As always, thanks to those who give a little back for their support!
FORENSIC ANALYSIS
- Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  - Linux Forensics: Memory Capture and Analysis
- Heather Mahalik at Cellebrite
  - How To Use Cellebrite Physical Analyzer’s New Cloud Feature
- Dany at Digitella
  - Wireshark for Network Forensics!
- Deepak Kumar
  - Digital Forensics Corner 1
- Elcomsoft
- Jelle Vergeer at Fox-IT
  - Decrypting OpenSSH sessions for fun and profit
- James Duffy
  - Snapchat – A False Sense Of Security?
- Jon Baumann at Ciofeca Forensics
  - Cellebrite CTF 2020: Tony Mederos #WrongAnswersOnly
- Magnet Weekly CTF
- Marco Fontani at Amped
  - How to Quickly Find Manipulated Objects With Amped Authenticate’s Shadows Filter
- Mike Cohen
  - The Windows USN Journal
- Peter Stewart
  - Memlabs Memory Forensics Challenges – Lab 5 Write-up
- Veronica Schmitt at SANS
  - Unbreak My Heart: What I Learned About Building Better Medical Devices While Troubleshooting My Pacemaker
- The DFIR Report
  - Cryptominers Exploiting WebLogic RCE CVE-2020-14882
- Ben Austin at VMware Carbon Black
  - Querying Windows Event Logs for Faster Investigation and Response
THREAT INTELLIGENCE/HUNTING
- AJ Nash at Anomali
  - Fortify Your Cyber Defense with the MITRE ATT&CK Framework
- Mary Braden Murphy at Aon
  - See ya in S3!
- Ashish Gahlot at Awake Security
  - Threat Hunting for REvil Ransomware
- Azure Sentinel articles
  - What’s new: Microsoft 365 Defender connector now in Public Preview for Azure Sentinel
  - O365 & AAD Multi-Tenant Custom Connector – Azure Sentinel
  - Hunting for Barium using Azure Sentinel
  - Using Azure Data Explorer for long term retention of Azure Sentinel logs
  - What’s new: Monitoring your Logic Apps Playbooks in Azure Sentinel
- Brad Duncan at Malware Traffic Analysis
- BushidoToken
  - Gathering Intelligence on the Qakbot banking Trojan
- Check Point Research
  - Pay2Key – The Plot Thickens
- Dragos
  - ICS Threat Activity on the Rise in Manufacturing Sector
- Jeenali Kothari at Hacking Articles
  - Memory Forensics using Volatility Workbench
- Hurricane Labs
- Huy at Security Tzu
  - Using Active Directory Replication Metadata for investigation purposes
- Intel 471
  - Trickbot down, but is it out?
- Jaron Bradley at The Mitten Mac
  - Detecting SSH Activity via Process Monitoring
- Jumpsec Labs
  - Detecting known DLL hijacking and named pipe token impersonation attacks with Sysmon
- Koen Van Impe
  - From threat intelligence to client scanning
- Mike at “CyberSec & Ramen”
  - Quick Analysis of Well Traveled Threat Actor Targeting Asia Region
- Carol Hildebrand at Netscout
  - Something Wicked This Way Comes
- Eric Groce at Red Canary
  - Cover your bases: 5 common pitfalls that enable ransomware attacks
- SpecterOps
- Rihopo
  - Investigations that should be carried out in Incident Response (EDR vs FSA)
- Sucuri
  - Code Comments Reveal SCP-173 Malware
- ZScaler
UPCOMING EVENTS
- Cellebrite
  - RU New Opportunities Cellebrite
- Tristan Oliver at Griffeye
  - Webinar: Smarter workflows for more efficient CSA investigations
- Magnet Forensics
- SANS
  - Be a part of the HBCU Fall Classic Range Competition!
