As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• ThinkDFIR
  Metaspike CTF – Week 6 – “HODL onto your timestamps”
  
  
• AbdulRhman Alfaifi at U0041
  Exploring Windows Artifacts : LNK Files
  
  
• Anatoly Tykushin at Group IB
  The source of everything: forensic examination of incidents involving source code leaks
  
  
• Brian Maloney
  Your AV is Trying to Tell You Something: AVMan.log/Daily AV Log
  
  
• Cellebrite
  • Overview of Parsed Data in Cellebrite Physical Analyzer
  • Collecting Data from Encrypted Phones
    
    
• Chad Anderson and Barry Rellis at DomainTools
  How to Not Give a Scam
  
  
• Oleg Afonin at Elcomsoft
  iOS Recovery Mode Analysis: Reading iOS Version from Locked and Disabled iPhones
  
  
• Inaugural Issue of the Journal of Cyber Forensics and Advanced Threat Investigations
  Vol 1, No 1-3 (2020)
  
  
• Joshua Hickman at ‘The Binary Hick’
  iOS 14 + macOS Big Sur = Lots of Images
  
  
• Magnet Forensics
  The Lesser Talked About Messaging Apps
  
  
• Nasreddine Bencherchali
  • Forensics Artifacts — Symantec EDR “localdatastore” Folder
  • Finding Forensic Goodness In Obscure Windows Event Logs
    
    
• Oxygen Forensics
  Dating Apps Forensics
  
  
• Peter Stewart
  • Crowdstrike AdversaryQuest CTF – Much Sad
  • Crowdstrike AdversaryQuest CTF – The Proclamation
    
    
• Bob Rudis
  Extracting Heart Rate Data (Two Ways!) from Apple Health XML Export Files Using R (a.k.a. The Least Romantic Valentine’s Day R Post Ever)
  
  
• Ryan Benson at dfir.blog
  Keystroke Flow from Chrome Omnibox
  
  
• Secure N0thing
  CyberDefenders – HoneyPot PCAP Analysis
  
  
• Justin Vaicaro at TrustedSec
  Who Left the Backdoor Open? Using Startupinfo for the Win
  
  
• Yulia Samoteykina at Atola
  Imaging partitions of a RAID array
  
  

THREAT INTELLIGENCE/HUNTING

• Emre Tinaztepe at Binalyze
  Start triage with already set YARA rules for SUNBURST
  
  
• Microsoft Security Response Center
  Microsoft Internal Solorigate Investigation – Final Update
  
  
• Adam at Hexacorn
  • Yet another secret of hosts file
  • DownLOLoloaders
    
    
• Adepts of 0xCC
  One thousand and one ways to copy your shellcode to memory (VBA Macros)
  
  
• Advanced Intelligence
  • Maltego+Andariel a Force Multiplier For DarkWeb & Botnet Investigations
  • Cyber Exploration: The Geostrategic Quest of APT Groups in LATAM
    
    
• Blue Team Blog
  My thoughts on using the MITRE ATT&CK framework for SIEM detection’s
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-02-12 – Qakbot (Qbot) infection with Cobalt Strike
  • 2021-02-17 – Pcap and malware for an ISC diary (Trickbot gtag rob13)
  • 2021-02-01 thru 2021-02-18 – Quick post: 46 malicious emails
  • 2021-02-19 – Mensagem “Pascholotto” empurra malware
  • 2021-02-09 – Quick post: Hancitor infection with Cobalt Strike
    
    
• Brendan Marshall at “Engineering… for Security”
  Agent7 – An security agent that doesn’t suck (I hope)
  
  
• CERT-FR
  Sandworm intrusion set campaign targeting Centreon systems
  
  
• Cisco’s Talos
  • Masslogger campaigns exfiltrates user credentials
  • Kasablanka Group’s LodaRAT improves espionage capabilities on Android and Windows
    
    
• Jurgen at Correlated Security
  10 Major API Log Collection Challenges for Threat Detection in a Cloud-Native World
  
  
• Darkdefender
  The Zeek-Cut Cheat Sheet
  
  
• Michael Barclay and Jon Hencinski at Expel
  Attack trend alert: REvil ransomware
  
  
• Gerald Auger at Simply Cyber
  Learn EDR Tech FREE (LimaCharlie Changes the Game)
  
  
• Melissa at Sketchymoose’s Blog
  Hack the Box: Looking at a Basic Shell
  
  
• Microsoft 365 Security
  Hunting for anomalies with time-series analysis
  
  
• Microsoft Security
  6 strategies to reduce cybersecurity alert fatigue in your SOC
  
  
• Rifqi Ardia Ramadhan at MII Cyber Security
  Threat Hunting with Jupyter Notebook: Excessive Usage of FTP User Scenario
  
  
• Erik Hjelmvik at Netresec
  Targeting Process for the SolarWinds Backdoor
  
  
• Palo Alto Networks
  • WatchDog: Exposing a Cryptojacking Campaign That’s Operated for Two Years
  • IronNetInjector: Turla’s New Malware Loading Tool
    
