As always, thanks to those who give a little back for their support!

Also I’ll be delivering a SANS @Mic talk this Wednesday, 17 February at 1PM AEDT (2AM UTC, sorry!). The talk is aimed at people new to the field, talking about how to get started learning about digital forensics by testing and experimenting. You can register here

FORENSIC ANALYSIS

• Andrea Fortuna at ‘So Long, and Thanks for All the Fish’
  How to perform a digital forensic analysis using only free tools
  
  
• Brett Shavers
  The forensic process begins before processing forensics begins
  
  
• Brian Maloney
  Your AV is Trying to Tell You Something: process.log
  
  
• Dirk Pawlaszczyk and Christian Hummert
  Making the Invisible Visible – Techniques for Recovering Deleted SQLite Data Records
  
  
• Inversecos
  Forensic Analysis of AnyDesk Logs
  
  
• Jamie Sharpe at Nullable Truth
  • CSV (siː ɛs viː)
  • CSV – SQLite Extraction and Conversion
    
    
• Jeremiah Bess at ‘Network Security Ninja’
  Microsoft Teams Logs for Activity
  
  
• Kevin Pagano at Stark 4N6
  Chrome Network Action Predictor, Preloading all your Webpages
  
  
• Kevin Stokes at KPMG
  A new type of User access log
  
  
• MII Cyber Security
  • Digital Forensic Artifact of TeamViewer Application
  • Using Jupyter Notebook for Analyzing access.log file — Directory Brute-force Case Study
    
    
• Secure N0thing
  TryHackMe – Forensics Room
  
  
• Patricia Cifuentes at Security Art Work
  Kroll Artifact Parser and Extractor (KAPE) – I: Introducción
  
  
• Sumuri
  How to Image an Apple Silicon Mac with RECON ITR Live
  
  
• Mike Cohen at Velocidex
  Digging for files with Velociraptor
  
  

THREAT INTELLIGENCE/HUNTING

• 360 Netlab
  DNSMon: using DNS data to produce threat intelligence (3)
  
  
• Keith Chew at Active Countermeasures
  Malware of the Day – Attack Vectors: TeamViewer
  
  
• Adam at Hexacorn
  Misre-presentation host
  
  
• Alex Verboon at ‘Anything about IT’
  Collecting AzureAD User Authentication Method Information
  
  
• Andrew Hay
  Jupyter Notebook for crt.sh Queries
  
  
• Gage Mele, Winston Marydasan, and Yury Polozov at Anomali
  Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies
  
  
• Azure Sentinel
  • Using NXLog to enhance Azure Sentinel’s ingestion capabilities
  • Bring Remediation Steps into Azure Sentinel
  • Automatically disable On-prem AD User using a Playbook triggered in Azure
  • Migrating QRadar offenses to Azure Sentinel
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2021-02-08 – Traffic analysis exercise – AscoLimited
  • 2021-02-09 – Files for an ISC diary (phishing email)
    
    
• BushidoToken
  Using a Discord server as a Personal CTI Dashboard
  
  
• Check Point Research
  • Domestic Kitten – An Inside Look at the Iranian Surveillance Operations
  • After Lightning Comes Thunder
  • Of Kittens and Princes:  the latest updates on two Iranian espionage operations
    
    
• Tom Simpson, Tom Henry, and Seb Walla at CrowdStrike
  Blocking SolarMarker Backdoor
  
  
• Cybereason
  Attacker Tries to Poison Florida City’s Water Supply
  
  
• Mike Talon at Cymulate
  Double-Extortion Attacks on the Rise
  
  
• Joe Slowik at DomainTools
  Visibility, Monitoring, and Critical Infrastructure Security
  
  
• Gus Serino at Dragos
  Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack
  
  
• Hannah Suarez
  • Setting up OpenVPN Logging – including YAML Config Snippets
  • YAML Config Snippet for HyperV Audit Logging Event Locations
  • The Importance of NTP (Network Time Protocol) in Logging and Auditing
    
    
• InfoSec Write-ups
  Evade AVs/EDR with Shellcode Injection
  
  
• Scythe
  SCYTHE Presents: Our Founder and CEO Bryson Bort breaks down the Florida water treatment facility attack.
  
