Mobile Forensics Cheatsheet Mobile devices track vast amounts of user activity—often a goldmine of forensic evidence: – Device information – Application usage – Bluetooth and Wi-Fi connections – …and other events, often paired with timestamps Our cheatsheet categorizes these records and maps them to exact locations in iOS and Android extractions. Download Belkasoft’s free cheatsheet for mobile system artifacts

Sponsored by Belkasoft

As always, thanks to those who give a little back for their support!

FORENSIC ANALYSIS

• Belkasoft
  AI-Powered Picture Analysis with BelkaGPT
  
  
• Oleg Afonin at Elcomsoft
  Looks Can Lie: Is That Really an NVMe Drive?
  
  
• Adam Hachem at Hexordia
  • 2026 MSAB CTF: Android Questions
  • 2026 MSAB CTF: iOS Questions
    
    
• Kevin Pagano at Stark 4N6
  BDC – More Battery Temps & Charging Stats for iOS
  
  
• System Weakness
  Tracking LockBit Through Memory Forensics.
  

THREAT INTELLIGENCE/HUNTING

• Andres Ramos at Arctic Wolf
  CVE-2025-32975: Arctic Wolf Observes Exploitation of Quest KACE Systems Management Appliance
  
  
• Armis
  Nation-State Attacks Hit Machine Speed: Key Takeaways of the 2026 Armis Cyberwarfare Report and What it Means for Security Teams
  
  
• ASEC
  • February 2026 APT Attack Trends Report (South Korea)
  • Winos4.0 malware disguised as KakaoTalk installation file
  • Attack case against MS-SQL server installing ICE Cloud scanner (Larva-26002)
  • 복호화 가능성이 존재하는 Green Blood 랜섬웨어 분석
    
    
• Aurelien Chalot at Sensepost
  From flat networks to locked up domains with tiering models
  
  
• Avertium
  CTA Campaign Assessment: The Iran Conflict – Global Cyber Operations Risk
  
  
• CJ Moses at AWS
  Amazon threat intelligence teams identify Interlock ransomware campaign targeting enterprise firewalls
  
  
• Christine Barry at Barracuda
  Sandworm: Russia’s global infrastructure wrecking crew
  
  
• Rebecca Harpur at BlackFog
  LotAI: How Attackers Weaponize AI Assistants for Data Exfiltration
  
  
• Brad Duncan at Malware Traffic Analysis
  • 2026-03-12: Files for an ISC diary (SmartApeSG ClickFix pushes Remcos RAT)
  • 2026-03-17: Seven days of scans and probes and web traffic hitting my web server
    
    
• Brian Krebs at ‘Krebs on Security’
  Feds Disrupt IoT Botnets Behind Huge DDoS Attacks
  
  
• Censys
  • NetSupport Manager: Tracking Dual-Use Remote Administration Infrastructure
  • Hunting Cameras in the Dark: Finding Internet Cameras Before Adversaries Do
  • ResidentBat: Belarusian KGB Android Spyware at Internet Scale
  • Vshell: A Chinese-Language Alternative to Cobalt Strike 
  • Odyssey Stealer: Inside a macOS Crypto-Stealing Operation
    
    
• CERT-AGID
  Sintesi riepilogativa delle campagne malevole nella settimana del 14 – 20 marzo
  
  
• Check Point
  16th March – Threat Intelligence Report
  
  
• Cisco’s Talos
  • Transparent COM instrumentation for malware analysis
  • Everyday tools, extraordinary crimes: the ransomware exfiltration playbook
    
    
• CloudSEK
  • Opportunistic threat actors using Ramadan coupon as a lure to target retail store customers in Middle East
  • MacSync Stealer: SEO Poisoning and ClickFix-Based macOS Malware Delivery Chain
    
    
• Cobi Aloia and Mark Deomampo at Cofense
  LiveChat Abuse: How Phishers Are Exploiting SaaS Support Tools to Steal Sensitive Data
  
  
• CrowdStrike
  • From Scanner to Stealer: Inside the trivy-action Supply Chain Compromise
  • Tycoon2FA Phishing-as-a-Service Platform Persists Following Takedown
    
    
• Ctrl-Alt-Intel
  FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops
  
  
• Cyble
  • AI-Assisted Phishing Campaign Exploits Browser Permissions to Capture Victim Data
  • Middle East Cyber Warfare Intensifies: Rising Attacks, Hacktivist Surge, and Global Risk Exposure 
  • AI-Powered Cyber Warfare: How Autonomous Attack Agents Are Changing the Threat Landscape
  • Inside Russia’s Shift to Credential-Based Intrusions: What CISOs Need to Know in 2026
  • North Korea’s Crypto Theft Operations: The Role of Lazarus Group in State-Sponsored Financial Warfare
    
