Found 408 bookmarks
#DailyDFIR 85: ICYMI Unfurl can expand short links from: bit[.]ly, bitly[.]com, j[.]mp, bit[.]do, buff[.]ly, goo[.]gl, is[.]gd, ow[.]ly, t[.]co, tinyurl[.]com. Unfurl uses APIs when possible and 301 headers when not; it will not contact link destinations. #DFIR #opsec https://t.co/uY237xSeHu
https://twitter.com/_RyanBenson/status/1242898596619382784
·twitter.com·
#DailyDFIR 83: In #DFIR we talk about vetting our tools often, with a focus on accuracy. As this nice investigative post by @MwOsint shows, that's not the only aspect of a tool worth digging into... https://t.co/H3nybOJax3
https://twitter.com/_RyanBenson/status/1242208755078463489
·twitter.com·
#DailyDFIR 82: @phillmoore's "This Week in 4n6" is a fantastic roundup of #DFIR info. If you aren't getting it via RSS or email, you should: https://t.co/RgPpABlhQ5 I find the short summaries of the linked resources helpful in trying to keep up in this ever-changing industry.
https://twitter.com/_RyanBenson/status/1241858074626781184
·thisweekin4n6.com·
#DailyDFIR 81: Try to build a parser from scratch for an artifact (any artifact!). It doesn't matter how simple or complicated it is or if other parsers already can do it; it really is a fantastic learning process. #DFIR #Python https://t.co/k42d3FqDss
https://twitter.com/_RyanBenson/status/1241503613693743104
·twitter.com·
#DailyDFIR 80: I use my collection of #DFIR, #OSINT, #RE & #Python RSS feeds daily to (try to) keep up with the rapid changes in our fields. This "starter pack" resource from @bunsofwrath12 is a great way to kickstart your own RSS collection! https://t.co/UPPk5U4hww
https://twitter.com/_RyanBenson/status/1241029385546686464
·aboutdfir.com·
#DailyDFIR 79: @ArsenalRecon's Arsenal Image Mounter got an update and it can do (even more!) cool stuff. Great tool; both free and paid versions! It looks very helpful for those dealing with BitLocker-protected volumes. https://t.co/yyZF5EMiS2 #DFIR
https://twitter.com/_RyanBenson/status/1240824384299790336
·arsenalrecon.com·
#DailyDFIR 78: One thing I like about Unfurl is how its basic parsers (like url, base64 & timestamp) work on a wide range of URLs. For example, I haven't done any research or customization for @amazon, but this long URL still Unfurls nicely: https://t.co/sBQFzHSg4k #DFIR https://t.co/VaJ8I5ruxx
https://twitter.com/_RyanBenson/status/1240304138262437888
·dfir.blog·
#DailyDFIR 76: @trailofbits released a new @osquery table for NTFS change journal events! The USN journal has been a favorite evidence source for me since I learned about it from @HECFBlog; there is so much good #DFIR stuff there! https://t.co/Rqa4UYjF9W
https://twitter.com/_RyanBenson/status/1239666917222174721
·blog.trailofbits.com·
#DailyDFIR 74: If you're going to rip off someone's work, maybe don't pick @nixintel? First thought: "I have a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you." #DFIR #OSINT https://t.co/wl0mzYDzOR
https://twitter.com/_RyanBenson/status/1238887442804928512
·twitter.com·
#DailyDFIR 71: We use & love timestamps in #DFIR, but with that comes a duty to really understand what they mean. This can be difficult when moving files across filesystems; this post discusses collecting evidence from an iOS device. Thanks @B1N2H3X, @reccetech, @forensicmike1! https://t.co/mwWsbU9xlx
https://twitter.com/_RyanBenson/status/1237844222989893635
·twitter.com·
#DailyDFIR 70: This is a nice article by @hackerfactor looking at Telegram. I like his descriptions of encryption (or lack thereof) & the ramifications along with what he has inferred about the app through testing. https://t.co/aqrbBWFNBS #DFIR
https://twitter.com/_RyanBenson/status/1237481330369122309
·hackerfactor.com·
#DailyDFIR 69: Do you use strings.exe on files to try to get an idea of what's in them? Use @FireEye's FLOSS (FireEye Labs Obfuscated String Solver) instead. It's a drop-in replacement for strings that handles deobfuscation. https://t.co/Gr3R6Xro94 #DFIR @williballenthin
https://twitter.com/_RyanBenson/status/1237207929272451072
