The voting for the 2022 Forensic 4Cast Awards has been opened. Thank you everyone that nominated this website, please make sure to cast your votes below!
2022 Forensic 4:cast Awards – Voting is now OPEN

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Blackhold
  Volcado de memoria con LiME y análisis con Volatility
  
  
• Blake’s R&D
  A Begginers All Inclusive Guide to ETW
  
  
• Daddycocoaman
  Dumping RSA Certificates with Volatility (Part 2)
  
  
• Derek Eiri
  Using X-Ways Forensics to Review and Report on Internet Browser Activity
  
  
• Digital Forensics Myanmar
  eCDFP Module (5) File System Analysis (Part-7)  (NTFS File System Analysis)
  
  
• Vladimir Katalov at Elcomsoft
  Full File System and Keychain Acquisition: What, When, and How
  
  
• Forensafe
  Windows Network Interfaces
  
  
• Kevin Pagano at Stark 4N6
  Magnet User Summit 2022 CTF – Linux
  
  
• Md. Abdullah Al Mamun
  USB Pen Drive Forensic Investigation
  
  
• Oxygen Forensics
  Support for Virtual Machines in Oxygen Forensic® Detective
  
  
• Scott Koenig at ‘The Forensic Scooter’
  Vehicle and iPhone Speed Comparison
  
  
• SOC Fortress
  Windows Registry Forensic Analysis using Chainsaw, Wazuh Agent and Sigma Rules
  

THREAT INTELLIGENCE/HUNTING

• Bill Stearns at Active Countermeasures
  Packet Loss, or “Why Is My Sniffer Dropping Packets?”
  
  
• Anomali
  Anomali Cyber Watch: API Hammering Confuses Sandboxes, Pirate Panda Wrote in Nim, Magecart Obfuscates Variable Names, and More
  
  
• Shoko Nakai at APNIC
  Investigating DNS abuse in Japan
  
  
• Nathan Vail at AT&T Cybersecurity
  Stories from the SOC – Detecting internal reconnaissance
  
  
• Atomic Matryoshka
  From the User Perspective – Emotet Phish
  
  
• Avertium
  How the Tables Have Turned – Russia vs. Ukraine Part Three
  
  
• BleepingComputer
  • Clever phishing method bypasses MFA using Microsoft WebView2 apps
  • LockBit 3.0 introduces the first ransomware bug bounty program
    
    
• Brad Duncan at Malware Traffic Analysis
  • 2022-06-27 – TA578 IcedID (Bokbot) with DarkVNC and Cobalt Strike
  • 2022-06-27 – obama194 Qakbot with DarkVNC and Cobalt Strike
    
    
• BushidoToken
  Overview of Russian GRU and SVR Cyberespionage Campaigns 1H 2022
  
  
• CERT-AGID
  • Rilevata una nuova tecnica utilizzata dal malware sLoad per eludere i controlli sulle estensioni dei file contenuti negli archivi ZIP inviati via PEC
  • Sintesi riepilogativa delle campagne malevole nella settimana del 25 giugno – 1 luglio 2022
    
    
• Check Point Research
  27th June – Threat Intelligence Report
  
  
• Christophe Tafani-Dereeper
  MitM at the Edge: Abusing Cloudflare Workers
  
  
• Cisco’s Talos
  • De-anonymizing ransomware domains on the dark web
  • Threat Source newsletter (June 30, 2022) — AI voice cloning is somehow more scary than deepfake videos
    
    
• Bernard Brantley at Corelight
  The evidence bank: leveraging security’s most valuable asset
  
  
• CrowdStrike
  • Detecting and Mitigating NTLM Relay Attacks Targeting Microsoft Domain Controllers
  • Falcon OverWatch Elite in Action: Tailored Threat Hunting Services Provide Individualized Care and Support
  • Tales from the Dark Web: How Tracking eCrime’s Underground Economy Improves Defenses
  • How CrowdStrike’s Machine Learning Model Automation Uses the Cloud to Maximize Detection Efficacy
    
    
• Cybereason
  • What are the Legal Implications from a Ransomware Attack?
  • Not All XDR is Created Equal
  • Security Telemetry Evolution: The Year of the In-Memory Graph?
    
