DailyDFIR

408 bookmarks
#DailyDFIR 200: In my presentation on Unfurl at the #DFIRSummit I talked (a lot) about extracting things from URLs. I also covered some of my general investigative principles: 1. Use What You Have; 2. Automate; 3. Recognize Dead Ends; 4. Details Matter; 5. Context Matters. #DFIR https://t.co/1dakNza2H1
http://twitter.com/_RyanBenson/status/1284546963384369153
·twitter.com·
#DailyDFIR 201: In my Unfurl talk I covered pulling server creation times (& other timestamps) from #Discord URLs. With a little bit of #OSINT you can find the name of the @discord server too! Search the ID on https://t.co/yR7IUIXbFg: https://t.co/0O9Ye0BuAk #DFIR https://t.co/deQIpxnxoc
http://twitter.com/_RyanBenson/status/1284983856764837888
·twitter.com·
#DailyDFIR 202: @vicomarziale from @blackbagtech has a series of blog posts on "Exploring the Windows Activity Timeline" full of technical details: 1 https://t.co/eG42vIMmMp 2 https://t.co/bkfkrsN8dy 3 https://t.co/TrXufkEMYK Lots to explore in this artifact! #DFIR
http://twitter.com/_RyanBenson/status/1285342442749743105
·www.blackbagtech.com·
#DailyDFIR 203: This was a great presentation! @josh_hickman1 & @AlexisBrignoni have done some really good research on these artifacts that enable building very detailed timelines of activities on mobile devices. I'm looking forward to what they do next! #DFIR #mobile4n6 https://t.co/vSiqirMyy9
http://twitter.com/_RyanBenson/status/1285572235109912578
·twitter.com·
#DailyDFIR 205: @bizzybarney gave a great talk at the #DFIRSummit on iOS 13 artifacts and he has a follow-up post looking at Facial Recognition artifacts in the native Photos app! https://t.co/aCjN8zFGh0 #DFIR
http://twitter.com/_RyanBenson/status/1286519391769640961
·www.mac4n6.com·
#DailyDFIR 206: Excellent post by @BlakDouble on Locations in iOS: https://t.co/FgqQNpaLfO It's clear a massive amount of effort went into researching, testing & writing the article. It's a fantastic reference with a lot of background foundational info. Well done! #DFIR
http://twitter.com/_RyanBenson/status/1286827450018590720
·www.doubleblak.com·
#DailyDFIR 208: Want to do some Sunday coding? @AlexisBrignoni has put together an awesome #Python study group with a #DFIR slant for those looking to learn to code (or just a refresher). The class is still ongoing but past sessions are on YouTube: https://t.co/Xa1KD8Gyvx
http://twitter.com/_RyanBenson/status/1287428787018186753
·www.youtube.com·
#DailyDFIR 209: New plugin to read #macOS DocumentRevisions created by @nicoleibrahim for @SwiftForensics' mac_apt tool! https://t.co/A1GNpMAylb mac_apt is a #Python #DFIR tool to process #Mac disk images or live machines and parse useful artifacts. Check it out!
http://twitter.com/_RyanBenson/status/1287943555688697857
·github.com·
#DailyDFIR 210: Interested in contributing to an open-source #DFIR project but don't know where to start with git? Intro to git commands: https://t.co/qoQL8lExrg Forensic Lunch with @HECFBlog & @sroberts on git/GitHub: https://t.co/UqpWv5wk2v #Python #git #github
http://twitter.com/_RyanBenson/status/1288277664793427968
·www.youtube.com·
·realpython.com·
#DailyDFIR 211: Chrome v84 arrived last week! No major changes to the DBs; #DFIR tools (including https://t.co/EEFa3JuxMl) should parse it fine. I updated my "Chrome Evolution" visualization if you want to dig into what files make up your browser history: https://t.co/EFjQ4er6BZ https://t.co/p1I9DbOTBv
http://twitter.com/_RyanBenson/status/1288610812211261440
·dfir.blog·
#DailyDFIR 212: See something like rlz=1T4ADBR_enUS236US239 in a #Google Search URL? It's called an RLZ tag & contains: - App used for search - Install language - Install time (to the week) & country - & more! RLZ tags explained & added to Unfurl: https://t.co/taPit7QADA #DFIR https://t.co/O6sI5mdYSu
http://twitter.com/_RyanBenson/status/1288837557468442624
·twitter.com·
·dfir.blog·
#DailyDFIR 214: On Windows the built-in certutil.exe is a versatile program; it can do way more than show CA cert info or hash things. @phillmoore lays out the artifacts created when certutil.exe is used to download files: https://t.co/yEuhBl2RVW #DFIR #LOLBin
http://twitter.com/_RyanBenson/status/1289713368526249987
·thinkdfir.com·
#DailyDFIR 218: A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ & EI params); 7 more short-link expansions (25 total); DuckDuckGo parsing; mailto parsing; better Docker setup. More details: https://t.co/RkB6WhM38d #DFIR #Python
http://twitter.com/_RyanBenson/status/1291042563005153282
·dfir.blog·
#DailyDFIR 219: Nice update to @FireEye's free capa tool for identifying malware behaviors. If you aren't familiar with the tool they have a good introductory post: https://t.co/8Xh31JIDL7 #DFIR https://t.co/M1PhTgkb5n
http://twitter.com/_RyanBenson/status/1291501163708157954
·twitter.com·
·fireeye.com·
#DailyDFIR 220: This looks like a great resource not only for learning about malware on #macOS but also for a deeper understanding of general Mac internals for #DFIR. Can't wait to see what else is added over time! https://t.co/UFhfKgGz0T
http://twitter.com/_RyanBenson/status/1291835020772966400
·twitter.com·
#DailyDFIR 222: Digital Detective's DCode is a handy free (Windows only) tool to convert timestamps: https://t.co/TlVP0PtRhr They also started a blog series explaining in more detail how to manually decode some of the timestamps: https://t.co/6kFYVUMGfC #DFIR
http://twitter.com/_RyanBenson/status/1292586147546243073
·digital-detective.net·
#DailyDFIR 223: UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is most common (random) but UUIDv1 (time-based) is still out there. Checking if 1st digit in 3rd group is 1 or 4 is a way to tell if a UUID holds a timestamp #DFIR https://t.co/BjawVb8pzg https://t.co/oDFp6VdBW7
http://twitter.com/_RyanBenson/status/1293033638934634497
·tools.ietf.org·
·twitter.com·
#DailyDFIR 224: Investigating #TikTok activity? I've found a way to extract embedded timestamps from TikTok IDs (). This means we can tell when a TikTok was posted just from the URL! Works even if video is deleted or private. https://t.co/uNqtmNyqY4 #DFIR #OSINT https://t.co/oJF3UeJDrL
http://twitter.com/_RyanBenson/status/1293215556326178817
·dfir.blog·
·twitter.com·
#DailyDFIR 225: New Unfurl release! 20200812 adds parsing of: TikTok URLs including embedded creation timestamp (https://t.co/uNqtmNyqY4); YouTube URL "continue_time"; Sonyflake IDs; "generic" QSPs (lang & language for now). Try it: https://t.co/69yqXmvubj #DFIR #OSINT
http://twitter.com/_RyanBenson/status/1293645424775970816
·dfir.blog·
#DailyDFIR 227: libcloudforensics now supports copying disks in #Azure! It already supported #GCP and #AWS so now you can copy disks in 3 different #Cloud environments using a single open source CLI tool! https://t.co/jch4pz5PNC https://t.co/GGd2TVP4vi #DFIR #Python
http://twitter.com/_RyanBenson/status/1294408632931479552
·osdfir.blogspot.com·