As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Heather Mahalik at Cellebrite
  How To Isolate And Filter Volume Shadow Copies In Cellebrite Blacklight
  
  
• Chris Hogan
  Digital Forensic Efficiencies and Effectiveness with AWS and Open Source
  
  
• Elcomsoft
  • Breaking Intuit Quicken and QuickBooks Passwords in 2021
  • Protecting iMessage Communications
    
    
• Forensic Focus
  • Research Roundup: Communicating Uncertainty In Digital Forensics Results
  • Automated Control Logic Forensics In Industrial Control Systems
    
    
• Jeenali Kothari at Hacking Articles
  Comprehensive Guide on FTK Imager
  
  
• Jon Baumann at Ciofeca Forensics
  Cellebrite CTF 2020: Ruth Langmore
  
  
• Kirtar Oza
  UserAssist — with a pinch of Salt — As an “Evidence of Execution”
  
  
• Magnet Forensics CTF
  • Magnet CTF: Question 4 Solution Walk-Through
  • Magnet CTF Week 4 – GUIDSWAP and drop
  • Magnet CTF Week 4: Back on the Horse Again
  • Magnet Weekly CTF (Week 4) – Phishing for GUIDs
  • Magnet Weekly CTF – Week 4 – Animals That Never Forget
    
    
• MuSecTech
  Building a Collection Tool – Part I
  
  
• Nasreddine Bencherchali
  A Deep Dive Into Windows Scheduled Tasks and The Processes Running Them
  
  
• Nik Alleyne at ‘Security Nik’
  Beginning File System Forensics – learning about the disk and the Master Boot Record (MBR)
  
  
• Oxygen Forensics
  A quick guide to our device extraction methods
  
  
• Samuel Kimmons at Recon InfoSec
  Endpoint Logging For The Win!
  
  
• The DFIR Report
  Ryuk Speed Run, 2 Hours to Ransom
  
  
• Nixintel at ‘We are OSINTCurio.us’
  Ten Minute Tip: Image Geolocation – Part 1
  
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  Threat Hunting False Positives
  
  
• Vitali Kremez at Advanced Intelligence
  Anatomy of Attack: Inside BazarBackdoor to Ryuk Ransomware “one” Group via Cobalt Strike
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  CobaltStrikeScan: identify CobaltStrike beacons in processes memory
  
  
• Anton Chuvakin
  On Threat Detection Uncertainty
  
  
• Azure Sentinel
  • SOC Prime O365 rules and more now offered free, exclusively to Azure Sentinel users
  • Guided UEBA Investigation Scenarios to empower your SOC
    
    
• Bandar Alanazi
  Detecting the CVE-2020–1472 (Zerologon) attacks
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2020-11-04 – Quick post: Recent Hancitor activity
  • 2020-11-06 – Possible Agent Tesla (AgentTesla)
    
    
• Oliver Rochford at Brim Security’s Knowledge Funnel
  Hunting Emotet with Brim and Zeek
  
  
• BushidoToken
  One persistent Phish
  
  
• Check Point Research
  • Who’s Calling? Gaza and West-Bank Hackers Exploit and Monetize Corporate VoIP Phone System Vulnerability Internationally
  • Ransomware Alert: Pay2Key
    
    
• Mihaela Gaman at CrowdStrike
  Seeing Malware Through the Eyes of a Convolutional Neural Network
  
  
• DeTTECT
  v1.4.2
  
  
• Alfie Champion, and James Coote at F-secure
  Using and detecting C2 printer pivoting
  
  
• Vladimir Unterfingher at Heimdal Security
  The Picture of a Modern-day Highwayman – RobbinHood Ransomware
  
  
• Jon Hencinski
  What’s Lateral Movement?
  
