As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Alexander Jäger
  Garmin .Fit file Forensics
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  iOS Forensic: full disk acquisition using checkra1n jailbreak
  
  
• Heather Mahalik at Cellebrite
  Keyword Searching in Cellebrite BlackLight Content Search
  
  
• Cheeky4n6Monkey
  iOS14 Maps History BLOB Script
  
  
• Giuseppe Scalzi at Compass Security
  The “Volatility Triage App” for Splunk
  
  
• Danny Henderson Jr
  SANS Community CTF November — Network Challenge Write-Up
  
  
• Darkdefender
  Can you check if my computer’s been hacked?
  
  
• Elcomsoft
  • Extracting Evidence from iPhone Devices: Do I (Still) Need a Jailbreak?
  • Elcomsoft vs. Hashcat: Addressing Feedback
  • Elcomsoft vs. Hashcat Part 2: Workflow, Distributed and Cloud Attacks
  • Elcomsoft System Recovery: a Swiss Army Knife of Desktop Forensics
    
    
• Halkyn Security
  DFIR on a Shoestring – Incident response for less
  
  
• James Smith at DFIR Madness
  Mounting Case001 E01 Files
  
  
• Magnet Forensics Weekly CTF
  • Magnet Weekly CTF: Question 7 Solution Walk-Through
  • Magnet CTF Week 7 – Hadoop Node Networking
  • Magnet CTF Week 7: /etc/network/interfaces
  • Magnet Weekly CTF (Week 7) – IP Interfaces
  • Magnet Weekly CTF – Week 7 – Domains and Such
    
    
• Passware
  Extracting Passwords from the Acquired Windows Registry
  
  
• Amy Nguyen at Sumuri
  Big Sur, Big Changes
  
  
• The DFIR Report
  PYSA/Mespinoza Ransomware

THREAT INTELLIGENCE/HUNTING

• 360 Netlab
  DNSMon: 用DNS数据进行威胁发现
  
  
• Adam at Hexacorn
  Re-sauce, Part 3
  
  
• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  How to detect Cobalt Strike activities in memory forensics
  
  
• Andrew Skatoff at ‘DFIR TNT’
  Detecting Ransomware Precursors
  
  
• Ben Bornholm at HoldMyBeer
  Integrating Vault secrets into Jupyter Notebooks for Incident Response and Threat Hunting
  
  
• Liviu Arsene and Radu Tudorica at Bitdefender Labs
  TrickBot is Dead. Long Live TrickBot!
  
  
• Borja Merino at BlackArrow
  Hindering Threat Hunting, a tale of evasion in a restricted environment
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2020-11-24 – TA551 (Shathak) Word docs with English template push IcedID
  • 2020-11-23 – Quick post: Hancitor infection with Cobalt Strike
    
    
• Yihao Lim at Fire Eye Threat Research
  Election Cyber Threats in the Asia-Pacific Region
  
  
• John Hammond at Huntress Labs
  Tried and True Hacker Technique: DOS Obfuscation
  
  
• Chris Crowley and Josiah Smith at InQuest
  SOC-Class: Use Case Development
  
  
• Nicolas Bareil at ‘Just Another Geek’
  Decoding C2 Traffic in Python, or HOWTO eat 🍿 during an IR engagement?
  
  
• Dominic Chell at MDSec
  A Fresh Outlook on Mail Based Persistence
  
  
• Menasec
  How to Design Detection Logic – Part 1
  
  
• Mike at “CyberSec & Ramen”
  Dual Lingo: Japanese and English Titled LNK Files Targeting Businesses
  
  
• Suleyman Ozarslan at Picus Security
  The Most Used MITRE ATT&CK Technique: T1055 Process Injection
  
  
• Luis Francisco Monge at Security Art Work
  Threat hunting (VIII): cazando sin salir de casa. Creación de procesos (II)
  
  
• Telsy
  The double extortion technique: the Campari case
  
  
• Emiliano Martinez at VirusTotal
  Using similarity to expand context and map out threat campaigns
  

UPCOMING EVENTS

• AceLab
  A Video of the ACE Lab Webinar on Data Recovery for Beginners and Start-ups
  
  
• Andrea Lazzarotto
  ONIF Digital Forensics Webinar 2020 — 03/12/2020
  
  
• Basis Technology
  • Dec 2 – Identify Malware on Compromised Files and URLs Using the PolySwarm Autopsy Plugin
  • Dec 16 – Targeted Automation for Malware Analysis
  • Jan 6 – Supporting Digital Forensics Practitioners with Academic Research and Degree Programs
    
    
• Elan at DFIR Diva
  DFIR Related Events for Beginners – December, 2020
  
  
• AccessData
  Register For Webinar: What the Tech? Using AD Enterprise For Volatile Memory Analysis And Live System Searching
  
