DailyDFIR

#DailyDFIR 78: One thing I like about Unfurl is how its basic parsers (like url base64 & timestamp) work on a wide range of URLs. For example I haven't done any research or customization for @amazon but this long URL still Unfurls nicely: https://t.co/sBQFzHSg4k #DFIR https://t.co/VaJ8I5ruxx

#DailyDFIR 76: @trailofbits released a new @osquery table for NTFS change journal events! The USN journal has been a favorite evidence source for me since I learned about it from @HECFBlog; there is so much good #DFIR stuff there! https://t.co/Rqa4UYjF9W

#DailyDFIR 75: Slides and video are posted from @iamevltwin's "Exploring macOS with APOLLO" from #OBTS 3.0! Some great Sunday #DFIR reading/viewing https://t.co/ah8dgVeM5H https://t.co/myaQ8hv83g

#DailyDFIR 74: If you're going to rip off someone's work maybe don't pick @nixintel? First thought: "I have a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you." #DFIR #OSINT https://t.co/wl0mzYDzOR

#DailyDFIR 73: Make your #DFIR-life easier for Android analysis! Let @AlexisBrignoni and @SwiftForensics know what you would find helpful so they can add it! https://t.co/DaRVN7tTHp

#DailyDFIR 72: "Objective by the Sea" (Mac Security Conference) is streaming live! What a great #DFIR thing to do while you stay inside away from everyone ;) https://t.co/PMH9AuHeli

#DailyDFIR 71: We use & love timestamps in #DFIR but with that comes a duty to really understand what they mean. This can be difficult when moving files across filesystems; this post discusses collecting evidence from an iOS device. Thanks @B1N2H3X @reccetech @forensicmike1! https://t.co/mwWsbU9xlx

#DailyDFIR 70: This is a nice article by @hackerfactor looking at Telegram. I like his descriptions of encryption (or lack thereof) & the ramifications along with what he has inferred about the app through testing. https://t.co/aqrbBWFNBS #DFIR

#DailyDFIR 69: Do you use strings.exe on files to try to get an idea of what's in them? Use @FireEye's FLOSS (FireEye Labs Obfuscated String Solver) instead. It's a drop-in replacement for strings that handles deobfuscation. https://t.co/Gr3R6Xro94 #DFIR @williballenthin

#DailyDFIR 68: Today was the start of Daylight saving time in the US. Except not all of the US. In those parts that did shift an hour each timezone shifted at local 2am so the shift was staggered across the county. What I'm trying to say here is: Log everything in UTC #DFIR

#DailyDFIR 67: Check out @josh_hickman1's talk from DFRWS US 2019 - "Android Auto And Google Assistant How Google Encourages Hands-Free Motoring". There's lots of good stuff in it and I always love seeing anyone talk about protobufs! https://t.co/GdBWF9Oje8 #DFIR

#DailyDFIR 66: Nice talk by @B1N2H3X at DFRWS EU 2019 on #DFIR for ChromeOS discussing what it is what information can be present and challenges: Chrome Nuts And Bolts: ChromeOS / Chromebook Forensics https://t.co/Z73B5P6Sgg #DFIR #Chrome

#DailyDFIR 65: Publicly-released case studies in #DFIR are rare. @ArsenalArmed's "Odatv" report is a great one and it even has some evidence attached so you can follow along! https://t.co/zFkNwroKMJ #DFIR #tbt

#DailyDFIR 64: This is a fun read. I'm sure getting that vague notification from a three-letter agency feels the same whether you are gov mil or private... I wish I had a helicopter to ferry me around during my #DFIR wild goose chases. https://t.co/7Yg1gEkGwf

#DailyDFIR 63: Right now "Automate the Boring Stuff with Python Programming" is free with code FEB2020FREE2 on Udemy. The book is a hands-on intro to Python great if you are looking to start coding: https://t.co/gMQstsWv2Y #DFIR #Python

#DailyDFIR 62: @4n6ist is starting a blog series on MSSQL forensics based on experience in the 2019 Digital Forensics Challenge (https://t.co/x0IFcr9EKo). https://t.co/SzKqKkbBQa If you ever need to recover deleted records from MSSQL this is a good place to start.