    
• Cyfirma
  Weekly Intelligence Report – 20 March 2026
  
  
• Darktrace
  Darktrace Identifies Encryption in a World Leaks Ransomware Attack
  
  
• Detect FYI
  • Threat Hunting scenario: Catching emojis on Files and Email Subjects (+ KQL Queries)
  • Detection via Deception — Using your SIEM as a Free Deception Platform
  • Detection Logic Bugs: Abusable Gaps in Detection Coverage
  • How to Solve Tool Sprawl in the SOC
    
    
• Disconinja
  Weekly Threat Infrastructure Investigation(Week9,10)
  
  
• Dzianis Skliar
  Microsoft Graph API Attack Surface: OAuth Flows, Abused Endpoints, and What Defenders Miss
  
  
• Eclypsium
  New Malware Highlights Increased Systematic Targeting of Network Infrastructure
  
  
• Elastic Security Labs
  • Linux & Cloud Detection Engineering – Getting Started with Defend for Containers (D4C)
  • Linux & Cloud Detection Engineering – TeamPCP Container Attack Scenario
    
    
• FalconFeeds
  • WIPED IN 79 COUNTRIES: The Handala Hack Attack on Stryker Corporation
  • Iran’s FindFace Acquisition: The Architecture of a Digital Surveillance State
  • Cyber Islamic Resistance-Axis and the Iran-Israel Shadow War
  • Following the Money: The 82-Wallet Bitcoin Cluster Linked to Iran’s IRGC-CEC
    
    
• Flare
  • Bench.sh: How Threat Actors Repurpose a Legitimate Benchmarking Tool for Post-Exploitation Recon
  • The Seizure of Handala
    
    
• Gen
  • VoidStealer: Debugging Chrome to Steal Its Secrets
  • The Scam Ad Machine: Part II
    
    
• Genians
  Analysis of the Spear-Phishing and KakaoTalk-Linked Threat Campaign by the Konni Group
  
  
• Google Cloud Threat Intelligence
  • Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape
  • The Proliferation of DarkSword: iOS Exploit Chain Adopted by Multiple Threat Actors
    
    
• Nikolay Kichatov, Pietro Albuquerque, Michael Perugia at Group-IB
  Hasta la vista, Hastalamuerte: An Overview of The Gentlemen’s TTPs
  
  
• Hunt IO
  Iranian Botnet Exposed via Open Directory: 15-Node Relay Network and Active C2
  
  
• IC3
  Government of Iran Cyber Actors Deploy Telegram C2 to Push Malware to Identified Targets
  
  
• Infoblox
  Inside Keitaro Abuse: A Persistent Stream of AI-Driven Investment Scams
  
  
• InfoSec Write-ups
  • DLL Search Order Hijacking: Finding and Exploiting the Flaw
  • CTI Research: MuddyWater/Seedworm (Mango Sandstorm)
  • ATT&CK as a Working Tool: Theory and Hands-On Practical Usage
  • Infrastructure Pivoting: How CTI Analysts Expand From a Single IOC to a Full Attacker Network
  • Ploutus Malware: Uptick in ATM jackpotting incidents prompts FBI warning
    
    
• Intel 471
  Handala Threat Group
  
  
• Thijs Xhaflaire at Jamf
  GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
  
  
• Roy Paz at LayerX
  Poisoned Typeface: How Simple Font Rendering Poisons Every AI Assistant, And Only Microsoft Cares
  
  
• Lookout
  Attackers Wielding DarkSword Threaten iOS Users
  
  
• Microsoft Security
  • Help on the line: How a Microsoft Teams support call led to compromise
  • When tax season becomes cyberattack season: Phishing and malware campaigns using tax-related lures
  • CTI-REALM: A new benchmark for end-to-end detection rule generation with AI agents
    
    
• MII Cyber Security
  • Attacking Kerberos 2: Roasting Attacks
  • Finding the “Quiet” Compromise with Long Tail Analysis : The Rarest Thing in Your Logs Might Be the…
  • Threat Hunting & Detection Engineering: The Batman & Robin of Modern SOC
    
