DailyDFIR

#DailyDFIR 113: @matt0177 is starting a blog series on using #Python & #AWS for OSINT. The first post covers AWS setup & image (photo) analysis: https://t.co/BnnIwy9Qw1 I've found #OSINT & #DFIR to be complementary; often a bit of one can make the other much more effective.

#DailyDFIR 112: @iamevltwin is starting a new blog series on Apple Unified Logs! These logs are not straightforward so if you do any Mac investigations be sure to check it out. First two posts: https://t.co/t6rwC5RhQQ https://t.co/iXA4WpccMH #DFIR #mac4n6

#DailyDFIR 111: Unfurl 3D was released on April 1st but it's not (completely) a joke. It works just like normal Unfurl & can parse the same things. https://t.co/EYBtXGqohl It also pairs nicely with your pew-pew dashboard if you need something shiny. #DFIR #VR #Python https://t.co/LK0YAzC1u7

#DailyDFIR 109: I saw a Google query string parameter (gs_ssp) I didn't recognize so I put it in Unfurl. Unfurl parsed it as b64zipprotobuf! It's really fun to see the tools you've made function as you hoped (helping me find new things). https://t.co/USlfyRzkAb #DFIR https://t.co/wJqtZ04wb4

#DailyDFIR 108: Have you wanted to learn mobile forensics but your excuse was no test data? Not any more! @josh_hickman1 just posted iOS 13 images to go along with his Android ones (& all have detailed documentation!): https://t.co/eMJToK5ggW https://t.co/LTvA0Ue4JL #DFIR

#DailyDFIR 107: Unfurl can now parse Magnet links! Magnet links are often used for P2P file sharing in place of .torrent files. They can contain a lot of information! https://t.co/xflvyDWHyo #DFIR https://t.co/LQlLrjBuy6

#DailyDFIR 105: Dave Cowen (@HECFBlog) is back to daily blogging and he's been experimenting with the AWS EBS Block API. If you do #DFIR in #AWS be sure to check out his posts and stay tuned for more: https://t.co/YujHayV6UV https://t.co/FjBZqe4QYK #DFIR #Python

#DailyDFIR 104: @JoakimSchicht from @ArsenalRecon did a very detailed technical dive into the Office Document Cache: https://t.co/5BHf364Cv5 If edit and version history for #Microsoft Office docs is relevant to your investigation definitely check this out. #DFIR

#DailyDFIR 103: I'm excited about the return of @HECFBlog's Sunday Funday! I have learned a lot from reading everyone's responses to past ones. I think this week's challenge (looking for Microsoft Teams artifacts) is also spot-on: https://t.co/BKQowJAx1A #DFIR

#DailyDFIR 102: Some Unfurl graphs get a little big... https://t.co/18ykVCAa6v There's a lot parsed out here but I'm sure there's more it could do! I see lots of potential IDs that would make great Unfurl parsers (you know if anyone is looking for things to do ). #DFIR https://t.co/1HAaIZDyCa

#DailyDFIR 101: Looking for some #DFIR fun this weekend? Check out @FoxtonForensics's challenge! Their last one was a lot of fun. These generally have a browser forensics focus which I love. https://t.co/Z4egiEilEz

#DailyDFIR 100: Phones are constantly changing and becoming more secure; it's becoming even more important to be resourceful & work with what you have. #TBT post: "Visualizing activity from an encrypted iPhone backup using only metadata" https://t.co/LaM2KNgHC3 #DFIR #Python https://t.co/QgPfpWHJYW

#DailyDFIR 99: Have a #protobuf you want to decode? Unfurl can now do it! https://t.co/CLlGkedU5r It can parse protobufs standalone (just put an encoded one in) or if it finds them in URLs. Thanks to @SwiftForensics for his helpful post & sharing his test file! #DFIR #Python https://t.co/M2p8DKPJeB

#DailyDFIR 98: There's so much to remember in #DFIR. Why not use this poster-sized cheat sheet to help out? Lots of great references for #mobile4n6! https://t.co/L3JiyRLd9p

#DailyDFIR 97: @13CubedDFIR (by @davisrichardg) is a fantastic set of #DFIR walkthrough videos. Check out the latest one featuring @AlexisBrignoni's iLEAPP: https://t.co/Ij2XNRDRCw #DFIR

