As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Bill Stearns at Active Countermeasures
  Where Do I Put My Zeek Sensor?

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  How to extract forensic artifacts from Linux swap

• Atropos4n6
  Are you sure you extract all the available Volume Serial Numbers (VSNs) that reside in the Windows 10 Event Log “Microsoft-Windows-Partition%4Diagnostic.evtx”?

• Blue Team Blog
  SIEM – Use Case Writing Guide

• Heather Mahalik at Cellebrite
  Upgrade from NULL: detecting iOS wipe artifacts

• Christiaan Beek
  Investigating the use of VHD files by cybercriminals

• Brian Carrier and Brian Moran at Cyber Triage
  How to Beat Ransomware in 2021: Key Questions that Make or Break Your Response

• Garry Dukes at DME Forensics
  Feature Fridays – Multiple Sources

• Elcomsoft
  • Forensically Sound Cold System Analysis
  • iOS Extraction Without a Jailbreak: iOS 9 through iOS 13.7 on All Devices
  • The Evolution of iOS Acquisition: Jailbreaks, Exploits and Extraction Agent
  • Elcomsoft vs. Hashcat Part 3: Attacks, Costs, Performance and Extra Features
  • The ABC’s of Password Cracking: The True Meaning of Speed

• Harry Senior at F-secure
  sysdiag-who?

• Forensic Focus
  After SQLite, What Next? A Must-Read Primer On LevelDB

• Gabriele Zambelli at ‘Forense nella Nebbia’
  Let’s combine EvtxEcmd with LogonTracer

• James Smith at DFIR Madness
  Case 001 AutoRuns Analysis

• Magnet Forensics Weekly CTF
  • Magnet Weekly CTF Challenge Week 8
  • Magnet Weekly CTF Challenge Week 9
  • Magnet Weekly CTF: Question 8 Solution Walk Through
  • Magnet CTF Week 8 – Persistence in plain sight
  • Magnet CTF Week 8: Short Side Quest
  • Magnet Weekly CTF (Week 8) – PHP Cluster
  • Magnet Weekly CTF – Week 8

• Sarah Edwards at Mac4n6
  APOLLO v1.4 – Now with ‘Gather’ Function from iOS/macOS and updates to iOS14 and macOS 11 modules

THREAT INTELLIGENCE/HUNTING

• 360 Netlab
  DNS data mining case study – skidmap

• Jordan Drysdale at Black Hills Information Security
  Azure Sentinel Quick-Deploy with Cyb3rWard0g’s Sentinel To-Go – Let’s Catch Cobalt Strike!

• Brad Duncan at Malware Traffic Analysis
  • 2020-12-03 – Pcap and malware for an ISC diary (traffic analysis quiz)
  • 2020-12-03 – TA551 (Shathak) Word docs with Italian template send Ursnif (Gozi/ISFB) with Pushdo

• BushidoToken
  The Game of Attribution

• Max Heinemeyer at Darktrace
  Darktrace’s Cyber AI Analyst investigates Sodinokibi (REvil) ransomware

• Annie Ballew at Huntress Labs
  Rapid Response: TrickBoot

• Intel 471
  Steal, then strike: Access merchants are first clues to future ransomware attacks

• Jorge Orchilles at Scythe
  SCYTHE Presents: Attack Infrastructure: Red Teams vs. Malicious Actors

• Kevin Beaumont at DoublePulsar
  Trickboot — defending against and monitoring for UEFI firmware tampering

• lab52
  Exploiting APT data for fun and (no) profit

• Microsoft Security
  • Zerologon is now detected by Microsoft Defender for Identity
  • Threat actor leverages coin miner techniques to stay under the radar – here’s how to spot them

• Netresec
  Capturing Decrypted TLS Traffic with Arkime

• Olaf Hartong at Falcon Force
  FalconFriday — RPC Service creation & SharpRDP — 0xFF08

• Pat at pat_h/to/file
  Hunting Koadic Pt. 2 – JARM Fingerprinting

• Recorded Future
  • Tibet and Taiwan Targeted in Spearphishing Campaigns Using MESSAGEMANIFOLD Malware
  • Egregor Ransomware, Used in a String of High-Profile Attacks, Shows Connections to QakBot

• Red Canary
  • Validating Microsoft Defender for Endpoint alerts
  • Yellow Cockatoo: Search engine redirects, in-memory remote access trojan, and more

• SANS Internet Storm Center
  • Traffic Analysis Quiz: Mr Natural, (Thu, Dec 3rd)
  • Detecting Actors Activity with Threat Intel, (Fri, Dec 4th)
  • Is IP 91.199.118.137 testing Access to aahwwx.52host.xyz?, (Sat, Dec 5th)
  • Quick Tip: Using JARM With a SOCKS Proxy, (Sun, Nov 29th)

• Securelist
  • APT annual review: What the world’s threat actors got up to in 2020
  • What did DeathStalker hide between two ferns?
  • The chronicles of Emotet
  • Cyberthreats to financial organizations in 2021