    
• pat_h/to/file
  Using eBPF to uncover in-memory loading
  
  
• Gavin Matthews at Red Canary
  Introducing Red Canary CWP Shell Activities
  
  
• Riccardo Ancarani at ‘Red Team Adventures’
  Random Notes on Task Scheduler Lateral Movement
  
  
• RiskIQ
  Threat Hunting in a Post-WHOIS World
  
  
• SANS
  • Shining some light on Solarwinds and ICS
  • Rekt Casino Revisited: Transformational Series Part 2
  • List of Resource Links from Open-Source Intelligence Summit 2021
    
    
• Phil Stokes at SentinelLabs
  20 Common Tools & Techniques Used by macOS Threat Actors & Malware
  
  
• Melvin Langvik at TrustedSec
  Front, Validate, and Redirect
  
  

UPCOMING EVENTS

• Basis Technology
  • RecuperaBit: Present and Future of NTFS Reconstruction
  • Computer Autopsies: Use Free Forensic Software
  • Cyber Triage Demo Webinar
    
    
• Belkasoft
  The state of the art in iOS forensics
  
  
• Magnet Forensics
  • February 22-26 (Various times across three time zones): Enterprise Pulse: An Industry Speaker Series
  • February 24 11:00AM ET: MacOS Forensics: The Next Level – Taming The T2 Chip & More
  • February 25 11:00AM ET: Tips & Tricks // Decrypting Application Data Using the iOS Keychain and GrayKey
    
    
• Paraben Corporation
  13th Annual PFIC DFIR Conference September 15-16
  
  
• Sophos
  Sophos Threat Hunting Academy webinar series is now open
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.38 – Daryl Pfeif
  
  
• Kevin Ripa at SANS
  • Episode 172: Apple Security: The Firmware Password
  • Episode 173: Apple Security: Gatekeeper
  • Episode 174: Apple Security: System Integrity Protection
    
    
• Archan Choudhury at BlackPerl
  INCIDENT RESPONSE TRAINING FREE || Pillars of Security Operations || Day 1
  
  
• Black Hat
  Automate Security Incident Response: Minimize Risk and Downtime from Cyber Security Threats.
  
  
• Black Hills Information Security
  Talkin’ About Infosec News – 2/17/2021
  
  
• Bret Witt
  • SOC120 EventID: 52 (Phishing Mail Detected – Internal to Internal) [Feb. 7, 2021, 4:24 a.m.]
  • SOC118 EventID: 51 (Internal Port Scan Activity) [Feb. 6, 2021, 3:40 p.m.]
    
    
• Cellebrite
  • iOS Location Artifacts Explained
  • New Built-in Content Search Feature in Cellebrite Physical Analyzer
  • “Text View” – A new viewing feature in Cellebrite Physical Analyzer
  • Native messages & Instant messages in Cellebrite Physical Analyzer
  • Keyword lists in Cellebrite Physical Analyzer 7.42
  • Ask the Expert: Overview of Parsed Data in Cellebrite Physical Analyzer by Heather Mahalik
    
    
• Chris Sienko at the Cyber Work podcast
  Malware analyst careers: Getting hired and building your skills
  
  
• Cisco’s Talos
  Talos Takes Ep. #41: The tl;dr of Snort 3
  
  
• Cyber Security Interviews
  #114 – Chloé Messdaghi: How Can We Do Better
  
  
• Demux
  DVR Examiner – Getting Started
  
  
• Detection: Challenging Paradigms
  Episode 3: Chris Long
  
  
• Detections podcast
  10 Things I Hate About Government Security w/Peter Franklin
  
  
• Didier Stevens
  tshark & Malware Analysis
  
  
• Digital Forensic Survival Podcast
  DFSP # 261 – Wincore Processes Revisited part 2
  
  
• Life has no CTRL ALT DEL with Heather Mahalik
  iOS Location Artifacts Explained
  
  
• Magnet Forensics
  • Methodology for Testing Forensic Hypothesis and Finding Truth
  • Tips & Tricks // Simple AXIOM Features That Improve Case Efficiency
    
    
• Richard Davis at 13Cubed
  The ABCs of WMI – Finding Evil in Plain Sight
  
  
• SANS
  • Threat Intel for Everyone: Writing Like A Journalist To Produce Clear, Concise Reports | CTI Summit
  • The Joy of Threat Landscaping | SANS CTI Summit 2021
  • Part 3: Rekt Casino Hack – Feeble Security Culture Disconnected from Business Objectives
    
    

MALWARE

• 0xthreatintel
  • Internals of AVE_MARIA Malware
  • How to unpack SManager APT tool?
    
