As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  Media files forensics with Belkasoft X
  
  
• Heather Mahalik at Cellebrite
  • Part 1: Walk-Through of Answers to the 2021 CTF – Investigating Heisenberg’s Android Device
  • Part 2: Walk-Through of Answers to the 2021 CTF – Marsha’s PC
    
    
• Dan Maunz at Cisco
  New Nexus Forensic Guide
  
  
• Dr. Brian Carrier at Cyber Triage
  Cyber Triage on Azure: DFIR in the Cloud
  
  
• Digital Forensics Myanmar
  • Forensics Disk Decrypt
  • eCDFP (Data Acquisition) (Part-2)
  • AFP-Fast Check , Ocelli Project (Google Map, Satellite Image)
  • Twitter Bots and Facebook Page
  • eCDFP (Data Acquisition) (Part-3)
  • Social Media Verification
  • eCDFP (Data Acquisition) (Part-3) (Finished)
    
    
• Dr. Neal Krawetz at ‘The Hacker Factor Blog’
  Beyond the Skyline
  
  
• Elcomsoft
  • Protecting Linux and NAS Devices: LUKS, eCryptFS and Native ZFS Encryption Compared
  • Digital Triage Forensics: Write-Blocking, Verifiable Disk Imaging
  • The Five Ways to Recover iPhone Deleted Data
  • Apple Watch Forensics: More on Adapters
    
    
• Erik Hjelmvik at Netresec
  Open .ETL Files with NetworkMiner and CapLoader
  
  
• Robert Graham at Errata Security
  Debunking: that Jones Alfa-Trump report
  
  
• Forensafe
  • Investigating WinRAR
  • Investigating System Information
    
    
• Ian Whiffin at DoubleBlak
  Message Reactions
  
  
• Nicole Fishbein at Intezer
  Conducting Digital Forensics Incident Response (DFIR) on an Infected GitLab Server
  
  
• Karlo Licudine at AccidentalRebel
  • Cyber Corp Case 2 Writeup – Part 1
  • Cyber Corp Case 2 Writeup – Part 2
  • Cyber Corp Case 2 Writeup – Part 3
    
    
• Magnet Forensics
  Anatomy of a Workplace Harassment Investigation
  
  
• Alexander Jäger at Open Source DFIR
  Use EVTX files on VirusTotal with Timesketch and Sigma (Part1)
  
  
• Oxygen Forensics
  Extraction of locked LG devices in Oxygen Forensic® Detective
  
  
• Security Onion
  • Quick Malware Analysis: SquirrelWaffle, Qakbot, and CobaltStrike pcap from 2021-10-04
  • Quick Malware Analysis: SystemBC and CobaltStrike pcap from 2021-02-01
  • Quick Malware Analysis: Pascholotto Email and Malware pcap from 2021-02-19
  • Quick Malware Analysis: October 2021 Forensic Challenge – Part 1 of 3
  • Quick Malware Analysis: October 2021 Forensic Challenge – Part 3 of 3
  • Quick Malware Analysis: October 2021 Forensic Challenge – Part 2 of 3
    
    
• The DFIR Report
  From Zero to Domain Admin
  
  
• ZecOps
  How iOS Malware Can Spy on Users Silently
  

THREAT INTELLIGENCE/HUNTING

• Anomali
  Anomali Cyber Watch: Russian Intelligence Targets IT Providers, Malspam Abuses Squid Games, Another npm Library Compromise, and More
  
  
• Blackberry
  • Threat Thursday: Karma Ransomware
  • Hunter Becomes Hunted: Zebra2104 Hides a Herd of Malware
    
    
• CERT-FR
  Rapport Menaces Et Incidents Du Cert-fr
  
  
• Check Point Research
  • 1st November – Threat Intelligence Report
  • Mekotio Banker Returns with Improved Stealth and Ancient Encryption
  • CPR alerts crypto wallet users of massive search engine phishing campaign that has resulted in at least half a million dollars being stolen
    
    
• Cisco’s Talos
  • Microsoft Exchange vulnerabilities exploited once again for ransomware, this time with Babuk
  • Threat Roundup for October 29 to November 5
    
    
• Eric Loui and Josh Reynolds at CrowdStrike
  CARBON SPIDER Embraces Big Game Hunting, Part 2
  
  
• Curated Intelligence
  Tracking the planet with Pulsedive
  
  
• Cybereason
  What Are the Most Common Attack Vectors for Ransomware?
  
