DailyDFIR

408 bookmarks
#DailyDFIR 227: libcloudforensics now supports copying disks in #Azure! It already supported #GCP and #AWS so now you can copy disks in 3 different #Cloud environments using a single open source CLI tool! https://t.co/jch4pz5PNC https://t.co/GGd2TVP4vi #DFIR #Python
http://twitter.com/_RyanBenson/status/1294408632931479552
·osdfir.blogspot.com·
#DailyDFIR 228: This post from @CiofecaForensic dives deep into how Apple Notes encryption & decryption works. It's a very thorough article and includes a tool at the end for decryption if you want to do it all yourself https://t.co/FCwQkD243g #DFIR #mobile4n6
http://twitter.com/_RyanBenson/status/1294769334846238721
·ciofecaforensics.com·
#DailyDFIR 230: Want to do some OSINT? A pre-built #VM loaded with tools can be a great way to get going quickly. @baywolf88 has a nice comparison of #OSINT / #DFIR-focused virtual machines along with thoughts on each: https://t.co/S72bRUF51z
http://twitter.com/_RyanBenson/status/1295505887063203840
·learnallthethings.net·
#DailyDFIR 231: Want to see when a #TikTok account was created? Use its ID!
- On the user's profile page view source
- Search for userId
- Unfurl the ID to see when the account was created!
More details on the timestamp embedded in the ID: https://t.co/uNqtmNyqY4 #OSINT #DFIR https://t.co/2GVCGH9O76
http://twitter.com/_RyanBenson/status/1295775196071120896
·twitter.com·
#DailyDFIR 233: This is an amazing resource - a whole course on learning #Python loaded with real-world #DFIR coding examples. The live classes are over now but the entire course is recorded so you can work through it at your own pace. Great job @AlexisBrignoni & @xbrookego! https://t.co/8GKRB6Yy6p
http://twitter.com/_RyanBenson/status/1296650859988705281
·twitter.com·
#DailyDFIR 235: Another nice write-up from @josh_hickman1 this time on "Nearby Share" (AirDrop-type system for #Android and ChromeOS) artifacts: https://t.co/1yjNMeXmG4 Yet another exfil vector with limited #DFIR visibility...
http://twitter.com/_RyanBenson/status/1297391718535315456
·thebinaryhick.blog·
#DailyDFIR 236: Did you know Unfurl can parse more than URLs? Quick example:
- Open a SQLite DB
- See a column named "proto" (hint hint)
- Copy hex bytes
- Paste into Unfurl
- Unfurl expands it & runs other parsers (ex: timestamp translated)
https://t.co/08eKH0YCch #DFIR https://t.co/nwEDfWQobb
http://twitter.com/_RyanBenson/status/1297755227710304256
·twitter.com·
·dfir.blog·
#DailyDFIR 238: Interested in setting up a serious test lab for mobile forensics? @cScottVance has a nice post exploring picking devices to maximize the types of artifacts you can explore and minimize the costs: https://t.co/K4ZO6BPw73 #DFIR #mobile4n6 #iOS #Android
http://twitter.com/_RyanBenson/status/1298448100516798464
·blog.d204n6.com·
#DailyDFIR 239: @FSecureLabs has a report (https://t.co/fF4vhqvXKp) on a Lazarus group phishing & malware campaign and reference a Bitly link used. Unfurl can show when that link was created & where it points to (even with non-ASCII domains)! https://t.co/PnfEEwuejU #DFIR https://t.co/vJa3WL9RZQ
http://twitter.com/_RyanBenson/status/1298644009124941825
·twitter.com·
·labs.f-secure.com·
·dfir.blog·
#DailyDFIR 240: Where do you start an investigation? For #TBT here's a post from a few years ago where I use a visualization to help find things to examine further: https://t.co/h1bv34wzsK https://t.co/OafQvanBk0 #DFIR #webshell @binaryz0ne
http://twitter.com/_RyanBenson/status/1299215462782312448
·dfir.blog·
·youtube.com·
#DailyDFIR 241: @Scott_Kjr has a post investigating what happens on #iOS when different apps are used to take a photo: https://t.co/6350LvUZ9N Looking beyond Photos.sqlite he found other app-specific locations that can hold key information (including deleted files!) #DFIR
http://twitter.com/_RyanBenson/status/1299492395814330368
·smarterforensics.com·
#DailyDFIR 245: I'll be on "Life Does Not Have a CtrlAltDel" with @HeatherMahalik tomorrow demoing Unfurl and answering questions about it! When: 2020-09-02 9:30am PDT (12:30pm EDT) Register: https://t.co/9tN91Xax7x #DFIR #Python
http://twitter.com/_RyanBenson/status/1300991600596668417
·bit.ly·
#DailyDFIR 246: Unfurl can expand some short-links. A common question is how? It uses an allowlist of domains & queries them for the 301 Location header. It doesn't reach out to the target sites. #opsec 25 short-link domains supported; full list: https://t.co/dKD0zI9k3X #DFIR https://t.co/J5QOw4biHd
http://twitter.com/_RyanBenson/status/1301240977940606976
·github.com·
·twitter.com·
#DailyDFIR 247: ICYMI I've found a way to extract embedded timestamps from #TikTok IDs (). This means we can tell when a TikTok was posted (or an account was created) just from the URL! Works even if video is deleted or private. https://t.co/uNqtmNyqY4 #DFIR #OSINT https://t.co/JJ8CjFo5DE
http://twitter.com/_RyanBenson/status/1301677238320951296
·twitter.com·
#DailyDFIR 248: @cScottVance has a series of posts exploring the "Tile" app. The app helps users track & find objects so it makes sense that there's a ton of interesting location data in it! 1 https://t.co/N1evt8eDYf 2 https://t.co/XXp27xuhaJ 3 https://t.co/FlLdMMw29N #DFIR
http://twitter.com/_RyanBenson/status/1301988806971719681
·blog.d204n6.com·
#DailyDFIR 250: Have a long command on Linux that you're trying to make sense of? Check out explainshell! https://t.co/Nbhv1bGj5Z I think the interface is really nice and like the hover interactions. It was definitely part of my inspiration for Unfurl. #DFIR #bash #Linux https://t.co/iOh2rioB51
http://twitter.com/_RyanBenson/status/1302809605819437056
·twitter.com·
·explainshell.com·