DailyDFIR

408 bookmarks
#DailyDFIR 67: Check out @josh_hickman1's talk from DFRWS US 2019 - "Android Auto And Google Assistant How Google Encourages Hands-Free Motoring". There's lots of good stuff in it and I always love seeing anyone talk about protobufs! https://t.co/GdBWF9Oje8 #DFIR
https://twitter.com/_RyanBenson/status/1236421153578561537
·youtube.com·
#DailyDFIR 68: Today was the start of Daylight saving time in the US. Except not all of the US. In those parts that did shift an hour each timezone shifted at local 2am so the shift was staggered across the country. What I'm trying to say here is: Log everything in UTC #DFIR
https://twitter.com/_RyanBenson/status/1236750344979271680
·twitter.com·
#DailyDFIR 69: Do you use strings.exe on files to try to get an idea of what's in them? Use @FireEye's FLOSS (FireEye Labs Obfuscated String Solver) instead. It's a drop-in replacement for strings that handles deobfuscation. https://t.co/Gr3R6Xro94 #DFIR @williballenthin
https://twitter.com/_RyanBenson/status/1237207929272451072
·github.com·
#DailyDFIR 70: This is a nice article by @hackerfactor looking at Telegram. I like his descriptions of encryption (or lack thereof) & the ramifications along with what he has inferred about the app through testing. https://t.co/aqrbBWFNBS #DFIR
https://twitter.com/_RyanBenson/status/1237481330369122309
·hackerfactor.com·
#DailyDFIR 71: We use & love timestamps in #DFIR but with that comes a duty to really understand what they mean. This can be difficult when moving files across filesystems; this post discusses collecting evidence from an iOS device. Thanks @B1N2H3X @reccetech @forensicmike1! https://t.co/mwWsbU9xlx
https://twitter.com/_RyanBenson/status/1237844222989893635
·twitter.com·
#DailyDFIR 74: If you're going to rip off someone's work maybe don't pick @nixintel? First thought: "I have a very particular set of skills. Skills I have acquired over a very long career. Skills that make me a nightmare for people like you." #DFIR #OSINT https://t.co/wl0mzYDzOR
https://twitter.com/_RyanBenson/status/1238887442804928512
·twitter.com·
#DailyDFIR 76: @trailofbits released a new @osquery table for NTFS change journal events! The USN journal has been a favorite evidence source for me since I learned about it from @HECFBlog; there is so much good #DFIR stuff there! https://t.co/Rqa4UYjF9W
https://twitter.com/_RyanBenson/status/1239666917222174721
·blog.trailofbits.com·
#DailyDFIR 78: One thing I like about Unfurl is how its basic parsers (like url base64 & timestamp) work on a wide range of URLs. For example I haven't done any research or customization for @amazon but this long URL still Unfurls nicely: https://t.co/sBQFzHSg4k #DFIR https://t.co/VaJ8I5ruxx
https://twitter.com/_RyanBenson/status/1240304138262437888
·dfir.blog·
#DailyDFIR 79: @ArsenalRecon's Arsenal Image Mounter got an update and it can do (even more!) cool stuff. Great tool; both free and paid versions! It looks very helpful for those dealing with BitLocker-protected volumes. https://t.co/yyZF5EMiS2 #DFIR
https://twitter.com/_RyanBenson/status/1240824384299790336
·arsenalrecon.com·
#DailyDFIR 80: I use my collection of #DFIR #OSINT #RE & #Python RSS feeds daily to (try to) keep up with the rapid changes in our fields. This "starter pack" resource from @bunsofwrath12 is a great way to kickstart your own RSS collection! https://t.co/UPPk5U4hww
https://twitter.com/_RyanBenson/status/1241029385546686464
·aboutdfir.com·
#DailyDFIR 81: Try to build a parser from scratch for an artifact (any artifact!). It doesn't matter how simple or complicated it is or if other parsers already can do it; it really is a fantastic learning process. #DFIR #Python https://t.co/k42d3FqDss
https://twitter.com/_RyanBenson/status/1241503613693743104
·twitter.com·
#DailyDFIR 82: @phillmoore's "This Week in 4n6" is a fantastic roundup of #DFIR info. If you aren't getting it via RSS or email you should: https://t.co/RgPpABlhQ5 I find the short summaries of the linked resources helpful in trying to keep up in this ever-changing industry.
