Unfurl

Unfurl v2023.09 Released!

Unfurl v2023.09 adds parsing for JWTs, URLs with encoded DoH (DNS over HTTPS) requests, and more Mastodon servers.

Unfurl

Unfurl v2022.11: Social Media Edition

This "social media edition" Unfurl release includes parsing Twitter sharing codes, timestamps from Mastodon and LinkedIn IDs, expanding Substack redirects, & more!

Unfurl

More Search URL Parsing, MISP Lists, & More in Unfurl v2022.02

Unfurl v2022.02 adds parsing for Google Search's aqs parameter, integrates MISP "warninglists", adds 3x more shortlink expansions, and more!

Hindsight

Hindsight v2021.12

Hindsight v2021.12 adds parsing of more preference items, site settings (including HSTS records), Session Storage, and more!

Chrome

Cookies Database Moving in Chrome 96

To support stronger security for Chrome, some network-related files - including the Cookies database - are moving locations on disk.

Unfurl

Metasploit URLs, Hash Lookups, & More in Unfurl v2021.06.15

A new Unfurl release is here! v2021.06.15 adds decoding of some Metasploit URLs, hash identification and API lookups, & more!

Hindsight

Unfurl Plugin and "Site Characteristics" Artifact Added in Hindsight

I'm happy to announce there is a new Hindsight release available! 2021.04.26 has many small improvements and fixes, including adding support Chrome 88 - 90, but the main new features are an Unfurl plugin and parsing of the Site Characteristics Database! Unfurl Plugin I'm

Visualizations

Keystroke Flow from Chrome Omnibox

I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.

Hindsight

New Hindsight Release: Better LevelDB parsing, New Web UI View, & More!

Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!

Digital Forensics

A Year of #DailyDFIR

A look back at a year of tweeting every day about DFIR topics - including a recap of the most popular tweets, coverage trends, and what's next in 2021.

Presentations & Interviews

"Cache Up" with Ryan Benson

I sat down with Jessica Hyde (from Magnet Forensics) on her "Cache Up" podcast and talked about my DFIR career, open source projects, and share thoughts on how folks can get started in DFIR. Check it out!

Chrome

New "Media History" File Added to Chrome

There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!

Presentations & Interviews

Unfurl on "Life Has No Ctrl+Alt+Delete"

A few weeks ago I was on "Life Has No Ctrl+Alt+Del" with @HeatherMahalik of Cellebrite giving an overview of Unfurl, how to use it, and walking through (many) examples. The video recording is now up!

Presentations & Interviews

Video of "Extract & Visualize Data from URLs using Unfurl" Posted

My talk "Extract and Visualize Data from URLs using Unfurl" at the SANS DFIR Summit 2020 has been posted on YouTube! I had a great time presenting at the first ever virtual DFIR Summit (yay 2020). Check out the video below and give Unfurl a try!

Digital Forensics

Tinkering with TikTok Timestamps

I tinker with TikTok - and find a timestamp embedded in video URLs!

Unfurl

New Unfurl Version Released

A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup.

Python

Another Google Search Parameter? For RLZ!

There are many query string parameters in Google Search URLs that hold interesting information. The rlz parameter is no exception, but thankfully it isn't as mysterious as many others; Google explains what the RLZ parameter is and how it functions in a white paper. From the Google Chrome

Unfurl

Unfurl CLI version (and now on PyPI)

A new Unfurl version brings a CLI tool & easier installs via PyPI.

Hindsight

Hindsight is 2020

Hindsight is 2020! ... ok, it's actually 20200607, but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight!

Digital Forensics

Unfurling Unknown Protobufs

With this latest update, Unfurl can now parse protobufs as well! If you hover over a field, Unfurl tries to explain a bit about wire types and possible other data formats.

Tools

Unfurl... in 3D

Unfurl has been a fun tool, but I've heard you: it's boring. This update to Unfurl will change all that!

Web Browsers

Google "ved" Parameter Versions

The "ved" parameter in Google URLs contains valuable link context. I've found a new version ("v2") with more info!

Presentations & Interviews

Talking about Unfurl on the Forensic Lunch

Ryan Benson on Dave Cowen's Forensic Lunch talking about Unfurl (and other DFIR things).

Tools Featured

Introducing Unfurl

Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL up into components, extracting as much information as it can from each piece, and presenting it

Web Browsers

Deciphering Browser Hieroglyphics: FileSystem (Part 3)

Part 3 in the Deciphering Browser Hieroglyphics series examines LevelDB databases and Chrome's FileSystem.