – FTK Imager
  • DFS101: 10.3 Forensic Memory Acquisition in Linux – LiME
  • DFS101: 10.4 Digital Forensic Memory Analysis – strings, grep, and photorec
  • DFS101: 10.5 Digital Forensic RAM Analysis – Volatility
  • Python Programming 009 – Dictionaries
    
    
• Digital Forensic Survival Podcast
  DFSP # 245 – Fetch and Execute
  
  
• Ashwin Patil
  GrayHat – Blue Teaming with KQL
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: Episode 2: Digital Empathy in the Customer Experience (Guest Shawn M Bowen)
  
  
• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 133
  
  
• Life has no CTRL ALT DEL
  • Qualcomm Live: A Quick Look Under the Hood
  • Capture the Flag with Matt Goeckel
    
    
• Magnet Forensics
  • Magnet Weekly CTF Challenge Week 4
  • Slacking on insider threats? Investigative and monitoring approaches to use within Slack to locate bad actors
  • Tips & Tricks: Download Your Data
  • Data Leak Investigations
    
    
• Matthew Toussain
  PowerShell | The 3 Key Cmdlets
  
  
• MSAB
  Webinar: The Ecosystem of Mobile Forensics  integrated solutions to scale up your investigations
  
  
• Nothing to See Here? I Beg to DFIR
  Episode 10: iBeg to DFIR – Capture the Flag
  
  
• Nuix
  Responding to Threat Intelligence Using Nuix Adaptive Security
  
  
• Paraben Corporation
  • Image Analysis for Money & Gambling Images
  • Processing Slack Data in E3
  • Searching with Emoji in E3 Forensic Platform
  • Viewing Gmail Data in E3
  • Analysis of exFAT data in E3
    
    
• SANS
  • Raising the Tide: Driving Improvement in Security By Being a Good Human | 2020 THIR Summit
  • Big Game Hunting: Major FIN threat joins the targeted ransomware-as-a-Service (RaaS) scene
  • STAR Webcast: Spooky RYUKy: The Return of UNC1878
  • From One Sec Guy to the Team that Saved the CISO’s Day | Threat Hunting & Incident Response Summit
  • Public Speaking: Feel the Fear and Do it Anyway | BIPOC in Cybersecurity Forum 2020
    
    
• Sumuri
  • Sequential Processing with RECON LAB: Super Timeline
  • UPDATING YOUR RECON ITR
    
    
• Ted Smith at ‘X-Ways Forensics Video Clips’
  Video 61 – Rebuilding RAID0…with LVM!
  
  
• The Cyber5
  Episode 30: The State of the Cyber Threat Intelligence Market
  
  

MALWARE

• 360 Core Security
  北非狐（APT-C-44）攻击活动揭露
  
  
• Ruben Andrei Condor at Bitdefender Labs
  An Overview of WMI Hijacking Techniques in Modern Malware
  
  
• Bar Block at Deep Instinct
  The Hasty Agent:  Agent Tesla Attack Uses Hastebin
  
  
• Cisco’s Talos
  Cisco Talos Advisory on Adversaries Targeting the Healthcare and Public Health Sector
  
  
• Colin Hardy
  Unlocking Excel 4.0 Macro Malware
  
  
• Maranda Cigna at Cybereason
  Ryuk Ransomware: Mitigation and Defense Action Items
  
  
• Fire Eye Threat Research
  • Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser
  • Welcome to ThreatPursuit VM: A Threat Intelligence and Hunting Virtual Machine
    
    
• 0xdf hacks stuff
  • Flare-On 2020: Fidler
  • Flare-On 2020: garbage
  • Flare-On 2020: wednesday
  • Flare-On 2020: report.xls
  • Flare-On 2020: TKApp
  • Flare-On 2020: CodeIt
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #13: String literals and custom encodings
  
  
• Intezer
  TrickBot or Treat 2.0
  
  
• OA LABS
  Intezer x UnpacMe Integration
  
  
• Rapid7
  2021 Detection and Response Planning, Part 3: Why 2021 Is the Year for SOC Automation
  
  
• SANS Internet Storm Center
  • Video: Pascal Strings, (Sun, Oct 25th)
  • Excel 4 Macros: “Abnormal Sheet Visibility”, (Mon, Oct 26th)
  • SMBGhost – the critical vulnerability many seem to have forgotten to patch, (Wed, Oct 28th)
  • Quick Status of the CAA DNS Record Adoption, (Fri, Oct 30th)
  • More File Selection Gaffes, (Sat, Oct 31st)
    
    
• SentinelLabs
  • Misusing msvsmon and the Windows Remote Debugger
  • Anchor Project for Trickbot Adds ICMP
    
    
• VirusTotal
  VirusTotal += Gridinsoft
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 10/31/2020
  
  
• Abuse CH
  Moving Forward
  
  
• Adam at Hexacorn
  The Alexiou Principle
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  Digital Forensic Basics: an analysis methodology flow chart
  
  
• Brett Shavers
  An expert is just one page in a book ahead of you
  
  
• Intel 471
  Alleged REvil member spills details on group’s ransomware operations
  
  
• Jason Ostrom
  Building Azure Cyber Ranges for Learning and Fun
  
  
• Kristian Lars Larsen at Data Narro
  Wisconsin Supreme Court asked to consider limits on police use of mobile phone data
  
  
• Magnet Forensics
  DFIR Consultants: Apply to Test Out Project Turbo!
  
  
• Mike at ØSecurity
  Volatility 3 Framework (v 2.0.0-beta.1) Requirements
  
  
• Oxygen Forensics
  Making everything recognizable with new OCR module in Oxygen Forensic® Detective
  
  
• Richard Bejtlich at TaoSecurity
  Security and the One Percent: A Thought Exercise in Estimation and Consequences
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — October 25 to October 31
  
  
• Ryan Chapman
  New Website!
  
  
• Security Onion
  • Security Onion Essentials training available now for FREE!
  • Docker Hub Rate Limits Effective November 1, 2020
    
    

SOFTWARE UPDATES

• Arsenal Recon
  Introducing Arsenal Image Mounter v3.3.134 and DPAPI Bypass
  
  
• Aurora Incident Response
  v0.6.5
  
  
• Amped
  Amped FIVE Update 18800: Introducing Chain Folders, Assisted Annotation Tracking and Protected PDF Reports
  
  
• Cellebrite
  Now Available Cellebrite Physical Analyzer and Cellebrite UFED Cloud 7.39
  
  
• Cyber Triage
  Cyber Triage 2.14: Upload Your DFIR Artifacts to S3
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.09
  
  
• Hex Rays
  IDA Pro 7.5 SP3 released
  
  
• JPCERT/CC
  LogonTracer v1.5 Released
  
  
• Microsoft Threat Intelligence Center
  MSTICPy 0.8.8 Release
  
  
• Paraben Corporation
  New Version 2.7 Release
  
  
• Security Onion
  Security Onion 2.3.2 now available!
  
  
• Target
  Halogen
  
  
• TheHive Project
  New releases for TheHive and Cortex: Elasticsearch 7 support and security fixes.
  
  
• TZWorks
  Oct 2020 build (package)
  
  
• Ulf Frisk released MemProcFS version
  Version 3.5
  
  
• USB Detective
  Version 1.6.1 (10/28/2020)
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!