#DailyDFIR 333: @iamevltwin's APOLLO tool for iOS & macOS uses #Python & SQL queries to extract a ton of information. Sarah's #OSDFCon talk shows how to get started analyzing this data for user activity application usage & more! https://t.co/HkWhGJNfXH #DFIR #openSource
#DailyDFIR 332: Some nice #DFIR-related discounts on this list including: 010 Editor books from @nostarch many training courses and a lot more! https://t.co/r0jw2WXvOq
#DailyDFIR 330: @jaco_ZA has a post on the genesis, evolution & future of #Emotet (complete with year-appropriate pop culture references): https://t.co/7BP9lYFuGh Easy to read & informative write-up about a complex and long-lived threat. Nice Jaco! #DFIR #Malware #infosec
#DailyDFIR 329: Chrome 87 is here with its typical slew of fixes & new behind-the-scenes features (including tab throttling & back/forward cache). I've updated my interactive "Chrome Evolution" page: https://t.co/EFjQ4e9vKr #DFIR #Chrome #Visualization #infosec https://t.co/LWDfbMtB47
#DailyDFIR 328: How about a double-dose of @brianjmoran? Brian is a great guy who is active in the #DFIR & #DFIRFit communities. Check out: Interview on #CacheUp: https://t.co/W3TOkaLShl OSDFCon talk on reconstructing RDP activity images: https://t.co/W3TOkaLShl #DFIR
#DailyDFIR 327: In this post @alexanderjaeger explores Garmin .Fit files, including parsing them in #Python, uploading to #Timesketch, then analyzing the data with #Pandas: https://t.co/sGIaWSktuC Really puts the #DFIR in #DFIRFit!
#DailyDFIR 326: Every year as part of #OSDFCon there is a contest for new Autopsy modules. A compilation video of this year's submissions is available: https://t.co/8m8fW7nGis Lots of interesting ideas! Thanks to all the participants for their additions to #OpenSource #DFIR!
Still more on #DFIR for WSL! #DailyDFIR 325: In this video from @DFRWS USA 2020 Asif Matadar shows how to investigate malware on WSL endpoints: https://t.co/YpfeDoWcj6 #DFIR #Malware #WSL2
More on Windows Subsystem for Linux! #DailyDFIR 324: @sk3tchymoos3 has an article on what forensic artifacts are created when WSL is used: https://t.co/HUA3WPWUvf #DFIR #Linux #WSL
#DailyDFIR 323: Have a bunch of Sigma rules that you'd like to use on data you've collected into Timesketch? @alexanderjaeger has a write-up explaining how to get started: https://t.co/gDFLKhZPW0 #DFIR #Sigma #IOC
#DailyDFIR 322: #OSDFCon is tomorrow! It's online, free, and a great way to see what's new in the #OpenSource #DFIR world: https://t.co/fv3fWbLOco Good luck to all those presenting!
#DailyDFIR 321: Another great video from @13CubedDFIR, this one on using Plaso within the Windows Subsystem for Linux (WSL): https://t.co/a8WHy9889S #DFIR
#DailyDFIR 320: Interested in what happened on a #Linux (or #macOS) system? The .bash_history file is a valuable artifact - but it has its quirks. Check out "You Don't Know Jack About .bash_history" by @hal_pomeranz: https://t.co/4yH0F3g1X9 I found it very helpful! #DFIR
#DailyDFIR 319: When I look at #SQLite DBs, 3 tools I use often are: sqlite3 CLI; DB Browser for SQLite (https://t.co/Hekxentu6g) - #OpenSource, cross-platform; SQLite Expert (https://t.co/ip6W34tO3r) - free version, Windows only. If you like a different one, what is it? #DFIR
#DailyDFIR 318: I'm seeing write-ups on #Malware hosted on #Discord but this is nothing new. Reminder that @Discord file attachments have an embedded timestamp (that tells when the file was uploaded) and Unfurl can parse that out for you: https://t.co/oFgrN4OxYh #DFIR #RE https://t.co/Qbj0OZCNL6
#DailyDFIR 317: After reading @j_duffy01's post on @Snapchat for #iOS I was interested & looked at the #Android version (in @josh_hickman1's Android 11 image). It's different but still has protobufs in SQLite DBs. Unfurl can help with those! https://t.co/JpAy4Tx8mS #DFIR https://t.co/YjqYO3yDP4
#DailyDFIR 316: @j_duffy01 has a write-up on @Snapchat and what data can be extracted from the #iOS app: https://t.co/BH81Ni8Udw Nice analysis walkthrough touching on SQLite GUIDs timestamps & protobufs! #DFIR
#DailyDFIR 315: If you missed our talk on "Exploring the Wonders of Timesketch and Jupyter" yesterday (or want to watch it again at a slower speed; we went through a lot), the recording is up! https://t.co/2ONWXOJerd We talked about using #Python to tackle a #DFIR challenge!
#DailyDFIR 314: iLEAPP & ALEAPP by @AlexisBrignoni (& others!) have been on a tear recently with new features: Autopsy integration: https://t.co/qERybp52Ts; map visualizations; photo.sqlite parsing update; DFRWS video posted: https://t.co/DE5sa8YkUk Check it out! #DFIR
#DailyDFIR 313: Myself @el_killerdwarf & @alexanderjaeger will be presenting TOMORROW at 8am Pacific / 11am Eastern on how to use Timesketch and #Python notebooks to solve #DFIR challenges! Register: https://t.co/Ti4s5C9HOy Join us & ask questions! #OpenSource #OSDFCon
#DailyDFIR 312: @CiofecaForensic has some great write-ups of the recent @Cellebrite CTF. A fantastic thing is that their team used only free tools demonstrating that you can do top-notch analysis on a budget: https://t.co/KUnQBjFXKE #DFIR #mobile4n6 #OpenSource #CTF
#DailyDFIR 311: CyberChef is a fantastic utility that's incredibly useful (and easy to use) for a range of #DFIR & #RE tasks. @GlassSec walks through how to go from "Cybersecurity Zero to Hero with CyberChef" in his talk from @RVAsec 2019: https://t.co/wv1Rv6AdsM
#DailyDFIR 310: UUIDv4 (random) is much more common than UUIDv1 (time- & MAC-based) online these days. But UUIDv1s still do appear & the embedded timestamp may be useful. Example: https://t.co/pxrrUAfUyD PS: Advertising emails are a great source of interesting URLs #DFIR https://t.co/AWzbteVcpO
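Two of the items above (318 and 310) point out that an identifier can carry a creation time: a Discord attachment ID is a snowflake with milliseconds since the Discord epoch in its top bits, and a UUIDv1 holds a 60-bit count of 100 ns intervals since 1582-10-15 plus the node (MAC) field. The Python below is an added example, not Unfurl's code or the tweets' author's; it decodes both formats and flags a UUIDv1 node that RFC 4122 marks as randomly generated rather than a real MAC. All sample values are constructed in the block, with a helper that builds a UUIDv1 for a chosen time so the decoder can be checked against a known answer.

```python
"""Added example: recover embedded timestamps from UUIDv1 values and Discord snowflakes."""
import uuid
from datetime import datetime, timedelta, timezone

# RFC 4122: a version-1 UUID stores 100 ns ticks since 1582-10-15 (Gregorian reform).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Discord snowflakes: top 42 bits are milliseconds since 2015-01-01T00:00:00Z.
DISCORD_EPOCH_MS = 1420070400000


def uuid1_timestamp(value):
    """Return the UTC datetime embedded in a version-1 UUID, or None for other versions."""
    u = uuid.UUID(str(value))
    if u.version != 1:
        return None
    # u.time is the 60-bit 100 ns counter; ten ticks make one microsecond.
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)


def uuid1_node_looks_random(value):
    """RFC 4122 section 4.5: a randomly generated node ID sets the multicast bit
    (bit 40 of the 48-bit field), which a real unicast MAC address never has."""
    u = uuid.UUID(str(value))
    return bool(u.node & (1 << 40))


def discord_snowflake_timestamp(snowflake):
    """Return the UTC creation time of a Discord snowflake (attachment, message, ...).
    The low 22 bits (worker, process, increment) are dropped by the shift."""
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def make_uuid1(when, node, clock_seq=0):
    """Build a UUIDv1 for a known time; used only to construct sample data here."""
    micros = (when - GREGORIAN_EPOCH) // timedelta(microseconds=1)  # exact int division
    ticks = micros * 10
    fields = (
        ticks & 0xFFFFFFFF,                     # time_low
        (ticks >> 32) & 0xFFFF,                 # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,      # time_hi with version nibble = 1
        0x80 | ((clock_seq >> 8) & 0x3F),       # RFC 4122 variant bits + clock_seq_hi
        clock_seq & 0xFF,                       # clock_seq_low
        node,                                   # 48-bit node field
    )
    return uuid.UUID(fields=fields)


if __name__ == "__main__":
    # Constructed samples (not values taken from any real system).
    when = datetime(2020, 11, 1, tzinfo=timezone.utc)
    mac_uuid = make_uuid1(when, node=0x001122334455, clock_seq=0x1234)
    rand_uuid = make_uuid1(when, node=0x011122334455)
    snowflake = ((1604188800000 - DISCORD_EPOCH_MS) << 22) | (1 << 17) | (1 << 12) | 7

    for label, u in (("MAC-based node", mac_uuid), ("random node", rand_uuid)):
        print(f"{u}  {uuid1_timestamp(u).isoformat()}  "
              f"node={u.node:012x} random_node={uuid1_node_looks_random(u)}  ({label})")
    print(f"{uuid.uuid4()}  version 4, no timestamp: {uuid1_timestamp(uuid.uuid4())}")
    print(f"snowflake {snowflake}  created {discord_snowflake_timestamp(snowflake).isoformat()}")
```

Both decoders accept either an integer/UUID object or its string form, which is what you usually have after pulling an ID out of a URL or a SQLite column; a UUIDv4 returns None rather than a bogus date, so the version check should stay in front of any timeline you build from these values.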
#DailyDFIR 309: It can't help you understand the election, but Unfurl can help you understand URLs! A new Unfurl release (20201102) is here! It adds: new examples page; improved parsing of Google & Bing searches; parsing #TikTok IDs & more! Try it: https://t.co/H5XHNrawum https://t.co/MYQy4taOAt