    
• Ryan LaSalle at Nisos
  DPRK IT Worker Fraud: Hiring an Insider Threat
  
  
• OpenSourceMalware
  Four Arms, One Monster: GlassWorm Invades GitHub, NPM, VS Code and PyPI
  
  
• Palo Alto Networks
  • Iranian Cyber Threat Evolution: From MBR Wipers to Identity Weaponization
  • Boggy Serpens Threat Assessment
  • Analyzing the Current State of AI Use in Malware
    
    
• Picus Security
  • T1071.001 Web Protocols in MITRE ATT&CK Explained
  • T1059.013 Container CLI/API in MITRE ATT&CK Explained
  • T1071.002 File Transfer Protocols in MITRE ATT&CK Explained
  • T1071.003 Mail Protocols in MITRE ATT&CK Explained
  • What Is Fileless Malware?
  • T1219.001 IDE Tunneling in MITRE ATT&CK Explained
  • T1071.005 Publish/Subscribe Protocols in MITRE ATT&CK Explained
  • T1071.004 DNS in MITRE ATT&CK Explained
  • T1219.002 Remote Desktop Software in MITRE ATT&CK Explained
  • T1219.003 Remote Access Hardware in MITRE ATT&CK Explained
  • T1547.001 Registry Run Keys/Start Up Folder in MITRE ATT&CK Explained
    
    
• Rachel Rabin, Anna Akselevich, and Stanislav Silberberg at Proofpoint
  CursorJack: weaponizing Deeplinks to exploit Cursor IDE
  
  
• Push Security
  The Stryker breach didn’t match the playbook. That shouldn’t be a surprise.
  
  
• Rapid7
  The Attack Cycle is Accelerating: Announcing the Rapid7 2026 Global Threat Landscape Report
  
  
• Raymond Roethof
  Microsoft Orphaned Agents Identities: The hidden identity debt in your Entra tenant
  
  
• Recorded Future
  • 2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025
  • 2025 Year in Review: Malicious, Infrastructure
    
    
• Red Canary
  • AI and browser threats stand out in the 2026 Threat Detection Report
  • Intelligence Insights: March 2026
    
    
• ReliaQuest
  Casting a Wider Net: ClickFix, Deno, and LeakNet’s Scaling Threat
  
  
• Robin Dost at Synaptic Systems
  Observed Telegram Bot Naming Patterns in Recent MuddyWater Malware Activity
  
  
• SANS Internet Storm Center
  • IPv4 Mapped IPv6 Addresses, (Tue, Mar 17th)
  • /proxy/ URL scans with IP addresses, (Mon, Mar 16th)
  • Interesting Message Stored in Cowrie Logs, (Wed, Mar 18th)
  • Scans for “adminer”, (Wed, Mar 18th)
  • GSocket Backdoor Delivered Through Bash Script, (Fri, Mar 20th)
    
    
• David Greenwood at Sekoia
  UEBA in the Real World: Catching Intrusions That Don’t Look Like Intrusions
  
  
• Phil Stokes at SentinelOne
  Building an Adversarial Consensus Engine | Multi-Agent LLMs for Automated Malware Analysis
  
  
• Simone Kraus
  How Kinetic Strikes Opened the Door to Cyber and Influence War
  
  
• Socket
  • GlassWorm Sleeper Extensions Activate on Open VSX, Shift to GitHub-Hosted VSIX Malware
  • Trivy Under Attack Again: Widespread GitHub Actions Tag Compromise Exposes CI/CD Secrets
  • CanisterWorm: npm Publisher Compromise Deploys Backdoor Across 29+ Packages
    
    
• SOCRadar
  Ransomware 3.0: The Autonomous Threat That Changed Everything
  
  
• Sophos
  Android devices ship with firmware-level malware
  
  
• Spur
  Detect Remote Worker Fraud Without Friction
  
  
• Stairwell
  • How to Prove Incident Containment: Evidence of Absence for Incident Response and the Board
  • Stop Renting Your Own Malware Data Back: The Economics of Private Threat Intelligence
  • Why Crowdsourced Threat Intel Leaks Your Advantage (And What to Do Instead)
  • You Cannot Detect What You Did Not Keep: Why File Retention Is the Missing Security Control
  • Continuous Malware Intelligence: Replacing Retro Hunts With Hindsight in Real Time
    
    
• Step Security
  • Malicious Polymarket Bot Hides in Hijacked dev-protocol GitHub Org and Steals Wallet Keys
  • Malicious npm Releases Found in Popular React Native Packages – 130K+ Monthly Downloads Compromised
  • bittensor-wallet 4.0.2 Compromised on PyPI – Backdoor Exfiltrates Private Keys
  • Trivy Compromised a Second Time – Malicious v0.69.4 Release
    
