Ryan Benson

Here's the blog post on my new tool: dfir.blog/introducing-un… Unfurl takes a URL🔗 and expands ("unfurls") it to show all the data it contains. It's amazing how much can be hidden inside URLs! Take it for a spin and tell me what interesting stuff you find🔗🌿#DFIR #Python

@GergelyOrosz FYI that link in the screenshot is acquired by the user tapping "Copy Link" button from the Twitter app on iPhone. That's what the parameter "s=46" means. It's safe to also drop that from the final URL. Here's where I got the s-parameter table to look up: dfir.blog/unfurl-parsing…

@KevinPagano3 thanks, I'll take a look and get them added

@_RyanBenson here is a large list of Mastodon instances coxy.co/mastodon/

There's a new Unfurl release! v2022.11 adds: 🔹Parsing #Twitter "s" values - all 71 of them! 🔹Timestamps from #Mastodon IDs 🔹Decoding #LinkedIn identifiers 🔹Expanding #Substack redirect links 🔹Parsing common tracking parameters Blog: dfir.blog/unfurl-parsing… #DFIR #OSINT

With all the uncertainty @Twitter, I've seen more people talking about alternatives like #Mastodon. Like tweets, Mastodon IDs have embedded timestamps in them, and Unfurl can parse them: 🔗@Gargron/109256990373721673" target="_blank" rel="nofollow noopener">dfir.blog/unfurl/?url=ht… #DFIR #OSINT

@phillmoore @inversecos It doesn't. These files are in the SNSS format, which involves some serialization. AFAIK, there aren't any working open source parsers (github.com/cclgroupltd/cc… & github.com/JRBANCEL/Chrom… worked at least partially in the past) and I haven't taken a pass at parsing it myself yet.

@inversecos @_RyanBenson does hindsight have coverage for this file?

1\ #DFIR: Chrome Forensics - How to Recover CLEARED History If a user just cleared their browser history, you can still recover everything they were just looking at from the session files: %appdata%\Local\Google\Chrome\User Data\Default\Sessions inversecos.com/2022/10/recove…

We are reviewing our @MISPProject warning lists and we are looking for a maintained list of hosts which are domain parking. Do you know someone doing such thing? or should we start to build one from scratch? #threatintelligence

A key mindset to grasp as you transition from junior analyst to a more experienced level is that you won't have all the answers, but you can ask the right questions and know where to start looking for the answers.

@WebBreacher Double-click any node and it copies the text to clipboard. I need to make that feature more visible, sorry.

@_RyanBenson for unfurl...when it decodes one of the long URLs I have into all the parts, I cannot select a decoded part and copy it to clipboard. I have to use CyberChef or something to recreate what unfurl does. Any way we can get a copy/paste of the nodes as text?

@ollie_boyd_ Awesome! Will do for sure.

@_RyanBenson I used your TikTok research to figure out the Linkedin post timestamp from URL in case you want to add to Unfurl github.com/Ollie-Boyd/Lin…

Nice little tidbit here about decoding #LinkedIn profile ids from URLs, then using their sequential nature to estimate profile creation time. I see an @unfurl_link update in the future! #DFIR #OSINT

Apparently TikTok uses the same ID scheme for job postings as it does for videos? Random, but kind of interesting.🤷‍♂️ Example: dfir.blog/unfurl/?url=ht… More info on TikTok timestamps: dfir.blog/tinkering-with… #DFIR #TikTok #OSINT

@WebBreacher Ha, thanks 😉. I updated the logo at least for dark mode, other components will take more time.

@_RyanBenson LOL. It is a terrific tool! I appreciate all the work you put into it. And yes, the logo could look nicer in DM....but that was not my intent of this post!

Have a long URL to decode? Use dfir.blog/unfurl/. It decodes parameters & values in the URL. Ex: I used Amazon & ran a search, copied URL, pasted into Unfurl. It broke the URL down & revealed "qid" param (2) is a time stamp and a date (3). #osint #cyber #tools

@WebBreacher Thanks! Glad you like it. And after seeing your screenshot, I'll make the logo look better in dark mode ;)

love the tool @_RyanBenson! Thanks!

If you want a refresher on the benefits of allowlisting vs denylisting, just ask a 5 year old to stop doing something.

Very cool! #DFIR #Python

@WHInspector If you're interested in browser forensics, check out hindsig.ht

Ok I am doing my first steps on browser #DFIR. I know one thing for sure: If someone steals your laptop/PC and he knows what he is doing, you are screwed. 😨😱

Hey, thanks! Your #DailyOSINT looks really interesting too!

debugging strategy: write a message asking for help