DailyDFIR

DailyDFIR

408 bookmarks
Oldest
I've set a goal in 2020 to post a tweet every day about something #DFIR-related. Each month will have a theme with the tweets featuring tips examples and links. Follow me here (and at https://t.co/rSnsnYWaUs) for your #DailyDFIR! https://t.co/ls97iJRqWW
I've set a goal in 2020 to post a tweet every day about something #DFIR-related. Each month will have a theme with the tweets featuring tips examples and links. Follow me here (and at https://t.co/rSnsnYWaUs) for your #DailyDFIR! https://t.co/ls97iJRqWW
https://twitter.com/_RyanBenson/status/1212506065343930368
·dfir.blog·
I've set a goal in 2020 to post a tweet every day about something #DFIR-related. Each month will have a theme with the tweets featuring tips examples and links. Follow me here (and at https://t.co/rSnsnYWaUs) for your #DailyDFIR! https://t.co/ls97iJRqWW
Since I'm doing this on @twitter let's start with tweet URLs. #DailyDFIR 2: Each tweet has a unique ID called a snowflake and contains a timestamp. We can extract this timestamp to find when the tweet was sent: https://t.co/gLnZb5hlrK https://t.co/d9IfBHlktq #DFIR https://t.co/F6DbBtkQR7
Since I'm doing this on @twitter let's start with tweet URLs. #DailyDFIR 2: Each tweet has a unique ID called a snowflake and contains a timestamp. We can extract this timestamp to find when the tweet was sent: https://t.co/gLnZb5hlrK https://t.co/d9IfBHlktq #DFIR https://t.co/F6DbBtkQR7
https://twitter.com/_RyanBenson/status/1212776788897583105
·dfir.blog·
Since I'm doing this on @twitter let's start with tweet URLs. #DailyDFIR 2: Each tweet has a unique ID called a snowflake and contains a timestamp. We can extract this timestamp to find when the tweet was sent: https://t.co/gLnZb5hlrK https://t.co/d9IfBHlktq #DFIR https://t.co/F6DbBtkQR7
Continuing with snowflakes @discordapp uses a variation of Twitter's for IDs. #DailyDFIR 3: A #Discord message URL has 3 snowflakes/timestamps. We can extract when the server channel and message were created . https://t.co/q0DHrA8btf https://t.co/vltPkLVWJT #DFIR https://t.co/UE4a5kYzqJ
Continuing with snowflakes @discordapp uses a variation of Twitter's for IDs. #DailyDFIR 3: A #Discord message URL has 3 snowflakes/timestamps. We can extract when the server channel and message were created . https://t.co/q0DHrA8btf https://t.co/vltPkLVWJT #DFIR https://t.co/UE4a5kYzqJ
https://twitter.com/_RyanBenson/status/1213109006174048257
·dfir.blog·
Continuing with snowflakes @discordapp uses a variation of Twitter's for IDs. #DailyDFIR 3: A #Discord message URL has 3 snowflakes/timestamps. We can extract when the server channel and message were created . https://t.co/q0DHrA8btf https://t.co/vltPkLVWJT #DFIR https://t.co/UE4a5kYzqJ
This one is also about @discordapp but with a #OSINT twist. #DailyDFIR 4: We can search for the server ID from yesterday's #Discord URL on https://t.co/6H1k3pCHGH and find the message was from @bunsofwrath12's Digital Forensics Discord server: https://t.co/6fy6gvixCk #DFIR https://t.co/SZu083Sz9P
This one is also about @discordapp but with a #OSINT twist. #DailyDFIR 4: We can search for the server ID from yesterday's #Discord URL on https://t.co/6H1k3pCHGH and find the message was from @bunsofwrath12's Digital Forensics Discord server: https://t.co/6fy6gvixCk #DFIR https://t.co/SZu083Sz9P
https://twitter.com/_RyanBenson/status/1213485614860918789
·dis.cool·
This one is also about @discordapp but with a #OSINT twist. #DailyDFIR 4: We can search for the server ID from yesterday's #Discord URL on https://t.co/6H1k3pCHGH and find the message was from @bunsofwrath12's Digital Forensics Discord server: https://t.co/6fy6gvixCk #DFIR https://t.co/SZu083Sz9P
