As always, thanks to those who give a little back for their support!

---

Voting for the annual Forensic 4cast Awards has opened! Thank you Lee for your tireless efforts yet again. Congratulations to everyone that was nominated for an award, and thank you everyone for nominating this website as one of the “Resource of the Year” finalists, against very worthy competition.

Of course, I’d be happy to take home another win, but it’s great to get the feedback that people are still finding this project useful.
2021 Forensic 4:cast Awards – Voting is now OPEN

FORENSIC ANALYSIS

• Mike Williamson
  Taking a gander at iOS apps on an M1 Mac
  
  
• Cellebrite
  How to Collect Device Data when a Mobile Device Management Solution is Present
  
  
• Chris Vance at ‘D20 Forensics’
  iOS / macOS – Tracking Downloads from Safari Without Downloads
  
  
• Alexandros Vasilaras, Evangelos Dragonas, and Dimitrios Katsoulis
  USB Forensics – Recover more Volume Serial Numbers (VSNs) with the Windows 10 Partition/Diagnostic Event Log
  
  
• Rodrigo Sagastegui at DME Forensics
  Finding the Best Recovery Workflow in DVR Examiner 3
  
  
• Vladimir Katalov at Elcomsoft
  Hey Dude, Where Is My iCloud Data?
  
  
• Forensafe
  • Investigating Windows Cortana
  • Investigating Thumbs.db
  • Investigating Box
  • ArtiFast Lite
  • Investigating Box Sync
    
    
• Kevin Pagano at Stark 4N6
  • Magnet Virtual Summit 2021 CTF – Chromebook
  • Magnet Virtual Summit 2021 CTF – Hunt!
  • Magnet Virtual Summit 2021 CTF – iPhone
  • Magnet Virtual Summit 2021 CTF – Mac
  • Magnet Virtual Summit 2021 CTF – Google Takeout
    
    
• Oxygen Forensics
  Capture RAM using Oxygen Forensic® KeyScout
  
  
• Michael Savitz at Palo Alto Networks
  What Can You Learn From a “Wiped” Computer with Digital Forensics?
  
  
• Rory Wagner
  Cipher
  
  
• Talal Salman
  command line and windows forensics. (doc)
  
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  The Difference Between Watching Alerts and Threat Hunting
  
  
• Adam at Hexacorn
  • Excellent Conversions (and downloads)
  • A story about Procmon (no, not that one – its misbehaving client)
    
    
• Anomali
  • Anomali Cyber Watch: Bizzaro Trojan Expands to Europe, Fake Call Centers Help Spread BazarLoader Malware, Toshiba Business Reportedly Hit by DarkSide Ransomware and More
  • Threat Intelligence Platforms Help Organizations Overcome Key Security Hurdles
    
    
• Anton Chuvakin
  A SOC Tried To Detect Threats in the Cloud … Your Won’t Believe What Happened Next
  
  
• Joaquin Manuel Rinaudo and Vesselin Tzvetkov at AWS Security
  How to import AWS IoT Device Defender audit findings into Security Hub
  
  
• Ben Martin at Sucuri
  WooCommerce Credit Card Swiper Hides in Plain Sight
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2021-05-24 – TA551 (Shathak) Word docs push IcedID (Bokbot)
  • 2021-05-24 – Quick post: Hancitor infection with Ficker Stealer and Cobalt Strike
    
    
• Check Point Research
  • 24th May – Threat Intelligence Report
  • Melting Ice – Tracking IcedID Servers with a few simple steps
  • Uyghurs, a Turkic ethnic minority in China, targeted via fake foundations
  • Check Point Research: Asia Pacific experiencing a 168% year on year increase in cyberattacks in May 2021
    
    
• Cisco’s Talos
  • Elizabethan England has nothing on modern-day Russia
  • Threat Roundup for May 21 to May 28
    
    
• ClearSky Cyber Security
  Attributing CryptoCore Attacks Against Crypto Exchanges to LAZARUS (North Korea)
  
