DailyDFIR

408 bookmarks
#DailyDFIR 13: Unfurl update! Improvements around domain parsing. Added: Support for internationalized domain names; Extract subdomains/TLD; Show scheme user/password and/or port (if provided). Thanks to @djnemec for the PR! https://t.co/ldvc8sBlOD #DFIR https://t.co/ByEyAVruBz
https://twitter.com/_RyanBenson/status/1216732130027483136
·dfir.blog·
Mastodon is an open source distributed Twitter-like service. Each independent instance has its own domain. #DailyDFIR 12: #Mastodon has IDs similar to Twitter & we can extract post timestamps from them. https://t.co/MbUFzImWOw Thanks to @sim4n6 for the Unfurl PR! #DFIR
https://twitter.com/_RyanBenson/status/1216434604766191617
·dfir.blog·
I've been showing Unfurl for URLs but it can also parse other things. #DailyDFIR 11: Unfurl will try to interpret a number as whatever timestamp makes most sense. Supports: Unix epoch micro/milli/seconds, WebKit, Mac Abs Time & more! https://t.co/efiU0XBqEG #DFIR
https://twitter.com/_RyanBenson/status/1216077355480801280
·dfir.blog·
#DailyDFIR 10: ULID (Universally Unique Lexicographically Sortable Identifier) is another -like timestamp. Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV Features: Sortable; 26 chars vs UUID's 36; Larger timestamp range. https://t.co/B90zLEgMb7 https://t.co/OBvszWO2RK #DFIR https://t.co/Z49zMuhmCG
https://twitter.com/_RyanBenson/status/1215646248612401152
·github.com·
UUIDv1 has a timestamp & node ID which can be the MAC address of the machine it was generated on (or random; it depends). #DailyDFIR 8: Unfurl can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address. https://t.co/k4jM1cBJUL #DFIR https://t.co/KarLXl0mmy
https://twitter.com/_RyanBenson/status/1214927503115993089
·dfir.blog·
Since a lot of uh interesting files get passed around on chat apps we can use snowflake timestamps to add a layer to our analysis. #DailyDFIR 6: Knowing when a file was uploaded to #Discord can be useful in both malware and insider investigations. #DFIR cc: @ItsReallyNick https://t.co/l6C15G8zn4
https://twitter.com/_RyanBenson/status/1214209931584270337
·twitter.com·
#Discord is a chat app but it can send files as attachments too. #DailyDFIR 5: We can tell when a file was uploaded to @discordapp from its URL by looking at the timestamp in the File ID (2nd snowflake): https://t.co/ZqtBb3etB7 #DFIR https://t.co/P79YtVpObo
https://twitter.com/_RyanBenson/status/1213870768070610944
·dfir.blog·
This one is also about @discordapp but with a #OSINT twist. #DailyDFIR 4: We can search for the server ID from yesterday's #Discord URL on https://t.co/6H1k3pCHGH and find the message was from @bunsofwrath12's Digital Forensics Discord server: https://t.co/6fy6gvixCk #DFIR https://t.co/SZu083Sz9P
https://twitter.com/_RyanBenson/status/1213485614860918789
·dis.cool·
Continuing with snowflakes, @discordapp uses a variation of Twitter's for IDs. #DailyDFIR 3: A #Discord message URL has 3 snowflakes/timestamps. We can extract when the server, channel and message were created. https://t.co/q0DHrA8btf https://t.co/vltPkLVWJT #DFIR https://t.co/UE4a5kYzqJ
https://twitter.com/_RyanBenson/status/1213109006174048257
·dfir.blog·
#DailyDFIR 179: New post by @hacktobeer showing how to query #AWS and #GCP logs using the libcloudforensics #Python module or CLI tool: 🔗 https://t.co/kY32U6ka9V 🔗 https://t.co/5AKjpLVykj #DFIR #Cloud
https://twitter.com/_RyanBenson/status/1276888647199907840
·osdfir.blogspot.com·
#DailyDFIR 169: Did you know you can often see how long someone was on a Google search page just from the URL? It's in the gs_l param & https://t.co/H5XHNrawum can show you it (and more!) @300Dfir covers it in his write-up on the #MVS2020CTF: 🔗 https://t.co/6yZaokNIMm #DFIR
https://twitter.com/_RyanBenson/status/1273485362594148352
·dfir300.blogspot.com·
#DailyDFIR 149: Small update to Unfurl 🌿 is out, with a few new features & fixes: 🖱️📋 Double-click a node to copy its value 🩳🔗 Add support for more short-links 🔂💬 Clarify ei parameter explanation Check it out at https://t.co/H5XHNrawum! More updates to come #DFIR
https://twitter.com/_RyanBenson/status/1266073261936218113
·dfir.blog·
#DailyDFIR 144: @13CubedDFIR has a ton of great video content on #DFIR topics, including: 🔹Windows Forensics 🔹Memory Forensics 🔹Malware Analysis 🔹Mobile Forensics Check it out! https://t.co/duqS8f35Fn
https://twitter.com/_RyanBenson/status/1264343956520759296
·youtube.com·
#DailyDFIR 142: Did you know Unfurl can parse more than URLs? Quick example: 🔸Open a SQLite DB 🔸See a column named "proto" (hint, hint) 🔸Copy hex bytes 🔸Paste into Unfurl 🔸Unfurl expands it & runs other parsers (ex: timestamp translated) 🔗https://t.co/08eKH0YCch #DFIR https://t.co/bF69V6jXmc
https://twitter.com/_RyanBenson/status/1263577939704115200
·twitter.com·