#Discord is a chat app but it can send files as attachments too. #DailyDFIR 5: We can tell when a file was uploaded to @discordapp from its URL by looking at the timestamp in the File ID (2nd snowflake ): https://t.co/ZqtBb3etB7 #DFIR https://t.co/P79YtVpObo
#Discord is a chat app but it can send files as attachments too. #DailyDFIR 5: We can tell when a file was uploaded to @discordapp from its URL by looking at the timestamp in the File ID (2nd snowflake ): https://t.co/ZqtBb3etB7 #DFIR https://t.co/P79YtVpObo
https://twitter.com/_RyanBenson/status/1213870768070610944
·dfir.blog·
#Discord is a chat app but it can send files as attachments too. #DailyDFIR 5: We can tell when a file was uploaded to @discordapp from its URL by looking at the timestamp in the File ID (2nd snowflake ): https://t.co/ZqtBb3etB7 #DFIR https://t.co/P79YtVpObo
Since a lot of uh interesting files get passed around on chat apps we can use snowflake timestamps to add a layer to our analysis. #DailyDFIR 6: Knowing when a file was uploaded to #Discord can be useful in both malware and insider investigations. #DFIR cc: @ItsReallyNick https://t.co/l6C15G8zn4
Since a lot of uh interesting files get passed around on chat apps we can use snowflake timestamps to add a layer to our analysis. #DailyDFIR 6: Knowing when a file was uploaded to #Discord can be useful in both malware and insider investigations. #DFIR cc: @ItsReallyNick https://t.co/l6C15G8zn4
https://twitter.com/_RyanBenson/status/1214209931584270337
·twitter.com·
Since a lot of uh interesting files get passed around on chat apps we can use snowflake timestamps to add a layer to our analysis. #DailyDFIR 6: Knowing when a file was uploaded to #Discord can be useful in both malware and insider investigations. #DFIR cc: @ItsReallyNick https://t.co/l6C15G8zn4
UUIDv1 has a timestamp & node ID which can be the MAC address of the machine it was generated on (or random; it depends ). #DailyDFIR 8: Unfurl can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address. https://t.co/k4jM1cBJUL #DFIR https://t.co/KarLXl0mmy
UUIDv1 has a timestamp & node ID which can be the MAC address of the machine it was generated on (or random; it depends ). #DailyDFIR 8: Unfurl can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address. https://t.co/k4jM1cBJUL #DFIR https://t.co/KarLXl0mmy
https://twitter.com/_RyanBenson/status/1214927503115993089
·dfir.blog·
UUIDv1 has a timestamp & node ID which can be the MAC address of the machine it was generated on (or random; it depends ). #DailyDFIR 8: Unfurl can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address. https://t.co/k4jM1cBJUL #DFIR https://t.co/KarLXl0mmy
#DailyDFIR 10: ULID (Universally Unique Lexicographically Sortable Identifier) is another -like timestamp. Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV Features: Sortable 26 chars vs UUID's 36 Larger timestamp range https://t.co/B90zLEgMb7 https://t.co/OBvszWO2RK #DFIR https://t.co/Z49zMuhmCG
#DailyDFIR 10: ULID (Universally Unique Lexicographically Sortable Identifier) is another -like timestamp. Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV Features: Sortable 26 chars vs UUID's 36 Larger timestamp range https://t.co/B90zLEgMb7 https://t.co/OBvszWO2RK #DFIR https://t.co/Z49zMuhmCG
https://twitter.com/_RyanBenson/status/1215646248612401152
·github.com·