#DailyDFIR 96: I mostly show Unfurl with URLs but it can parse individual strings as well. I often drop a number in Unfurl to see if it's a timestamp & what format it is: https://t.co/p81tm0BARi Tip: Hover over the link to see the timestamp format. #DFIR https://t.co/cJvpMQcl6l

#DailyDFIR 94: Check out this great thread of #DFIR resources meetups trainings CTFs and videos! There is so much good stuff here. If you are at home looking for ways to up your #DFIR game definitely check this out. Thanks @phillmoore! https://t.co/3tC2P8NkGD

#DailyDFIR 95: The forensics team at @Google has launched the "Open Source DFIR" blog & the first post is "Processing at Scale": https://t.co/fAvHtqTLHM Check it out and let us know if there's anything you'd like to see! (all things open source #DFIR not just Google-related)

#DailyDFIR 92: Unfurl has been a fun tool but I've heard you: it's boring. This update to Unfurl will change all that! https://t.co/vy1NPjz9GZ It's 2020; we deserve some "Minority Report"-style forensics in VR! #DFIR #VR #DFIRin2DisObsolete https://t.co/sNLeOZR4kP

#DailyDFIR 91: @BlakDouble digs into the standard iOS Mail app: https://t.co/FEwy1ZMUWd I couldn't agree more with the conclusion: "I always find it interesting looking into aspects of a device that you think you already understand and finding out new things." #DFIR #iOS

#DailyDFIR 89: Interested in figuring out what exactly a Chrome extension does? Here are a trio of posts for your Sunday #DFIR reading: https://t.co/7BpBxguyfU by @th3_protoCOL https://t.co/1PhsZQKoMD by @sk3tchymoos3 https://t.co/CFTRqM8vN4 by @crxpert #DFIR #Chrome

#DailyDFIR 88: More great features for ALEAPP by @SwiftForensics. He and @AlexisBrignoni have been cranking out a lot of great new parsers! https://t.co/RxjiYzLDsD

#DailyDFIR 86: Hey look more #DailyDFIR! I'm looking forward to checking out these videos and hope to learn some new #DFIR things. https://t.co/u4AHd6Orch

#DailyDFIR 85: ICYMI Unfurl can expand short links from: bit[.]ly bitly[.]com j[.]mp bit[.]do buff[.]ly goo[.]gl is[.]gd ow[.]ly t[.]co tinyurl[.]com Unfurl uses APIs when possible and 301 headers when not; it will not contact link destinations. #DFIR #opsec https://t.co/uY237xSeHu

#DailyDFIR 84: Get some great #DFIR training focused on Linux for free! Thanks @hal_pomeranz! (torrent): https://t.co/H5vXaLru0u #DFIR #Linux https://t.co/CnAVl11aDh

#DailyDFIR 83: In #DFIR we talk about vetting our tools often with a focus on accuracy. As this nice investigative post by @MwOsint shows that's not the only aspect of a tool worth digging into... https://t.co/H3nybOJax3

#DailyDFIR 82: @phillmoore's "This Week in 4n6" is a fantastic roundup of #DFIR info. If you aren't getting it via RSS or email you should: https://t.co/RgPpABlhQ5 I find the short summaries of the linked resources helpful in trying to keep up in this ever-changing industry.

#DailyDFIR 81: Try to build a parser from scratch for an artifact (any artifact!). It doesn't matter how simple or complicated it is or if other parsers already can do it; it really is a fantastic learning process. #DFIR #Python https://t.co/k42d3FqDss

#DailyDFIR 80: I use my collection of #DFIR #OSINT #RE & #Python RSS feeds daily to (try to) keep up with the rapid changes in our fields. This "starter pack" resource from @bunsofwrath12 is a great way to kickstart your own RSS collection! https://t.co/UPPk5U4hww

#DailyDFIR 79: @ArsenalRecon's Arsenal Image Mounter got an update and it can do (even more!) cool stuff. Great tool; both free and paid versions! It looks very helpful for those dealing with BitLocker-protected volumes. https://t.co/yyZF5EMiS2 #DFIR