  
• William Thomas at Cyjax
  Cyjax research sees TeamTNT added to Mitre ATT&CK framework
  
  
• Oakley Cox at Darktrace
  Living off the Land: How hackers blend into your environment
  
  
• EclecticIQ
  Ransomware 3 – Countering the Ransomware Threat When There Is No Silver Bullet
  
  
• Emanuele De Lucia
  The BigBoss Rules: Something about one of the Uroburos’ RPC-based backdoors
  
  
• Flashpoint
  • From Ransomware to DDoS: Guide to Cyber Threat Actors—How, Why, and Who They Choose to Attack
  • BlackMatter Ransomware Announces Its End, Leaving the Question of When—Not if—Its Operators Will Resurface
    
    
• Andrey Zhdanov at Group-IB
  The Darker Things
  
  
• Jack Crook at ‘DFIR and Threat Hunting’
  Measuring User Behavior
  
  
• Malwarebytes Labs
  • Lessons from a real-life ransomware attack
  • This Steam phish baits you with free Discord Nitro
  • BlackMatter ransomware group announces shutdown. But for how long?
  • Wanted! US offers $10m bounty for ransomware kingpins
    
    
• Marcus Edmonson at ‘Data Analytics & Security’
  Detecting mshta in a Home Lab
  
  
• Microsoft 365 Security
  Revisiting Constrained Delegation
  
  
• Frank Duff at MITRE-Engenuity
  Introducing ATT&CK Evaluations Trials: First Up, Deception
  
  
• Nathali Cano at Scythe
  SCYTHE Presents: Simplifying the MITRE ATT&CK Framework
  
  
• Didier Stevens at NVISO Labs
  Cobalt Strike: Using Process Memory To Decrypt Traffic – Part 3
  
  
• Pete Cowman at Hatching
  MacOS, TA505 and Other Family Detections
  
  
• Selena Larson, Sam Scholten and Timothy Kromphardt at Proofpoint
  Caught Beneath the Landline: A 411 on Telephone Oriented Attack Delivery
  
  
• Red Siege Information Security
  Attacking SAML implementations
  
  
• RiskIQ
  The Vagabon Kit Highlights ‘Frankenstein’ Trend in Phishing
  
  
• Dean Parsons at SANS
  ICS Threat Hunting: “They’re Shootin’ at the Lights!” – PART 2
  
  
• SANS Internet Storm Center
  • Sysinternals: Autoruns and Sysmon updates, (Sun, Oct 31st)
  • Video: Phishing ZIP With Malformed Filename, (Sun, Oct 31st)
  • Revisiting BrakTooth: Two Months Later, (Mon, Nov 1st)
  • October 2021 Forensic Contest: Answers and Analysis, (Thu, Nov 4th)
  • Xmount for Disk Images, (Thu, Nov 4th)
  • Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sat, Nov 6th)
  • Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory, (Sun, Nov 7th)
    
    
• Javier Bachiller at Security Art Work
  Purple Team ¿Pero esto que és? (Parte II). Threat Intelligence
  
  
• Security Investigation
  • Windows Management Instrumentation Attacks – Detection & Response
  • Most Common Windows Event IDs to Hunt – Mind Map
  • Finding the Evil in TLS 1.2 Traffic – Detecting Malware on Encrypted Traffic
    
    
• Scott J Roberts
  Getting Started with Synapse
  
  
• Nick Tausek at Swimlane
  Building Best-of-Both-Worlds Automation and Threat Intel With Swimlane and VirusTotal – Part One
  
  
• Symantec Enterprise
  BlackMatter: New Data Exfiltration Tool Used in Attacks
  
  
• Team Cymru
  Webinject Panel Administration: A Vantage Point into Multiple Threat Actor Campaigns
  
  
• Erin Sindelar at Trend Micro
  Ransomware Negotiation Scenarios: What to Expect
  
  
• Vicente Díaz at VirusTotal
  Automate and Augment Case Management, Threat Intelligence and Enrichment
  
  
• Zolder B.V.
  Detecting MFASweep using Azure Sentinel
  

UPCOMING EVENTS

• Lior Div and Sam Curry at Cybereason
  Webinar November 18th: Anatomy of a Ransomware Attack
  
  
• Dave Gruber, Doug Cahill, and James Campbell at Cado Security
  Traditional DFIR Methods = Not Fit For Cloud
  
  
• Elan at DFIR Diva
  DFIR Related Events for Beginners – November, 2021
  
  
• Magnet Forensics
  Rapid Triage for Mac with Magnet OUTRIDER
  
  
• Securizame
  Noticias Securízame – Eventos Y Formación De Noviembre 2021
  

PRESENTATIONS/PODCASTS

• Archan Choudhury at BlackPerl
  Windows Forensics Analysis, Memory Forensics- Part1, Diwali GiveAway
  
  
• Belkasoft
  Dealing with encryption—10th episode of BelkaTalk on DFIR
  
  
• Black Hills Information Security
  • BHIS – Talkin’ Bout [infosec] News 2021-11-01
  • BHIS | How to Share Your Knowledge with Others – Jason Blanchard
  • Webcast: How to Share Your Knowledge with Others
    
    
• Breaking Badness
  101. Ransomware and Malware and Justice, Oh My!
  