#DailyDFIR 10: ULID (Universally Unique Lexicographically Sortable Identifier) is another -like timestamp. Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV Features: Sortable 26 chars vs UUID's 36 Larger timestamp range https://t.co/B90zLEgMb7 https://t.co/OBvszWO2RK #DFIR https://t.co/Z49zMuhmCG
I've been showing Unfurl for URLs but it can also parse other things. #DailyDFIR 11: Unfurl will try to interpret a numberas whatever timestamp makes most sense. Supports: Unix epoch micro/milli/seconds WebKit Mac Abs Time & more! https://t.co/efiU0XBqEG #DFIR
I've been showing Unfurl for URLs but it can also parse other things. #DailyDFIR 11: Unfurl will try to interpret a numberas whatever timestamp makes most sense. Supports: Unix epoch micro/milli/seconds WebKit Mac Abs Time & more! https://t.co/efiU0XBqEG #DFIR
https://twitter.com/_RyanBenson/status/1216077355480801280
·dfir.blog·
I've been showing Unfurl for URLs but it can also parse other things. #DailyDFIR 11: Unfurl will try to interpret a numberas whatever timestamp makes most sense. Supports: Unix epoch micro/milli/seconds WebKit Mac Abs Time & more! https://t.co/efiU0XBqEG #DFIR
Mastodon is an open source distributed Twitter-like service. Each independent instance has its own domain. #DailyDFIR 12: #Mastodon has IDs similar to Twitter & we can extract post timestamps from them. https://t.co/MbUFzImWOw Thanks to @sim4n6 for the Unfurl PR! #DFIR
Mastodon is an open source distributed Twitter-like service. Each independent instance has its own domain. #DailyDFIR 12: #Mastodon has IDs similar to Twitter & we can extract post timestamps from them. https://t.co/MbUFzImWOw Thanks to @sim4n6 for the Unfurl PR! #DFIR
https://twitter.com/_RyanBenson/status/1216434604766191617
·dfir.blog·
Mastodon is an open source distributed Twitter-like service. Each independent instance has its own domain. #DailyDFIR 12: #Mastodon has IDs similar to Twitter & we can extract post timestamps from them. https://t.co/MbUFzImWOw Thanks to @sim4n6 for the Unfurl PR! #DFIR
#DailyDFIR 13: Unfurl update! Improvements around domain parsing. Added: Support for internationalized domain names Extract subdomains/TLD Show scheme user/password and/or port (if provided) Thanks to @djnemec for the PR! https://t.co/ldvc8sBlOD #DFIR https://t.co/ByEyAVruBz
#DailyDFIR 13: Unfurl update! Improvements around domain parsing. Added: Support for internationalized domain names Extract subdomains/TLD Show scheme user/password and/or port (if provided) Thanks to @djnemec for the PR! https://t.co/ldvc8sBlOD #DFIR https://t.co/ByEyAVruBz
https://twitter.com/_RyanBenson/status/1216732130027483136
·dfir.blog·
#DailyDFIR 13: Unfurl update! Improvements around domain parsing. Added: Support for internationalized domain names Extract subdomains/TLD Show scheme user/password and/or port (if provided) Thanks to @djnemec for the PR! https://t.co/ldvc8sBlOD #DFIR https://t.co/ByEyAVruBz
Malicious or fraudulent URLs often have inconsistencies that Unfurl can help reveal. #DailyDFIR 14: @PhishLabs had a write-up about Office365 app phishing (https://t.co/F2PwnHP7zy). Check out the Unfurled URL in the image; see anything strange? #DFIR https://t.co/gB9WvPD1rk
Malicious or fraudulent URLs often have inconsistencies that Unfurl can help reveal. #DailyDFIR 14: @PhishLabs had a write-up about Office365 app phishing (https://t.co/F2PwnHP7zy). Check out the Unfurled URL in the image; see anything strange? #DFIR https://t.co/gB9WvPD1rk
https://twitter.com/_RyanBenson/status/1217137197372956672
·info.phishlabs.com·