  
• Ben Reardon at Corelight
  Detecting CVE-2021-31166 – HTTP vulnerability
  
  
• CrowdStrike
  • Falcon Complete Disrupts Malvertising Campaign Targeting AnyDesk
  • DarkSide Pipeline Attack Shakes Up the Ransomware-as-a-Service Landscape
    
    
• Cybereason
  • Record Setting $40M Ransom Paid to Attackers
  • Ransomware Trends: Six Notable Ransomware Attacks from 2021
    
    
• Cyberint
  New SMS Phishing Campaigns Target Retail Customers
  
  
• Kent Backman at Dragos
  Lessons Learned from Telemetry Analysis of DarkSide Affiliate Exfiltration Operations
  
  
• DS4N6
  • [BLOG]  Getting Started With DAISY, by  David Contreras
  • [BLOG]  Threat Hunting with AI – Part 3 – T1053.005 / Scheduled Tasks In-Depth, by  Jess Garcia
  • [BLOG]  Threat Hunting with AI – Part 4 – T1053.005 / Scheduled Tasks Anomaly Detection with an Autoencoder, by  Jess Garcia
    
    
• Eclypsium
  May Firmware Threat Report
  
  
• Anthony Randazzo at Expel
  Cloud attack trends: What you need to know and how to stay resilient
  
  
• Farsight Security
  New COF2MISP import module for MISP enables Threat Hunters to improve Cybersecurity Investigations
  
  
• Fire Eye Threat Research
  • Crimes of Opportunity: Increasing Frequency of Low Sophistication
    Operational Technology Compromises
  • Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse
    Secure VPN Devices
    
    
• Flashpoint
  Investigating Hydra: Where Cryptocurrency Roads All Lead to Russia and Go Dark
  
  
• Matthew Brennan at Huntress
  Cobalt Strikes Again: An Analysis of Obfuscated Malware
  
  
• Avigayil Mechtinger at Intezer
  Wrapping Up a Year of Infamous Bazar Campaigns
  
  
• Jorge Orchilles at Scythe
  • SCYTHE Presents: Introducing the Purple Team Maturity Model
  • SCYTHE Presents: Threat Thursday – Conti Ransomware
    
    
• Yuma Masubuchi at JPCERT/CC
  Attacks Embedding XMRig  on Compromised Servers
  
  
• LIFARS Cybersecurity
  Lemon Duck Hacking Group Adopts Microsoft Exchange Server Vulnerabilities in New Attacks
  
  
• Amr Thabet at MalTrak
  COM Objects P.1: The Hidden Backdoor in Your System
  
  
• Malwarebytes Labs
  • Falsifying and weaponizing certified PDFs
  • Threat spotlight: Conti, the ransomware used in the HSE healthcare attack
  • SolarWinds attackers launch new campaign
    
    
• Matthew Warner at Blumira
  Verizon’s DBIR 2021 Highlights Threat Detection and Response
  
  
• Menasec
  Hunting for Suspicious Usage of Background Intelligent Transfer Service (BITS)
  
  
• Microsoft Security
  • New sophisticated email-based attack from NOBELIUM
  • Breaking down NOBELIUM’s latest early-stage toolset
    
    
• Matthew Delman at Morphisec
  Security News in Review: SolarWinds Threat Group Launches New Phishing Campaign
  
  
• Nasreddine Bencherchali
  • Understanding & Detecting C2 Frameworks — Ares
  • Understanding & Detecting C2 Frameworks — TrevorC2
    
    
• Aaron Greetham at NCC Group Research
  Detecting Rclone – An Effective Tool for Exfiltration
  
  
• Carol Hildebrand at Netscout
  Triple-Extortion Tactics on the Rise for Ransomware Gangs
  
  
• Ray Canzanese at Netskope
  Cloud and Threat Report: Gone Phishing
  
  
• Patrick Wardle at ‘Objective-See’
  All Your Macs Are Belong To Us
  
  
• Penetration Testing Lab
  Dumping RDP Credentials
  
  
• PhishLabs
  Q1 2021 Threat Trends & Intelligence Report
  
  
• Selena Larson And Matthew Mesa at Proofpoint
  BazaFlix: BazaLoader Fakes Movie Streaming Service
  
