libfsapfs is a library and tools by Joachim Metz to access the Apple File System (APFS). Source code is available at GitHub.

Eric Zimmerman has released another amazing tool – VSCMount. Now we have “a simple way to mount Volume Shadow Copies from the command line without having to do much of anything except provide the drive letter to where the VSCs are and where you want the VSCs to be mounted to.” Learn more about it here.

In this post Harlan Carvey shows that most known methods used for forensicating Volume Shadow copies no longer work with Windows 10 – images. According to the author, “only vss.exe in conjunction with Arsenal Image Mounter” seems to work well.

Anbox is a container-based approach to boot a full Android system on a regular GNU/Linux system like Ubuntu. In other words: Anbox will let you run Android on your Linux system without the slowness of virtualization. Learn more about the tool here.

Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads. Learn more about the tool here.

Blazescan is a Linux webserver malware scanning and incident response tool, with built in support for cPanel servers, but will run on any Linux based server. You can learn more about the tool and download it here.

A new version of the most popular forensic timelining tool, Plaso, has been released. Here is the list of noteworthy updates: A parser for the Windows 10 User Timeline database Changes to the Chrome history parser Plugins for Google Hangouts and Kodi Support for lz4 compressed systemd journal events You can learn more and download the new version here.

Brett Shavers has published his cheat sheet on how to you X-Ways Forensics. If you still haven’t checked it, it’s the best time to do it. You can find the cheat sheet here.

ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc). See the authors’ article “Using VBA Emulation to Analyze Obfuscated Macros“, for real-life examples of malware deobfucation with ViperMonkey. You can download the tool and learn more about it here.

PhishPhinder is a tool for locating and purging messages in O365. You can learn more about how to use this PowerShell script and download it here.