Malicious or fraudulent URLs often have inconsistencies that Unfurl can help reveal. #DailyDFIR 14: @PhishLabs had a write-up about Office365 app phishing (https://t.co/F2PwnHP7zy). Check out the Unfurled URL in the image; see anything strange? #DFIR https://t.co/gB9WvPD1rk
#DailyDFIR 15: Ever seen a long Facebook search URL and wonder what's in it? FB search filters use JSON and Base64 both of which Unfurl can parse: https://t.co/cMSgi4V5Rc There's a ton of good info and discussion on @djnemec's gist: https://t.co/mL1CYw3CoR #DFIR #OSINT
#DailyDFIR 15: Ever seen a long Facebook search URL and wonder what's in it? FB search filters use JSON and Base64 both of which Unfurl can parse: https://t.co/cMSgi4V5Rc There's a ton of good info and discussion on @djnemec's gist: https://t.co/mL1CYw3CoR #DFIR #OSINT
https://twitter.com/_RyanBenson/status/1217469622066143234
·dfir.blog·
#DailyDFIR 15: Ever seen a long Facebook search URL and wonder what's in it? FB search filters use JSON and Base64 both of which Unfurl can parse: https://t.co/cMSgi4V5Rc There's a ton of good info and discussion on @djnemec's gist: https://t.co/mL1CYw3CoR #DFIR #OSINT
Yesterday Microsoft launched its Chromium-based Edge. #DailyDFIR 16: The new #MicrosoftEdge looks a lot like #Chrome from a #DFIR perspective. Hindsight can parse it . I took a quick look and not much has changed from my look at the dev version: https://t.co/aJI7dqvdAl
Yesterday Microsoft launched its Chromium-based Edge. #DailyDFIR 16: The new #MicrosoftEdge looks a lot like #Chrome from a #DFIR perspective. Hindsight can parse it . I took a quick look and not much has changed from my look at the dev version: https://t.co/aJI7dqvdAl
https://twitter.com/_RyanBenson/status/1217834164205940736
·dfir.blog·
Yesterday Microsoft launched its Chromium-based Edge. #DailyDFIR 16: The new #MicrosoftEdge looks a lot like #Chrome from a #DFIR perspective. Hindsight can parse it . I took a quick look and not much has changed from my look at the dev version: https://t.co/aJI7dqvdAl
Looking for some Saturday #DFIR reading? How about on private browsing forensics? #DailyDFIR 18: tl;dr: Most browsers are pretty good (except IE) & RAM is your best chance of recovering anything. https://t.co/i6tB8pdEqM by @GraemeHorsman https://t.co/hVqrmfsa2p by Joe Walsh
Looking for some Saturday #DFIR reading? How about on private browsing forensics? #DailyDFIR 18: tl;dr: Most browsers are pretty good (except IE) & RAM is your best chance of recovering anything. https://t.co/i6tB8pdEqM by @GraemeHorsman https://t.co/hVqrmfsa2p by Joe Walsh
https://twitter.com/_RyanBenson/status/1218568164755169280
·sciencedirect.com·
Looking for some Saturday #DFIR reading? How about on private browsing forensics? #DailyDFIR 18: tl;dr: Most browsers are pretty good (except IE) & RAM is your best chance of recovering anything. https://t.co/i6tB8pdEqM by @GraemeHorsman https://t.co/hVqrmfsa2p by Joe Walsh
Sometimes URL structures aren't mysterious just annoying to read all crammed on one line. #DailyDFIR 19: Unfurl can expand a #JSON string to make the key/value pairs easier to see. https://t.co/qmTG1KZR2W #DFIR https://t.co/7aQZT1Sgew
Sometimes URL structures aren't mysterious just annoying to read all crammed on one line. #DailyDFIR 19: Unfurl can expand a #JSON string to make the key/value pairs easier to see. https://t.co/qmTG1KZR2W #DFIR https://t.co/7aQZT1Sgew
https://twitter.com/_RyanBenson/status/1218943691508740096
·dfir.blog·
Sometimes URL structures aren't mysterious just annoying to read all crammed on one line. #DailyDFIR 19: Unfurl can expand a #JSON string to make the key/value pairs easier to see. https://t.co/qmTG1KZR2W #DFIR https://t.co/7aQZT1Sgew
