DailyDFIR

#DailyDFIR 101: Looking for some #DFIR fun this weekend? Check out @FoxtonForensics's challenge! Their last one was a lot of fun. These generally have a browser forensics focus which I love. https://t.co/Z4egiEilEz
https://twitter.com/_RyanBenson/status/1248730053547966464
·twitter.com·
#DailyDFIR 102: Some Unfurl graphs get a little big... https://t.co/18ykVCAa6v There's a lot parsed out here but I'm sure there's more it could do! I see lots of potential IDs that would make great Unfurl parsers (you know, if anyone is looking for things to do). #DFIR https://t.co/1HAaIZDyCa
https://twitter.com/_RyanBenson/status/1249096548954198017
·dfir.blog·
#DailyDFIR 103: I'm excited about the return of @HECFBlog's Sunday Funday! I have learned a lot from reading everyone's responses to past ones. I think this week's challenge (looking for Microsoft Teams artifacts) is also spot-on: https://t.co/BKQowJAx1A #DFIR
https://twitter.com/_RyanBenson/status/1249477162832281600
·hecfblog.com·
#DailyDFIR 104: @JoakimSchicht from @ArsenalRecon did a very detailed technical dive into the Office Document Cache: https://t.co/5BHf364Cv5 If edit and version history for #Microsoft Office docs is relevant to your investigation, definitely check this out. #DFIR
https://twitter.com/_RyanBenson/status/1249886139781021696
·arsenalrecon.com·
#DailyDFIR 105: Dave Cowen (@HECFBlog) is back to daily blogging and he's been experimenting with the AWS EBS Block API. If you do #DFIR in #AWS be sure to check out his posts and stay tuned for more: https://t.co/YujHayV6UV https://t.co/FjBZqe4QYK #DFIR #Python
https://twitter.com/_RyanBenson/status/1250208884880359424
·hecfblog.com·
#DailyDFIR 107: Unfurl can now parse Magnet links! Magnet links are often used for P2P file sharing in place of .torrent files. They can contain a lot of information! https://t.co/xflvyDWHyo #DFIR https://t.co/LQlLrjBuy6
https://twitter.com/_RyanBenson/status/1250847027069501440
·dfir.blog·
#DailyDFIR 108: Have you wanted to learn mobile forensics but your excuse was no test data? Not any more! @josh_hickman1 just posted iOS 13 images to go along with his Android ones (& all have detailed documentation!): https://t.co/eMJToK5ggW https://t.co/LTvA0Ue4JL #DFIR
https://twitter.com/_RyanBenson/status/1251141612874407936
·thebinaryhick.blog·
#DailyDFIR 109: I saw a Google query string parameter (gs_ssp) I didn't recognize so I put it in Unfurl. Unfurl parsed it as b64zipprotobuf! It's really fun to see the tools you've made function as you hoped (helping me find new things). https://t.co/USlfyRzkAb #DFIR https://t.co/wJqtZ04wb4
https://twitter.com/_RyanBenson/status/1251620527615049728
·dfir.blog·
#DailyDFIR 111: Unfurl 3D was released on April 1st but it's not (completely) a joke. It works just like normal Unfurl & can parse the same things. https://t.co/EYBtXGqohl It also pairs nicely with your pew-pew dashboard if you need something shiny. #DFIR #VR #Python https://t.co/LK0YAzC1u7
https://twitter.com/_RyanBenson/status/1252264369439666177
·dfir.blog·
#DailyDFIR 112: @iamevltwin is starting a new blog series on Apple Unified Logs! These logs are not straightforward so if you do any Mac investigations be sure to check it out. First two posts: https://t.co/t6rwC5RhQQ https://t.co/iXA4WpccMH #DFIR #mac4n6
https://twitter.com/_RyanBenson/status/1252789957090881536
·mac4n6.com·
#DailyDFIR 113: @matt0177 is starting a blog series on using #Python & #AWS for OSINT. The first post covers AWS setup & image (photo) analysis: https://t.co/BnnIwy9Qw1 I've found #OSINT & #DFIR to be complementary; often a bit of one can make the other much more effective.
https://twitter.com/_RyanBenson/status/1253066320062500865
·digitalforensicstips.com·
#DailyDFIR 114: Playing an online CTF? I created a Python notebook & write-up showing how I answered questions in the @MagnetForensics #CTF using open source tools: Plaso, Timesketch, Colab / #Python. Blog: https://t.co/gqxATPnacm Notebook: https://t.co/nj9EMUuzd2 #DFIR
https://twitter.com/_RyanBenson/status/1253482673382633472
·dfir.blog·
#DailyDFIR 115: Some of @Google's #DFIR team will be on @HECFBlog's forensic lunch talking about our open source forensic tools! It's going to be packed with people, tools & knowledge: https://t.co/Wa3ifEP5RY It's 90 min from NOW (at 8am Pacific / 11am Eastern). Don't miss it!
