DailyDFIR

408 bookmarks
I put out a short (hopefully fun) challenge yesterday. The encoding chain in the challenge was: Base32 > zlib inflate > Morse > ROT13. I made a video showing how easy CyberChef makes those transforms. #DailyDFIR 34: The CyberChef "Magic" button is, well, magic! #DFIR https://t.co/tHQoUi4NVK
https://twitter.com/_RyanBenson/status/1224391895368880128
·twitter.com·
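The chain in that tweet, as an added example that is not from the tweet, the challenge or CyberChef: `decode_chain` applies the four steps in the order listed (Base32 decode, zlib inflate, Morse decode, ROT13), and `encode_chain` builds such a blob in reverse so the round trip can be checked. It assumes the challenge text uses only letters, digits and spaces, and uses CyberChef's default Morse separators (one space between letters, ` / ` between words); those are assumptions, not facts from the page.

```python
import base64
import codecs
import zlib

# International Morse for letters and digits; anything else is assumed absent.
MORSE = {
    "A": ".-", "B": "-...", "C": "-.-.", "D": "-..", "E": ".", "F": "..-.",
    "G": "--.", "H": "....", "I": "..", "J": ".---", "K": "-.-", "L": ".-..",
    "M": "--", "N": "-.", "O": "---", "P": ".--.", "Q": "--.-", "R": ".-.",
    "S": "...", "T": "-", "U": "..-", "V": "...-", "W": ".--", "X": "-..-",
    "Y": "-.--", "Z": "--..",
    "0": "-----", "1": ".----", "2": "..---", "3": "...--", "4": "....-",
    "5": ".....", "6": "-....", "7": "--...", "8": "---..", "9": "----.",
}
MORSE_REV = {code: char for char, code in MORSE.items()}


def morse_encode(text: str) -> str:
    """Letters separated by one space, words by ' / ' (assumed CyberChef default)."""
    return " / ".join(
        " ".join(MORSE[c] for c in word) for word in text.upper().split()
    )


def morse_decode(code: str) -> str:
    return " ".join(
        "".join(MORSE_REV[sym] for sym in word.split())
        for word in code.split(" / ")
    )


def encode_chain(plaintext: str) -> str:
    """Build a challenge blob: ROT13 -> Morse -> zlib deflate -> Base32."""
    rotated = codecs.encode(plaintext, "rot_13")
    deflated = zlib.compress(morse_encode(rotated).encode("ascii"))
    return base64.b32encode(deflated).decode("ascii")


def decode_chain(blob: str) -> str:
    """Undo it in the order the tweet lists: Base32 -> zlib inflate -> Morse -> ROT13."""
    inflated = zlib.decompress(base64.b32decode(blob)).decode("ascii")
    return codecs.encode(morse_decode(inflated), "rot_13")


if __name__ == "__main__":
    blob = encode_chain("DETAILS MATTER")   # constructed input
    print(blob)
    print(decode_chain(blob))
```

`zlib.compress` emits a zlib stream (header plus checksum), which is what CyberChef's "Zlib Inflate" operation expects; a raw DEFLATE stream would need "Raw Inflate" instead, so check the first bytes (a zlib stream usually starts with `0x78`) before picking the operation.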
There are a _lot_ of different timestamps you might come across in #DFIR. #DailyDFIR 35: Nice post by @BlakDouble on different timestamps. I like the level of explanation on how to do each conversion & the live updating current time is a nice touch! https://t.co/5wAiZ0ElgY
https://twitter.com/_RyanBenson/status/1224756671009832960
·doubleblak.com·
One of the bigger changes in #Chrome v80 is around cookies. The 'SameSite' value will be set to 'Lax' by default making the cookie 'first-party'. #DailyDFIR 37: What is SameSite all about? Here are some resources: https://t.co/DKLfUBwMdp https://t.co/FBTrNUnMQW #DFIR
https://twitter.com/_RyanBenson/status/1225481202758369280
·web.dev·
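The Chrome 80 rules in executable form, as an added example that is not from the tweet or the linked resources: `cookie_sent` takes a `Set-Cookie` value and a request context and says whether the cookie travels. It encodes the documented behaviour (no attribute now behaves as `Lax`; `SameSite=None` is only honoured with `Secure`; `Lax` still allows cross-site top-level GET navigations; defaulted-Lax cookies younger than two minutes are additionally sent on top-level cross-site POSTs, the "Lax+POST" mitigation). The sample headers and the `chrome80` switch are constructed for the demo.

```python
def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute_lower: value_lower})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    return name.strip(), value, attrs


def cookie_sent(header: str, same_site: bool, top_level: bool = False,
                method: str = "GET", cookie_age_s: int = 0,
                chrome80: bool = True) -> bool:
    """Would this cookie be attached to a request with the given context?
    same_site: requesting site == cookie's site.  top_level: a navigation, not a subresource/XHR."""
    _, _, attrs = parse_set_cookie(header)
    mode = attrs.get("samesite")
    if mode not in (None, "strict", "lax", "none"):
        mode = None                       # unknown value: treated as unspecified
    secure = "secure" in attrs

    if mode == "none":
        # Chrome 80 rejects SameSite=None without Secure outright (sent nowhere, not even same-site).
        return secure if chrome80 else True
    if mode is None:
        if not chrome80:
            return True                   # pre-80: unspecified meant "send everywhere"
        mode = "lax-by-default"           # 80+: unspecified is treated as Lax, with the POST exception below
    if same_site:
        return True
    if mode == "strict":
        return False
    if top_level and method.upper() in ("GET", "HEAD"):
        return True                       # Lax: safe top-level navigations still carry the cookie
    # Lax+POST: only for cookies that *defaulted* to Lax, and only for their first 2 minutes.
    return (mode == "lax-by-default" and top_level
            and method.upper() == "POST" and cookie_age_s < 120)


if __name__ == "__main__":
    # Constructed headers: the same cookie with and without an explicit policy.
    for hdr in ("sid=abc", "sid=abc; SameSite=None", "sid=abc; SameSite=None; Secure"):
        print(f"{hdr!r:45} cross-site XHR -> sent={cookie_sent(hdr, same_site=False)}")
```

The forensic angle: a cookie row in Chrome's `Cookies` database that lacks `SameSite=None; Secure` can, from version 80 on, no longer have been sent with cross-site embedded requests, which changes what a given cookie value in a log can and cannot prove.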
Initialization Vectors
https://twitter.com/_RyanBenson/status/1225804677935071232
·abrignoni.blogspot.com·
Here's some #DFIR Saturday reading. It's an older post but has a timeless message: details matter. #DailyDFIR 39: By understanding at a low level how something works you can spot subtle differences that can tip you off to when something isn't right. https://t.co/H6Ej8QJAeL
https://twitter.com/_RyanBenson/status/1226198176580820992
·meridiandiscovery.com·
#DailyDFIR 40: @ArsenalRecon wrote nice posts about extracting info embedded in Gmail URLs. I like how they walk through their observations, process & results; it's a good sleuthing story! https://t.co/VD0SMEG8m5 https://t.co/jYKOZ2HCsR I need to add this to Unfurl! #DFIR
https://twitter.com/_RyanBenson/status/1226561466368573440
·arsenalrecon.com·
#DailyDFIR 41: Unfurl can now expand short links from these domains: bit[.]ly bitly[.]com j[.]mp It uses the @Bitly API; Unfurl doesn't reach out to the link destinations. It also shows the link's creation timestamp. https://t.co/Cv4CpefsbB #DFIR #OSINT https://t.co/EnoeVjS1jL
https://twitter.com/_RyanBenson/status/1226879126553780227
·dfir.blog·
Having #DFIR discussions and dropping knowledge bombs online is great... but it's even better in person! #DailyDFIR 42: If you're able, attending a forensics conference is a great way to learn and build relationships. The @MagnetForensics User Summit looks great! https://t.co/akHKuGO4Ya
https://twitter.com/_RyanBenson/status/1227251030586314752
·twitter.com·
#DailyDFIR 43: This is a great list of tools for #DFIR beginners and experienced alike. I'd recommend at least clicking through the slides, making sure you know of all the great resources out there and digging into any you aren't familiar with (or haven't touched in a while). https://t.co/Ov9L24a5y1
https://twitter.com/_RyanBenson/status/1227621495020474370
·twitter.com·
#DailyDFIR 44: Read "The Cuckoo's Egg" by Cliff Stoll - it's a fun introduction to #DFIR. Although the technology is old, the techniques all have modern counterparts and the lessons are timeless. Here's Cliff at the @SANSInstitute CTI Summit: https://t.co/lcpydDQMi6
https://twitter.com/_RyanBenson/status/1228024756793819136
·youtube.com·
#DailyDFIR 45: In addition to his unparalleled artistic skills, @Cheeky4n6Monkey has a great #DFIR blog. I enjoy his deep dives into the inner workings of different mobile applications and artifacts. Give him a follow and check out the blog: https://t.co/4A8GIT4Je3
https://twitter.com/_RyanBenson/status/1228378663499915264
·cheeky4n6monkey.blogspot.com·
#DailyDFIR 46: The ForensicsWiki has been resurrected at a new location: https://t.co/oe6NEa6b4w. If you have some #DFIR knowledge in a specific area, please check if you can help get it back up to date! https://t.co/lzdIKViHal
https://twitter.com/_RyanBenson/status/1228736209507086337
·forensicswiki.xyz·
#DailyDFIR 47: This is a neat little trick but also serves as a reminder for #DFIR: it's important to understand how your tools work and what exactly they are doing. If you don't, they might do things that surprise you in unpleasant ways. https://t.co/DFshFV3ecV
https://twitter.com/_RyanBenson/status/1229141455580495874
·twitter.com·
Want to practice some mobile forensics? #DailyDFIR 48: @josh_hickman1 has posted an Android 10 image full of apps for you to dig into. He also has great write-ups on the inner workings of mobile apps on his blog. https://t.co/LTvA0UvFBj Hands-on #DFIR is a great way to learn!
https://twitter.com/_RyanBenson/status/1229548876081680386
·thebinaryhick.blog·
The @SANSInstitute OSINT Summit is today! I'll be watching the #OSINTSummit hashtag today, hoping for some of the presentations to be posted. #DailyDFIR 49: It can be incredibly helpful to enrich your #DFIR investigation with #OSINT data. Context is king! https://t.co/AY3UEkvkcO
https://twitter.com/_RyanBenson/status/1229812716056891392
·twitter.com·
#DailyDFIR 50: Unfurl update! It can now expand more short links from these domains: bit[.]do buff[.]ly goo[.]gl is[.]gd ow[.]ly t[.]co tinyurl[.]com When these shorteners chain together, the graph can get a bit big. https://t.co/VuCFwN8V2T #DFIR https://t.co/wlbZq5gljQ
https://twitter.com/_RyanBenson/status/1230155374042304512
·dfir.blog·
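An added example of the expansion behaviour described in #DailyDFIR 41 and 50; it is written for this page and is not Unfurl's code. The property worth preserving from those tweets is that only shortener hosts are ever contacted and the final destination is never fetched: `expand_chain` walks a chain of short links, stops at the first non-shortener URL, and detects loops. Resolution is injected as a callable so the demo runs offline against a constructed redirect table; `head_location` shows one live resolver (a single HEAD request with redirects not followed). Unfurl uses the Bitly API rather than HEAD requests for Bitly domains, as the tweet says; the shortener set below is the one the two tweets list, and the sample links are made up.

```python
import http.client
from urllib.parse import urljoin, urlparse

# Hosts the two tweets list as supported (defanged there with [.]).
SHORTENERS = {"bit.ly", "bitly.com", "j.mp", "bit.do", "buff.ly", "goo.gl",
              "is.gd", "ow.ly", "t.co", "tinyurl.com"}


def is_shortener(url: str) -> bool:
    return (urlparse(url).hostname or "").lower() in SHORTENERS


def expand_chain(url: str, resolve, max_hops: int = 10):
    """Follow short links hop by hop, calling resolve() ONLY for shortener hosts.
    Returns (chain, status) with status in {destination, unresolved, loop, hop-limit}."""
    chain = [url]
    for _ in range(max_hops):
        current = chain[-1]
        if not is_shortener(current):
            return chain, "destination"      # first non-shortener URL: stop, do not fetch it
        nxt = resolve(current)
        if nxt is None:
            return chain, "unresolved"
        nxt = urljoin(current, nxt)           # Location may be relative
        chain.append(nxt)
        if nxt in chain[:-1]:
            return chain, "loop"
    return chain, "hop-limit"


def head_location(url: str, timeout: int = 10):
    """Live resolver: one HEAD request, redirects NOT followed; returns Location or None.
    Only safe to call on shortener hosts; expand_chain enforces that."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.netloc, timeout=timeout)
    try:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        conn.request("HEAD", path)
        return conn.getresponse().getheader("Location")
    finally:
        conn.close()


def recording_resolver(table: dict):
    """Offline stand-in for head_location that also records every host contacted."""
    calls = []

    def resolve(url: str):
        calls.append(url)
        return table.get(url)

    return resolve, calls


# Constructed redirect tables standing in for shortener responses (not real links).
FAKE_TABLE = {
    "https://t.co/abc123": "https://bit.ly/3xyz",
    "https://bit.ly/3xyz": "https://tinyurl.com/q1w2",
    "https://tinyurl.com/q1w2": "https://example.com/landing?campaign=1",
}
LOOP_TABLE = {
    "https://is.gd/a1": "https://ow.ly/b2",
    "https://ow.ly/b2": "https://is.gd/a1",
}


if __name__ == "__main__":
    resolve, calls = recording_resolver(FAKE_TABLE)
    chain, status = expand_chain("https://t.co/abc123", resolve)
    print(status, " -> ".join(chain))
    print("hosts contacted:", [urlparse(c).hostname for c in calls])
```

For a live run pass `head_location` as the resolver; the contacted-hosts list is the thing to review before doing so on a case, since even a HEAD to a shortener leaves a log entry on the shortener's side.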
#DailyDFIR 51: You never know what you'll find during a #DFIR investigation. For example, this is my favorite USB VID/PID: VID: 0a81 - Chesen Electronics Corp., PID: 0701 - USB Missile Launcher. Good resource for looking up VID/PID: https://t.co/zfHnEqTExb #tbt
https://twitter.com/_RyanBenson/status/1230561881519058944
·linux-usb.org·
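An added example, not from the tweet or from linux-usb.org, of doing that lookup offline: a parser for the `usb.ids` file format that resource publishes (vendor lines are `vvvv  name`, device lines are tab-indented `pppp  name`, the vendor table ends where the class tables begin) and a helper that pulls VID/PID out of a Windows device instance path as found under the `SYSTEM` hive's `USB`/`USBSTOR` keys. The excerpt below is constructed in that format, and the instance path is made up.

```python
import re

# Constructed excerpt in usb.ids format; the real file is much longer.
SAMPLE_USB_IDS = """\
# Syntax: vendor line 'vvvv  name', device line '\\tpppp  name'
0a81  Chesen Electronics Corp.
\t0701  USB Missile Launcher
0781  SanDisk Corp.
\t5567  Cruzer Blade
C 00  (Defined at Interface level)
"""

VENDOR_LINE = re.compile(r"^[0-9a-f]{4}  ")
# Windows device instance paths look like USB\VID_0A81&PID_0701\<instance id>
DEVICE_ID_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")


def parse_usb_ids(text: str):
    """Return ({vid: vendor_name}, {(vid, pid): device_name}) from usb.ids text."""
    vendors, devices = {}, {}
    vendor = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t\t"):
            continue                          # interface lines: not needed for VID/PID lookups
        if line.startswith("\t"):
            pid, name = line[1:].split("  ", 1)
            devices[(vendor, pid.lower())] = name
        elif VENDOR_LINE.match(line):
            vendor, name = line.split("  ", 1)
            vendor = vendor.lower()
            vendors[vendor] = name
        else:
            break                             # reached the class/other tables after the vendor list
    return vendors, devices


def lookup(vendors: dict, devices: dict, vid: str, pid: str):
    """(vendor name or None, device name or None); ids are case-insensitive hex."""
    vid, pid = vid.lower(), pid.lower()
    return vendors.get(vid), devices.get((vid, pid))


def describe_device_path(vendors: dict, devices: dict, path: str):
    """Resolve a registry-style instance path; None when no VID/PID pair is present."""
    m = DEVICE_ID_RE.search(path)
    if not m:
        return None
    return lookup(vendors, devices, m.group(1), m.group(2))


if __name__ == "__main__":
    vendors, devices = parse_usb_ids(SAMPLE_USB_IDS)
    print(describe_device_path(vendors, devices, r"USB\VID_0A81&PID_0701\5&1a2b3c4d&0&2"))
```

Feed the real `usb.ids` into `parse_usb_ids` to resolve every VID/PID in a SYSTEM hive export in one pass; an unknown PID under a known vendor (the `(name, None)` case) is common and worth reporting as such rather than dropping.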
#DailyDFIR 52: Sarah has great advice for all those in #DFIR. When I was starting out there was this new browser called Chrome and I started digging into it. I'd say that interest and research has turned out pretty well for me 😉. https://twitter.com/SANSEMEA/status/1230903814091239425
https://twitter.com/_RyanBenson/status/1230910673221115905
·twitter.com·
#DailyDFIR 55: The MDSec blog (https://t.co/BzF2dtRXXL) has articles heavy on technical details. It's Red Team focused, but defenders benefit from understanding how attacks work too. Two recent macOS articles I liked: https://t.co/oTUnicUSHc https://t.co/9lnqDyTBJy #DFIR
https://twitter.com/_RyanBenson/status/1231989420032585728
·mdsec.co.uk·
#DailyDFIR 56: Some perspectives on "Pattern of Life" analysis techniques, applications, and issues by @christammiller featuring @iamevltwin and @AlexisBrignoni: https://t.co/rRo2ZU2ZUb https://t.co/myaQ8hv83g #DFIR
https://twitter.com/_RyanBenson/status/1232368769546088448
·articles.forensicfocus.com·
#DailyDFIR 59: I've updated Unfurl to handle the new v2 "ved" parameter from #Google URLs. https://t.co/U8MhXz3ErJ Here's the blog post on veds explaining differences & how to parse (including the new type): https://t.co/HqnumPxVDZ #DFIR https://t.co/QCUds9KClJ
https://twitter.com/_RyanBenson/status/1233398165669236741
·dfir.blog·
#DailyDFIR 60: It doesn't matter how good your #DFIR analysis is if your "client" can't understand your findings. @Google has free technical writing courses. Take advantage of them: https://t.co/3cz36itoVg PS: #DFIR blogging is great for showcasing your skills for employers.
https://twitter.com/_RyanBenson/status/1233873720009093120
·developers.google.com·
Continuing on the topic of writing in #DFIR: #DailyDFIR 61: @lennyzeltser has a one-page cheat sheet of writing tips. It's a great reference to keep handy and has general advice for sentences and paragraphs as well as specifics for emails and reports. https://t.co/Jswf9UoFug https://t.co/kPSEw5DIMm
https://twitter.com/_RyanBenson/status/1234202676675538944
·zeltser.com·
#DailyDFIR 62: @4n6ist is starting a blog series on MSSQL forensics based on experience in the 2019 Digital Forensics Challenge (https://t.co/x0IFcr9EKo). https://t.co/SzKqKkbBQa If you ever need to recover deleted records from MSSQL, this is a good place to start.
https://twitter.com/_RyanBenson/status/1234508514485129216
·dfchallenge.org·
#DailyDFIR 63: Right now "Automate the Boring Stuff with Python Programming" is free with code FEB2020FREE2 on Udemy. The book is a hands-on intro to Python, great if you are looking to start coding: https://t.co/gMQstsWv2Y #DFIR #Python
https://twitter.com/_RyanBenson/status/1234859786912649223
·udemy.com·
#DailyDFIR 64: This is a fun read. I'm sure getting that vague notification from a three-letter agency feels the same whether you are gov, mil, or private... I wish I had a helicopter to ferry me around during my #DFIR wild goose chases. https://t.co/7Yg1gEkGwf
https://twitter.com/_RyanBenson/status/1235260904574345217
·twitter.com·
#DailyDFIR 65: Publicly-released case studies in #DFIR are rare. @ArsenalArmed's "Odatv" report is a great one and it even has some evidence attached so you can follow along! https://t.co/zFkNwroKMJ #DFIR #tbt
https://twitter.com/_RyanBenson/status/1235662983180640257
·arsenalexperts.com·
#DailyDFIR 66: Nice talk by @B1N2H3X at DFRWS EU 2019 on #DFIR for ChromeOS, discussing what it is, what information can be present, and challenges: Chrome Nuts And Bolts: ChromeOS / Chromebook Forensics https://t.co/Z73B5P6Sgg #DFIR #Chrome
https://twitter.com/_RyanBenson/status/1236067102114471936
·youtube.com·