When I come across a new thing in #DFIR that I'm trying to understand #CyberChef is one of my go-to tools. #DailyDFIR 20: Check out @mattnotmax's list of great CyberChef recipes for insight (and inspiration!) on what that great tool can do: https://t.co/TIKQSi7c9z
When I come across a new thing in #DFIR that I'm trying to understand #CyberChef is one of my go-to tools. #DailyDFIR 20: Check out @mattnotmax's list of great CyberChef recipes for insight (and inspiration!) on what that great tool can do: https://t.co/TIKQSi7c9z
https://twitter.com/_RyanBenson/status/1219335724819865603
·github.com·
When I come across a new thing in #DFIR that I'm trying to understand #CyberChef is one of my go-to tools. #DailyDFIR 20: Check out @mattnotmax's list of great CyberChef recipes for insight (and inspiration!) on what that great tool can do: https://t.co/TIKQSi7c9z
Since we're talking about extracting data from URLs we can't ignore the most common (and useful) one: @Google search. #DailyDFIR 21: There is way more info in a #Google search URL than just the search terms https://t.co/MFwBLlBkje We'll look at parts in more detail #DFIR https://t.co/1IXhf76arI
Since we're talking about extracting data from URLs we can't ignore the most common (and useful) one: @Google search. #DailyDFIR 21: There is way more info in a #Google search URL than just the search terms https://t.co/MFwBLlBkje We'll look at parts in more detail #DFIR https://t.co/1IXhf76arI
https://twitter.com/_RyanBenson/status/1219630174007750656
·dfir.blog·
Since we're talking about extracting data from URLs we can't ignore the most common (and useful) one: @Google search. #DailyDFIR 21: There is way more info in a #Google search URL than just the search terms https://t.co/MFwBLlBkje We'll look at parts in more detail #DFIR https://t.co/1IXhf76arI
Google Search URLs can be for #DFIR because of timestamps . #DailyDFIR 22: #Google Search URLs have 3 parameters (sxsrf ei & ved) with embedded timestamps that show (approx) when a search took place. @phillmoore's https://t.co/cRLg4xAY2a https://t.co/sqiGksA3Am https://t.co/35rvVZexU9
Google Search URLs can be for #DFIR because of timestamps . #DailyDFIR 22: #Google Search URLs have 3 parameters (sxsrf ei & ved) with embedded timestamps that show (approx) when a search took place. @phillmoore's https://t.co/cRLg4xAY2a https://t.co/sqiGksA3Am https://t.co/35rvVZexU9
https://twitter.com/_RyanBenson/status/1220004765112758272
·twitter.com·
Google Search URLs can be for #DFIR because of timestamps . #DailyDFIR 22: #Google Search URLs have 3 parameters (sxsrf ei & ved) with embedded timestamps that show (approx) when a search took place. @phillmoore's https://t.co/cRLg4xAY2a https://t.co/sqiGksA3Am https://t.co/35rvVZexU9
Another #Google #Search parameter packed with data is gs_l. #DailyDFIR 23: The gs_l parameter can provide context around how a user performed a search and (very!) detailed timing . @phillmoore's GSERPent tool : https://t.co/xM5YJYREB2 https://t.co/sqiGksA3Am #DFIR https://t.co/OJ79ugf36G
Another #Google #Search parameter packed with data is gs_l. #DailyDFIR 23: The gs_l parameter can provide context around how a user performed a search and (very!) detailed timing . @phillmoore's GSERPent tool : https://t.co/xM5YJYREB2 https://t.co/sqiGksA3Am #DFIR https://t.co/OJ79ugf36G
https://twitter.com/_RyanBenson/status/1220367842115145730
·github.com·
Another #Google #Search parameter packed with data is gs_l. #DailyDFIR 23: The gs_l parameter can provide context around how a user performed a search and (very!) detailed timing . @phillmoore's GSERPent tool : https://t.co/xM5YJYREB2 https://t.co/sqiGksA3Am #DFIR https://t.co/OJ79ugf36G