  
• Aaron Wells at Rapid7
  Kill chains: Part 1→Strategic and operational value
  
  
• Recorded Future
  • Who is DarkSide—The Group Behind the Colonial Pipeline Breach?
  • Disrupting Adversary Behavior with Recorded Future and MITRE ATT&CK
    
    
• RiskIQ
  MobileInter: A Popular Magecart Skimmer Redesigned For Your Phone
  
  
• V3ded
  Abusing LNK “Features” for Initial Access and Persistence
  
  
• SANS Internet Storm Center
  • Uncovering Shenanigans in an IP Address Block via Hurricane Electric’s BGP Toolkit, (Tue, May 25th)
  • All your Base are…nearly equal when it comes to AV evasion, but 64-bit executables are not, (Thu, May 27th)
  • Malicious PowerShell Hosted on script.google.com, (Fri, May 28th)
  • Spear-phishing Email Targeting Outlook Mail Clients , (Sat, May 29th)
    
    
• Secureworks
  USAID-Themed Phishing Campaign Leverages U.S. Elections Lure
  
  
• Brett Hawkins at Security Intelligence
  Applying the Invisibility Cloak: Obfuscate C# Tools to Evade Signature-Based Detection
  
  
• Amitai Ben Shushan Ehrlich at SentinelLabs
  From Wiper to Ransomware | The Evolution of Agrius
  
  
• Phil Stokes at SentinelOne
  When Apple Admits macOS Malware Is A Problem – It’s Time To Take Notice
  
  
• Askar at Shells.Systems
  Unveiling DNSStager: A tool to hide your payload in DNS
  
  
• Peter Mackenzie at Sophos
  What to expect when you’ve been hit with Avaddon ransomware
  
  
• Andrew Brandt at Sophos
  A new ransomware enters the fray: Epsilon Red
  
  
• SpecterOps
  • The Attack Path Management Manifesto
  • Saving Your Access
    
    
• Trend Micro
  • TeamTNT Targets Kubernetes, Nearly 50,000 IPs Compromised in Worm-like Attack
  • DarkSide on Linux: Virtual Machines Targeted
    
    
• Damien Cash, Josh Grunzweig, Matthew Meltzer, Sean Koessel, Steven Adair, and Thomas Lancaster at Volexity
  Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
  
  

UPCOMING EVENTS

• Cellebrite
  • Remote Data Collections by Cellebrite
  • Learn about the Latest Updates for Cellebrite Digital Intelligence Solutions
    
    
• Jason Blanchard at Black Hills Information Security
  The Most Meta-Presentation on Presenting, Using Science and Stuff w/ Jason Blanchard (1-Hour)
  
  
• John Hubbard at SecHubb
  SANS Blue Team Summit 2021 – Free Cyber Security Conference!
  
  

PRESENTATIONS/PODCASTS

• Cache Up with Jessica Hyde
  Magnet Forensics Presents: Cache Up – Ep.52 – Adam Belsher
  
  
• AhmedS Kasmani
  Analysis of ICEID Malware Installer DLL
  
  
• Archan Choudhury at BlackPerl
  INCIDENT RESPONSE TRAINING FREE || My SOC Secret || Day 6
  
  
• Black Hat
  The Evolution of Ransomeware
  
  
• Black Hills Information Security
  • BHIS | Talkin’ Bout News 2021-05-24
  • Is This Thing On?
  • BHIS | Getting Started in Pentesting The Cloud: Azure | Beau Bullock (1-Hour)
  • Backdoors & Breaches LIVE – 5/19/2021
    
    
• Breaking Badness podcast
  87. A Sad State of Ransomware
  
  
• Bret Witt
  • SOC142 EventID: 89 (Multiple HTTP 500 Response) [April 18, 2021, 1 p.m.]
  • SOC116 EventID: 49 (DNS Hijacking Detected) [Feb. 6, 2021, 12:42 p.m.]
    