- The Standoff
  - 2020 in Ransomware: Tactics, Techniques and Procedures
PRESENTATIONS/PODCASTS
- Cache Up with Jessica Hyde
  - Magnet Forensics Presents: Cache Up – Ep.24 – Geraldine Blay
- Kevin Ripa at SANS
- The Forensic Lunch with Dave Cowen and Matt Seyer
  - Forensic Lunch 11/13/20 Alexis Brigoni
- AccessData
  - Ready, Set, Investigate! Why Forensic Investigators Love Quin-C 7.4
- Action Dan at LockBoxx
  - CCDC Blue Team Prep
- Basis Technology
  - Exploring the Wonders of Timesketch and Jupyter
- Blackhat 2020
  - Blackhat 2020
- Black Hills Information Security
  - Vulnerability Management | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Memory Forensics | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Overlapping Fields of View | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Server Analysis | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Lateral Movement | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Endpoint Analysis | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - “False Positives” | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Egress Traffic Analysis | The SOC Age Or, A Young SOC Analysts Illustrated Primer | John Strand
  - Talkin’ About Infosec News – 10/26/2020
  - Talkin’ About Infosec News – 11/09/2020
  - Talkin’ About Infosec News – 11/11/2020
- Breaking Badness podcast
  - 66. Whiskey Business
- Cellebrite
- Cyber Work podcast
- Digital Forensic Survival Podcast
  - DFSP # 247 – Startup Locations
- Jason Nickola at ‘Trust Me I’m Certified’
  - The Power of Mind Over Matter with Jessica Hyde
- Lee Reiber’s Forensic Happy Hour
  - Oxygen Forensics Episode 134
- Magnet Forensics
- NTCore
  - In-Depth Obfuscated VBA Analysis
- Paraben Corporation
  - 6 Keys for Smartphone Investigations Webinar with Amber Schroader
  - Investigating Facebook with the E3 Forensic Platform
  - Cloud Data Methods for Capture Webinar
  - Digital Data Triage Computers & Smartphones-Webinar
  - Digital Investigations for Private Investigators Webinar
  - Paraben Remote Imaging Webinar & Demo
- SANS
  - Hunting Immaturity Model | 2020 Threat Hunting & Incident Response Summit
  - LOCKED OUT! Detecting, Preventing, & Reacting to Human Operated Ransomware
  - Cleveland Clinic Best Practices On Securing Unmanaged and IoT Devices
  - Unbreak my Heart – Lessons learned for building better medical devices while troubleshooting my pace
  - Applying Fraud Detection Techniques to Hunt Adversaries
  - New Five Day Security Culture Course | MGT521 | SANS Institute
- Sumuri
  - Sequential Processing with RECON LAB: Artifact Timeline
- Ted Smith at ‘X-Ways Forensics Video Clips’
  - Video 62 – Support for the btrFS Linux Filesystem in X-Ways Forensics 20.1
- The Cyber5
  - Episode 32: Consuming Intelligence for Cyber Insurance
- The Many Hats Club
  - Ep. 73, Cyber Expert Advice (with Robert Pritchard)
MALWARE
- Lawrence Abrams at Bleeping Computer
  - Alleged source code of Cobalt Strike toolkit shared online
- 360 Netlab
  - Quick update on the Linux.Ngioweb botnet, now it is going after IoT devices
- Adam at Hexacorn
- Jan Rubín at Avast Threat Labs
  - Password stealer in Delphi? Meh… (2/2)
- Erik Pistelli at Cerbero
  - Video: In-Depth Obfuscated VBA Analysis
- Cisco’s Talos
  - Threat Roundup for November 6 to November 13
- Colin Hardy
  - Wrangle with Hangul – Analysis of a malicious hwp document
- Adrian Kress at Compass Security
  - Evading Static Machine Learning Malware Detection Models – Part 2: The Gray-Box Approach
- Cyber And Ramen
  - Quick Analysis of Well Traveled Threat Actor Targeting Asia Region
- Stephen Eckels at Fire Eye Threat Research