#DailyDFIR 24: I'll be on the Forensic Lunch talking about Unfurl! @MagnetForensics's @B1N2H3X will be there too! at 10am PST: https://t.co/fIUEA10jgv The Forensic Lunch by @HECFBlog is a great way to learn about different facets of #DFIR. Past shows: https://t.co/xDnxIqIT64
#DailyDFIR 24: I'll be on the Forensic Lunch talking about Unfurl! @MagnetForensics's @B1N2H3X will be there too! at 10am PST: https://t.co/fIUEA10jgv The Forensic Lunch by @HECFBlog is a great way to learn about different facets of #DFIR. Past shows: https://t.co/xDnxIqIT64
https://twitter.com/_RyanBenson/status/1220736069261385729
·youtube.com·
#DailyDFIR 24: I'll be on the Forensic Lunch talking about Unfurl! @MagnetForensics's @B1N2H3X will be there too! at 10am PST: https://t.co/fIUEA10jgv The Forensic Lunch by @HECFBlog is a great way to learn about different facets of #DFIR. Past shows: https://t.co/xDnxIqIT64
#DailyDFIR 25: I've liked trying to decipher what User Agent strings mean. There's so much (seemingly conflicting!) info in them. For some Saturday #DFIR reading @hackerfactor has a great blog on telling truth vs lies in User Agent Strings: https://t.co/lppTN6skd9
#DailyDFIR 25: I've liked trying to decipher what User Agent strings mean. There's so much (seemingly conflicting!) info in them. For some Saturday #DFIR reading @hackerfactor has a great blog on telling truth vs lies in User Agent Strings: https://t.co/lppTN6skd9
https://twitter.com/_RyanBenson/status/1221112287487938561
·hackerfactor.com·
#DailyDFIR 25: I've liked trying to decipher what User Agent strings mean. There's so much (seemingly conflicting!) info in them. For some Saturday #DFIR reading @hackerfactor has a great blog on telling truth vs lies in User Agent Strings: https://t.co/lppTN6skd9
Another reason I working on open source tools: others helping make your thing better. #DailyDFIR 26: You can now run Unfurl using #Docker thanks to @therealwlambert! Readme updated with instructions: https://t.co/X4E0smtNGA #DFIR
Another reason I working on open source tools: others helping make your thing better. #DailyDFIR 26: You can now run Unfurl using #Docker thanks to @therealwlambert! Readme updated with instructions: https://t.co/X4E0smtNGA #DFIR
https://twitter.com/_RyanBenson/status/1221534126945103872
·github.com·
Another reason I working on open source tools: others helping make your thing better. #DailyDFIR 26: You can now run Unfurl using #Docker thanks to @therealwlambert! Readme updated with instructions: https://t.co/X4E0smtNGA #DFIR
More on #Google Search : the ved has more in it that just a timestamp . #DailyDFIR 27: the ved parameter can give you context on how a user got to a page: what kind of link they clicked on & its position. Older (but still relevant post): https://t.co/9OmQDIpIBV #DFIR
More on #Google Search : the ved has more in it that just a timestamp . #DailyDFIR 27: the ved parameter can give you context on how a user got to a page: what kind of link they clicked on & its position. Older (but still relevant post): https://t.co/9OmQDIpIBV #DFIR
https://twitter.com/_RyanBenson/status/1221849892412280832
·deedpolloffice.com·
More on #Google Search : the ved has more in it that just a timestamp . #DailyDFIR 27: the ved parameter can give you context on how a user got to a page: what kind of link they clicked on & its position. Older (but still relevant post): https://t.co/9OmQDIpIBV #DFIR