  
• Sherry Torres and Eric Oldenburg at Griffeye
  Webinar: A powerful approach for discovering video evidence
  
  
• Magnet Forensics
  • December 1 10:00AM CET: On-Scene Triage with Magnet OUTRIDER 2.0
  • December 2 11:00AM AEDT/December 4 10:00AM GMT: Simplify Your Investigations: Investigating and Containing Cyber Attacks with OSINT and AXIOM
  • December 2 11:00AM ET: Performing Linux Forensic Analysis & Why You Should Care
  • December 3 11:00AM ET: Tips and Tricks // Processing Memory Images
    
    
• MSAB
  XAMN Investigates: Part One
  
  
• ADF
  Best 2021 Law Enforcement Conferences in North America | United States
  
  
• SANS
  Good News: SANS Virtual Summits Will Be FREE for the Community in 2021
  
  
• Studio d’Informatica Forense
  ONIF Digital Forensics Webinar 2020
  
  
• X1
  Effective Social Media Collection in a Dynamic Environment

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.26 – Lynita Hinsch
  
  
• Kevin Ripa at SANS
  • Episode 143: Encryption – Part 19 – Diffie Hellman Key Exchange 2
  • 3MinMax – Episode 144: Encryption – Part 20 – Diffie Hellman Key Exchange 3
    
    
• OSDFCon
  • Effectively Using RegRipper 3.0, Harlan Carvey, OSDFCon 2020
  • Go for Launch: Getting Started with Practical APOLLO Analysis, Sarah Edwards, OSDFCon 2020
  • Detection and Tracking of Forged Digital Images on Social Media using Forensically, OSDFCon 2020
  • Autopsy’s Year in Review, Brian Carrier, OSDFCon 2020
  • Open Source Mobile Forensics using Python, Alexis Brignoni, OSDFCon 2020
  • Putting Together the RDPiece, Brian Moran, OSDFCon 2020
  • Linux Forensics for IoT: Hello World, Joseph Mccormack, Austin Grupposo, OSDFCon 2020
  • Investigating Windows Subsystem for Linux (WSL) Endpoints, Asif Matadar, OSDFCon 2020
  • Using Past Data to Determine Relevance in Autopsy, Brian Carrier, OSDFCon 2020
  • Lightning Talks 2020
    
    
• Breaking Badness podcast
  68. Let’s Doc Turkey
  
  
• Cellebrite
  • Ask the Expert: New Cellebrite Premium iOS Forensic Extraction Capabilities by Guy Rutenberg
  • Identity Lookup Service in Cellebrite Physical Analyzer.
    
    
• Detections Podcast
  • Season 3 Episode 9: Fraud and Code-lusion
  • Season 3 Episode 10: Bend It Like Lady SecItUP
  • Season 3 Episode 11: The Hard One to Name
    
    
• DFIR.Science
  • DFS101: 13.2 Keeping up to date with digital forensics
  • DFS101: 13.1 Research and the future of cybercrime investigation
    
    
• Digital Forensic Survival Podcast
  DFSP # 249 – Linux Fileless Attacks
  
  
• Life has no CTRL ALT DEL with Heather Mahalik
  DFIR Legal Hot Topics
  
  
• Magnet Forensics
  • Tips & Tricks // Using Community Created Custom Artifacts in AXIOM
  • Ransomware: Build Up Your Ransomware Defenses Using Law and Technology
    
    
• MSAB
  Guide to the Categories Filter In XAMN
  
  
• SANS
  • A Tale of Two Hunters: Practical Approaches for Building a Threat Hunting Program
  • SANS DFIR Presenta Nuevos Webcasts en Español
  • New Tools for Your Threat Hunting Toolbox
  • Open NDR and the Great Pendulum | 2020 Threat Hunting & Incident Response Summit
    
    
• Sumuri
  • SUMURI: How does Apple’s M1 chipsets impact on imaging macs?SUMURI GIVES BACK this Thanksgiving 2020
    
    

MALWARE

• 360 Netlab
  Blackrota, a heavily obfuscated backdoor written in Go
  
  
• Arch Cloud Labs
  Tracking Cryptocurrency Miners in The Homelab
  
  
• Matthew Fulmer at Deep Instinct
  Ryuk Ransomware: The Deviance is in the Variance
  
  
• Check Point Research
  • Enter WAPDropper – An Android Malware Subscribing Victims To Premium Services By Telecom Companies
  • Bandook: Signed & Delivered
    
    
• Chuong Dong
  RegretLocker
  
  
• Lior Rochberger at Cybereason
  Cybereason vs. Egregor Ransomware
  
  
• Vladimir Unterfingher at Heimdal Security
  Ryuk Ransomware – Untangling a Convoluted Malware Narrative
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #17: Cross-references 2
  
