Forensic Blogs

An aggregator for digital forensics blogs

by

Overview of Content Published in July

Here is an overview of content I published in July:

Blog posts:

Update: base64dump.py Version 0.0.12 Tampering With Digitally Signed VBA Projects Quickpost: curl Update XORSearch Version 1.11.4 Update: oledump.py Version 0.0.51 Cracking VBA Project Passwords ndisasm 2.15 stdin Bug Fix Update: oledump.py 0.0.52 Update: zipdump.py Version 0.0.20 Update: InteractiveSieve 0.9.1 Update: pecheck.py Version 0.7.11

YouTube videos:

Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords

Videoblog posts:

YARA’s BASE64 Strings Defective USB Cable Testing a Defective USB Cable Measuring a Defective USB Cable Cracking Maldoc VBA Project Passwords

SANS ISC Diary entries:

Wireshark 3.2.5 Released CVE-2020-5902 F5 BIG-IP Exploitation Attempt CVE-2020-5902: F5 BIG-IP RCE Vulnerability Maldoc: VBA Purging Example VBA Project Passwords Zone.Identifier: A Couple Of Observations ndisasm Update 2.15 Cracking Maldoc VBA Project Passwords Analyzing Metasploit ASP .NET Payloads

by

Overview of Content Published in June

Here is an overview of content I published in June:

Blog posts:

add-admin: Tiny EXE To Add Administrative Account Update: translate.py Version 2.5.8 FalsePositive GitHub Repository VBA Purging

YouTube videos:

YARA’s BASE64 Strings

Videoblog posts:

Maldoc Analysis With xlm-deobfuscator SANS@MIC – Maldocs: a bit of blue, a bit of red

SANS ISC Diary entries:

XLMMacroDeobfuscator: An Update Translating BASE64 Obfuscated Scripts YARA’s BASE64 Strings ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red Comparing Office Documents with WinMerge Video: YARA’s BASE64 Strings Sysmon and Alternate Data Streams

NVISO blog posts:

Tampering with Digitally Signed VBA Projects

by

FalsePositive GitHub Repository

As I’m fed up with Google’s false positives on some of my tools on DidierStevens.com, I’m moving them to a new GitHub repository: FalsePositives.

FYI, here is their User Agent String:

Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US) AppEngine-Google; (+http://code.google.com/appengine; appid: s~virustotalcloud)