https://twitter.com/_RyanBenson/status/1241858074626781184
·thisweekin4n6.com·
#DailyDFIR 83: In #DFIR we talk about vetting our tools often with a focus on accuracy. As this nice investigative post by @MwOsint shows that's not the only aspect of a tool worth digging into... https://t.co/H3nybOJax3
https://twitter.com/_RyanBenson/status/1242208755078463489
·twitter.com·
#DailyDFIR 85: ICYMI Unfurl can expand short links from: bit[.]ly bitly[.]com j[.]mp bit[.]do buff[.]ly goo[.]gl is[.]gd ow[.]ly t[.]co tinyurl[.]com Unfurl uses APIs when possible and 301 headers when not; it will not contact link destinations. #DFIR #opsec https://t.co/uY237xSeHu
https://twitter.com/_RyanBenson/status/1242898596619382784
·twitter.com·
#DailyDFIR 89: Interested in figuring out what exactly a Chrome extension does? Here are a trio of posts for your Sunday #DFIR reading: https://t.co/7BpBxguyfU by @th3_protoCOL https://t.co/1PhsZQKoMD by @sk3tchymoos3 https://t.co/CFTRqM8vN4 by @crxpert #DFIR #Chrome
https://twitter.com/_RyanBenson/status/1244375016117948417
·colin-cowie.com·
#DailyDFIR 91: @BlakDouble digs into the standard iOS Mail app: https://t.co/FEwy1ZMUWd I couldn't agree more with the conclusion: "I always find it interesting looking into aspects of a device that you think you already understand and finding out new things." #DFIR #iOS
https://twitter.com/_RyanBenson/status/1245186429883256832
·doubleblak.com·
#DailyDFIR 92: Unfurl has been a fun tool but I've heard you: it's boring. This update to Unfurl will change all that! https://t.co/vy1NPjz9GZ It's 2020; we deserve some "Minority Report"-style forensics in VR! #DFIR #VR #DFIRin2DisObsolete https://t.co/sNLeOZR4kP
https://twitter.com/_RyanBenson/status/1245357804128309250
·dfir.blog·
#DailyDFIR 94: Check out this great thread of #DFIR resources meetups trainings CTFs and videos! There is so much good stuff here. If you are at home looking for ways to up your #DFIR game definitely check this out. Thanks @phillmoore! https://t.co/3tC2P8NkGD
https://twitter.com/_RyanBenson/status/1246102690628636673
·twitter.com·
#DailyDFIR 95: The forensics team at @Google has launched the "Open Source DFIR" blog & the first post is "Processing at Scale": https://t.co/fAvHtqTLHM Check it out and let us know if there's anything you'd like to see! (all things open source #DFIR not just Google-related)
https://twitter.com/_RyanBenson/status/1246620419970355200
·osdfir.blogspot.com·
#DailyDFIR 96: I mostly show Unfurl with URLs but it can parse individual strings as well. I often drop a number in Unfurl to see if it's a timestamp & what format it is: https://t.co/p81tm0BARi Tip: Hover over the link to see the timestamp format. #DFIR https://t.co/cJvpMQcl6l
https://twitter.com/_RyanBenson/status/1246914911722033152
·dfir.blog·
#DailyDFIR 99: Have a #protobuf you want to decode? Unfurl can now do it! https://t.co/CLlGkedU5r It can parse protobufs standalone (just put an encoded one in) or if it finds them in URLs. Thanks to @SwiftForensics for his helpful post & sharing his test file! #DFIR #Python https://t.co/M2p8DKPJeB
https://twitter.com/_RyanBenson/status/1247882389625298948
·dfir.blog·
#DailyDFIR 100: Phones are constantly changing and becoming more secure; it's becoming even more important to be resourceful & work with what you have. #TBT post: "Visualizing activity from an encrypted iPhone backup using only metadata" https://t.co/LaM2KNgHC3 #DFIR #Python https://t.co/QgPfpWHJYW
https://twitter.com/_RyanBenson/status/1248473668860014595
·dfir.blog·