Found 408 bookmarks
#DailyDFIR 190: https://t.co/yYRNtjkQuf is an interesting tool for #OSINT (Google search as if you were in a different place). It's also useful to test Unfurl; for example I added the "uule" param long ago but hadn't seen it used before: https://t.co/yEwy6l1txt #DFIR https://t.co/V5rgP4HXqu
http://twitter.com/_RyanBenson/status/1280934077084778496
·dfir.blog·
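The uule parameter mentioned above, decoded as an added example that is not Unfurl's own code. The layout it assumes (a "w+" marker followed by unpadded base64 of a small protobuf whose length-delimited field 4 holds the canonical location name, which is why such values start with "w+CAIQICI") is my reading of values seen in the wild, not something the tweet states; the search URL and location strings are constructed for the demonstration, and the "a+" form that carries coordinates is rejected rather than guessed at.

```python
"""Decode the `uule` parameter of a Google search URL (the "w+" canonical-name form).

Added example, not Unfurl's code. Layout assumed here: after the "w+" marker the
value is unpadded base64 of a small protobuf (bytes 08 02 10 20 22 ...) whose
length-delimited field 4 holds the canonical location name, which is why every
such value starts with the familiar "w+CAIQICI". The "a+" form, which carries
coordinates, is deliberately rejected rather than guessed at.
"""
import base64
from urllib.parse import unquote, urlsplit

UULE_HEADER = b"\x08\x02\x10\x20\x22"   # field1=2, field2=32, then tag for field 4 (length-delimited)


def _read_varint(buf, pos):
    """Decode one base-128 varint at `pos`; return (value, new_pos)."""
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or oversized varint")


def _varint(n):
    """Encode a non-negative int as a varint (only needed by encode_uule)."""
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


def decode_uule(value):
    """Return the canonical location name inside a w+ uule value."""
    # A lenient query parser may already have turned '+' (the marker, or a '+' inside
    # the base64 body) into spaces; spaces never occur legitimately, so undo that.
    value = value.replace(" ", "+")
    if not value.startswith("w+"):
        raise ValueError("only the w+ (canonical name) form is handled")
    body = value[2:]
    raw = base64.b64decode(body + "=" * (-len(body) % 4))   # restore stripped padding
    if not raw.startswith(UULE_HEADER):
        raise ValueError("unexpected uule header")
    length, pos = _read_varint(raw, len(UULE_HEADER))
    name = raw[pos:pos + length]
    if len(name) != length:
        raise ValueError("truncated location name")
    return name.decode("utf-8")


def encode_uule(name):
    """Inverse of decode_uule, used here to build test values."""
    encoded = name.encode("utf-8")
    payload = UULE_HEADER + _varint(len(encoded)) + encoded
    return "w+" + base64.b64encode(payload).decode("ascii").rstrip("=")


def uule_from_url(url):
    """Pull the decoded uule location out of a full search URL, or None if absent.
    The query is split by hand: parse_qs() would turn the literal '+' in "w+" (and any
    '+' inside the base64 body) into spaces before we ever saw the value."""
    for pair in urlsplit(url).query.split("&"):
        key, _, val = pair.partition("=")
        if unquote(key) == "uule" and val:
            return decode_uule(unquote(val))
    return None


if __name__ == "__main__":
    # Constructed URL; "London,England" encodes to w+CAIQICIOTG9uZG9uLEVuZ2xhbmQ
    print(uule_from_url("https://www.google.com/search?q=coffee&uule=w+CAIQICIOTG9uZG9uLEVuZ2xhbmQ"))
```

The header check matters in practice: a value that does not start with the expected bytes is either the coordinate-bearing "a+" variant or something else entirely, and reporting a location name from it would be a false conclusion in a report.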
#DailyDFIR 189: Looking for a place to ask a #DFIR question (besides Twitter)? Check out the Digital Forensics Discord Server (run by @bunsofwrath12)! It has dozens of channels for different #DFIR subtopics and hundreds of active users. To join: https://t.co/rPBbuQqFwq
http://twitter.com/_RyanBenson/status/1280702218522378240
·discordapp.com·
#DailyDFIR 188: Geolocating an IP address sounds like a fun analysis step but it typically isn't very accurate (esp. for mobile devices). Expect to get a general area at best, not a precise location. @nixintel & @MwOsint did some experiments: https://t.co/udF9nTu7VA #DFIR #OSINT
http://twitter.com/_RyanBenson/status/1280147674692370435
·nixintel.info·
#DailyDFIR 187: There's a new Plaso release! Changes in v20200630: - New parsers for Apple TCC.db & Google glog - Status view shows more info - New unattended mode for when Plaso is being run by another tool - Better timezone handling Full details: https://t.co/kn445IlmZn #DFIR
http://twitter.com/_RyanBenson/status/1279930370020921344
·github.com·
#DailyDFIR 185: New input/output modes for Unfurl! If you pass Unfurl a file path instead of a URL it will open that file and parse each line in it. Using the -o option will save output to a CSV file (leave it off to send output to screen). Thanks @B1N2H3X for the request! #DFIR https://t.co/JQnlbrrf5b
http://twitter.com/_RyanBenson/status/1279092436556341248
·twitter.com·
#DailyDFIR 184: Have a number you suspect is a timestamp? Pass it to Unfurl! It will convert if it's a "plausible" value (year 2015-2025) for any of these timestamp types: Unix epoch micro/milli/centi/seconds, WebKit, Windows FileTime/DateTime, Mac/Cocoa. #DFIR https://t.co/h5elrmsiS9
http://twitter.com/_RyanBenson/status/1278725793380589569
·twitter.com·
#DailyDFIR 183: Want to parse a string or some hex you think might be a protobuf? The new Unfurl CLI, like the web app, can parse more than URLs. It runs all the other parsers on each value. In this example an integer inside the protobuf was parsed as a timestamp. #DFIR https://t.co/oFcL9oC9q0
http://twitter.com/_RyanBenson/status/1278370929223991296
·twitter.com·
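The two steps described in #DailyDFIR 184 and 183 (test a bare integer against several timestamp epochs and keep only plausible readings; walk a protobuf without a schema and run that test on the integers inside it), as one added example. This is not Unfurl's code: the epochs and the 2015-2025 window come from the tweets, the schema-less decoder and nested-message heuristic are my own, and the sample message at the bottom is constructed for the demonstration.

```python
"""Schema-less protobuf walk plus timestamp-plausibility check.

Added example; it is not Unfurl's own code. It decodes protobuf wire format
without a .proto, recurses into byte fields that themselves parse as messages,
and tests every integer against the timestamp families the tweet lists (Unix
seconds/centi/milli/microseconds, WebKit, Windows FILETIME and .NET DateTime
ticks, Mac/Cocoa), keeping only readings that fall in a plausible window.
The sample message at the bottom is constructed here for the demonstration.
"""
import datetime as dt

UTC = dt.timezone.utc
PLAUSIBLE = (dt.datetime(2015, 1, 1, tzinfo=UTC), dt.datetime(2026, 1, 1, tzinfo=UTC))

# name -> (epoch start, ticks per second)
EPOCHS = {
    "unix_seconds":      (dt.datetime(1970, 1, 1, tzinfo=UTC), 1),
    "unix_centiseconds": (dt.datetime(1970, 1, 1, tzinfo=UTC), 100),
    "unix_milliseconds": (dt.datetime(1970, 1, 1, tzinfo=UTC), 1_000),
    "unix_microseconds": (dt.datetime(1970, 1, 1, tzinfo=UTC), 1_000_000),
    "webkit":            (dt.datetime(1601, 1, 1, tzinfo=UTC), 1_000_000),   # Chrome/WebKit: us since 1601
    "windows_filetime":  (dt.datetime(1601, 1, 1, tzinfo=UTC), 10_000_000),  # 100 ns since 1601
    "windows_datetime":  (dt.datetime(1, 1, 1, tzinfo=UTC), 10_000_000),     # .NET ticks since 0001
    "mac_cocoa":         (dt.datetime(2001, 1, 1, tzinfo=UTC), 1),           # seconds since 2001
}


def candidate_timestamps(value):
    """Map epoch name -> datetime for every reading of `value` that lands inside PLAUSIBLE."""
    hits = {}
    for name, (epoch, per_sec) in EPOCHS.items():
        secs, rem = divmod(value, per_sec)
        try:
            when = epoch + dt.timedelta(seconds=secs, microseconds=rem * 1_000_000 // per_sec)
        except OverflowError:        # absurdly large under this epoch; not a candidate
            continue
        if PLAUSIBLE[0] <= when < PLAUSIBLE[1]:
            hits[name] = when
    return hits


def _read_varint(buf, pos):
    """Decode one base-128 varint at `pos`; return (value, new_pos)."""
    result = shift = 0
    while pos < len(buf) and shift <= 63:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return result, pos
        shift += 7
    raise ValueError("truncated or oversized varint")


def decode_protobuf(buf):
    """Return [(field_number, wire_type, value)] for one message, without a schema.
    Wire types: 0 varint, 1 fixed64, 2 length-delimited, 5 fixed32; the deprecated group
    types 3/4 are rejected. Fixed-width values come back as unsigned ints, so a double in a
    fixed64 shows up as a large integer (a schema-less reader cannot tell the difference)."""
    fields, pos = [], 0
    while pos < len(buf):
        tag, pos = _read_varint(buf, pos)
        field, wtype = tag >> 3, tag & 7
        if field == 0:
            raise ValueError("field number 0 is invalid")
        if wtype == 0:
            val, pos = _read_varint(buf, pos)
        elif wtype in (1, 5):
            width = 8 if wtype == 1 else 4
            if pos + width > len(buf):
                raise ValueError("truncated fixed-width field")
            val = int.from_bytes(buf[pos:pos + width], "little")
            pos += width
        elif wtype == 2:
            length, pos = _read_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("truncated length-delimited field")
            val = bytes(buf[pos:pos + length])
            pos += length
        else:
            raise ValueError(f"unsupported wire type {wtype}")
        fields.append((field, wtype, val))
    return fields


def _looks_like_message(blob):
    """Heuristic: a non-empty blob that decodes cleanly is treated as an embedded message.
    Short text can pass by accident, which is why every result stays labelled by field path."""
    try:
        return bool(blob) and bool(decode_protobuf(blob))
    except ValueError:
        return False


def find_timestamps(buf, prefix=""):
    """Return {field_path: {epoch_name: datetime}} for every integer in `buf`
    (nested messages included) that has at least one plausible timestamp reading."""
    found = {}
    for field, wtype, val in decode_protobuf(buf):
        path = f"{prefix}{field}"
        if wtype == 2:
            if _looks_like_message(val):
                found.update(find_timestamps(val, path + "."))
            continue                       # plain bytes/strings are not timestamps
        hits = candidate_timestamps(val)
        if hits:
            found[path] = hits
    return found


def _varint(n):
    """Encode a non-negative int as a varint (used only to build the sample below)."""
    out = bytearray()
    while True:
        n, low = n >> 7, n & 0x7F
        out.append(low | 0x80 if n else low)
        if not n:
            return bytes(out)


# Constructed sample: the same instant (2020-06-30 00:00:00 UTC) in three encodings.
SAMPLE = (
    b"\x08" + _varint(1593475200)                           # field 1, varint: Unix seconds
    + b"\x12" + _varint(6) + b"unfurl"                      # field 2, string
    + b"\x18" + _varint(13237948800000000)                  # field 3, varint: WebKit microseconds
    + b"\x22" + _varint(9)                                  # field 4, embedded message holding
    + b"\x09" + (132379488000000000).to_bytes(8, "little")  #   field 1, fixed64: FILETIME
)

if __name__ == "__main__":
    for path, readings in find_timestamps(SAMPLE).items():
        for name, when in readings.items():
            print(f"field {path}: {name} -> {when.isoformat()}")
```

The plausibility window is doing the real work: without it, every integer converts under every epoch and the output is noise. It also means a genuine timestamp outside 2015-2025 is silently dropped, so widen PLAUSIBLE when the case calls for it rather than trusting an empty result.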
#DailyDFIR 182: A new version of Unfurl is here! Features: new command-line tool, unfurl_cli.py; now on PyPI, for easier install with "pip install dfir-unfurl". More details: https://t.co/nkUR4JOXvu #DFIR https://t.co/NSCJWWNRSo
http://twitter.com/_RyanBenson/status/1277962411807371265
·dfir.blog·
#DailyDFIR 181: It's almost July and that means more great #DFIR events! Check out the list @DfirDiva put together with a focus on beginners: https://t.co/GZzarsNS81 It includes the @DFIRSummit which I'll be speaking at about Unfurl!
https://twitter.com/_RyanBenson/status/1277811820078628864
·dfirdiva.com·
#DailyDFIR 178: I'm a big proponent of using visualizations to help with analysis & I love seeing how others make use of them. @Forensicator4 wrote a post about exploring the visualization options in #Python & #Pandas with a #DFIR spin: https://t.co/00RmMH0FCx #DFIR
https://twitter.com/_RyanBenson/status/1276550059279044609
·forensic8or.blogspot.com·
#DailyDFIR 177: More fun with .DS_Store files: @JPoForenso on using .DS_Store files to find references to deleted files: https://t.co/luIC3GVKaq & https://t.co/0wIg3moWLd Interesting way to leverage exposed .DS_Store files: https://t.co/KfgDuc5P2n #DFIR #macOS
https://twitter.com/_RyanBenson/status/1276152400844328961
·ponderthebits.com·
#DailyDFIR 176: @13CubedDFIR has a video explaining basics about .DS_Store files on #macOS and how to get value from them in #DFIR investigations: https://t.co/dUvkr6tvrH (by @13CubedDFIR). DSStoreParser tool: https://t.co/4Kx2eMJys6 (by @nicoleibrahim).
https://twitter.com/_RyanBenson/status/1275956297003745280
·youtube.com·
#DailyDFIR 175: @hackerfactor has a detailed post examining a plethora of approaches to detect timestamp manipulation in photos: https://t.co/2PeKWKNJ9S It is similar to #DFIR cases where the system clock was changed; you can use other factors to tell something is off.
https://twitter.com/_RyanBenson/status/1275440977675722752
·hackerfactor.com·
#DailyDFIR 174: @SwiftForensics wrote a good post on Screentime Notifications: https://t.co/u74yxWda2m Besides the content I like the post's format. It's relatively short & focused on a single artifact. Reminds me of 4n6k's "Forensics Quickies" from back in the day. #DFIR
https://twitter.com/_RyanBenson/status/1275072046712512520
·swiftforensics.com·
#DailyDFIR 173: Few reference materials in #DFIR have remained as useful as @carrier4n6's "File System Forensic Analysis" (from 2005!): https://t.co/SyYKR2Vdqz This deep-dive into file systems is quite handy to have nearby (either for a case or for CTF trivia @bethlogic). https://t.co/II3Zawv8lH
https://twitter.com/_RyanBenson/status/1274730294713520128
·digital-evidence.org·
#DailyDFIR 172: Metaspike has a couple nice posts on the different kinds of encoded timestamps you may find in email messages: https://t.co/WHpFqzoBN8 https://t.co/nqecrYwZQa I don't examine emails very often but I do like finding timestamps encoded in new places! #DFIR
https://twitter.com/_RyanBenson/status/1274453405105192960
·metaspike.com·
#DailyDFIR 171: @iamevltwin has (many!) updates to knowledgeC modules in APOLLO: https://t.co/v8zaUC3HcL https://t.co/myaQ8hv83g knowledgeC is a really interesting resource worth checking out if you are examining an iOS or macOS device! #DFIR
https://twitter.com/_RyanBenson/status/1274140811194560512
·mac4n6.com·
#DailyDFIR 170: Come learn about #DFIR Incident Management at @Google on the Forensic Lunch tomorrow! (8am PDT) https://t.co/UbL4xQxJlP @HECFBlog will have @0xMatt @joachimmetz @JamesNettesheim and @alexanderjaeger - should be a great show!
https://twitter.com/_RyanBenson/status/1273835754041405440
·youtube.com·
#DailyDFIR 168: The @SANSInstitute @DFIRSummit is now FREE! It's a great event & it being online and free this year makes me happy b/c it's accessible to more people! July 16-17 2020 Register: https://t.co/G0DG16TnuW Agenda: https://t.co/wLC6EYJYgM #DFIR #Infosec
https://twitter.com/_RyanBenson/status/1273030741161504768
·sans.org·
#DailyDFIR 166: I use #Python to build #DFIR things. The @pythonbytes podcast is great for learning: https://t.co/3229V14De2 Confession: I haven't ever actually listened to an episode; I just skim the summaries to learn about new scripts & modules. Still really helpful!
https://twitter.com/_RyanBenson/status/1272388037490556928
·pythonbytes.fm·
#DailyDFIR 165: Check out this nice resource by @technisette for finding the right OSINT tool: https://t.co/Yo9tHBXj5a It has an easy to browse collection of tools and tutorials grouped by category or you can just search the whole thing! #DFIR #OSINT
https://twitter.com/_RyanBenson/status/1271992826323034113
·technisette.com·
#DailyDFIR 162: Hindsight is 2020! Okay it's actually v20200607 but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight! Features: #Python 3; supports #Chrome 1-83; more Storage artifacts. https://t.co/6eorratUJO #DFIR
https://twitter.com/_RyanBenson/status/1270711815974969344
·dfir.blog·
#DailyDFIR 161: @iamevltwin has a post on analyzing Apple TV using free tools she's built for iOS & Mac analysis - and it just works! It's sweet when tools do more than expected. https://t.co/6k4FjzLpjz It's a good reminder that #DFIR is more than phones, laptops & desktops.
https://twitter.com/_RyanBenson/status/1270538383194943489
·mac4n6.com·
#DailyDFIR 160: @BlakDouble has a post explaining Favicon artifacts on mobile Safari and how it can sometimes provide insight into when pages were visited: https://t.co/AFQ2mkYbZ2 I've found the Chrome Favicons to be of similar use. #DFIR
https://twitter.com/_RyanBenson/status/1270208880493187074
·doubleblak.com·
#DailyDFIR 159: DFRWS EU was last week. One interesting paper was "On Challenges in Verifying Trusted Executable Files in Memory Forensics" by Uroz & Rodríguez: Paper: https://t.co/zGeO3kmK3Z Slides: https://t.co/hpyckn6kme #DFIR #Volatility
https://twitter.com/_RyanBenson/status/1269786719533977600
·dfrws.org·
#DailyDFIR 157: The @EFF has many good guides and how-tos. Check them out. You might learn something or find something relevant to send on to a less tech-savvy friend/family member/etc.: https://t.co/yWYpFMzsVF #DFIR #opsec
https://twitter.com/_RyanBenson/status/1269073792279535618
·ssd.eff.org·