• Antonio Villalón at Security Art Work
  • Explotando datos de APT for fun and (no) profit (I): adquisición y procesamiento
  • Explotando datos de APT for fun and (no) profit (III): análisis (no tan) simple
  • Explotando datos de APT for fun and (no) profit (II): análisis simple
  • Explotando datos de APT for fun and (no) profit (IV): conclusiones

• Cyberint
  IcedID Stealer Man-in-the-browser Banking Trojan

• Yoroi
  Shadows From the Past Threaten Italian Enterprises

UPCOMING EVENTS

• AceLab
  Closed Free Webinar: the PC-3000 Tools for Digital Forensics

• MD5
  VFC Webinar

• Magnet Forensics
  Submit to the Magnet Virtual 2021 Call for Papers (CFP)

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.27 – Aaron Sparling

• Kevin Ripa at SANS
  • Episode 145: Encryption – Part 21 – Diffie Hellman Alternate Depiction
  • Episode 146: RAM Collection Conundrum
  • Episode 147: Keep Your Forensic Computer Clean

• Black Hills Information Security
  • Talkin’ About Infosec News – 11/30/2020
  • Webcast: Pretty Little Python Secrets – Episode 2 – Python Development & Packaging as Beautiful as a Poem
  • Pretty Little Python Secrets Ep 2 | Python Development & Packaging as Beautiful as a Poem | Marcello

• Bret Witt
  • letsdefend.io – SOC106 EventID 17 (VIP)
  • SOC105 EventID 16 (VIP)
  • SOC104 – EventID 15 (VIP)
  • SOC14 Event 14 (Malware Detected) (VIP)
  • SOC105 EventID 20 (Threat Intel) (VIP)
  • Microsoft Security Adventure
  • SOC104 EventID 21 (Malware Detected) (VIP)

• Cellebrite
  • Ask the Expert: Using Content Search In Cellebrite BlackLight by Heather Mahalik
  • Tip of the Day: Reprocessing Cases in Cellebrite BlackLight
  • Media Classification in Cellebrite Physical Analyzer
  • How to Use Chat Capture in Cellebrite Responder

• Didier Stevens
  • oledump Indicators
  • Decrypting With translate.py

• Digital Forensic Survival Podcast
  DFSP # 250 – Network Triage Part 1

• Forensic Focus
  Podcast: Doug Brush On Careers In Digital Forensics

• Lee Reiber’s Forensic Happy Hour
  Oxygen Forensics Episode 136

• Martin Schmiedecker
  A Primer on Incident Response

• Neil Fox
  • #9 Intro to Stack Memory (Theory)
  • #10 Stack Memory (Practical Malware Analysis)

• SANS
  • Ask Us (Almost) Anything About Threat Hunting & Incident Response | 2020 THIR Summit
  • Leveraging Beacon Detection Techniques to Identify Anomalous Logons | 2020 THIR Summit
  • SANS Foundations – What’s James Lyne’s favorite part of the new course – Interview with the author
  • SANS Foundations – How do you balance theory and practical? – An Interview with James Lyne
  • SANS Foundations – How did you pick the course topics?  An interview with the Author, James Lyne

• This Month In 4n6
  This Month In 4n6 – November – 2020

• Velocidex Enterprises
  Velociraptor hunting at scale

• John Patzakis at X1
  Relativity Highlights Its X1 Integration for ESI Collection

MALWARE

• Josh Stroschein at 0xEvilC0de
  • Maldoc Workshop at Hack-in-the-Box CyberWeek (UAE)
  • Reverse Engineering with Ghidra – Calling Conventions
  • Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding

• 0xthreatintel
  • Backpedaling emotet Dropper Banking Trojan Ramnit.
  • Anubis Malware Internals
  • Reversing Newly Featured TrickBot [TrickBoot]

• Vanja Svajcer and Adam Pridgen at Cisco’s Talos
  Xanthe – Docker aware miner

• Jamie at ‘Click All the Things!’
  zloader: Simpler XLM and hidden encoded strings

• Cyber Geeks
  Dissecting APT21 samples using a step-by-step approach

• Eclypsium
  TrickBot Now Offers ‘TrickBoot’: Persist, Brick, Profit

• James T. Bennett at Fire Eye Threat Research
  Using Speakeasy Emulation Framework Programmatically to Unpack Malware

• Rotem Kerner at Fortinet
  Leaking Browser URL/Protocol Handlers

• Karsten Hahn at G Data Security
  IceRat evades antivirus by running PHP on Java VM

• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #18: Decompiler and global cross-references

• Jamie Hankins at Kryptos Logic
  Automated string de-gobfuscation

• Hasherezade and Jérôme Segura at Malwarebytes Labs
  German users targeted with Gootkit banker or REvil ransomware

• Prevasio
  Operation “Red Kangaroo”: Industry’s First Dynamic Analysis of 4M Public Docker Container Images

• Proofpoint
  Geofenced NetWire Campaigns

• SANS Internet Storm Center
  Decrypting PowerShell Payloads (video), (Mon, Nov 30th)

• Shimon Brathwaite at Secjuice
  A Short Guide to Malware

• Phil Stokes at SentinelLabs
  APT32 Multi-stage macOS Trojan Innovates on Crimeware Scripting Technique