    
• Arch Cloud Labs
  Tracking Cryptocurrency Malware In The Homelab – Pt 2
  
  
• Check Point Research
  ApoMacroSploit : Apocalyptical FUD race
  
  
• Cyber_00011011
  Understand Shellcode with CyberChef
  
  
• Tom Fakterman at Cybereason
  Cybereason vs. NetWalker Ransomware
  
  
• Asaf Gilboa at Deep Instinct
  Lsass Memory Dumps are Stealthier than Ever Before – Part 2
  
  
• Karsten Hahn at G Data Security
  New version adds encrypted communication
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #27: Fixing the stack pointer
  
  
• Hansindu Maniyangama at “InfoSec Write-ups”
  Identify Malware Threats: Malware Terminology (Part 1: Viruses and Worms)
  
  
• Intezer
  • ELF Malware Analysis 101: Part 3 – Advanced Analysis
  • New Feature: Get More Context for your Analysis with TTPs
    
    
• John Hammond
  • FREE STUFF? TryHackMe – “The Great Escape”
  • Is THIS a VIRUS? Finding a Remcos RAT – Malware Analysis
    
    
• Kota Kino at JPCERT/CC
  Further Updates in LODEINFO Malware
  
  
• Neil Fox
  Zero2auto review, 0x01 algorithms
  
  
• Tony Lambert at Red Canary
  Clipping Silver Sparrow’s wings: Outing macOS malware before it takes flight
  
  
• SANS Internet Storm Center
  • Video: tshark & Malware Analysis, (Sun, Feb 14th)
  • Securing and Optimizing Networks: Using pfSense Traffic Shaper Limiters to Combat Bufferbloat, (Mon, Feb 15th)
  • More weirdness on TCP port 26, (Tue, Feb 16th)
  • The new “LinkedInSecureMessage” ?, (Wed, Feb 17th)
  • Malspam pushing Trickbot gtag rob13, (Wed, Feb 17th)
  • Dynamic Data Exchange (DDE) is Back in the Wild?, (Fri, Feb 19th)
  • Quickie: Extracting HTTP URLs With tshark, (Sat, Feb 20th)
    
    
• Soji256
  How to permanently disable Microsoft Defender Antivirus on Windows 10
  
  
• Sophos
  • What to expect when you’ve been hit with Conti ransomware
  • Conti ransomware: Evasive by nature
  • A Conti ransomware attack day-by-day
    
    
• VinCSS
  [RE020] ElephantRAT (Kunming version): our latest discovered RAT of Panda and  the similarities with recently Smanager RAT
  
  
• Gerardo Fernández at VirusTotal
  When you go fighting malware don´t forget your VT plugins
  
  

MISCELLANEOUS

• Jessica Hyde at Magnet Forensics
  Twitter for #DFIR Professionals
  
  
• Brent Sleeper at Agari
  DKIM vs. SPF:  Do I Need Them Both?
  
  
• Amped
  • Announcing Subscriptions and Bundles for all Products
  • Low Frame Rate: If You Don’t See It, It Doesn’t Mean It Didn’t Happen
    
    
• Bryan Ambrose at Data Digitally
  February 19, 1971 – The First Warrant Is Issued to Search a Computer Storage Device
  
  
• Joseph at Computer Forensics Lab
  What the client should expect when engaging a computer forensic expert to investigate a computer hack
  
  
• Danny Child
  Blue Team Labs Online Private Beta Testing
  
  
• Forensic Focus
  • A Comprehensive Walkthrough Of Counter UAV Analysis
  • Introducing MD-VIDEO: How To Review Analyzed Results
  • Live Webinar: The Rise Of At-Desk Review During The COVID Pandemic
    
    
• iNPUT-ACE
  Is Cell Phone Video Admissible in Court?
  
  
• Richard Bejtlich at TaoSecurity
  Digital Offense Capabilities Are Currently Net Negative for the Security Ecosystem
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — February 14 to February 20
  
  
• SANS
  Instructor Spotlight: My-Ngoc Nguyen
  
  
• Harry Taheem at StealthBay
  Review of SANS FOR 508 & Winning the CTF Coin
  
  
• Jérôme Leonard at TheHive Project
  Compatibility issues with Elasticsearch update
  
  

SOFTWARE UPDATES

• Belkasoft
  Belkasoft X v. 1.3: A Super-Release Featuring Android and iOS Acquisition
  
  
• Cutaway Security
  Install ICS Tools – Linux
  
  
• CyberChef
  v9.27.3
  
  
• Elcomsoft
  Elcomsoft iOS Forensic Toolkit 6.71: extended Recovery mode support and plenty of bugfixes
  
  
• Eric Zimmerman
  ChangeLog
  
  
• Event Log Explorer
  Event Log Explorer 5 beta 2
  
  
• ExifTool
  ExifTool 12.19
  
  
• Metaspike
  Forensic Email Collector (FEC) Changelog
  
  
• MISP
  MISP 2.4.139 released (Quality of life and bugfix release)
  
  
• Open Source DFIR
  Plaso 20210213 released
  
  
• OSForensics
  V8.0 build 1007 17th February 2021
  
  
• X-ways
  • X-Ways Forensics 20.1 SR-6
  • X-Ways Forensics 20.2 Beta 1
    
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!