DailyDFIR

408 bookmarks
#DailyDFIR 318: I'm seeing write-ups on #Malware hosted on #Discord but this is nothing new. Reminder that @Discord file attachments have an embedded timestamp (that tells when the file was uploaded) and Unfurl can parse that out for you: https://t.co/oFgrN4OxYh #DFIR #RE https://t.co/Qbj0OZCNL6
http://twitter.com/_RyanBenson/status/1327453385075822593
·dfir.blog·
#DailyDFIR 318: I'm seeing write-ups on #Malware hosted on #Discord but this is nothing new. Reminder that @Discord file attachments have an embedded timestamp (that tells when the file was uploaded) and Unfurl can parse that out for you: https://t.co/oFgrN4OxYh #DFIR #RE https://t.co/Qbj0OZCNL6
http://twitter.com/_RyanBenson/status/1327453385075822593
·twitter.com·
#DailyDFIR 319: When I look at #SQLite DBs, 3 tools I use often are: sqlite3 CLI; DB Browser for SQLite (https://t.co/Hekxentu6g), #OpenSource, cross-platform; SQLite Expert (https://t.co/ip6W34tO3r), free version, Windows only. If you like a different one, what is it? #DFIR
http://twitter.com/_RyanBenson/status/1327821731524792321
·sqlitebrowser.org·
#DailyDFIR 319: When I look at #SQLite DBs, 3 tools I use often are: sqlite3 CLI; DB Browser for SQLite (https://t.co/Hekxentu6g), #OpenSource, cross-platform; SQLite Expert (https://t.co/ip6W34tO3r), free version, Windows only. If you like a different one, what is it? #DFIR
http://twitter.com/_RyanBenson/status/1327821731524792321
·sqliteexpert.com·
#DailyDFIR 320: Interested in what happened on a #Linux (or #macOS) system? The .bash_history file is a valuable artifact - but it has its quirks. Check out "You Don't Know Jack About .bash_history" by @hal_pomeranz: https://t.co/4yH0F3g1X9 I found it very helpful! #DFIR
http://twitter.com/_RyanBenson/status/1328179453273337856
·youtube.com·
#DailyDFIR 323: Have a bunch of Sigma rules that you'd like to use on data you've collected into Timesketch? @alexanderjaeger has a write-up explaining how to get started: https://t.co/gDFLKhZPW0 #DFIR #Sigma #IOC
http://twitter.com/_RyanBenson/status/1329264275307732992
·osdfir.blogspot.com·
#DailyDFIR 326: Every year as part of #OSDFCon there is a contest for new Autopsy modules. A compilation video of this year's submissions is available: https://t.co/8m8fW7nGis Lots of interesting ideas! Thanks to all the participants for their additions to #OpenSource #DFIR!
http://twitter.com/_RyanBenson/status/1330366622071197698
·youtube.com·
#DailyDFIR 327: In this post @alexanderjaeger explores Garmin .Fit files, including parsing them in #Python, uploading to #Timesketch, then analyzing the data with #Pandas: https://t.co/sGIaWSktuC Really puts the #DFIR in #DFIRFit!
http://twitter.com/_RyanBenson/status/1330736952849563648
·alexanderjaeger.de·
#DailyDFIR 328: How about a double-dose of @brianjmoran? Brian is a great guy who is active in the #DFIR & #DFIRFit communities. Check out: Interview on #CacheUp: https://t.co/W3TOkaLShl ; OSDFCon talk on reconstructing RDP activity images: https://t.co/W3TOkaLShl #DFIR
http://twitter.com/_RyanBenson/status/1331073771998900230
·youtube.com·
#DailyDFIR 329: Chrome 87 is here with its typical slew of fixes & new behind-the-scenes features (including tab throttling & back/forward cache). I've updated my interactive "Chrome Evolution" page: https://t.co/EFjQ4e9vKr #DFIR #Chrome #Visualization #infosec https://t.co/LWDfbMtB47
http://twitter.com/_RyanBenson/status/1331250721912745989
·twitter.com·
#DailyDFIR 330: @jaco_ZA has a post on the genesis, evolution & future of #Emotet (complete with year-appropriate pop culture references): https://t.co/7BP9lYFuGh Easy to read & informative write-up about a complex and long-lived threat. Nice Jaco! #DFIR #Malware #infosec
http://twitter.com/_RyanBenson/status/1331804978164289536
·dfir.co.za·
#DailyDFIR 333: @iamevltwin's APOLLO tool for iOS & macOS uses #Python & SQL queries to extract a ton of information. Sarah's #OSDFCon talk shows how to get started analyzing this data for user activity, application usage & more! https://t.co/HkWhGJNfXH #DFIR #openSource
http://twitter.com/_RyanBenson/status/1332829736284823554
·youtube.com·
#DailyDFIR 335: There's a great deal from @humble right now - while it's called the "Hacking 101" bundle it has great #DFIR titles from @nostarch like @mikesiko's Practical Malware Analysis & @chrissanders88's Practical Packet Analysis: https://t.co/AW0xinFFoM Check it out!