    
• Cyble
  • Bahamut Android Malware returns with New Spying Capabilities
  • The Role of Initial Access in the Ecology of Cybercrime
  • Iran’s Steel production impacted by Cyberattack
  • PennyWise Stealer: An Evasive Infostealer leveraging YouTube to infect users
  • Xloader Returns with New Infection Technique
    
    
• Cyfirma
  Keksec and EnemyBot – From Edgy Teenagers To Serious Cybercriminals
  
  
• Dray Agha
  Blue Team Notes
  
  
• Nate Warfield at Eclypsium
  Know Your Enemy and Yourself: A Deep Dive on CISA KEV
  
  
• Myles Satterfield, Brian Bahtiarian and Tucker Moran at Expel
  Detecting Coin Miners with Palo Alto Networks NGFW
  
  
• Flashpoint
  • Skimming, Shimming, and Threat Intel: The Relevance of Physical Fraud in Today’s Threat Landscape 
  • Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia
  • Detection, Isolation, and Negotiation: Improving Your Ransomware Preparedness and Response
    
    
• Shunichi Imano, James Slaughter, and Fred Gutierrez at Fortinet
  Ukraine Targeted by Dark Crystal RAT (DCRat)
  
  
• Shane Huntley at Google Threat Analysis Group
  Countering hack-for-hire groups
  
  
• Group-IB
  • We see you, Gozi
  • Fat Cats
    
    
• Rachel Bishop at Huntress
  All in a Day’s Work: Fighting Log4Shell with Process Insights
  
  
• Joakim Kennedy at Intezer
  YTStealer Malware: “YouTube Cookies! Om Nom Nom Nom”
  
  
• Olesia Klevchuk at Barracuda
  Threat Spotlight: Malicious HTML attachments
  
  
• JPCERT/CC
  • What’s happening in Ukraine on the Internet? – Data from Shodan Trends
  • TSUBAME Report Overflow (Jan-Mar 2022)
    
    
• Kostas
  Threat Hunting Series: What Makes a Good Threat Hunter
  
  
• Karen Sprenger at LMG Security
  Top Takeaways from the 2022 Verizon Data Breach Report & How to Reduce Your Risks
  
  
• Lumen
  ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
  
  
• Malwarebytes Labs
  Ransomware review: June 2022
  
  
• Mandiant
  • Burrowing your way into VPNs, Proxies, and Tunnels
  • Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance
    
    
• Marius Sandbu
  Microsoft Sentinel – Kusto queries for Killnet and geo lookup
  
  
• Michael Koczwara
  Follina CVE-2022–30190) Cobalt Strike C2 -Simple Analysis
  
  
• Microsoft Security
  • Using process creation properties to catch evasion techniques
  • Toll fraud malware: How an Android application can drain your wallet
    
    
• Elli at Misconfig
  • Azure Blob Container Threats & Attack
  • Azure Blob Container for Defenders
    
    
• MITRE-Engenuity
  • ATT&CK® Evaluations: Enterprise — Call for Participation with Turla
  • Google Cloud Platform Capabilities Mapped to MITRE ATT&CK®
    
    
• Michael Gorelik at Morphisec
  Ransomware Defense Insights From SANS
  
  
• Olaf Hartong at Falcon Force
  Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry
  
  
• Pluralsight-SORCERI
  Threat-Hunting-Resources
  
  
• Adam Crosser and Derya Yavuz at Praetorian
  Elevating Privileges with Authentication Coercion Using DFSCoerce
  
  
• Raphael Satter and Christopher Bing at Reuters
  How mercenary hackers sway litigation battles
  
  
• Tom Caiazza at Rapid7
  For Ransomware Double-Extorters, It’s All About the Benjamins — and Data From Healthcare and Pharma
  
  
• Red Alert
  Monthly Threat Actor Group Intelligence Report, May 2022 (KOR)
  
  
• Mitch Fentz at Rhino Security Labs
  CloudGoat detection_evasion Scenario:   Avoiding AWS Security Detection and Response
  
  
• S2W Lab
  • Evolution of LockBit to 3.0
  • Two Copycats of LockBit Ransomware: SolidBit and CryptOn
    
    
• SANS Internet Storm Center
  • My Paste Command, (Sun, Jun 26th)
  • More Decoding Analysis, (Sun, Jun 26th)
  • Encrypted Client Hello: Anybody Using it Yet?, (Mon, Jun 27th)
  • Possible Scans for HiByMusic Devices, (Tue, Jun 28th)
  • Case Study: Cobalt Strike Server Lives on After Its Domain Is Suspended, (Thu, Jun 30th)
  • It’s New Phone Day!  Time to migrate your MFA!, (Wed, Jun 29th)
  • YARA 4.2.2 Released, (Sat, Jul 2nd)
    