    
• Sublime Security
  Advanced fake Zoom installer used for delivering malware · Blog · Sublime Security
  
  
• Omer Kidron and Matan Naftali at Sygnia
  One Commit Away from Theft: When Supply Chain Attacks Hit the Crypto Ecosystem
  
  
• Symantec Enterprise
  • New Malware Targets Users of Cobra DocGuard Software
  • Libyan Oil Refinery Among Targets in Long-running Likely Espionage Campaign
    
    
• Sysdig
  • Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes
  • CVE-2026-33017: How attackers compromised Langflow AI pipelines in 20 hours
    
    
• Will Thomas at Team Cymru
  The Beast Returns: Analysis of a Beast Ransomware Server
  
  
• The Hunter’s Ledger
  ZeroTrace Multi-Family MaaS Operation — Open Directory Exposure at 74.0.42.25
  
  
• Third Eye intelligence
  From Missiles to Malware — Part 2 Defending Against the Handala Campaign
  
  
• ThreatFabric
  Perseus: DTO malware that takes notes
  
  
• Trellix
  • Getting Roasted? Trellix Helix sees through AS-REP Attack
  • Dark Web Roast February 2026 Edition
    
    
• Trend Micro
  • Web Shells, Tunnels, and Ransomware: Dissecting a Warlock Attack
  • Ransomware Spotlight: Agenda
  • From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA
  • Copyright Lures Mask a Multi‑Stage PureLog Stealer Attack on Key Industries
    
    
• nyxgeek at TrustedSec
  Full Disclosure: A Third (and Fourth) Azure Sign-In Log Bypass Found
  
  
• Vectra AI
  • How Attackers Establish Persistence in Hybrid Environments by Lucie Cardiet
  • What the Stryker Incident Reveals About Handala’s Attack Playbook by Lucie Cardiet
    
    
• Jakub Souček at WeLiveSecurity
  EDR killers explained: Beyond the drivers
  
  
• Rami McCarthy at Wiz
  Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack
  

UPCOMING EVENTS

• Black Hills Information Security
  BHIS – Talkin’ Bout [infosec] News 2026-03-23
  
  
• Cellebrite
  Advanced Digital Investigations in Africa: Unlocking the Evidence Hidden in Every Device
  
  
• Cyber Triage
  Investigating Evasion: How to Find What the Alert Missed
  
  
• Magnet Forensics
  Mobile Unpacked S4:E3 // Deducing the duplications: Understanding duplicated data in file systems
  
  
• SANS
  2026 Threat Landscape: Turning Threat Intelligence into Analytic Advantage
  

PRESENTATIONS/PODCASTS

• Alexis Brignoni
  Digital Forensics Now Podcast S3 – 3
  
  
• Ayush Anand
  Detect SSH -R Pivoting Before Ransomware Hits
  
  
• Black Hat
  • Black Hat USA 2025 | Ransomware, Tracking, DoS, and Data Leaks on Xiaomi Electric Scooters
  • Black Hat USA 2025 | I’m in Your Logs Now, Deceiving Your Analysts and Blinding Your EDR
    
    
• BlueMonkey 4n6
  Magnet Virtual Summit – Capture The Flag – Feb 2026 – Android walk through
  
  
• Cellebrite
  • Meet Cellebrite Genesis
  • Tip Tuesday: Join Us at the JUSTYS
    
    
• Cloud Security Podcast by Google
  EP267 AI SOC or AI in a SOC? Cutting Through Hype, Pricing Models, and SIEM Detection Efficacy with Raffy Marty
  
  
• Cyberwox
  Cyber Threat Hunting at Scale: 4 Principles from the Trenches (Amazon Security Engineer)
  
  
• Dr Josh Stroschein
  02 – Exploring the Reverse Shell Source Code and API Breakdown
  
  
• Huntress
  Your Hidden Competition: Inside the Business of Modern Cybercrime
  
  
• John Hammond
  Bloodhound OpenGraph
  
  
• Magnet Forensics
  • Mobile Minute Episode 16: Magnet One Case Stream: Now included with Magnet Graykey
  • Signals in the noise: Five years of enterprise DFIR trends and what comes next
  • Bridging the air gap: Accelerating mobile forensics in secure, offline labs
    