  - WOW64!Hooks: WOW64 Subsystem Internals and Hooking Techniques
- Igor Skochinsky at Hex Rays
  - Igor’s tip of the week #15: Comments in structures and enums
- David Ruiz at Malwarebytes Labs
  - RegretLocker, new ransomware, can encrypt Windows virtual hard disks
- Arnold Osipov at Morphisec
  - The introduction of the Jupyter InfoStealer/Backdoor
- Ashwin Vamshi at Netskope
  - Here Comes TroubleGrabber: Stealing Credentials Through Discord
- Palo Alto Networks
- SANS Internet Storm Center
  - Traffic Analysis Quiz: DESKTOP-FX23IK5, (Wed, Nov 11th)
  - How Attackers Brush Up Their Malicious Scripts, (Mon, Nov 9th)
  - Quick Tip: Extracting all VBA Code from a Maldoc, (Sun, Nov 8th)
  - Preventing Exposed Azure Blob Storage, (Thu, Nov 12th)
  - Exposed Blob Storage in Azure, (Thu, Nov 12th)
  - Old Worm But New Obfuscation Technique, (Fri, Nov 13th)
- Securelist
- The BlackBerry Research and Intelligence Team
  - The CostaRicto Campaign: Cyber-Espionage Outsourced
- Tilden Swans
  - Android Quickie: TrustedWallet Impersonation
- Trend Micro
  - An Old Joker’s New Tricks: Using Github To Hide Its Payload
- Martin Smolár at WeLiveSecurity
  - Hungry for data, ModPipe backdoor hits POS software used in hospitality sector
- WMC Global
  - Phishing Exfiltration Method: Email
MISCELLANEOUS
- Naomi Goddard at Active Countermeasures
  - Getting Started on Contributing to RITA
- Adam at Hexacorn
  - Where all the Cyber Tooth Fairies go?
- Autopsy
  - Autopsy 4.17 Highlights (Summary, iLEAPP, & HEIC)
- Belkasoft
  - iOS 14-14.2 are supported for 7 and 7+ models
- Brett Shavers
- Cellebrite
- Dragos
  - Highlights of the Dragos Industrial Security Conference 2020
- Forensic Focus
- James Duffy
  - Check out @J_duffy01’s Tweet
- John Lukach at Cloud 4n6ir
  - 465,003,293,531,714,000,000,000,000,000
- Kaspersky Lab
  - Recapping the GReAT AMA
- Magnet Forensics
- Simon Crawley at MSAB
  - Leveraging Cloud Computing Provision to solve problems in digital forensics
- MuSecTech
- Nextron Systems
  - THOR Forensic Lab License Features
- Olga Milishenko at Atola
  - How to benefit from the range of sources and targets in Atola TaskForce
- Amber Schroader at Paraben Corporation
  - Securing Smartphones a Digital Forensic Perspective
- Richard Bejtlich at TaoSecurity
  - New Book! The Best of TaoSecurity Blog, Volume 3
- Ryan Campbell at ‘Security Soup’
  - Weekly News Roundup — November 8 to November 14
- SANS
  - SANS Healthcare Security Resources
- Silicon Shecky
  - The One About Chained Exploits and Pentest Results
- Threat Hunting SE
  - computer forensic investigation tools (part 1)
SOFTWARE UPDATES
- Adam at Hexacorn
  - DeXRAY 2.23 update
- Amped
  - DVRConv Update 18959: New Formats, New Codec Variations and Increased Date and Time Decoding
- ANSSI DFIR-ORC
  - v10.0.16
- Brim
  - v0.19.0
- Didier Stevens
  - Update: translate.py Version 2.5.10
- Eric Zimmerman
  - ChangeLog
- ExifTool
  - ExifTool 12.10
- Passware
  - Passware Kit Forensic 2020 From Passware
- Magnet Forensics
  - Measure, Act, and Report on Lab Insights with New Dashboards in Magnet AUTOMATE 2.5
- MISP
  - MISP 2.4.134 released (new import extractor for the event report, various improvements and fixes)
- OpenText
  - What’s new in Encase eDiscovery CE 20.4
- OSForensics
  - V8.0 build 1002 9th November 2020
- Oxygen Forensics
  - Oxygen Forensic® Detective v.13.1
- Regipy
  - 1.7.1: Merge pull request #110 from mkorman90/bump-versions
- TheHive Project
  - It’s now time for TheHive 4 to get an update: TheHive 4.0.1 is out!
- Velociraptor
  - Release 0.5.2
- Xways
And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!