  
• Cellebrite
  • How to Leverage the Timeline Graph View in Cellebrite Physical Analyzer
  • Walkthrough of Parsing Cryptocurrency Applications in Cellebrite Physical Analyzer
  • Pain Points When Parsing Apps from iOS and Android Devices
    
    
• Cloud Security Podcast by Google
  EP41 Beyond Phishing: Email Security Isn’t Solved
  
  
• Joshua I. James at DFIRScience
  • Is this the fastest way to analyze Android?
  • WIN $100 – November DFIRDev Competition: How to submit an entry – fork and commit to GitHub
    
    
• Didier Stevens
  • Phishing ZIP With Malformed Filename
  • Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
    
    
• Digital Forensic Survival Podcast
  DFSP # 298 – Mac Forensics with SUMURI
  
  
• Dump-Guy Trickster
  Introduction to Invoke-DetectItEasy PowerShell Module
  
  
• Hasherezade
  HollowsHunter detecting ShellcodeFluctuation PoC
  
  
• InfoSec_Bret
  Intel 101 – Part 03 – FINAL
  
  
• Justin Tolman at AccessData
  FTK Feature Focus – Episode 28 – Mac Artifacts in System Summary
  
  
• Magnet Forensics
  • Putting Your DFIR Lab in the Cloud: Lessons Learned
  • Tips & Tricks // Analyzing Vehicle Data with Berla iVe
  • Investigate Malware & Ransomware with Speed and Efficiency
  • Tips & Tricks // Remote Agents and the Agent Status Dashboard
    
    
• Nuix
  2021 Nuix APAC Partner Awards
  
  
• Paraben Corporation
  • Using DP2C for Data Collection and Data Triage
  • Installation DP2C to Drive
  • Using P2Xplorer Pro Image Mounting
    
    
• Ryan Tick
  Automated triage collection at scale in AWS
  
  
• SANS
  • AC3 Threat Sightings: El Poder de la Observación
  • Hunting backdoors in Active Directory Environment
  • Compose Your Hunts With Reusable Knowledge and Share Your Huntbook With the Community
  • Hunting and Scoping A Ransomware Attack
  • Full Scholarship Cybersecurity Training With SANS
  • The 14 Absolute Truths of Security
  • Vulnerabilities and reports and metrics, oh my!
  • CISSP Cram Session
  • Cleaning Up Our Cyber Hygiene
    
    
• Security Onion
  Security Onion on Security Weekly Episode 717
  
  
• Virus Bulletin
  VB2021 localhost videos available on YouTube
  
  
• Watson Infosec
  ElasticXDR 7.15.1 Overview
  
  
• Zeek in Action
  • Zeek in Action, Video 7, Capture Loss Statistics
  • Zeek In Action, Video 8, Installing Zeek From Scratch
    

MALWARE

• 0xdf hacks stuff
  • Flare-On 2021: known
  • Flare-On 2021: PetTheKitty
    
    
• Martin Chlumecký at Avast Threat Labs
  DirtyMoe: Deployment
  
  
• Harsh Patel and Zachary Bailey at Cofense
  Spooky Ransomware Steals Past SEGs in Under 15 Minutes
  
  
• Cyber Geeks
  A detailed analysis of the STOP/Djvu Ransomware
  
  
• Shaul Vilkomir-Preisman at Deep Instinct
  Understanding the Windows JavaScript Threat Landscape
  
  
• Xiaopeng Zhang at Fortinet
  Deep Dive into a Fresh Variant of Snake Keylogger Malware
  
  
• Igor Skochinsky at Hex Rays
  Igor’s tip of the week #63: IDA installer command-line options
  
  
• Dmitry Melikov at InQuest
  Adults Only Malware Lures
  
  
• Johannes Bader
  Analysing TA551/Shathak Malspam With Binary Refinery
  
  
• LockBoxx
  Notes on Keyloggers
  
  
• Mahmoud Morsy
  • IOCs 1_11_2021
  • Phishing Attacks 1_11_2021
  • Phishing Attacks 6_11_2021
    