    
• Cellebrite
  • Ask the Expert: How CBFL Solidify the Partnership with Cellebrite Premium Users by Dan Embury
  • Simplify Your Fleet Management with Cellebrite Commander
  • How To Input your CDRs into an Existing Template – CDR Template Editor Series, Part 1
  • Tapping into the Mind of a Digital Investigator
    
    
• Cisco’s Talos
  Talos Takes Ep. #55: How Transparent Tribe could evolve in the future
  
  
• Cyber Secrets
  • CSI Linux 2021 2 Beta Update V2 (5/23/2021)
  • CSI Linux 2021.2 – Start a Case and Case Management Update
    
    
• Cyberspatial
  How To Pass a Cyber Security Cert in 5 DAYS (No books…)
  
  
• Day Cyberwox
  • Cybersecurity Homelab: Configuring Pfsense [Firewall & Network Segmentation]
  • Cybersecurity Homelab: Configuring Security Onion [Security Monitoring, Log Management & IDS]
  • Cybersecurity Homelab: Configuring Kali Linux
  • Cybersecurity Homelab: Introduction [Topology & Project Scope]
    
    
• Detection: Challenging Paradigms
  Episode 9: Andy Robbins
  
  
• Digital Forensic Survival Podcast
  • DFSP # 274 – Powershell Revisited
  • DFSP # 275 – dotNET
    
    
• Gerald Auger at Simply Cyber
  What Happens When you Run Atomic Red Team on an EDR Protected Server?
  
  
• Hurricane Labs
  SOC Talk: IoT and Security
  
  
• John Hubbard
  • AJ Yawn: Cloud, Compliance and Automating Security
  • How the Encrypted Client Hello TLS Extension (ECH) Works (and How it Impacts Security Operations)
    
    
• Magnet Forensics
  Magnet Virtual Summit recordings
  
  
• Magnet Forensics
  Pulling Unified Audit Logs from Office 365 Environments Using Magnet AXIOM Cyber
  
  
• Neil Fox
  #13 Getting Started With Using Ghidra
  
  
• Paraben Corporation
  • Smartphone Data Triage Acquisition
  • Windows Registry Review with E3
  • Paraben Supporting Universities
    
    
• Richard Davis at 13Cubed
  Introduction to MFTECmd – NTFS MFT and Journal Forensics
  
  
• SANS Institute
  • Cloud Security Begins with the Shared Responsibility Model – SANS New to Cyber Summit
  • Healthcare Lightning Summit – SANS Institute
    
    

MALWARE

• 360 Netlab
  Analysis report of the Facefish rootkit
  
  
• Alex “Jay” Bălan at Bitdefender Labs
  A Note from the Bitdefender Labs Team on Ransomware and Decryptors
  
  
• Chuong Dong
  MountLocker Ransomware
  
  
• CISA
  MAR 10339794-1.v1 – Cobalt Strike Beacon
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #41: Binary file loader
  
  
• Saket Upadhyay at InfoSec Write-ups
  5 Step Pre-built Malware Analysis Lab
  
  
• Dmitry Melikov at InQuest
  PSChain
  
  
• John Hammond
  Phishing Document “Invitation” – HackTheBox Cyber Apocalypse CTF
  
  
• Mahmoud Morsy
  • IOCs 23_5_2021
  • Phishing Attacks 24_5_2021
  • Phishing Attacks 25_5_2021
  • Phishing Attacks 26_5_2021
  • Phishing Attacks 27_5_2021
    
    
• Joshua Dunn at Open Threat Research
  Malware Analysis Series – Part 2, How to Isolate our Homelab with Network Segmentation
  
  
• Ajaya Neupane and Stefan Achleitner at Palo Alto Networks
  Using AI to Detect Malicious C2 Traffic
  
  
• Fedor Sinitsyn and Yanis Zinchenko at Securelist
  Evolution of JSWorm ransomware
  
  
• VinCSS
  [RE022] Part 1: Quick analysis of malicious sample forging the official dispatch of the Central Inspection Committee
  
  
• Shivang Desai at ZScaler
  Zscaler Protections Against Flubot Banking Malware
  
  

MISCELLANEOUS

• Holli Hagene at AccessData
  What Is Ransomware?
  