  
• Jorge Orchilles at Scythe
  SCYTHE Presents: #ThreatThursday – Ryuk
  
  
• Herbie Zimmerman at Lost in Security (and mostly everything else)
  2020-11-03 Node.JS QRAT
  
  
• Francesco Picasso at Zena Forensics
  MITRE Attack coverage based on detection rules
  
  
• Zhang Zaifeng at 360 Netlab
  360netlab上线域名IOC（威胁情报）评估标准及评估数据服务
  
  
• Nik Alleyne at ‘Security Nik’
  Continuing DLL Injection via CreateRemoteThread
  
  
• Henri Hambartsumyan at Falcon Force
  FalconFriday — DLL hijacking & suspicious unsigned files 0xFF06
  
  
• Proofpoint
  Persistent Actor Targets Ledger Cryptocurrency Wallets
  
  
• Ryan Campbell at ‘Security Soup’
  Quick Post: Spooky New PowerShell Obfuscation in Emotet Maldocs
  
  
• SANS
  SANS book: Practical Guide to Security in the AWS Cloud
  
  
• Xavier Mertens at SANS Internet Storm Center
  Did You Spot “Invoke-Expression”?, (Thu, Nov 5th)
  
  
• Nir Duan at Sayfer
  Detecting Dynamic Loading in Android Applications With /proc/maps
  
  
• Securelist
  APT trends report Q3 2020
  
  
• Luis Francisco Monge at Security Art Work
  Threat hunting (VII): cazando sin salir de casa. Creación de procesos
  
  
• Joe at Stranded on Pylos
  The Enigmatic Energetic Bear
  
  
• Strategic Cyber
  Cobalt Strike 4.2 – Everything but the kitchen sink
  
  
• Denis Sinegubko at Sucuri
  CSS-JS Steganography in Fake Flash Player Update Malware
  
  
• Teri Radichel
  Scanners lead to scammers
  
  
• Cyberint
  • Prilex Brazilian Threat Group
  • Cerberus is Dead, Long Live Cerberus?
    
    
• Threat Hunting
  • keep Your Credentials Safe: Hunting Spraykatz with Sysmon
  • getting to know threat hunting tools and their uses (Part 1)
    
    
• Roger Park at VMware Carbon Black
  Countering a Home Invasion: Modernizing Threat Hunting Best Practices
  
  
• Steven Adair and Thomas Lancaster at Volexity
  OceanLotus: Extending Cyber Espionage Operations Through Fake Websites
  
  
• WMC Global
  Office 365 Phishing Uses Image Inversion to Bypass Detection
  
  

UPCOMING EVENTS

• Acelab
  ACE Lab Organised a Free Webinar for Data Recovery Engineers and Digital Forensics Experts in France
  
  
• Basis Technology
  Webinar: Exploring the Wonders of Timesketch and Jupyter
  
  
• Cellebrite
  • Review of Digital Forensics Highlights for 2020
  • Digital Investigation Solutions for Mac & Windows: A Forensic Workshop
  • Cellebrite Launches “Connect” Global Virtual Summit Series
    
    
• Elan at DFIR Diva
  DFIR Related Events for Beginners – November, 2020
  
  
• Magnet Forensics
  • November 9 12:00PM GMT: Magnet AXIOM Cyber Demo
  • November 12 11:00AM EST: Tips & Tricks: Looking at the Source Data to Support an Artifact
  • November 16 1:00PM EST: Remote Early Case Assessment for Consultants – a Demo of Project Turbo and an Interactive Discussion with the Magnet Idea Lab
    
    
• Nuix
  Exclusive fireside chat with Nuix Chief Scientist David Sitsky
  
  
• Basis Technology
  Open Source Digital Forensics Conference (#OSDFCon)
  
• Paolo Dal Checco at Studio d’Informatica Forense
  Bitcoin e analisi forense
  
  

PRESENTATIONS/PODCASTS

• Kevin Ripa at SANS
  • Episode 134: Encryption – Part 10
  • Episode 135: Encryption – Part 11
  • Episode 136: Encryption – Part 12
    
    
• AccessData
  Batch, Please! Why Legal Teams are Loving Quin-C 7.4
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 10/21/2020
  
