DailyDFIR

408 bookmarks
#DailyDFIR 366: It's here, the end of 2020! I've finished my year of tweeting about #DFIR topics every single day. I've put together a wrap-up post: 🔗 https://t.co/eePvJX9wQp Thanks to all of #DFIR; I couldn't have found 366 positive things to tweet about without your work! https://t.co/RLFmUNoKq6
https://twitter.com/_RyanBenson/status/1344769819887865856
·dfir.blog·
January's #DailyDFIR theme will be URLs and the things you can find inside of them. #DailyDFIR 1: Unfurl takes a URL and expands ("unfurls") it into a graph to show data it contains. It's amazing how much can be hidden inside URLs! 🛠️🌿 #DFIR 🔗https://t.co/ZfRisFEVnM https://t.co/Ti84QqEh7E
https://twitter.com/_RyanBenson/status/1212511076534800384
·dfir.blog·
UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is the most common (random), but UUIDv1 (time-based) is still out there. #DailyDFIR 7: The 13th digit (or 1st of 3rd group) is a quick way to tell if a UUID holds a timestamp⏰ 🔗https://t.co/BjawVb8pzg #DFIR https://t.co/saqSR6esHU
https://twitter.com/_RyanBenson/status/1214565984993861632
·twitter.com·
#DailyDFIR 36: Chrome v80 is here! I've updated my interactive "evolution" visualization. You can explore how the structure of the data that makes up your browsing history has changed through #Chrome's many versions: 🔗https://t.co/tyR4hbFVyV #DFIR #dataviz https://t.co/wJDv7bjfac
https://twitter.com/_RyanBenson/status/1225081455732092928
·dfir.blog·
#DailyDFIR 57: Ever wondered what a value buried in a Chrome artifact means? I've collected some of the ones I find helpful for easy reference: 🔗https://t.co/Op40XXkGnj Personal favorite: "The download was ... danger[ous], but the user told us to go ahead anyway" #YOLO #DFIR
https://twitter.com/_RyanBenson/status/1232686309581262848
·dfir.blog·
I've spotted a new version of the useful "ved" #Google URL parameter. #DailyDFIR 58: I created a comparison write-up of "ved" Google URL parameters and how to parse them, including the new v2 type: 🔗https://t.co/HqnumPxVDZ Don't worry #DFIR, the timestamp is still there! ⏰ https://t.co/kIUj2IeWLm
https://twitter.com/_RyanBenson/status/1233097224529178625
·dfir.blog·
#DailyDFIR 87: Check out the daily CTF from @NW3CNews. Each part is small, so you can try some even if your time is limited: 🔗https://t.co/UvyAgJ8fDf I like CTFs because they are a fun way to exercise skills you might not use in your day-to-day. #DFIR #OSINT #CTF
https://twitter.com/_RyanBenson/status/1243607474516590592
·nw3.ctfd.io·
#DailyDFIR 90: ICYMI, there is a new version of the "ved" Google URL parameter (it still has the timestamp ⏰). I've created a comparison write-up of "ved" #Google URL parameters and how to parse them, including the new v2 type: 🔗https://t.co/HqnumPxVDZ #DFIR https://t.co/Qb2vvbGya9
https://twitter.com/_RyanBenson/status/1244830284794613760
·dfir.blog·
#DailyDFIR 93: Check out this excellent post by @SwiftForensics on parsing unknown protobufs: 🔗https://t.co/uUnzmg9GAj The demonstration of parsing a test "unknown" protobuf with different tools and comparing results was great! #DFIR #Android #Python #mobile4n6
https://twitter.com/_RyanBenson/status/1245775612762918913
·swiftforensics.com·
#DailyDFIR 118: Did you know #Chrome tracks how long each page is open? "History" SQLite DB ➡️ "visits" table ➡️ "visit_duration" column ➡️ value in milliseconds. Hindsight will parse this for you as "Visit Duration": 🔗https://t.co/B7fJ9TxeZh #DFIR #Python
https://twitter.com/_RyanBenson/status/1254921002376556544
·github.com·
#DailyDFIR 140: I'll be speaking about Unfurl at the (virtual) @SANSInstitute DFIR Summit in July! (I missed when the agenda was first posted publicly, whoops). 🔗https://t.co/ZfRisFEVnM 🔗https://t.co/wLC6EYJYgM I'm looking forward to a lot of these talks! #DFIR #DFIRSummit
https://twitter.com/_RyanBenson/status/1262870628576575488
·sans.org·
#DailyDFIR 142: Did you know Unfurl can parse more than URLs? Quick example: 🔸Open a SQLite DB 🔸See a column named "proto" (hint, hint) 🔸Copy hex bytes 🔸Paste into Unfurl 🔸Unfurl expands it & runs other parsers (ex: timestamp translated) 🔗https://t.co/08eKH0YCch #DFIR https://t.co/bF69V6jXmc
https://twitter.com/_RyanBenson/status/1263577939704115200
·twitter.com·
#DailyDFIR 144: @13CubedDFIR has a ton of great video content on #DFIR topics, including: 🔹Windows Forensics 🔹Memory Forensics 🔹Malware Analysis 🔹Mobile Forensics Check it out! https://t.co/duqS8f35Fn
https://twitter.com/_RyanBenson/status/1264343956520759296
·youtube.com·
#DailyDFIR 149: Small update to Unfurl 🌿 is out, with a few new features & fixes: 🖱️📋 Double-click a node to copy its value 🩳🔗 Add support for more short-links 🔂💬 Clarify ei parameter explanation Check it out at https://t.co/H5XHNrawum! More updates to come #DFIR
https://twitter.com/_RyanBenson/status/1266073261936218113
·dfir.blog·
#DailyDFIR 169: Did you know you can often see how long someone was on a Google search page just from the URL? It's in the gs_l param & https://t.co/H5XHNrawum can show you it (and more!) @300Dfir covers it in his write-up on the #MVS2020CTF: 🔗 https://t.co/6yZaokNIMm #DFIR
https://twitter.com/_RyanBenson/status/1273485362594148352
·dfir300.blogspot.com·
#DailyDFIR 179: New post by @hacktobeer showing how to query #AWS and #GCP logs using the libcloudforensics #Python module or CLI tool: 🔗 https://t.co/kY32U6ka9V 🔗 https://t.co/5AKjpLVykj #DFIR #Cloud
https://twitter.com/_RyanBenson/status/1276888647199907840
·osdfir.blogspot.com·