    
• Kristen Cotten, Christopher Peacock, and Jake Williams at Scythe
  SCYTHE Presents: Windows Telemetry Persistence
  
  
• Security Investigation
  • LockBit Ransomware Disturbed via Copyright Infringement Emails
  • Agent Tesla Spyware new TTPS – Detection & Response
  • SocGholish Malware on The Rise – Detection & Response
  • Bumblebee malware loader is now active in the wild – Detection & Response
  • Cutwail Malware Returns with New TTPS – Detection & Response
    
    
• Sekoia
  Raccoon Stealer v2 – Part 1: The return of the dead
  
  
• Sygnia
  Luna Moth: The Actors Behind the Recent False Subscription Scams
  
  
• Vishal Kamble at Symantec Enterprise
  Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem
  
  
• Tareq Alkhatib
  Petition: Hey Microsoft, help us detect LOLBAS usage!
  
  
• Team Cymru
  The Sliding Scale of Threat Actor Sophistication When Reacting to 0-day Vulnerabilities
  
  
• Telsy
  The Ryuk Ransomware
  
  
• Trend Micro
  • Conti vs. LockBit: A Comparative Analysis of Ransomware Groups
  • Black Basta Ransomware Operators Expand Their Attack Arsenal With QakBot Trojan and PrintNightmare Exploit
    
    
• Katrina Udquin at Trustwave SpiderLabs
  Interactive Phishing Mark II: Messenger Chatbot Leveraged in a New Facebook-Themed Spam
  
  
• VMware Security
  Lateral Movement in the Real World: A Quantitative Analysis
  

UPCOMING EVENTS

• Belkasoft
  A new BelkaCTF ‘Party Girl—MISSING’ starts on July 29 at 11am UTC/1pm CEST/7am EDT!
  
  
• Cellebrite
  Exclusive upgrades that will dramatically speed up investigations
  
  
• Cybereason
  Webinar July 14th 2022: Ransomware Labs
  
  
• Gerald Auger at Simply Cyber
  • Inverting SOC Analyst Burnout – More Fun, Less Stress
  • Let’s See What SandWorm APT Looks Like?
    
    
• Griffeye
  Webinar: Moving data between Cellebrite and Analyze DI
  
  
• SANS Institute
  Blueprint Podcast Live
  

PRESENTATIONS/PODCASTS

• Black Hills Information Security
  • AASLR: Atomic Red Team with Carrie Roberts
  • Talkin’ About Infosec News – 6/27/2022
  • Re-Edit | Getting Started in Blockchain Security and Smart Contract Auditing | Beau Bullock
    
    
• BlueMonkey 4n6
  Linux forensics – locations of interest – Magnet Forensics Quick Reference Guide
  
  
• Breaking Badness
  • 124. Patch Me If You Can
  • 125 . Nobody Makes Me HertzBleed My Own Blood
    
    
• Chris Dale
  Infosec Mentoring & Learning from ATT&CK Framework
  
  
• Digital Forensic Survival Podcast
  • DFSP # 331 – New Services
  • DFSP # 332 – Bash Histories
    
    
• InfoSec_Bret
  SA – SOC168-118 – Whoami Command Detected in Request Body
  
  
• John Hammond
  • BRUTEFORCING DOMAIN PASSWORDS (AD #05)
  • SOLANA Protocol Security Assessments (w/ HALBORN)
    
    
• John Hubbard at ‘The Blueprint podcast’
  A Mailbag Episode With John Hubbard
  
  
• Magnet Forensics
  • Parsing-Only Processing and Post-Process Carving in Magnet AXIOM
  • iOS “Find My” Artifacts Support in Magnet AXIOM and AXIOM Cyber
  • Targeted Location Profiles and Volatile Artifacts in Magnet AXIOM Cyber
    
    
• MalGamy
  Resolve APIs with Raccoon stealer
  
  
• NTCore
  Preview: Extended MalwareBazaar Support
  
  
• NVISO Belgium
  • NVISO SOAR For Fun & Profit Webinar # 1
  • NVISO SOAR For Fun & Profit Webinar # 2 – Deep dive into the Cortex XSOAR API
  • Hack Our Train Live Stream
    
    
• Phil Cobley and Adam Firman at ‘Forensics Reformatted’
  Episode 2: Community Platform Plans
  
