#DailyDFIR 121: Parsing the $MFT from an NTFS volume? @joachimmetz dives into the details of parsing it, including the challenges and edge cases to be aware of: https://t.co/iFqiOdmE4m #DFIR
#DailyDFIR 120: Did you hear @aarontpeterson talk about Turbinia on the Forensic Lunch & want to learn more? Resources: Forensic Lunch: https://t.co/Nh4eSiLFBo Blog Post: https://t.co/pr6WRpdB1e Code lab: https://t.co/QgsV8MVhIe GitHub: https://t.co/hx5tZScLfo #DFIR
#DailyDFIR 119: Want a test file for a #DFIR tool but don't want to use one you've created (for privacy/other reasons)? The Plaso test_data & the dfirlabs "specimens" may have what you need: https://t.co/Pcli2LPS1v https://t.co/RJra22Mmie Many app & file system artifacts!
#DailyDFIR 117: If you are looking to learn mobile forensics, @mattiaep's "Build Your Own Methodology" post/presentation has a fantastic collection of tools, books, scripts, blogs, and references: https://t.co/jJg0jqnXpM Bookmark & revisit later too; so much good stuff. #DFIR
#DailyDFIR 116: Lots of good stuff this week in @phillmoore's This Week in 4n6; check it out! It's a great way to keep up with all the new content being created for #DFIR https://t.co/xuwoX9jJSs
#DailyDFIR 115: Some of @Google's #DFIR team will be on @HECFBlog's Forensic Lunch talking about our open source forensic tools! It's going to be packed with people, tools & knowledge: https://t.co/Wa3ifEP5RY It's 90 min from NOW (at 8am Pacific / 11am Eastern). Don't miss it!
#DailyDFIR 114: Playing an online CTF? I created a Python notebook & write-up showing how I answered questions in the @MagnetForensics #CTF using open source tools: Plaso, Timesketch, Colab / #Python. Blog: https://t.co/gqxATPnacm Notebook: https://t.co/nj9EMUuzd2 #DFIR
#DailyDFIR 113: @matt0177 is starting a blog series on using #Python & #AWS for OSINT. The first post covers AWS setup & image (photo) analysis: https://t.co/BnnIwy9Qw1 I've found #OSINT & #DFIR to be complementary; often a bit of one can make the other much more effective.
#DailyDFIR 112: @iamevltwin is starting a new blog series on Apple Unified Logs! These logs are not straightforward, so if you do any Mac investigations be sure to check it out. First two posts: https://t.co/t6rwC5RhQQ https://t.co/iXA4WpccMH #DFIR #mac4n6
#DailyDFIR 111: Unfurl 3D was released on April 1st but it's not (completely) a joke. It works just like normal Unfurl & can parse the same things. https://t.co/EYBtXGqohl It also pairs nicely with your pew-pew dashboard if you need something shiny. #DFIR #VR #Python https://t.co/LK0YAzC1u7
#DailyDFIR 109: I saw a Google query string parameter (gs_ssp) I didn't recognize so I put it in Unfurl. Unfurl parsed it as b64zipprotobuf! It's really fun to see the tools you've made function as you hoped (helping me find new things). https://t.co/USlfyRzkAb #DFIR https://t.co/wJqtZ04wb4
#DailyDFIR 108: Have you wanted to learn mobile forensics but your excuse was no test data? Not anymore! @josh_hickman1 just posted iOS 13 images to go along with his Android ones (& all have detailed documentation!): https://t.co/eMJToK5ggW https://t.co/LTvA0Ue4JL #DFIR
#DailyDFIR 107: Unfurl can now parse Magnet links! Magnet links are often used for P2P file sharing in place of .torrent files. They can contain a lot of information! https://t.co/xflvyDWHyo #DFIR https://t.co/LQlLrjBuy6
#DailyDFIR 105: Dave Cowen (@HECFBlog) is back to daily blogging and he's been experimenting with the AWS EBS Block API. If you do #DFIR in #AWS be sure to check out his posts and stay tuned for more: https://t.co/YujHayV6UV https://t.co/FjBZqe4QYK #DFIR #Python
#DailyDFIR 104: @JoakimSchicht from @ArsenalRecon did a very detailed technical dive into the Office Document Cache: https://t.co/5BHf364Cv5 If edit and version history for #Microsoft Office docs is relevant to your investigation, definitely check this out. #DFIR