http://twitter.com/_RyanBenson/status/1333582910402641925
·humblebundle.com·
#DailyDFIR 336: I'm not sure how or when, but I have a feeling that the M1 Mac clock ticking every 41.67 ns (instead of every 1 ns) is going to cause #DFIR pain: https://t.co/rNwjQmR0Ge @howardnoakley's blog is a great source of in-depth technical explanations on Mac topics!
http://twitter.com/_RyanBenson/status/1333985252348346372
·eclecticlight.co·
#DailyDFIR 337: @theAtropos4n6 has a post on examining Windows Event Logs to identify volumes & VSNs on USB drives: https://t.co/J8dwfGi731 This isn't a new artifact but the thorough research methodology could help you see something that otherwise might be overlooked. #DFIR
http://twitter.com/_RyanBenson/status/1334343970109812739
·atropos4n6.com·
#DailyDFIR 338: Looking for a #DFIR tool reference or video but aren't quite sure which one? @KevinPagano3 has a @startme page that might help you out: https://t.co/NKeITluoB4 I like looking through people's lists of tools & resources; I almost always find something new!
http://twitter.com/_RyanBenson/status/1334701621381529602
·stark4n6.com·
#DailyDFIR 339: A new version of APOLLO from @iamevltwin is out! Lots of updates for iOS14 & macOS 11, and also added "gather" functions to collect the SQLite DBs from target devices. Blog: https://t.co/83Jh8dKcYC ; Tool: https://t.co/myaQ8hv83g #DFIR #mac4n6 #Python
http://twitter.com/_RyanBenson/status/1335012080437481474
·mac4n6.com·
#DailyDFIR 339: A new version of APOLLO from @iamevltwin is out! Lots of updates for iOS14 & macOS 11, and also added "gather" functions to collect the SQLite DBs from target devices. Blog: https://t.co/83Jh8dKcYC ; Tool: https://t.co/myaQ8hv83g #DFIR #mac4n6 #Python
http://twitter.com/_RyanBenson/status/1335012080437481474
·github.com·
#DailyDFIR 340: Expecting more evidence from a phone than you got? This post from @HeatherMahalik describes how you can determine if (& if so when) an #iOS device was wiped: https://t.co/e9XWyefTjo #DFIR #mobile4n6
http://twitter.com/_RyanBenson/status/1335284803843846147
·cellebrite.com·
#DailyDFIR 341: See search suggestions in the #Chrome omnibox with a picture & bit of context? If you click that suggestion and do the search, the search results URL has a gs_ssp parameter. It's base64zipprotobuf & Unfurl (https://t.co/H5XHNrawum) can parse it for you! #DFIR https://t.co/DhpZoAmPOG
http://twitter.com/_RyanBenson/status/1335758818601361411
·twitter.com·
#DailyDFIR 342: @SwiftForensics will be talking about Spotlight indexing on #iOS & #macOS in a free webinar from @NW3CNews! Starts in two hours: 9am Pacific / 12pm Eastern. Register: https://t.co/bBnHQM5QTQ There's very interesting data in Spotlight; it's great for #DFIR
http://twitter.com/_RyanBenson/status/1335962267934892032
·nw3c.org·
#DailyDFIR 343: @B1N2H3X has a post about many ways to share in #DFIR: https://t.co/hCFjRAcUeq It's more than just "write a blog post" (although that is good to do!) There are so many ways to share & contribute and Jessica does a great job leading by example on this front.
http://twitter.com/_RyanBenson/status/1336468735385686016
·magnetforensics.com·