·github.com·
#DailyDFIR 68: Today was the start of Daylight Saving Time in the US. Except not all of the US. In those parts that did shift an hour, each timezone shifted at local 2am, so the shift was staggered across the country. What I'm trying to say here is: Log everything in UTC #DFIR
https://twitter.com/_RyanBenson/status/1236750344979271680
·twitter.com·
#DailyDFIR 67: Check out @josh_hickman1's talk from DFRWS US 2019 - "Android Auto And Google Assistant: How Google Encourages Hands-Free Motoring". There's lots of good stuff in it, and I always love seeing anyone talk about protobufs! https://t.co/GdBWF9Oje8 #DFIR
https://twitter.com/_RyanBenson/status/1236421153578561537
·youtube.com·
#DailyDFIR 66: Nice talk by @B1N2H3X at DFRWS EU 2019 on #DFIR for ChromeOS, discussing what it is, what information can be present, and challenges: Chrome Nuts And Bolts: ChromeOS / Chromebook Forensics https://t.co/Z73B5P6Sgg #DFIR #Chrome
https://twitter.com/_RyanBenson/status/1236067102114471936
·youtube.com·
#DailyDFIR 65: Publicly-released case studies in #DFIR are rare. @ArsenalArmed's "Odatv" report is a great one and it even has some evidence attached so you can follow along! https://t.co/zFkNwroKMJ #DFIR #tbt
https://twitter.com/_RyanBenson/status/1235662983180640257
·arsenalexperts.com·
#DailyDFIR 64: This is a fun read. I'm sure getting that vague notification from a three-letter agency feels the same whether you are gov, mil, or private... I wish I had a helicopter to ferry me around during my #DFIR wild goose chases. https://t.co/7Yg1gEkGwf
https://twitter.com/_RyanBenson/status/1235260904574345217
·twitter.com·
#DailyDFIR 63: Right now "Automate the Boring Stuff with Python Programming" is free with code FEB2020FREE2 on Udemy. The book is a hands-on intro to Python, great if you are looking to start coding: https://t.co/gMQstsWv2Y #DFIR #Python
https://twitter.com/_RyanBenson/status/1234859786912649223
·udemy.com·
#DailyDFIR 62: @4n6ist is starting a blog series on MSSQL forensics based on experience in the 2019 Digital Forensics Challenge (https://t.co/x0IFcr9EKo). https://t.co/SzKqKkbBQa If you ever need to recover deleted records from MSSQL, this is a good place to start.
https://twitter.com/_RyanBenson/status/1234508514485129216
·dfchallenge.org·
Continuing on the topic of writing in #DFIR: #DailyDFIR 61: @lennyzeltser has a one-page cheat sheet of writing tips. It's a great reference to keep handy and has general advice for sentences and paragraphs as well as specifics for emails and reports. https://t.co/Jswf9UoFug https://t.co/kPSEw5DIMm
https://twitter.com/_RyanBenson/status/1234202676675538944
·zeltser.com·
#DailyDFIR 60: It doesn't matter how good your #DFIR analysis is if your "client" can't understand your findings. @Google has free technical writing courses. Take advantage of them: https://t.co/3cz36itoVg PS: #DFIR blogging is great for showcasing your skills for employers.
https://twitter.com/_RyanBenson/status/1233873720009093120
·developers.google.com·
#DailyDFIR 59: I've updated Unfurl to handle the new v2 "ved" parameter from #Google URLs. https://t.co/U8MhXz3ErJ Here's the blog post on veds explaining differences & how to parse (including the new type): https://t.co/HqnumPxVDZ #DFIR https://t.co/QCUds9KClJ
https://twitter.com/_RyanBenson/status/1233398165669236741
·dfir.blog·
#DailyDFIR 56: Some perspectives on "Pattern of Life" analysis techniques, applications, and issues by @christammiller, featuring @iamevltwin and @AlexisBrignoni: https://t.co/rRo2ZU2ZUb https://t.co/myaQ8hv83g #DFIR
https://twitter.com/_RyanBenson/status/1232368769546088448
·articles.forensicfocus.com·
#DailyDFIR 55: The MDSec blog (https://t.co/BzF2dtRXXL) has articles heavy on technical details. It's Red Team focused, but defenders benefit from understanding how attacks work too. Two recent macOS articles I liked: https://t.co/oTUnicUSHc https://t.co/9lnqDyTBJy #DFIR
https://twitter.com/_RyanBenson/status/1231989420032585728
·mdsec.co.uk·