#DailyDFIR 103: I'm excited about the return of @HECFBlog's Sunday Funday! I have learned a lot from reading everyone's responses to past ones. I think this week's challenge (looking for Microsoft Teams artifacts) is also spot-on: https://t.co/BKQowJAx1A #DFIR
#DailyDFIR 102: Some Unfurl graphs get a little big... https://t.co/18ykVCAa6v There's a lot parsed out here, but I'm sure there's more it could do! I see lots of potential IDs that would make great Unfurl parsers (you know, if anyone is looking for things to do). #DFIR https://t.co/1HAaIZDyCa
#DailyDFIR 101: Looking for some #DFIR fun this weekend? Check out @FoxtonForensics's challenge! Their last one was a lot of fun. These generally have a browser forensics focus which I love. https://t.co/Z4egiEilEz
#DailyDFIR 100: Phones are constantly changing and becoming more secure; it's becoming even more important to be resourceful & work with what you have. #TBT post: "Visualizing activity from an encrypted iPhone backup using only metadata" https://t.co/LaM2KNgHC3 #DFIR #Python https://t.co/QgPfpWHJYW
#DailyDFIR 99: Have a #protobuf you want to decode? Unfurl can now do it! https://t.co/CLlGkedU5r It can parse protobufs standalone (just put an encoded one in) or if it finds them in URLs. Thanks to @SwiftForensics for his helpful post & sharing his test file! #DFIR #Python https://t.co/M2p8DKPJeB
#DailyDFIR 98: There's so much to remember in #DFIR. Why not use this poster-sized cheat sheet to help out? Lots of great references for #mobile4n6! https://t.co/L3JiyRLd9p
#DailyDFIR 97: @13CubedDFIR (by @davisrichardg) is a fantastic set of #DFIR walkthrough videos. Check out the latest one featuring @AlexisBrignoni's iLEAPP: https://t.co/Ij2XNRDRCw #DFIR
#DailyDFIR 96: I mostly show Unfurl with URLs but it can parse individual strings as well. I often drop a number in Unfurl to see if it's a timestamp & what format it is: https://t.co/p81tm0BARi Tip: Hover over the link to see the timestamp format. #DFIR https://t.co/cJvpMQcl6l
#DailyDFIR 95: The forensics team at @Google has launched the "Open Source DFIR" blog & the first post is "Processing at Scale": https://t.co/fAvHtqTLHM Check it out and let us know if there's anything you'd like to see! (all things open source #DFIR, not just Google-related)
#DailyDFIR 94: Check out this great thread of #DFIR resources, meetups, trainings, CTFs, and videos! There is so much good stuff here. If you are at home looking for ways to up your #DFIR game, definitely check this out. Thanks @phillmoore! https://t.co/3tC2P8NkGD
#DailyDFIR 92: Unfurl has been a fun tool but I've heard you: it's boring. This update to Unfurl will change all that! https://t.co/vy1NPjz9GZ It's 2020; we deserve some "Minority Report"-style forensics in VR! #DFIR #VR #DFIRin2DisObsolete https://t.co/sNLeOZR4kP
#DailyDFIR 91: @BlakDouble digs into the standard iOS Mail app: https://t.co/FEwy1ZMUWd I couldn't agree more with the conclusion: "I always find it interesting looking into aspects of a device that you think you already understand and finding out new things." #DFIR #iOS
#DailyDFIR 89: Interested in figuring out what exactly a Chrome extension does? Here is a trio of posts for your Sunday #DFIR reading: https://t.co/7BpBxguyfU by @th3_protoCOL https://t.co/1PhsZQKoMD by @sk3tchymoos3 https://t.co/CFTRqM8vN4 by @crxpert #DFIR #Chrome
#DailyDFIR 88: More great features for ALEAPP by @SwiftForensics. He and @AlexisBrignoni have been cranking out a lot of great new parsers! https://t.co/RxjiYzLDsD
#DailyDFIR 86: Hey, look, more #DailyDFIR! I'm looking forward to checking out these videos and hope to learn some new #DFIR things. https://t.co/u4AHd6Orch