    
• Monolith Forensics
  Updating Audit Item Statuses in Monolith Forensics
  
  
• Mossé Cyber Security Institute
  • Root Cause Analysis – Part 1: Introduction
  • Root Cause Analysis – Part 2: Methodology
  • Root Cause Analysis – Part 3: Training Scenario
  • Root Cause Analysis – Part 4: Best Practices
    
    
• MyDFIR
  Cybersecurity SOC Analyst Lab – Malicious Browser Extension (FakeGPT)
  
  
• Parsing The Truth: One Byte at a Time Podcast
  S1 E43: Karen Read 1-3: Jessica Hyde Testimony Part 2
  
  
• Richard Davis at 13Cubed
  Mac Imaging Made Easy with Fuji
  
  
• SentinelOne
  LABScon25 Replay | Your Apps May Be Gone, But the Hackers Made $9 Billion and They’re Still Here
  
  
• Team Cymru
  • Duaine Labno on Digital Investigations and Corporate Threat Intelligence
  • Intune Wipers, Veeam RCEs, and DPRK’s $800M IT Empire
  • Video #1008 Cymru Vicent Passaro Pt 2 V1
    
    
• THE Security Insights Show
  The “AI” Security Insights Show Episode 287 – Principal Cloud Advocate April Gittens. If AI is so smart, then why aren’t Robots doing our dishes!
  
  
• The Weekly Purple Team
  Is MotW Bypass Possible in 2026?
  
  
• Three Buddy Problem
  The greatest APT hunter of all time, Apple’s exploit kit problem, Microsoft FedRAMP mess
  

MALWARE

• Aikido
  • Glassworm Strikes Popular React Native Phone Number Packages
  • fast-draft Open VSX Extension Compromised by BlokTrooper
  • GlassWorm Hides a RAT Inside a Malicious Chrome Extension
  • TeamPCP deploys CanisterWorm on NPM following Trivy compromise
    
    
• BI.Zone
  Forbidden Hyena adopts BlackReaperRAT in AI-powered campaigns
  
  
• Raul Vasile Bucur and Silviu Stahie at Bitdefender
  Windsurf IDE Extension Drops Malware via Solana Blockchain
  
  
• Paula Januszkiewicz at CQURE Academy
  CQURE Hacks #75: NTFS Forensics – Recovering Deleted Files and Analyzing MFT Records
  
  
• Karsten Hahn at G Data Software
  Sweet Minecraft Mods – The Dark Tale of SugarSMP Scam, Malware & Extortion
  
  
• Rahul Ramesh at Howler Cell
  Reverse Engineering .NET AOT Malware: A Guide to Trace the Multi-Stage Attack Chain with Binary Ninja
  
  
• Praveen Babu at K7 Labs
  Fake Telegram Malware Campaign: Analysis of a Multi-Stage Loader Delivered via Typosquatted Websites
  
  
• Lotan Sery at Koi Security
  GlassWorm Hits MCP: 5th Wave with New Delivery Techniques
  
  
• Aayush Tyagi at McAfee Labs
  AI Wrote This Malware: Dissecting the Insides of a Vibe-Coded Malware Campaign
  
  
• Pierre-Henri Pezier at Nextron Systems
  RegPhantom Backdoor Threat Analysis
  
  
• Moshe Siman Tov Bustan and Nir Zadok at OX Security
  OpenClaw Developers Targeted in Crypto-Wallet Phishing Attack
  
  
• Axel Zengers at Plausible Deniablility
  • Beyond the Wiper — What Unit42’s Iran Analysis Misses
  • Nothing but dotnet when we shoot
    
    
• Securelist
  • Free real estate: GoPix, the banking Trojan living off your memory
  • The SOC Files: Time to “Sapecar”. Unpacking a new Horabot campaign in Mexico
    
    
• Sathwik Ram Prakki at Seqrite
  Operation GhostMail: Russian APT exploits Zimbra Webmail to Target Ukraine State Agency
  
  
• Shubho57
  • Analysis of Batch File leads to DonutLoader
  • Analysis of an DLL file (could be attributed to Mustang Panda)
    
    
• Tim Blazytko
  Building a Pipeline for Agentic Malware Analysis
  
  
• Zhassulan Zhussupov
  • MacOS malware persistence 5: cron jobs. Simple C example
  • MacOS malware persistence 6: PAM module injection. Simple C example
    
    
• Muhammed Irfan V A at ZScaler
  Technical Analysis of SnappyClient
  
  
• Блог Solar 4RAYS
  ClayRat: что это было?
  