Continuing on the topic of writing in #DFIR: #DailyDFIR 61: @lennyzeltser has a one-page cheat sheet of writing tips. It's a great reference to keep handy and has general advice for sentences and paragraphs as well as specifics for emails and reports. https://t.co/Jswf9UoFug https://t.co/kPSEw5DIMm

#DailyDFIR 60: It doesn't matter how good your #DFIR analysis is if your "client" can't understand your findings. @Google has free technical writing courses. Take advantage of them: https://t.co/3cz36itoVg PS: #DFIR blogging is great for showcasing your skills for employers.

#DailyDFIR 59: I've updated Unfurl to handle the new v2 "ved" parameter from #Google URLs. https://t.co/U8MhXz3ErJ Here's the blog post on veds explaining differences & how to parse (including the new type): https://t.co/HqnumPxVDZ #DFIR https://t.co/QCUds9KClJ

#DailyDFIR 56: Some perspectives on "Pattern of Life" analysis techniques applications and issues by @christammiller featuring @iamevltwin and @AlexisBrignoni: https://t.co/rRo2ZU2ZUb https://t.co/myaQ8hv83g #DFIR

#DailyDFIR 55: The MDSec blog (https://t.co/BzF2dtRXXL) has articles heavy on technical details. It's Red Team focused but defenders benefit from understanding how attacks work too. Two recent macOS articles I liked: https://t.co/oTUnicUSHc https://t.co/9lnqDyTBJy #DFIR

#DailyDFIR 54: Here's a pair of collaborative posts on #Android artifacts from @josh_hickman1 & @AlexisBrignoni for your Sunday #DFIR reading : https://t.co/jcen85Olo8 https://t.co/pj5KYq6lFN #DFIR

#DailyDFIR 53: Take a look at this thread and the linked resources in it. Some very sharp people talking about detection in #DFIR and the "#Detectrum" https://t.co/yaFoC7237M

#DailyDFIR 52: Sarah has great advice for all those in #DFIR. When I was starting out there was this new browser called Chrome and I started digging into it. I'd say that interest and research has turned out pretty well for me Winking face. https://twitter.com/SANSEMEA/status/1230903814091239425

#DailyDFIR 51: You never know what you'll find during a #DFIR investigation. For example this is my favorite USB VID/PID: VID: 0a81 - Chesen Electronics Corp. PID: 0701 - USB Missile Launcher Good resource for looking up VID/PID: https://t.co/zfHnEqTExb #tbt

#DailyDFIR 50: Unfurl update! It can now expand more short links from these domains: bit[.]do buff[.]ly goo[.]gl is[.]gd ow[.]ly t[.]co tinyurl[.]com When these shorteners chain together the graph can get a bit big. https://t.co/VuCFwN8V2T #DFIR https://t.co/wlbZq5gljQ

The @SANSInstitute OSINT Summit is today! I'll be watching the #OSINTSummit hashtag today hoping for some of the presentations to be posted. #DailyDFIR 49: It can be incredibly helpful to enrich your #DFIR investigation with #OSINT data. Context is king! https://t.co/AY3UEkvkcO

Want to practice some mobile forensics? #DailyDFIR 48: @josh_hickman1 has posted an Android 10 image full of apps for you to dig into. He also has great write-ups on the inner working of mobile apps on his blog. https://t.co/LTvA0UvFBj Hands-on #DFIR is a great way to learn!

#DailyDFIR 47: This is a neat little trick but also serves as a reminder for #DFIR: it's important to understand how your tools work and what exactly they are doing. If you don't they might do things that surprise you in unpleasant ways. https://t.co/DFshFV3ecV

#DailyDFIR 46: The ForensicsWiki has been resurrected at a new location: https://t.co/oe6NEa6b4w. If you have some #DFIR knowledge in a specific area please check if you can help get it back up to date! https://t.co/lzdIKViHal