  
• Breaking Badness podcast
  65. Not Just A Ryuk
  
  
• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.23 – Rob Duhart
  
  
• Cellebrite
  • Episode 11: I Beg to DFIR – A Review of the 1st Cellebrite CTF
  • Ask the Expert: VSC (Volume Shadow Copy) in Cellebrite BlackLight –   by Heather Mahalik
  • Cellebrite Capture The Flag Follow-Up – Our Experts Review The Questions And Answers
  • Examining databases in Cellebrite Physical Analyzer
    
    
• Chris Sienko at the Cyber Work podcast
  BAHAMUT: Uncovering a massive hack-for-hire cyberespionage group
  
  
• Detections Podcast
  Season 3 Episode 8: The “Hubb” of Security with John Hubbard
  
  
• DFIR.Science
  • DFS101: 11.1 Mobile Device Investigations
  • DFS101: 11.2 Mobile Device Acquisition
    
    
• Digital Forensic Survival Podcast
  DFSP # 246 – Investigation Lifecycle
  
  
• Gerald Auger – Simply Cyber
  Lets Play ThreatGen Cybersecurity Simulation
  
  
• Magnet Forensics
  • Simplify Your Warrant Return Analysis
  • Magnet Weekly CTF Challenge Week 5
  • All Your Case Data in Magnet AXIOM: Analytics
    
    
• Radware
  Radware Threat Researchers Live: Bots, Botnets & Gaming
  
  
• SANS
  • Building a Hunting Program at a Global Scale | 2020 Threat Hunting & Incident Response Summit
  • Hunting Powershell Obfuscation with Linear Regression | Threat Hunting & Incident Response Summit
  • Unbreak my Heart – Lethal Forensicating Saves Lives
  • Machine Learning Meets Regex Rule Engine
  • #BuildYourBrand: Blogging & Podcasting Your Way to Leadership | BIPOC in Cybersecurity Forum 2020
  • Panel: You Got a Job in Cybersecurity!… Now What?!
  • Authentic at Work: Bringing Your Whole Self to Work in Infosec & Tech | Christina Morillo
  • Panel: Good on Paper: Packaging Your Skills and Experience
    
    
• Sumuri
  Getting Started with RECON LAB
  
  
• The Hey, Heather Podcast
  Heather Mahalik
  
  
• Ryan Benson at dfir.blog
  “Cache Up” with Ryan Benson
  
  
• This Week In 4n6
  This Month In 4n6 – October – 2020
  
  
• DFRWS USA 2020
  Check out @_RyanBenson’s Tweet
  

MALWARE

• Adam at Hexacorn
  Memory buffers for… initiated
  
  
• Assaf Dahan, Lior Rochberger, Daniel Frank and Tom Fakterman at Cybereason
  Back to the Future: Inside the Kimsuky KGH Spyware Suite
  
  
• Fire Eye Threat Research
  • Live off the Land? How About Bringing Your Own Island? An Overview of UNC1945
  • In Wild Critical Buffer Overflow Vulnerability in Solaris Can Allow
    Remote Takeover — CVE-2020-14871
    
    
• 0xdf hacks stuff
  • Flare-On 2020: Aardvark
  • Flare-On 2020: crackinstaller
  • Flare-On 2020: break
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #14: Comments in IDA
  
  
• LIFARS Cybersecurity
  What is Fileless Malware? How Does it Work?
  
  
• Malwarebytes Labs
  • Maze ransomware gang announces retirement
  • QBot Trojan delivered via malspam campaign exploiting US election uncertainties
    
    
• Michael Gorelik at Morphisec
  Agent Tesla: A Day in a Life of IR
  
  
• Ashwin Vamshi at Netskope
  Leaky Chats: Accidental Exposure and Malware in Discord Attachments
  
  
• One Night in Norfolk
  TinyPOS and ProLocker: An Odd Relationship
  
  
• Ryan Tracey and Drew Schmitt at Palo Alto Networks
  When Threat Actors Fly Under the Radar: Vatet, PyXie and Defray777
  
  
• Patrick Wardle at Objective-See
  Adventures in Anti-Gravity
  
  
• Süleyman Özarslan at Picus Security
  The Zerologon Vulnerability — How to Test it… Safely!
  