#DailyDFIR 140: I'll be speaking about Unfurl at the (virtual) @SANSInstitute DFIR Summit in July! (I missed when the agenda was first posted publicly, whoops). 🔗https://t.co/ZfRisFEVnM 🔗https://t.co/wLC6EYJYgM I'm looking forward to a lot of these talks! #DFIR #DFIRSummit
https://twitter.com/_RyanBenson/status/1262870628576575488
·sans.org·
#DailyDFIR 118: Did you know #Chrome tracks how long each page is open? "History" SQLite DB ➡️ "visits" table ➡️ "visit_duration" column ➡️ value in milliseconds. Hindsight will parse this for you as "Visit Duration": 🔗https://t.co/B7fJ9TxeZh #DFIR #Python
https://twitter.com/_RyanBenson/status/1254921002376556544
·github.com·
#DailyDFIR 93: Check out this excellent post by @SwiftForensics on parsing unknown protobufs: 🔗https://t.co/uUnzmg9GAj The demonstration of parsing a test "unknown" protobuf with different tools and comparing results was great! #DFIR #Android #Python #mobile4n6
https://twitter.com/_RyanBenson/status/1245775612762918913
·swiftforensics.com·
#DailyDFIR 90: ICYMI, there is a new version of the "ved" Google URL parameter (it still has the timestamp ⏰). I've created a comparison write-up of "ved" #Google URL parameters and how to parse them, including the new v2 type: 🔗https://t.co/HqnumPxVDZ #DFIR https://t.co/Qb2vvbGya9
https://twitter.com/_RyanBenson/status/1244830284794613760
·dfir.blog·
#DailyDFIR 87: Check out the daily CTF from @NW3CNews. Each part is small, so you can try some even if your time is limited: 🔗https://t.co/UvyAgJ8fDf I like CTFs because they are a fun way to exercise skills you might not use in your day-to-day. #DFIR #OSINT #CTF
https://twitter.com/_RyanBenson/status/1243607474516590592
·nw3.ctfd.io·
I've spotted a new version of the useful "ved" #Google URL parameter. #DailyDFIR 58: I created a comparison write-up of "ved" Google URL parameters and how to parse them, including the new v2 type: 🔗https://t.co/HqnumPxVDZ Don't worry #DFIR, the timestamp is still there! ⏰ https://t.co/kIUj2IeWLm
https://twitter.com/_RyanBenson/status/1233097224529178625
·dfir.blog·
#DailyDFIR 57: Ever wondered what a value buried in a Chrome artifact means? I've collected some of the ones I find helpful for easy reference: 🔗https://t.co/Op40XXkGnj Personal favorite: "The download was ... danger[ous], but the user told us to go ahead anyway" #YOLO #DFIR
https://twitter.com/_RyanBenson/status/1232686309581262848
·dfir.blog·
#DailyDFIR 36: Chrome v80 is here! I've updated my interactive "evolution" visualization. You can explore how the structure of the data that makes up your browsing history has changed through #Chrome's many versions: 🔗https://t.co/tyR4hbFVyV #DFIR #dataviz https://t.co/wJDv7bjfac
https://twitter.com/_RyanBenson/status/1225081455732092928
·dfir.blog·
UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is the most common (random), but UUIDv1 (time-based) is still out there. #DailyDFIR 7: The 13th digit (or 1st of 3rd group) is a quick way to tell if a UUID holds a timestamp⏰ 🔗https://t.co/BjawVb8pzg #DFIR https://t.co/saqSR6esHU
https://twitter.com/_RyanBenson/status/1214565984993861632
·twitter.com·
January's #DailyDFIR theme will be URLs and the things you can find inside of them. #DailyDFIR 1: Unfurl takes a URL and expands ("unfurls") it into a graph to show data it contains. It's amazing how much can be hidden inside URLs! 🛠️🌿 #DFIR 🔗https://t.co/ZfRisFEVnM https://t.co/Ti84QqEh7E
https://twitter.com/_RyanBenson/status/1212511076534800384
·dfir.blog·
Since I'm doing this on @twitter let's start with tweet URLs. #DailyDFIR 2: Each tweet has a unique ID called a snowflake and contains a timestamp. We can extract this timestamp to find when the tweet was sent: https://t.co/gLnZb5hlrK https://t.co/d9IfBHlktq #DFIR https://t.co/F6DbBtkQR7
https://twitter.com/_RyanBenson/status/1212776788897583105
·dfir.blog·
#DailyDFIR 366: It's here, the end of 2020! I've finished my year of tweeting about #DFIR topics every single day. I've put together a wrap-up post: 🔗 https://t.co/eePvJX9wQp Thanks to all of #DFIR; I couldn't have found 366 positive things to tweet about without your work! https://t.co/RLFmUNoKq6
https://twitter.com/_RyanBenson/status/1344769819887865856
·dfir.blog·
#DailyDFIR 364: A new Plaso release (20201228) is here! Updates: libfshfs added as option to improve HFS/HFSX parsing; filestat parser supports more timestamp types; libfsxfs added to provide XFS support; and more! Post with more details: https://t.co/1Q51v6jv7v #DFIR
http://twitter.com/_RyanBenson/status/1344076238827098112
·osdfir.blogspot.com·
#DailyDFIR 363: @SANSInstitute is having a free "Cyber Camp" for teens starting TOMORROW: https://t.co/AHsh9e69N9 It looks like a neat event with lots of hands-on learning opportunities (& even a #CTF). I think this info is useful for all, not just those getting into #DFIR.
http://twitter.com/_RyanBenson/status/1343696918531039233
·sans.org·