  
• Kelsey Clark at Hurricane Labs
  Solving Garbage with Radare2
  
  
• Marco Ramilli
  Threat Actor: Unkown
  
  
• Proofpoint
  TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader
  
  
• Robert Giczewski
  • Trickbot tricks again
  • Trickbot tricks again [UPDATE]
  • Having fun with a Ursnif VBS dropper
    
    
• Ryan Cornateanu
  Genetic Analysis of CryptoWall Ransomware
  
  
• SANS Internet Storm Center
  • Quick Tip: Extracting all VBA Code from a Maldoc – JSON Format, (Sun, Nov 22nd)
  • Quick Tip: Cobalt Strike Beacon Analysis, (Mon, Nov 23rd)
  • The special case of TCP RST, (Tue, Nov 24th)
  • Live Patching Windows API Calls Using PowerShell, (Wed, Nov 25th)
  • Threat Hunting with JARM, (Fri, Nov 27th)
    
    
• Sebdraven
  Actor behind Operation LagTime targets Russia
  
  
• Jim Walter at SentinelLabs
  Egregor RaaS Continues the Chaos with Cobalt Strike and Rclone
  
  
• Talon
  [S2W LAB] Analysis of Clop Ransomware suspiciously related to the Recent Incident (English)
  
  
• Trend Micro
  • Analysis of Kinsing Malware’s Use of Rootkit
  • New MacOS Backdoor Connected to OceanLotus Surfaces
    
    

MISCELLANEOUS

• Autopsy
  #OSDFCon 2020, One for the Record Books
  
  
• Blaze’s Security Blog
  Blue Team Puzzle
  
  
• Craig Ball at ‘Ball in your Court’
  C’mon! Bates Numbering Native Production is Easy!
  
  
• Digital Corpora
  • DigitalCorpora has joined the AWS Open Data Sponsorship Program!
  • DigitalCorpora is now available on Amazon S3
    
    
• Santosh Khadsare
  Common ADB commands
  
  
• Forensic Focus
  • Vitaliy Mokosiy, CTO, Atola
  • Global Perspectives From Women In Digital Forensics
  • HTCIA International Conference And Expo 2020 – Recap
  • Research Roundup: Finding New Cultural And Technical Opportunities
  • Interactive Webinar And A Chance To Win Prizes From MSAB
  • Digital Intelligence Produces Crucial Clues To Trace Cryptocurrencies
    
    
• Hacking Articles
  • Linux For Beginners: A Small Guide
  • Password Dumping Cheatsheet: Windows
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  • Inside M1 Macs: Time and logs
  • Startup modes for M1 Macs
    
    
• iNPUT-ACE
  Police Training: 3 Important Courses for Video-Centric Investigations
  
  
• Intel 471
  Here’s what happens after a business gets hit with ransomware
  
  
• Jaco at ‘The Swanepoel Method’
  Everything You Wish Your Parents Told You About Emotet
  
  
• Kevin Pagano at Stark 4N6
  Getting GASF’ed with GIAC
  
  
• MuSecTech
  AChoirX – Why? Part I
  
  
• Nik Alleyne at ‘Security Nik’
  Troubleshooting HTTPS – SSH Connectivity to IBM QRadar with TShark
  
  
• Oxygen Forensics
  Wire app extraction
  
  
• Richard Frawley at ADF
  Mobile Preview: Fast Mobile Phone Forensic Triage | Digital Forensics
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 22 to November 28
  
  
• Semantics21
  S21 Auto-Categoriser for LASERi-X
  
  
• TheHive Project
  TheHive Project’s chat has a new home
  
  
• Andy Gill at ZeroSec
  Learning The [Defence] Ropes 101 – Splunk Setup & Config

SOFTWARE UPDATES

• Adam at Hexacorn
  Updated appid_calc.pl & dexray.pl
  
  
• ANSSI DFIR-ORC
  v10.1.0-rc2
  
  
• Berla
  • iVe Software v3.1 Release
  • iVe Mobile v3.1 Release
    
    
• Emre Tinaztepe at Binalyze
  Meet TimelineIR
  
  
• Cellebrite
  Now Available Cellebrite Physical Analyzer and Cellebrite UFED Cloud 7.40
  
  
• Didier Stevens
  Update: disitool.py Version 0.4
  
  
• DME Forensics
  DVR Examiner 2.9.3 is now available!
  
  
• Elcomsoft
  Elcomsoft System Recovery update: a Swiss army knife in desktop forensics
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.11
  
  
• Costas K
  Windows 10 Live Information viewer
  
  
• Magdy Moustafa
  CapaExplorer
  
  
• Microsoft
  Sysinternals
  
  
• Philippe Lagadec
  oletools_dll v0.0.1-alpha
  
  
• Xways
  X-Ways Forensics 20.1 Beta 2b
  
  
• OSForensics
  V8.0 build 1003 25th November 2020
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!