  
• SANS Internet Storm Center
  • Emotet -> Qakbot -> more Emotet, (Tue, Nov 3rd)
  • AV Cleaned Maldoc, (Mon, Nov 2nd)
  • Rediscovering Limitations of Stateful Firewalls: “NAT Slipstreaming”  ? Implications, Detections and Mitigations , (Fri, Nov 6th)
  • Cryptojacking Targeting WebLogic TCP/7001, (Sat, Nov 7th)
    
    
• Fedor Sinitsyn and Vladimir Kuskov at Securelist
  RansomEXX Trojan attacks Linux systems
  
  
• Karsten Hahn at G Data
  Babax stealer rebrands to Osno, installs rootkit
  
  
• Phil Stokes at SentinelLabs
  Resourceful macOS Malware Hides in Named Fork
  
  
• Gabor Szappanos at Sophos
  A new APT uses DLL side-loads to “KilllSomeOne”
  
  
• Telsy
  Trying not to walk in the dark woods; A way out of the Maze;
  
  
• Tilden Swans
  Android Quickie: Joker Anime
  
  
• Gerardo Fernández And Vicente Diaz at VirusTotal
  Keep your friends close; keep ransomware closer
  
  

MISCELLANEOUS

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 11/7/2020
  
  
• Chris Long
  Installing Detectionlab On Esxi
  
  
• Danny Henderson Jr
  The “Graduate Certificate Program” Experience with SANS Technology Institute
  
  
• Jimmy Schroering at DME Forensics
  Quality Assurance – Part 2
  
  
• Forensic Focus
  • Forensic Focus Content Survey 2020
  • 25 Days, 25 Questions: Part 4 – Lab And Tool Standards
  • Fighting Child Exploitation With Digital Forensics
  • Shahar Tal, VP Research, Cellebrite
    
    
• Jason Wilkins at ‘Noob to Pro Forensics’
  My Review of the National White Collar Crime Center’s (NW3C) DF330 course – Advanced Digital Forensics Analysis (ADFA- Mobile I)
  
  
• Rick Whittington at Magnet Forensics
  Five Reasons Why I Stopped Fighting the Cloud
  
  
• OSCartography at Objective-See
  Property List Parsing Bug(s)
  
  
• ADF
  • Define Files to Collect Digital Evidence
  • 5 ICAC Investigation Best Practices
    
    
• Aviva Zacks at Safety Detectives
  Interview With Amber Schroader – Paraben
  
  
• SANS
  • Junior Cybersecurity Professionals:  From Surviving to Thriving
  • Public Speaking:  Feel the Fear and Do It Anyway
  • SANS Cybersecurity Management Curriculum
  • NEW SANS MGT433: Managing Human Risk Course
    
    
• Brandon Lee at 4sysops
  Stellar Converter for EDB: Convert Exchange database (EDB) mailboxes into PST file format
  
  
• Teri Radichel
  Sharing cybersecurity ideas
  
  
• Wes Lambert
  securityonion-velociraptor
  
  
• John Patzakis at X1
  Compelling Case Study for Remote eDiscovery Collection in a High-Stakes Litigation
  
  

SOFTWARE UPDATES

• Autopsy
  autopsy-4.17.0
  
  
• Binalyze
  Version 2.4.6
  
  
• Didier Stevens
  1768 K
  
  
• Elcomsoft
  Advanced Intuit Password Recovery 3.11 breaks Quicken 2020 and QuickBooks 2021 passwords
  
  
• Eric Zimmerman
  ChangeLog
  
  
• MSAB
  Upgraded XRY 9.2.1 and XAMN 5.2.1 now available
  
  
• OSForensics
  V8.0 build 1001 3rd November 2020
  
  
• SANS Internet Storm Center
  Wireshark 3.2.8 and 3.4.0 Released, (Sun, Nov 1st)
  
  
• Xways
  X-Ways Forensics 20.1 Preview 10
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!