  
• Rapid7
  [The Lost Bots] Season 2, Episode 1: SIEM Deployment in 10 Minutes
  
  
• SANS
  • FOR585 Course Animation:  Potential Crime Scene iPhone and Android
  • FOR585 Course Animation: IMEI vs GSM
  • FOR585 Course Animation: How WAL Gets Populated Initial State
  • FOR585 Course Animation: Solid State Memory Properties
    
    
• SANS Cloud Security
  • 2022 CloudSecNext Etan & Bailey
  • 2022 CloudSecNext Paul Schwarzenberger
  • Cloud Security Architecture, Automation, and Identity
  • Reducing Cloud Attack Surface in AWS via Service Control Policies in a Multi-Account Environment
  • GitHub Actions: Protecting Your CI from Attackers
    
    
• SANS Institute
  • Keynote: The Journey to Inclusion
  • Panel | Dear Neurotypicals: What We Wish Co-Workers and Managers Knew
  • Learning to Heal: How Neurodivergent Adults Can Recover from Years of Educational Trauma
    
    
• The Defender’s Advantage Podcast
  Threat Trends: An Interview with the Danish Tech Ambassador
  
  
• Vishal Thakur
  FIRSTCON Workshop
  

MALWARE

• Any.Run
  3 Ways to Analyze Geo-Targeted Malware
  
  
• Arch Cloud Labs
  Bulk Analysis of Cobalt Stirke’s Beacon Configurations
  
  
• ASEC
  • ASEC Weekly Malware Statistics (June 13th, 2022 – June 19th, 2022)
  • New Info-stealer Disguised as Crack Being Distributed
  • ASEC Weekly Malware Statistics (June 20th, 2022 – June 26th, 2022)
  • Case of Attack Exploiting AnyDesk Remote Tool (Cobalt Strike and Meterpreter)
  • I Don’t Want to Receive Any Unnecessary Information!
    
    
• Blackberry
  • BlackBerry Prevents Yashma Ransomware
  • Feds Knock RSocks Off: Another Big Botnet Bites the Dust
  • Threat Spotlight: Eternity Project MaaS Goes On and On
  • Threat Thursday: China-Based APT Plays Auto-Updater Card to Deliver WinDealer Malware
    
    
• CISA
  Alert (AA22-181A) #StopRansomware: MedusaLocker
  
  
• Cleafy
  Revive: from spyware to Android banking trojan
  
  
• Cofense
  Ransomware: Proactive Phishing Detection to Mitigate Risk
  
  
• Cryptax
  • Unpacking a JsonPacker-packed sample
  • Androscope
    
    
• Alberto Segura and Rolf Govers at Fox-IT
  Flubot: the evolution of a notorious Android Banking Malware
  
  
• Isabelle Quinn at InQuest
  GlowSand
  
  
• Maldroid
  android-malware-samples
  
  
• Gustavo Palazolo at Netskope
  Emotet: Still Abusing Microsoft Office Macros
  
  
• Pete Cowman at Hatching
  Raccoon v2 and Other Detection Updates
  
  
• petikvx
  • Hydracrypt Ransomware
  • Eternity Ransomware
  • Solidbit Ransomware
    
    
• Joseph Edwards at ReversingLabs
  Smash-and-grab: AstraLocker 2.0 pushes ransomware direct from Office docs
  
  
• Pierre Delcher at Securelist
  The SessionManager IIS backdoor
  
  
• Ax Sharma at Sonatype
  python-dateutils—A Cryptominer in Disguise Targeting Windows, Linux, macOS
  
  
• William Burgess at With Secure
  Spoofing Call Stacks To Confuse EDRs
  
  
• Sahil Antil and Sudeep Singh at ZScaler
  Return of the Evilnum APT with updated TTPs and new targets
  
  
• بانک اطلاعات تهدیدات بدافزاری پادویش
  Exploit.Win32.CVE-2022-30190.a
  

MISCELLANEOUS

• Adam at Hexacorn
  • This post mentions many file extensions
  • Da Li’L World of DLL Exports and Entry Points, Part 5
  • DriverPack – Clean PDB paths
    
    
• Adrian at ‘Agood cloud’
  Thehive5 Webhooks
  
  
• Erica Mixon at Blumira
  Best Free and Open Source SIEMs
  
  
• Cassie Doemel at AboutDFIR
  AboutDFIR Site Content Update 7/2/22
  
  
• Didier Stevens
  Quickpost: Cracking PDF Owner Passwords
  
  
• Forensic Focus
  • Exploring Detego’s Multiple Deployment Options
  • Towards a Working Definition and Classification for Automation in Digital Forensics
  • Uncovering Windows Registry Data and the Latest Mac Artifacts
  • What Can You Tell Us About Your Password? A Contextual Approach
    
    
• Kristian Lars Larsen at Data Narro
  What is Possible with Remote Digital Forensics?
  
