DailyDFIR

408 bookmarks
#DailyDFIR 230: Want to do some OSINT? A pre-built #VM loaded with tools can be a great way to get going quickly. @baywolf88 has a nice comparison of #OSINT / #DFIR-focused virtual machines along with thoughts on each: https://t.co/S72bRUF51z
http://twitter.com/_RyanBenson/status/1295505887063203840
·learnallthethings.net·
#DailyDFIR 231: Want to see when a #TikTok account was created? Use its ID!
- On the user's profile page view source
- Search for userId
- Unfurl the ID to see when the account was created!
More details on the timestamp embedded in the ID: https://t.co/uNqtmNyqY4 #OSINT #DFIR https://t.co/2GVCGH9O76
http://twitter.com/_RyanBenson/status/1295775196071120896
·twitter.com·
#DailyDFIR 233: This is an amazing resource - a whole course on learning #Python loaded with real-world #DFIR coding examples. The live classes are over now but the entire course is recorded so you can work through it at your own pace. Great job @AlexisBrignoni & @xbrookego! https://t.co/8GKRB6Yy6p
http://twitter.com/_RyanBenson/status/1296650859988705281
·twitter.com·
#DailyDFIR 235: Another nice write-up from @josh_hickman1 this time on "Nearby Share" (AirDrop-type system for #Android and ChromeOS) artifacts: https://t.co/1yjNMeXmG4 Yet another exfil vector with limited #DFIR visibility...
http://twitter.com/_RyanBenson/status/1297391718535315456
·thebinaryhick.blog·
#DailyDFIR 236: Did you know Unfurl can parse more than URLs? Quick example:
- Open a SQLite DB
- See a column named "proto" (hint hint)
- Copy hex bytes
- Paste into Unfurl
- Unfurl expands it & runs other parsers (ex: timestamp translated)
https://t.co/08eKH0YCch #DFIR https://t.co/nwEDfWQobb
http://twitter.com/_RyanBenson/status/1297755227710304256
·twitter.com·
·dfir.blog·
#DailyDFIR 238: Interested in setting up a serious test lab for mobile forensics? @cScottVance has a nice post exploring picking devices to maximize the types of artifacts you can explore and minimize the costs: https://t.co/K4ZO6BPw73 #DFIR #mobile4n6 #iOS #Android
http://twitter.com/_RyanBenson/status/1298448100516798464
·blog.d204n6.com·
#DailyDFIR 239: @FSecureLabs has a report (https://t.co/fF4vhqvXKp) on a Lazarus group phishing & malware campaign and reference a Bitly link used. Unfurl can show when that link was created & where it points to (even with non-ASCII domains)! https://t.co/PnfEEwuejU #DFIR https://t.co/vJa3WL9RZQ
http://twitter.com/_RyanBenson/status/1298644009124941825
·twitter.com·
·dfir.blog·
·labs.f-secure.com·
#DailyDFIR 240: Where do you start an investigation? For #TBT here's a post from a few years ago where I use a visualization to help find things to examine further: https://t.co/h1bv34wzsK https://t.co/OafQvanBk0 #DFIR #webshell @binaryz0ne
http://twitter.com/_RyanBenson/status/1299215462782312448
·youtube.com·
·dfir.blog·
#DailyDFIR 241: @Scott_Kjr has a post investigating what happens on #iOS when different apps are used to take a photo: https://t.co/6350LvUZ9N Looking beyond Photos.sqlite he found other app-specific locations that can hold key information (including deleted files!) #DFIR
http://twitter.com/_RyanBenson/status/1299492395814330368
·smarterforensics.com·
#DailyDFIR 245: I'll be on "Life Does Not Have a CtrlAltDel" with @HeatherMahalik tomorrow demoing Unfurl and answering questions about it! When: 2020-09-02 9:30am PDT (12:30pm EDT) Register: https://t.co/9tN91Xax7x #DFIR #Python
http://twitter.com/_RyanBenson/status/1300991600596668417
·bit.ly·