    
• Malwarebytes Labs
  • Credit card skimmer evades Virtual Machines
  • Trojan Source: Hiding malicious code in plain sight
    
    
• Marco Ramilli
  CONTI Ransomware: Cheat Sheet
  
  
• Marcus Edmonson at ‘Data Analytics & Security’
  To Catch a Hacker in My Home Lab – Atreides
  
  
• mr.d0x
  Malapi
  
  
• Red Alert
  Threat Actor targeted attack against Finance and Investment industry
  
  
• Aaron Gdanski and Limor Kessem at Security Intelligence
  From Thanos to Prometheus: When Ransomware Encryption Goes Wrong
  
  
• Pedro Tavares at Segurança Informática
  Troystealer malware analysis
  
  
• Dennis Schwarz at ZScaler
  Spike in DanaBot Malware Activity
  

MISCELLANEOUS

• Marco Fontani at Amped
  Summing Up: How Do I Convert, Play, Enhance, Annotate, and Export Video Evidence With a Single Tool?
  
  
• Amina Zilic at Binalyze
  The Tenth Step to Forensic Readiness: Legal review
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 11/6/21
  
  
• Cellebrite
  India’s DFIR Community Turns To Digital Intelligence Technology To Solve Their Toughest Cases
  
  
• Paul Lee, Yuri Kramarz and Martin Lee at Cisco’s Talos
  The features all Incident Response Plans need to have
  
  
• Joshua I. James at DFIRScience
  What job opportunities does digital forensics give me?
  
  
• Michael Karsyan at Event Log Explorer blog
  Setting up Windows to read events from remote computers over a local network.
  
  
• Faith Opiyo at CyberSecFaith
  Building my Home Lab part 4: deploying the domain controller and endpoints
  
  
• Forensic Focus
  • Todd Shipley on the Dark Net, and the Importance of Relationship-Building for Investigations
  • PRNU Based Verification of Multi-Camera Smartphones
  • How to Use Variable Motion Deblurring in Amped FIVE
  • Get your dedicated FREE trial of Binalyze AIR up and running in just 2 mins!
  • Work Smarter, Not Harder — Optimize Your System for Faster Forensic Processing
  • Register For Webinar: Launching Binalyze Forensic Investigation Suite
  • Towards Deep Fake Video Detection Using PRNU Based Method
    
    
• Josh Moulin
  Creating a Digital Forensic Capability
  
  
• Anne Campbell at Barracuda
  Don’t pay the ransom: A three-step guide to ransomware protection
  
  
• Kevin Pagano at Stark 4N6
  Forensics StartMe Updates (11/1/2021)
  
  
• Magnet Forensics
  Meet the Magnet Forensics’ Training Team: Sean Boero
  
  
• Amelia Albanese at Palo Alto Networks
  Australia’s Response to the Rise of Ransomware
  
  
• Tami Smith at ‘Pro Digital Forensic Consulting’
  Popular Case Studies in Digital Forensics
  
  
• Brittany Roberts at ADF
  The Ultimate Checklist for Buying a Digital Forensics Tool
  
  
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — October 31 to November 6
  
  
• SANS
  • SEC275 + GFACT Bundle Promotion 2021
  • I Want to Help Prevent Crime From Happening in the First Place’
  • SANS National Capture-the-Flag Tournament’s for the Beneswiss Region
    
    
• Doug Burks at Security Onion
  New Security Onion 2 Training Available: Practical Analysis with Security Onion 2!
  

SOFTWARE UPDATES

• Berla
  iVe Software v3.3.1 Release
  
  
• Brim
  v0.27.0
  
  
• Didier Stevens
  • New Tool: cs-extract-key.py
  • Update: 1768.py Version 0.0.9
    
    
• Elcomsoft
  Elcomsoft System Recovery 8.0 – a forensically sound field analysis tool with write-blocking disk imaging
  
  
• F-Response
  F-Response 8.3.1.8 Released – Updates to Collect, Classic, and Windows 11
  
  
• Mike Cohen at Velocidex
  Velociraptor 0.6.2 Release
  
  
• Alisha Cales at Paraben Corporation
  • Data Triage and Acquisition Tool Free to All
  • Fall into new evidence with E3 Forensic Platform 3.1
    
    
• Regipy
  2.2.2
  
  
• Ahmed Khlief at Shells.Systems
  APT-Hunter V2.0 : More than 200 use cases and new features
  
  
• Velociraptor
  Release 0.6.2
  
  
• Xways
  • X-Ways Forensics 20.3 SR-8
  • X-Ways Forensics 20.4 Beta 4
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!