DailyDFIR

408 bookmarks
#DailyDFIR 268: If you've looked at Google search URLs, you might have noticed the "ved" parameter in query string. Some fun facts about it: There are four versions of the "ved". Two versions contain timestamps. More: https://t.co/HqnumPxVDZ #DFIR #OSINT #TBT https://t.co/Urc3bckXwa
http://twitter.com/_RyanBenson/status/1309338218697908226
·twitter.com·
obsidianforensics/unfurl
http://twitter.com/_RyanBenson/status/1309516888162988032
·github.com·
nccgroup/blackboxprotobuf
http://twitter.com/_RyanBenson/status/1309516888162988032
·github.com·
@forensicmike1 @rasriis Yeah definitely. @CiofecaForensic has a great post on iteratively building a .proto (https://t.co/MiQWuMY3V6) and @SwiftForensics has one comparing different protobuf-decoding methods (https://t.co/uUnzmg9GAj)
http://twitter.com/_RyanBenson/status/1309517581175328769
·swiftforensics.com·
#DailyDFIR 269: My "Tinkering with TikTok Timestamps" post finished peer-review and is posted on @DFIRReview! Check it out if you want to learn how to extract when a #TikTok video was posted from the URL alone (even if video is deleted or private). #DFIR https://t.co/lMJHmdYrBG https://t.co/lPI3NEjwr9
http://twitter.com/_RyanBenson/status/1309609062271610880
·twitter.com·
#DailyDFIR 270: Check out @joachimmetz's post on testing digital forensic data processing tools: https://t.co/h6MWv5Is6v The work we do in #DFIR is important; it can have serious consequences. It's important that our tools are as robust, accurate & transparent as possible.
http://twitter.com/_RyanBenson/status/1309931305916796928
·osdfir.blogspot.com·
#DailyDFIR 271: In case you missed @DFRWS USA 2020 (like me), @ForensicFocus has a nice recap of the event: https://t.co/MrOhPecob4 Lots of interesting talks I'd love to see; anyone know if recordings will be posted? Since it was virtual, I'm hoping there's a chance. #DFIR
http://twitter.com/_RyanBenson/status/1310390684080173056
·forensicfocus.com·
#DailyDFIR 273: A few weeks ago, I was on "Life Has No CtrlAltDel" with @HeatherMahalik giving an overview of Unfurl (https://t.co/H5XHNrawum), how to use it, & walking through (many) examples. The video recording is now up! https://t.co/7vf7frXS3f #DFIR @Cellebrite_UFED
http://twitter.com/_RyanBenson/status/1310989688606318594
·cellebrite.com·
#DailyDFIR 274: @SANSInstitute is hosting a free online event tomorrow (Oct-1) called "BIPOC in Cybersecurity Forum: From Inclusion to Equity" hosted by @hexplates & @stephenahart and featuring many more great speakers. Check it out! https://t.co/st0FGaZklk #DFIR #InfoSec
http://twitter.com/_RyanBenson/status/1311463973343043584
·sans.org·
#DailyDFIR 275: Hunting for webshells? Check out this tool & post by @Tstillz1. It's cross-platform, multi-threaded, and handles many obfuscation types: Post : https://t.co/DRMOGqCF6S Tool : https://t.co/V67UAGecqT #DFIR #webshell #Golang
http://twitter.com/_RyanBenson/status/1311878900109041664
·blog.stillztech.com·
·github.com·
#DailyDFIR 276: The #OSDFCon agenda has been released. It's online, free, and you can still register! Agenda: https://t.co/rCX3pZW8Yv Register: https://t.co/nrIU6KcrAf Come see talks about great #opensource #DFIR tools!
http://twitter.com/_RyanBenson/status/1312220715370774528
·osdfcon.org·
#DailyDFIR 277: Nice post by @_D00mfist (from @SpecterOps) outlining a #macOS persistence technique. It uses the Dock and is similar in concept to persisting via Windows .LNK files: https://t.co/GEAsYB2sGT Bonus points for including detection tips as well! #DFIR
http://twitter.com/_RyanBenson/status/1312602200380641283
·posts.specterops.io·
#DailyDFIR 278: I still have some Unfurl stickers left! If you'd like one, send me a DM or email with where you'd like it sent (while they last). I've loved all the stickers being sent around in #DFIR; it makes not having live conferences a bit better. https://t.co/MpnnnnrxOH
http://twitter.com/_RyanBenson/status/1312863712571617280
·twitter.com·
#DailyDFIR 280: Looking at files inside an archive (ZIP, 7z, RAR, or CAB) and seeing some timestamps that just don't quite look right? Check out this post by @joshlemon exploring how the different formats and tools can alter timestamps: https://t.co/8GKsJFVTMI #DFIR
http://twitter.com/_RyanBenson/status/1313686442887966720
·blog.joshlemon.com.au·
A bit more on Zip files... #DailyDFIR 281: @GlassSec had a nice presentation really diving into ZIP internals: https://t.co/Q6LQM4sybG Check out the slides; I learned a lot. There's lots of other good #DFIR stuff on his site https://t.co/4g3XxCJoUr (& amazing domain name!)
http://twitter.com/_RyanBenson/status/1314058430009622528
·slideplayer.com·
·jon.glass·
#DailyDFIR 282: Check out this (free!) #DFIR training from the one & only @carrier4n6! The name may start with "Intro", but being able to divide an investigation into manageable, discrete tasks is valuable for all levels. https://t.co/zmTZ5peRJl
http://twitter.com/_RyanBenson/status/1314385665946075137
·twitter.com·
#DailyDFIR 283: @josh_hickman1 released a new #Android 11 image! Like the others he's done, it's great for testing tools, exploring data, & finding new things to parse. All the user actions are documented so you can compare app data to actions. https://t.co/1SuKYRJRde #DFIR
http://twitter.com/_RyanBenson/status/1314706013665153024
·thebinaryhick.blog·
#DailyDFIR 284: @kal_inko has a three-part analysis of the HealthMate #Android app from @WithingsEN: 1 https://t.co/WbVEhQdEFT 2 https://t.co/bk8lpv0Jiy 3 https://t.co/AH7VHfM1Tj Lots of good stuff in there! Timelines, locations, users, messages & more! #DFIR #mobile4n6
http://twitter.com/_RyanBenson/status/1315084183794929664
·bebinary4n6.blogspot.com·
#DailyDFIR 286: I've updated my "Chrome Evolution" visualization with the latest #Chrome versions. https://t.co/EFjQ4er6BZ It has interactive collapsible trees for each Chrome version (1-86) showing the files that store browsing history. See how artifacts change! #DFIR https://t.co/Yc54DcH8s3
http://twitter.com/_RyanBenson/status/1315862670612918274
·twitter.com·
#DailyDFIR 287: #Chrome 86 added a new SQLite database: Media History. It tracks (some) videos played, watch times, and more! I did some testing to see how it works: https://t.co/cm2tCcbHbQ If you have a case where videos watched is key, this new artifact might help! #DFIR
http://twitter.com/_RyanBenson/status/1316018659039481861
·dfir.blog·