  
• Marco Fontani at Amped
  How Can I Play an Unplayable Video From a CCTV Surveillance System?
  
  
• Yulia Samoteykina at Atola
  Multi-launch of hashing, wiping and diagnostics in TaskForce
  
  
• Craig Ball at ‘Ball in your Court’
  Ten Tips for Better ESI Expert Reports
  
  
• Tim Helming at DomainTools
  Indicators Over Cocktails: Exporting Indicators from Iris
  
  
• Doug Metz at Baker Street Forensics
  Adding SIFT and REMnux to your Windows Forensics environment
  
  
• Vladimir Katalov at Elcomsoft
  The Inception of Elcomsoft Phone Breaker
  
  
• Forensic Focus
  • Amped FIVE Now With Variable Motion Deblurring, Freeze Frame And Keyframe Tracking
  • Research Roundup: Micro Analysis To Macro Implications In Digital Forensics
  • Digital Forensics Challenge 2021 (DFC 2021)
  • Reducing Digital Investigation Cost With DRONE
    
    
• Rishi Dhamija at InfoSec Write-ups
  Getting Started With WireShark Part-1|Begginers Tutorial for wireShark|Protocol Analysis Using…
  
  
• LIFARS Cybersecurity
  Threat Hunting vs Digital Forensics – What Are They? Do You Need Both?
  
  
• Marina Hirschberger at NVISO Labs
  Going beyond traditional metrics: 3 key strategies to measuring your SOC performance
  
  
• Eric Kuehn at Professionally Evil Insights
  The Best Way to Capture Traffic in 2021
  
  
• SANS
  • Why security certifications are crucial
  • Managing Human Risk: Start with the Risks
  • Ethical Phishing –The Slippery Slope With Employee Deception
  • What certification do I need?
    
    
• SANS ICS
  Check out @SANSICS’s Tweet
  
  
• Sarah Banks at Corelight
  World’s first 100G Zeek sensor
  
  
• Pieces0310
  Checkra1n on Linux – Pieces0310
  
  

SOFTWARE UPDATES

• ACELab
  A new software version of the PC-3000 Ver. 6.9.9, Data Extractor / Data Extractor RAID Edition Ver. 5.12.5, PC-3000 SSD Ver. 2.10.2 has been released
  
  
• McAfee Advanced Threat Research
  DarkSide-Config-Extract
  
  
• Apache Tika
  Release 2.0.0-BETA
  
  
• Belkasoft
  What’s new in Belkasoft X v.1.7
  
  
• Cellebrite
  Now Available: Cellebrite UFED and Cellebrite Responder 7.45
  
  
• Ciphey
  Clean up colours & make Ciphey more friendly
  
  
• Costas K
  Windows 10 Live Information viewer (x64)
  
  
• Didier Stevens
  Update: base64dump.py Version 0.0.14
  
  
• Digital Detective
  • What’s New in HstEx® v5
  • What’s New in NetAnalysis® v3
    
    
• Eric Zimmerman
  ChangeLog
  
  
• Erik Hjelmvik at Netresec
  CapLoader 1.9 Released
  
  
• Fernando Tomlinson
  Invoke-SRUMDump
  
  
• Foxton Forensics
  Browser History Examiner — Version History
  
  
• IntelOwl
  maintenance and stability release
  
  
• JPCERT
  LogonTracer v1.5.4
  
  
• Metaspike
  Remote Authenticator v1.2.0 for macOS
  
  
• MSAB
  New Release: XRY 9.4.3 with Added Security Bypass Support for Samsung
  
  
• Tiander Turpijn at Azure Sentinel
  Azure Sentinel PowerShell Module Az.SecurityInsights has been released to GA!
  
  
• Ulf Frisk
  MemProcFS Version 4.0
  
  
• Xways
  X-Ways Forensics 20.3 Beta 1
  
  
• YARA
  v4.1.1
  
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!