  
• Mehmet Ergene
  Detecting Threats with Process Tree Analysis without Machine Learning
  
  
• Microsoft Security
  • Web shell attacks continue to rise
  • A playbook for modernizing security operations
    
    
• Olaf Hartong
  FalconFriday — Masquerading; LOLBin file renaming— 0xFF0C
  
  
• Teemu Herttua at OUSPG
  Honeypots — Easy and Insightful
  
  
• Matthew Berninger at Rapid7
  Talkin’ SMAC: Alert Labeling and Why It Matters
  
  
• Justin Schoenfeld at Red Canary
  Catch me if you code: how to detect process masquerading
  
  
• SetodaNote
  Microsoft Defender Antivirus を無効化する
  
  
• Stranded on Pylos
  Water, Water Everywhere – But Nary a Hacker to Blame
  
  
• Strategic Cyber
  Learn Pipe Fitting for all of your Offense Projects
  
  
• Flynn Weeks at The What2Log Blog
  The Struggle is Real: Log Volume
  
  
• Alfredo Oliveira and David Fiser at Trend Micro
  Threat Actors Now Target Docker via Container Escape Features
  
  
• Adam Todd at TrustedSec
  Group Policy for Script Kiddies
  
  

UPCOMING EVENTS

• Belkasoft
  • Accelerating your digital forensic investigation with Belkasoft X
  • BelkaDay Europe 2021
    
    
• Cellebrite
  • Part 1, Fundamentals Matter: How to Maximize your Digital Collection Efforts with Cellebrite UFED
  • Part 2, Fundamentals Matter: Understanding the Available Extraction Methods & Offerings
    
    
• KPMG
  Road to New Reality – Automating Incident Response in the Cloud
  
  
• Magnet Forensics
  • Enterprise Pulse
  • February 16 8:00AM/12:00PM ET: Malware And More: A Look Into Windows Memory
  • February 17 11:00AM ET: Methodology for Testing Forensic Hypothesis and Finding Truth
  • February 18 11:00AM ET: Tips & Tricks // Simple AXIOM Features That Improve Case Efficiency
    
    
• MSAB
  XAMN Investigates: Part One
  
  
• Semantics21
  LASERi-X 2.1 Release Webinar
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.37 – Jay Sasportas
  
  
• Kevin Ripa at SANS
  • Episode 169: Apple Forensics: Magic Keystrokes – Single User Mode key
  • Episode 170: Apple Forensics: Magic Keystrokes – Recovery Mode key
  • Episode 171: Apple Forensics: Magic Keystrokes – Target Disk Mode key
    
    
• Archan Choudhury at BlackPerl
  INCIDENT RESPONSE TRAINING FREE || Course Outline || Day 0
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 2/8/2021
  
  
• Breaking Badness podcast
  75. Russian Roulette
  
  
• Bret Witt
  • SOC107 EventID: 48 (Privilege Escalation Detected) [Jan. 31, 2021, 4:20 p.m.]
  • SOC111 EventID: 46 (Traffic to Malware Domain) [Jan. 31, 2021, 4:15 p.m.]
    
    
• Cyber Security Interviews
  #113 – Julian Waits: Diversity of Thought
  
  
• Detections podcast
  Sudoodleadoo
  
  
• Digital Forensic Survival Podcast
  DFSP # 260 – Learn from the Red Team
  
  
• Gerald Auger at Simply Cyber
  Cybersecurity Analyst Interview Q&A
  
  
• Magnet Forensics
  • Tips & Tricks // Tips & Tricks // Rebuilt Desktops
  • How to Create Templates for Exporting Load Files
  • Magnet AXIOM Cyber
    