MISCELLANEOUS

• Andrea Fortuna
  Introducing DFIR Toolkit: Privacy-First DFIR utilities that run entirely in your browser
  
  
• Brett Shavers
  • If you suck at your DFIR job, AI is going to take it.
  • A Practical Map of the DFIR Internet: Marketplaces, FAQs, and Fire Exits – DFIR Training
  • 56% are either likely to leave DFIR within 12 months or unsure if they’ll stay.
    
    
• Cellebrite
  • Cellebrite Changes the Investigative Game with the Launch of Genesis, the Groundbreaking Agentic AI Solution for Making Our World Safer
  • Guardian Cloud Platform IRAP Assessment: What Australian Investigators Need to Know
  • Cellebrite Launches Guardian Investigate, the AI-Powered Nerve Center that Revolutionizes How Investigative Teams Close Cases
  • From Weeks to Minutes: How Agentic AI Is Transforming Digital Investigations
  • Why iOS Jailbreaking IsOver — And What That Means forSecurity Teams
  • Will iOS 26 Cause Your MobileApp to Fail PCI Compliance?
  • Future of Mobile Security TestingTools: The Latest New Corellium Products
    
    
• Daniel Koifman
  My book, “A Dance of Red and Blue” is out!
  
  
• Detections Wiki
  Event catalog update: 17 March 2026
  
  
• Josibel Mendoza at DFIR Dominican
  DFIR Jobs Update – 03/16/26
  
  
• Doug Metz at Baker Street Forensics
  A Study in DFIR: Open-Source, Enterprise, and the Art of Analysis
  
  
• Forensic Focus
  • Digital Forensics Jobs Round-Up, March 16 2026
  • GMDSOFT Tech Letter Vol19.App Artifact Analysis: Text Input Records
  • JeongKyun Park, Information Security Student And Independent Developer, Korea Cyber University
  • UPCOMING WEBINAR – Mastering Triage: Intro To ADF Pro
  • Digital Forensics Round-Up, March 18 2026
  • Introducing Aid4Mail: Closing Email Evidence Gaps for Investigators
  • Rob Fried On New Challenges In Digital Forensics
  • Forensic Focus Digest, March 20 2026
    
    
• Howard Oakley at ‘The Eclectic Light Company’
  Explainer: Disk images
  
  
• Magnet Forensics
  • Magnet One Case Stream: A new transformative workflow amplifying critical work
  • 숨겨진 데이터의 실체: Full File System추출을 통해 드러난 정보들
  • A checklist for building a private-sector digital forensics lab 
  • Why human validation matters—and why fear doesn’t help 
  • We’re holding AI to a standard to which we’ve never held humans
  • Shrinking the digital evidence haystack
    
    
• Matthew Plascencia
  Phones Everywhere: How to Catch Them
  
  
• MISP
  • Who Uses MISP
  • Setting up UniqueSignal in MISP
    
    
• TobyG at sentinel.blog
  Sentinel-As-Code: The 2026 Update
  

SOFTWARE UPDATES

• Alexandre Borges
  Malwoverview 8.0.0
  
  
• Arkime
  v6.1.0: Only show “Only Data Nodes” on EsNodes Stats tab (#3807)
  
  
• Compass Security
  From Enumeration to Findings: The Security Findings Report in EntraFalcon
  
  
• Didier Stevens
  Update: oledump.py Version 0.0.85
  
  
• Digital Sleuth
  winfor-salt v2026.5.4
  
  
• k1nd0ne
  VolWeb v3.16.0
  
  
• Kevin at Stark 4N6
  Arc2Lite v2.0.0 – Combined Script
  
  
• Lethal-Forensics
  MacOS-Analyzer-Suite v1.2.0
  
  
• Mazars Tech
  AD_Miner v1.9.0
  
  
• MISP
  • MISP-STIX 2026.3.13 Released
  • MISP v2.5.35: Decomposed Event Views, Overmind UI Enhancements, Security Hardening and MISP-STIX major update
    
    
• OpenCTI
  • 6.9.28
  • 7.260318.0
    
    
• Phil Harvey
  ExifTool 13.53
  
  
• PowerForensics
  PowerForensics Ecosystem
  
  
• radare2
  6.1.2
  
  
• Xways
  • X-Ways Forensics 21.6 SR-7
  • X-Ways Forensics 21.7 SR-2
  • X-Ways Forensics 21.8 Preview 4
    

And that’s all for the week! If you think I’ve missed something, or want me to cover something specifically hit me up through the contact page or on the social pipes!