DailyDFIR

#DailyDFIR 45: In addition to his unparalleled artistic skills @Cheeky4n6Monkey has a great #DFIR blog. I enjoy his deep dives into the inner workings of different mobile applications and artifacts. Give him a follow and check out the blog: https://t.co/4A8GIT4Je3

#DailyDFIR 44: Read "The Cuckoo's Egg" by Cliff Stoll - it's a fun introduction to #DFIR. Although the technology is old the techniques all have modern counterparts and the lessons are timeless. Here's Cliff at the @SANSInstitute CTI Summit: https://t.co/lcpydDQMi6

#DailyDFIR 43: This is a great list of tools for #DFIR beginner and experienced alike. I'd recommend at least clicking through the slides making sure you know of all the great resources out there and digging into any you aren't familiar with (or haven't touched in a while). https://t.co/Ov9L24a5y1

Having #DFIR discussions and dropping knowledge bombs online is great... but it's even better in person! #DailyDFIR 42: If you're able attending a forensics conference is a great way to learn and build relationships. The @MagnetForensics User Summit looks great! https://t.co/akHKuGO4Ya

#DailyDFIR 41: Unfurl can now expand short links from these domains: bit[.]ly bitly[.]com j[.]mp It uses the @Bitly API; Unfurl doesn't reach out to the link destinations. It allows shows the link's creation timestamp . https://t.co/Cv4CpefsbB #DFIR #OSINT https://t.co/EnoeVjS1jL

#DailyDFIR 40: @ArsenalRecon wrote nice posts about extracting info embedded in Gmail URLs. I like how they walk through their observations process & results; it's a good sleuthing story! https://t.co/VD0SMEG8m5 https://t.co/jYKOZ2HCsR I need to add this to Unfurl! #DFIR

Here's some #DFIR Saturday reading. It's an older post but has a timeless message: details matter. #DailyDFIR 39: By understanding at a low level how something works you can spot subtle differences that can tip you off to when something isn't right. https://t.co/H6Ej8QJAeL

Initialization Vectors

One of the bigger changes in #Chrome v80 is around cookies . The 'SameSite' value will be set to 'Lax' by default making the cookie 'first-party'. #DailyDFIR 37: What is SameSite all about? Here are some resources: https://t.co/DKLfUBwMdp https://t.co/FBTrNUnMQW #DFIR

There are a _lot_ of different timestamps you might come across in #DFIR. #DailyDFIR 35: Nice post by @BlakDouble on different timestamps . I like the level of explanation on how to do each conversion & the live updating current time is a nice touch! https://t.co/5wAiZ0ElgY

I put out a short (hopefully fun) challenge yesterday. The encoding chain in the challenge was: Base32 > zlib inflate > Morse > ROT13 I made a video showing how easy CyberChef makes those transforms. #DailyDFIR 34: The CyberChef "Magic" button is well magic! #DFIR https://t.co/tHQoUi4NVK

Here's a short challenge for today: #DailyDFIR 33: What does this say? PCOBLCKBBUAAAEEC72L4EAWSH6PJZDSNI5J6ABFHEE6PDI5TDVWLSBPU #DFIR #SundayFunday

Malicious emails can have interesting links but if you really want some convulsion look at marketing emails . #DailyDFIR 31: Unfurl can now inflate zlib-compressed strings. This example has base64 zlib &-delimited string: https://t.co/d4Se15kiIN All for ! #DFIR https://t.co/srrAzugYu6

On the topic of Google Search URLs: #DailyDFIR 30: @phillmoore did a @SANSInstitute webcast a few years ago talking about his research into #Google web artifacts: google[.]com/search?q=whatdoesthisallmean? https://t.co/64O6pJGbaO (SANS account login required) #DFIR #TBT

More on #Google timestamps & context: #DailyDFIR 29: If you see google[.]com/url?q=.. (url not search) you often can tell where & when(ish) the user clicked the link. ust param gives source param shows where clicked (gmail hangouts etc). https://t.co/tKffLBhoum #DFIR