• Luke Leal at Sucuri
  Obfuscation Techniques in MARIJUANA Shell “Bypass”

• Vit Sembera at Trend Micro
  From Geost to Locker: Monitoring the Evolution of Android Malware Obfuscation

• Virus Bulletin
  • VB2020 presentation: Evolution of Excel 4.0 macro weaponization
  • VB2020 presentation & paper: Advanced Pasta Threat: mapping threat actor usage of open-source offensive security tools
  • VB2020 presentation: Behind the Black Mirror: simulating attacks with mock C2 servers

• Vicente Díaz at VirusTotal
  VirusTotal += BitDefender Falx

• Matthieu Faou at WeLiveSecurity
  Turla Crutch: Keeping the “back door” open

• Shivang Desai at ZScaler
  Among Us Imposter on Google Play

MISCELLANEOUS

• Jessica Hyde at Magnet Forensics
  Ways to Share in DFIR

   

• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 12/5/2020

   

• AccessData
  Exterro Acquires AccessData to Form the Leading Enterprise Legal GRC Software Platform across Data Privacy, Forensics and e-Discovery

   

• AceLab
  The PC-3000 Mobile is Now Available for Purchase!

   

• Adam at Hexacorn
  • csrss.exe and its manifests
  • FaaS for noobs

     

• Marco Fontani at Amped
  Change Frame Rate and Convert Frame Rate: Which One Should You Use in Your Case?

   

• AWS
  Amazon EC2 Mac Instances

   

• Belkasoft
  Belkasoft partners with Passware

   

• Belkasoft reviews
  • Belkasoft X review by Santosh Khadsare
  • Belkasoft Evidence Center X – trial license
  • Brett Shavers’ review of Belkasoft X

     

• Brim Security’s Knowledge Funnel
  • Visualizing IP Traffic with Brim, Zeek and NetworkX
  • Running Brim and ZQD in server/client mode

     

• Cellebrite
  • Battling the Narcotics Crisis With Cellebrite Pathfinder
  • Cellebrite Announces Industry’s First All-In-One Solution For Data Triage & Collection from Windows & Apple Computers
  • Chat Capture – A New Way to Quickly Capture Chat Data
  • Leading Experts Discuss The Right Way to Share Data

     

• Dany at Digitella
  Reflecting on This Semester: Overcoming Impostor Syndrome and My Passion for DFIR

   

• Brian Moran
  Welcome to the DFIRFit Blog

   

• Elan at DFIR Diva
  The Free Training Page Got a Makeover

   

• Forensic Focus
  • How To Use UFED Physical Analyzer 7.33
  • How To Build A Contact Tracing App On Nuix Software
  • Charles Kline, Product Manager, Nuix

     

• Howard Oakley at ‘The Eclectic Light Company’
  Is Big Sur’s system volume sealed?

   

• Kevin Pagano at Stark 4N6
  StartMe Up (Forensic Edition)

   

• Mike Williamson at Magnet Forensics
  Signal Backups – A Q&A Session with Magnet Artifacts

   

• Mark Mo
  Infosec Tool List Update December 2020

   

• Metaspike
  Welcome to the Email Forensics CTF!

   

• Greg Smith at Mobile & Technology Exploration
  Metrics & CISO Series (2)

   

• Passware
  Passware Powers Decryption in the New Belkasoft X

   

• Luis Martinez at Persistent 4n6
  Peer-me a Connection Reset

   

• ADF
  • Digital Forensics and Philanthropy Time on #GivingTuesday Pledge 1%
  • Using Philanthropy to Protect Children and Help Stop Human Trafficking

     

• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — November 29 to December 5

   

• Security Onion
  Security Onion 2 Fundamentals for Analysts & Admins – Virtual Training – February 2021

   

• Lesley Carhart
  Ask Lesley: “I want to hire more diverse senior people”

   

SOFTWARE UPDATES

• ANSSI DFIR-ORC
  v10.1.0-rc3

• Apache Tika
  Release 1.25 – 11/25/2020

• Belkasoft
  Belkasoft X Update

• Brim
  v0.20.0

• Cellebrite
  A New Way to Capture Chat Data From Android Applications With UFED and Cellebrite Responder 7.40

• Ciphey
  Gzip + Braille (grade 1)

• Didier Stevens
  • Update: oledump.py Version 0.0.56
  • Update: emldump.py Version 0.0.11

• Elcomsoft
  iOS Forensic Toolkit 6.60: jailbreak-free extraction for iOS 9.0 through 13.7

• Eric Zimmerman
  ChangeLog

• ExifTool
  ExifTool 12.12

• iNPUT-ACE
  iNPUT-ACE Version 2.6.1

• mac_apt
  20201205

• OSForensics
  V8.0 build 1004 4th December 2020

• SalvationData
  [Product Launch] The Efficient and Powerful SQLServer Database Repair Tool-DBR for SQLServer Released Now!

• Isobuster
  IsoBuster 4.7 Beta released

• TheHive Project
  TheHive4py 1.8.0 is hot off the press

• Velociraptor
  Release 0.5.3

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!