    
• Neil Fox
  #12 How to Install Ghidra on Windows
  
  
• Paraben Corporation
  • Processing Windows System Data
  • Processing TigerConnect App
  • Windows Registry Examination Enhancements
  • Automate the iOS Encrypted Backup Option in E3
  • Process iOS Health Data in E3
  • Processing Facebook Messenger on iOS
  • Android Logical Imaging with ADB Backup
    
    
• SANS
  • SANS ICS & Dragos host webcast series to strengthen the Industrial Control Systems Community
  • Part 2: Rekt Casino Hack – Weak Security Program, Unprotected Systems, and Poor Detection & Response
    
    

MALWARE

• 0day in {REA_TEAM}
  Reversing With Ida From Scratch (P34)
  
  
• 0xthreatintel
  Uncovering SUPERNOVA Malware
  
  
• 360 Netlab
  Rinfo Is Making A Comeback and Is Scanning and Mining in Full Speed
  
  
• Ali Aqeel
  • Dridex Malware Analysis
  • Dridex Malware Analysis [8 Feb 2021]
  • Dridex Malware Analysis [10 Feb 2021]
    
    
• BushidoToken
  Latest wave of Cerberus targets English-speaking users
  
  
• CISA
  • AR21-039A: MAR-10318845-1.v1 – SUNBURST
  • AR21-039B: MAR-10320115-1.v1 – TEARDROP
    
    
• Colin Hardy
  Building a Malware Lab – Software, Hardware, Tools and Tips for Effective Malware Analysis
  
  
• Radu Vlad at CrowdStrike
  Press #1 to Play: A Look Into eCrime Menu-style Toolkits
  
  
• Dimitris Kolotouros and Marios Levogiannis at GRNET CERT
  Reverse engineering Emotet – Our approach to protect GRNET against the trojan
  
  
• Xiaopeng Zhang at Fortinet
  • New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part I
  • New Bazar Trojan Variant is Being Spread in Recent Phishing Campaign – Part II
    
    
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #26: Disassembly options 2
  
  
• John Hammond
  Decoding & Deobfuscating VBScript – Malware Analysis
  
  
• Apurva Kumar and Kristin Del Rosso at Lookout
  Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict
  
  
• Malwarebytes Labs
  Malvertising campaign on PornHub and other top adult brands exposes users to tech support scams
  
  
• Mark Mo
  Bypass AV/EDR with Safe Mode?
  
  
• Morphisec
  • Long Live, Osiris; Banking Trojan Targets German IP Addresses
  • Egregor Ransomware Adopting New Techniques
    
    
• Mike Harbison at Palo Alto Networks
  BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech
  
  
• SANS Internet Storm Center
  • Quickie: tshark & Malware Analysis, (Mon, Feb 8th)
  • Agent Tesla hidden in a historical anti-malware tool, (Thu, Feb 11th)
  • Phishing message to the ISC handlers email distro, (Wed, Feb 10th)
  • AgentTesla Dropped Through Automatic Click in Microsoft Help File, (Fri, Feb 12th)
  • Using Logstash to Parse IPtables Firewall Logs, (Sat, Feb 13th)
    
    
• Sebdraven
  Babuk is distributed packed
  
  
• Tony Lambert at “Where DFIR Meets IT”
  Analyzing an Empire macOS PKG Stager
  
  
• Avinash Kumar, Aditya Sharma, and Abhay Kant Yadav at Zscaler
  Discord CDN: A Popular Choice for Hosting Malicious Payloads
  
  

MISCELLANEOUS

• Josh Stroschein at 0xEvilC0de
  How-To: Installing Oledump in Windows
  
  
• Andrew Rathbun at AboutDFIR
  AboutDFIR Content Update 2/11/2021
  
  
• Belkasoft
  Belkasoft X review by Alan Jeffries (D3 Forensics Limited)
  
  
• Cocktail Forensics
  • Forensic Laptop Refresh: Linux Edition
  • Forensic Laptop Refresh: Windows Edition
  • Forensic Laptop Refresh: Mac Edition
    