Thanks @PhilHagen! Unfurl can be run locally with #Python or with #Docker. #DailyDFIR 28: There are many great tools with online & local versions. Know what's best for your situation. Not just with #DFIR tools - is it really ok to upload <x> to that "free" site? https://t.co/aO2yuhAS7O

More on #Google Search : the ved has more in it that just a timestamp . #DailyDFIR 27: the ved parameter can give you context on how a user got to a page: what kind of link they clicked on & its position. Older (but still relevant post): https://t.co/9OmQDIpIBV #DFIR

Another reason I working on open source tools: others helping make your thing better. #DailyDFIR 26: You can now run Unfurl using #Docker thanks to @therealwlambert! Readme updated with instructions: https://t.co/X4E0smtNGA #DFIR

#DailyDFIR 25: I've liked trying to decipher what User Agent strings mean. There's so much (seemingly conflicting!) info in them. For some Saturday #DFIR reading @hackerfactor has a great blog on telling truth vs lies in User Agent Strings: https://t.co/lppTN6skd9

#DailyDFIR 24: I'll be on the Forensic Lunch talking about Unfurl! @MagnetForensics's @B1N2H3X will be there too! at 10am PST: https://t.co/fIUEA10jgv The Forensic Lunch by @HECFBlog is a great way to learn about different facets of #DFIR. Past shows: https://t.co/xDnxIqIT64

Another #Google #Search parameter packed with data is gs_l. #DailyDFIR 23: The gs_l parameter can provide context around how a user performed a search and (very!) detailed timing . @phillmoore's GSERPent tool : https://t.co/xM5YJYREB2 https://t.co/sqiGksA3Am #DFIR https://t.co/OJ79ugf36G

Google Search URLs can be for #DFIR because of timestamps . #DailyDFIR 22: #Google Search URLs have 3 parameters (sxsrf ei & ved) with embedded timestamps that show (approx) when a search took place. @phillmoore's https://t.co/cRLg4xAY2a https://t.co/sqiGksA3Am https://t.co/35rvVZexU9

Since we're talking about extracting data from URLs we can't ignore the most common (and useful) one: @Google search. #DailyDFIR 21: There is way more info in a #Google search URL than just the search terms https://t.co/MFwBLlBkje We'll look at parts in more detail #DFIR https://t.co/1IXhf76arI

When I come across a new thing in #DFIR that I'm trying to understand #CyberChef is one of my go-to tools. #DailyDFIR 20: Check out @mattnotmax's list of great CyberChef recipes for insight (and inspiration!) on what that great tool can do: https://t.co/TIKQSi7c9z

Sometimes URL structures aren't mysterious just annoying to read all crammed on one line. #DailyDFIR 19: Unfurl can expand a #JSON string to make the key/value pairs easier to see. https://t.co/qmTG1KZR2W #DFIR https://t.co/7aQZT1Sgew

Looking for some Saturday #DFIR reading? How about on private browsing forensics? #DailyDFIR 18: tl;dr: Most browsers are pretty good (except IE) & RAM is your best chance of recovering anything. https://t.co/i6tB8pdEqM by @GraemeHorsman https://t.co/hVqrmfsa2p by Joe Walsh

Digital Forensics & Incident Response Summit & Training 2021 | SANS Institute

Yesterday Microsoft launched its Chromium-based Edge. #DailyDFIR 16: The new #MicrosoftEdge looks a lot like #Chrome from a #DFIR perspective. Hindsight can parse it . I took a quick look and not much has changed from my look at the dev version: https://t.co/aJI7dqvdAl

#DailyDFIR 15: Ever seen a long Facebook search URL and wonder what's in it? FB search filters use JSON and Base64 both of which Unfurl can parse: https://t.co/cMSgi4V5Rc There's a ton of good info and discussion on @djnemec's gist: https://t.co/mL1CYw3CoR #DFIR #OSINT

Malicious or fraudulent URLs often have inconsistencies that Unfurl can help reveal. #DailyDFIR 14: @PhishLabs had a write-up about Office365 app phishing (https://t.co/F2PwnHP7zy). Check out the Unfurled URL in the image; see anything strange? #DFIR https://t.co/gB9WvPD1rk