#DailyDFIR 242: Check out @williballenthin talking with @HECFBlog and @forensic_matt on the Forensic Lunch! https://t.co/rcEN0bH6BH #DFIR #RE #rustlang
#DailyDFIR 241: @Scott_Kjr has a post investigating what happens on #iOS when different apps are used to take a photo: https://t.co/6350LvUZ9N Looking beyond Photos.sqlite he found other app-specific locations that can hold key information (including deleted files!) #DFIR
#DailyDFIR 240: Where do you start an investigation? For #TBT here's a post from a few years ago where I use a visualization to help find things to examine further: https://t.co/h1bv34wzsK https://t.co/OafQvanBk0 #DFIR #webshell @binaryz0ne
#DailyDFIR 239: @FSecureLabs has a report (https://t.co/fF4vhqvXKp) on a Lazarus group phishing & malware campaign and references a Bitly link used. Unfurl can show when that link was created & where it points to (even with non-ASCII domains)! https://t.co/PnfEEwuejU #DFIR https://t.co/vJa3WL9RZQ
#DailyDFIR 238: Interested in setting up a serious test lab for mobile forensics? @cScottVance has a nice post exploring picking devices to maximize the types of artifacts you can explore and minimize the costs: https://t.co/K4ZO6BPw73 #DFIR #mobile4n6 #iOS #Android
#DailyDFIR 236: Did you know Unfurl can parse more than URLs? Quick example: open a SQLite DB, see a column named "proto" (hint hint), copy the hex bytes, paste them into Unfurl, and Unfurl expands it & runs other parsers (ex: timestamp translated). https://t.co/08eKH0YCch #DFIR https://t.co/nwEDfWQobb
#DailyDFIR 235: Another nice write-up from @josh_hickman1 this time on "Nearby Share" (AirDrop-type system for #Android and ChromeOS) artifacts: https://t.co/1yjNMeXmG4 Yet another exfil vector with limited #DFIR visibility...
#DailyDFIR 233: This is an amazing resource - a whole course on learning #Python loaded with real-world #DFIR coding examples. The live classes are over now but the entire course is recorded so you can work through it at your own pace. Great job @AlexisBrignoni & @xbrookego! https://t.co/8GKRB6Yy6p
#DailyDFIR 231: Want to see when a #TikTok account was created? Use its ID! - On the user's profile page view source - Search for userId - Unfurl the ID to see when the account was created! More details on the timestamp embedded in the ID: https://t.co/uNqtmNyqY4 #OSINT #DFIR https://t.co/2GVCGH9O76
#DailyDFIR 230: Want to do some OSINT? A pre-built #VM loaded with tools can be a great way to get going quickly. @baywolf88 has a nice comparison of #OSINT / #DFIR-focused virtual machines along with thoughts on each: https://t.co/S72bRUF51z
#DailyDFIR 229: If you want to learn malware analysis and get hands on with some samples, REMnux is a great place to start. Check out what's new! #DFIR https://t.co/3kTq3OqlzN
#DailyDFIR 228: This post from @CiofecaForensic dives deep into how Apple Notes encryption & decryption works. It's a very thorough article and includes a tool at the end for decryption if you want to do it all yourself: https://t.co/FCwQkD243g #DFIR #mobile4n6
#DailyDFIR 227: libcloudforensics now supports copying disks in #Azure! It already supported #GCP and #AWS so now you can copy disks in 3 different #Cloud environments using a single open source CLI tool! https://t.co/jch4pz5PNC https://t.co/GGd2TVP4vi #DFIR #Python
#DailyDFIR 226: Check out this interview with Google's @ShaneHuntley lead for their Threat Analysis Group (TAG). Having good threat intel makes #DFIR a whole lot easier. https://t.co/YoU9zoR5h8
#DailyDFIR 224: Investigating #TikTok activity? I've found a way to extract embedded timestamps from TikTok IDs (). This means we can tell when a TikTok was posted just from the URL! Works even if video is deleted or private. https://t.co/uNqtmNyqY4 #DFIR #OSINT https://t.co/oJF3UeJDrL
#DailyDFIR 223: UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is most common (random) but UUIDv1 (time-based) is still out there. Checking if 1st digit in 3rd group is 1 or 4 is a way to tell if a UUID holds a timestamp #DFIR https://t.co/BjawVb8pzg https://t.co/oDFp6VdBW7
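The version check from #DailyDFIR 223, carried through to the timestamp itself, as an added example (not from the tweet or from Unfurl): the first hex digit of the third group is the RFC 4122 version nibble, and for version 1 the remaining bits of that group plus the first two groups form a 60-bit count of 100-nanosecond ticks since 1582-10-15 UTC. The two UUIDs at the bottom are constructed sample values.

```python
"""Decide whether a UUID embeds a timestamp and, for UUIDv1, decode it (RFC 4122)."""
import uuid
from datetime import datetime, timedelta, timezone

# UUIDv1 timestamps are 100-ns ticks since the Gregorian reform date, not the Unix epoch
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def uuid_version(uuid_str: str) -> int:
    """Return the version nibble: the first hex digit of the third dash-separated group."""
    groups = uuid_str.strip().lower().split("-")
    if [len(g) for g in groups] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a hyphenated UUID: {uuid_str!r}")
    return int(groups[2][0], 16)


def uuid1_timestamp(uuid_str: str) -> datetime:
    """Rebuild the 60-bit timestamp from time_low, time_mid and time_hi, then convert to UTC."""
    if uuid_version(uuid_str) != 1:
        raise ValueError("only UUIDv1 embeds a timestamp")
    groups = uuid_str.strip().lower().split("-")
    time_low = int(groups[0], 16)            # 32 bits
    time_mid = int(groups[1], 16)            # 16 bits
    time_hi = int(groups[2], 16) & 0x0FFF    # 12 bits once the version nibble is masked off
    ticks = (time_hi << 48) | (time_mid << 32) | time_low
    # The standard library decodes the same field; useful as a sanity check while developing
    if ticks != uuid.UUID(uuid_str).time:
        raise RuntimeError("tick reconstruction disagrees with uuid.UUID(...).time")
    # timedelta takes microseconds, so drop the sub-microsecond digit of the 100-ns count
    return GREGORIAN_EPOCH + timedelta(microseconds=ticks // 10)


def describe(uuid_str: str):
    """Return (version, datetime-or-None): v1 gives a creation time, v4 is random and gives none."""
    version = uuid_version(uuid_str)
    return version, (uuid1_timestamp(uuid_str) if version == 1 else None)


if __name__ == "__main__":
    # Constructed samples: a v1 UUID built for 2020-08-01T00:00:00Z and a random-style v4 UUID
    for sample in ("f1448000-d389-11ea-8f2e-0123456789ab", "9b2e5c0a-3c4d-4e8f-9a1b-0c2d3e4f5a6b"):
        print(sample, describe(sample))
```

Note the third group "11ea": v1 UUIDs minted in 2020 all carry "11ea" or "11eb" there, so that pattern alone is a quick visual tell before you decode anything.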
#DailyDFIR 222: Digital Detective's DCode is a handy free (Windows only) tool to convert timestamps: https://t.co/TlVP0PtRhr They also started a blog series explaining in more detail how to manually decode some of the timestamps: https://t.co/6kFYVUMGfC #DFIR
#DailyDFIR 220: This looks like a great resource not only for learning about malware on #macOS but also for a deeper understanding of general Mac internals for #DFIR. Can't wait to see what else is added over time! https://t.co/UFhfKgGz0T
#DailyDFIR 219: Nice update to @FireEye's free capa tool for identifying malware behaviors. If you aren't familiar with the tool they have a good introductory post: https://t.co/8Xh31JIDL7 #DFIR https://t.co/M1PhTgkb5n