    
• DFRWS
  DFRWS Rodeo 2020
  
  
• Didier Stevens
  Quickpost: oledump.py plugin_biff.py: Remove Sheet Protection From Spreadsheets
  
  
• DME Forensics
  • DVR Examiner 3.0 is coming!
  • Meet Liza
    
    
• Doug Metz at Baker Street Forensics
  Getting Started with a PowerShell Menu
  
  
• Forensic Focus
  • A Springboard To Digital Forensics Research In 2021
  • Cooperation  Between Academia And Law Enforcement: Challenges And Opportunities
  • Nuix And Forensic Analytics Ltd Announce Global Technology Alliance
  • Grayshift Introduces Android Support On GrayKey
  • Patrick Siewert On Push-Button Forensics And Communicating Results To Non-Experts
  • Adapting Corporate Investigations Within A Pandemic
  • Detego Digital Forensics: The True Industry First All-In-One Solution – Since 2018
  • Tom Cross, VFC Sales Manager, MD5
    
    
• LIFARS Cybersecurity
  Importance Of Log Policy And Log Retention: What To Log And How Long You Should Keep It?
  
  
• Julien Richard at Luatix
  OpenCTI and SSO (Single Sign On)
  
  
• Magnet Forensics
  • Better Data Makes Lab Management Decisions Easier with AUTOMATE
  • Persistence with the Magnet AXIOM Cyber Agent
    
    
• Marco Fontani at Amped
  Perspective: Size Comparison May Be Tricky
  
  
• Shaun Sutcliffe at MSAB
  Five reasons why Mobile Forensics Training is fundamental
  
  
• Oxygen Forensics
  New Facial and Image Categorization Can Now Identify Faces Wearing Masks
  
  
• Paraben Corporation
  • Mobile Fast Track Training Now Online
  • 20 Years Leading Mobile Forensics
    
    
• Jason Downey at Red Siege Information Security
  Networking Fundamentals Part I
  
  
• Richard Frawley at ADF
  Digital Forensics Age Detection | Best CSAM Investigator Tool | CEM
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — February 7 to February 13
  
  
• Security Onion
  Elastic License Changes and Security Onion
  
  
• setodaNote
  CyberChef のオペレーションめも
  
  
• Paolo Dal Checco at Studio d’Informatica Forense
  IISFA Memberbook 2021 – Digital Forensics
  
  
• Vitaλy
  Velociraptor + Okta
  
  

SOFTWARE UPDATES

• ANSSI DFIR-ORC
  • v10.0.17
  • v10.1.0-rc4
    
    
• Brim
  v0.24.0
  
  
• Cellebrite
  Workflow Aids: Digital Collector 3.1
  
  
• CyberChef
  v9.27.1
  
  
• Didier Stevens
  Update: oledump.py Version 0.0.59
  
  
• Eric Zimmerman
  ChangeLog
  
  
• ExifTool
  ExifTool 12.18
  
  
• IntelOwl
  fixes and version upgrades
  
  
• JPCERT
  LogonTracer v1.5.2
  
  
• mac_apt
  20210210
  
  
• Magnet Forensics
  • Introducing Magnet IGNITE™: A New Early Case Assessment Tool
  • New in AUTOMATE 2.7: Overview Dashboard and AUTOMATE REST API
    
    
• MISP
  MISP 2.4.138 released (Many improvements including CISA.gov AIS dynamic marking functionality, RSIT galaxy added)
  
  
• Oxygen Forensics
  Oxygen Forensic® Detective v.13.3
  
  
• Paraben Corporation
  E3 Forensic Platform 2.8 Release Data Galore!
  
  
• radare2
  5.1.1
  
  
• RecuperaBit
  Version 1.1.5
  
  
• Regipy
  1.8.2
  
  
• Semantics21
  Check out @Semantics21’s tweet
  
  
• Velociraptor
  Release 0.5.6
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!