Thanks @PhilHagen! Unfurl can be run locally with #Python or with #Docker. #DailyDFIR 28: There are many great tools with online & local versions. Know what's best for your situation. Not just with #DFIR tools - is it really ok to upload <x> to that "free" site? https://t.co/aO2yuhAS7O
Thanks @PhilHagen! Unfurl can be run locally with #Python or with #Docker. #DailyDFIR 28: There are many great tools with online & local versions. Know what's best for your situation. Not just with #DFIR tools - is it really ok to upload <x> to that "free" site? https://t.co/aO2yuhAS7O
https://twitter.com/_RyanBenson/status/1222180157235978241
·twitter.com·
Thanks @PhilHagen! Unfurl can be run locally with #Python or with #Docker. #DailyDFIR 28: There are many great tools with online & local versions. Know what's best for your situation. Not just with #DFIR tools - is it really ok to upload <x> to that "free" site? https://t.co/aO2yuhAS7O
More on #Google timestamps & context: #DailyDFIR 29: If you see google[.]com/url?q=.. (url not search) you often can tell where & when(ish) the user clicked the link. ust param gives source param shows where clicked (gmail hangouts etc). https://t.co/tKffLBhoum #DFIR
More on #Google timestamps & context: #DailyDFIR 29: If you see google[.]com/url?q=.. (url not search) you often can tell where & when(ish) the user clicked the link. ust param gives source param shows where clicked (gmail hangouts etc). https://t.co/tKffLBhoum #DFIR
https://twitter.com/_RyanBenson/status/1222543729111683072
·dfir.blog·
More on #Google timestamps & context: #DailyDFIR 29: If you see google[.]com/url?q=.. (url not search) you often can tell where & when(ish) the user clicked the link. ust param gives source param shows where clicked (gmail hangouts etc). https://t.co/tKffLBhoum #DFIR
On the topic of Google Search URLs: #DailyDFIR 30: @phillmoore did a @SANSInstitute webcast a few years ago talking about his research into #Google web artifacts: google[.]com/search?q=whatdoesthisallmean? https://t.co/64O6pJGbaO (SANS account login required) #DFIR #TBT
On the topic of Google Search URLs: #DailyDFIR 30: @phillmoore did a @SANSInstitute webcast a few years ago talking about his research into #Google web artifacts: google[.]com/search?q=whatdoesthisallmean? https://t.co/64O6pJGbaO (SANS account login required) #DFIR #TBT
https://twitter.com/_RyanBenson/status/1222923369235922945
·sans.org·
On the topic of Google Search URLs: #DailyDFIR 30: @phillmoore did a @SANSInstitute webcast a few years ago talking about his research into #Google web artifacts: google[.]com/search?q=whatdoesthisallmean? https://t.co/64O6pJGbaO (SANS account login required) #DFIR #TBT
Malicious emails can have interesting links but if you really want some convulsion look at marketing emails . #DailyDFIR 31: Unfurl can now inflate zlib-compressed strings. This example has base64 zlib &-delimited string: https://t.co/d4Se15kiIN All for ! #DFIR https://t.co/srrAzugYu6
Malicious emails can have interesting links but if you really want some convulsion look at marketing emails . #DailyDFIR 31: Unfurl can now inflate zlib-compressed strings. This example has base64 zlib &-delimited string: https://t.co/d4Se15kiIN All for ! #DFIR https://t.co/srrAzugYu6
https://twitter.com/_RyanBenson/status/1223269455645429760
·dfir.blog·
Malicious emails can have interesting links but if you really want some convulsion look at marketing emails . #DailyDFIR 31: Unfurl can now inflate zlib-compressed strings. This example has base64 zlib &-delimited string: https://t.co/d4Se15kiIN All for ! #DFIR https://t.co/srrAzugYu6