https://twitter.com/_RyanBenson/status/1253677573202206721
·youtube.com·
#DailyDFIR 117: If you are looking to learn mobile forensics, @mattiaep's "Build Your Own Methodology" post/presentation has a fantastic collection of tools, books, scripts, blogs and references: https://t.co/jJg0jqnXpM Bookmark & revisit later too, so much good stuff #DFIR
https://twitter.com/_RyanBenson/status/1254612204722073600
·blog.digital-forensics.it·
#DailyDFIR 119: Want a test file for a #DFIR tool but don't want to use one you've created (for privacy/other reasons)? The Plaso test_data & the dfirlabs "specimens" may have what you need: https://t.co/Pcli2LPS1v https://t.co/RJra22Mmie Many app & file system artifacts!
https://twitter.com/_RyanBenson/status/1255276499860705281
·github.com·
#DailyDFIR 120: Did you hear @aarontpeterson talk about Turbinia on the Forensic Lunch & want to learn more? Resources: Forensic Lunch: https://t.co/Nh4eSiLFBo Blog Post: https://t.co/pr6WRpdB1e Code lab: https://t.co/QgsV8MVhIe GitHub: https://t.co/hx5tZScLfo #DFIR
https://twitter.com/_RyanBenson/status/1255705275874586624
·youtu.be·
#DailyDFIR 122: Want to learn #DFIR? There are many virtual conferences, #CTFs & trainings in May! https://t.co/Pg1KC3Ar6y by @DfirDiva https://t.co/uaRwtnNQkd by @MagnetForensics https://t.co/HFaMRdskd9 by @DFIRTraining https://t.co/fSN5Iak9bK by @aboutdfir #DFIR
https://twitter.com/_RyanBenson/status/1256383757029789696
·dfirdiva.com·
#DailyDFIR 124: Browser extensions are great but those extra features they add can also add more forensic artifacts. @Russ_Taylor_ has a nice post on recovering browsing activities from NoScript on #Firefox: https://t.co/wI2OQgtCU9 #DFIR
https://twitter.com/_RyanBenson/status/1257079303390457856
·hatsoffsecurity.com·
#DailyDFIR 126: This is a great looking challenge! It's nice to see variety in device and OS types becoming more common in these #DFIR challenges; helps you refresh skills you might use on a daily basis. Thanks @champdfa! Now if only I can find the time... https://t.co/M5qUeDhEtT
https://twitter.com/_RyanBenson/status/1257883778627670016
·twitter.com·
#DailyDFIR 127: Digging into #Chrome or something Chromium-based (like Electron apps)? My "Deciphering Browser Hieroglyphics" post might help you. There is way more to Chrome than SQLite! Part 1 is "Introduction to Chromotopia": https://t.co/lL9jitTF4O #DFIR #TBT
https://twitter.com/_RyanBenson/status/1258190556213075969
·dfir.blog·
#DailyDFIR 129: Part 3 of "Deciphering Browser Hieroglyphics" looks at #Chrome's FileSystem and the LevelDB databases behind it including examples from @MegaPrivacy & @Google Docs: https://t.co/zTXKd7XEGE #DFIR #LevelDB #Python
https://twitter.com/_RyanBenson/status/1258963624816607232
·dfir.blog·
#DailyDFIR 130: A new version of Plaso is here! Highlights: Switch to libfsntfs from TSK for accessing NTFS; Performance improvements; Support for NTFS directories with case-sensitive entries; Support Python 3.8. Blog post: https://t.co/MSU9XyUo1h #DFIR
https://twitter.com/_RyanBenson/status/1259236194379939840
·osdfir.blogspot.com·
#DailyDFIR 132: We use hashes a lot in #DFIR; this script performs SHA-256 and shows all the steps! It's a really neat visual. The GitHub page also has nice smaller animations of different functions (shift, rotate, XOR) that nicely illustrate what they do. #DFIR https://t.co/ocDz3ukSt1
https://twitter.com/_RyanBenson/status/1260039175870414848
·twitter.com·
#DailyDFIR 133: Congrats everyone who played the @MagnetForensics CTF! The event is over but if you want to work through the challenges at your own pace it's still live at https://t.co/74h3lcAuVd. #MVS2020CTF #DFIR
https://twitter.com/_RyanBenson/status/1260404472800374786
·mvs2020.ctfd.io·