  
• LockBoxx
  Bootcamp #25: Alert Quality Review
  
  
• Magnet Forensics
  • Standardizing Your Collections With Targeted Location Profiles in AXIOM Cyber
  • iOS “Find My” Artifacts Support in Magnet AXIOM and AXIOM Cyber
  • Digital Evidence Processing: Parsing-Only Processing and Post-Process Carving
  • Digital Forensics Tools: The Ultimate Guide (2022)
    
    
• MSAB
  MSAB & GRAYSHIFT – TECHNOLOGY ALLIANCE PARTNERSHIP
  
  
• Maxime Thiebaut at NVISO Labs
  Enforcing a Sysmon Archive Quota
  
  
• Susannah Clark Matt at Red Canary
  Choose wisely: Why every word matters in infosec
  
  
• Richard Frawley at ADF
  • What is Forensic Triage for Smartphones?
  • Cybercrime: What It Is and How To Stay Safe
  • Software and Hardware Tool to Stabilize Crime Scenes: All You Need to Know
    
    
• Ryan Campbell at ‘Security Soup’
  Weekly News Roundup — June 26 to July 2
  
  
• Salvation DATA
  • 4 Hidden Issues With an Improvised In-House Digital Forensic Lab
  • Working With Video Evidence: 8 Challenges in Law Enforcement
    
    
• SANS
  • SANS 2022 Security Awareness Report
  • Instructor Spotlight: John Terbush
  • Month of PowerShell: 5 Tips for Getting Started with PowerShell
  • Month of PowerShell – Embracing the Pipeline
  • Month of PowerShell: Abusing Get-Clipboard
  • Month of PowerShell – Working with the Registry
    
    
• Damian Durrant at tcdi
  Avoiding Unexpected Cost Explosions in eDiscovery
  
  
• TCM Security
  Practical Windows Forensics
  
  
• Yulia Samoteykina at Atola
  Q&A about Atola imagers at GPEC and Forensics Europe Expo
  

SOFTWARE UPDATES

• Alexis Brignoni
  • ALEAPP 2.0.09
  • iLEAPP v1.17.6
    
    
• Amped
  Amped Authenticate Update 25108: Introducing Annotations, Improved Report, and more…
  
  
• Arsenal
  HBIN Recon v1.0.0.57
  
  
• Cellebrite
  Cellebrite Launch of Physical Analyzer Ultra Series Transforms Industry Standard for Digital Data Examination
  
  
• Cellebrite
  Now Available: Cellebrite Endpoint Inspector 1.4
  
  
• Cyber Triage
  Cyber Triage 3.3.0
  
  
• Daddycocoaman
  Introducing Dumpscan
  
  
• Didier Stevens
  • Update: cut-bytes.py Version 0.0.15
  • Update: format-bytes.py Version 0.0.14
    
    
• eCrimeLabs
  MISP Purge Events tool v.0.1 released
  
  
• Yamato Security
  Hayabusa v1.4.1 🦅
  
  
• IntelOwl
  v4.0.0: New Revamped GUI!
  
  
• Magnet Forensics
  • AXIOM Cyber 6.3: Building and Refining Incident Response Capabilities
  • Magnet AXIOM 6.3: Take Control of Evidence Processing
    
    
• Malwoverview
  Malwoverview 5.0.3
  
  
• MemProcFS-Analyzer
  MemProcFS-Analyzer v0.3
  
  
• Ninoseki
  Mihari v4.7.2
  
  
• MISP
  Sizing your MISP instance
  
  
• Regipy
  2.6.0
  
  
• Rizin Organization cutter
  v2.1.0
  
  
• Sandfly Security
  Sandfly Linux File Entropy Scanner Updated
  
  
• Xways
  • X-Ways Forensics 20.5 SR-3
  • X-Ways Forensics 20.6 Beta 1
    
    
• YARA
  YARA v4.2.2
  

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!