Digital Forensics Unfurling Unknown Protobufs With this latest update, Unfurl can now parse protobufs as well! If you hover over a field, Unfurl tries to explain a bit about wire types and possible other data formats.
Tools Unfurl... in 3D Unfurl has been a fun tool, but I've heard you: it's boring. This update to Unfurl will change all that!
Web Browsers Google "ved" Parameter Versions The "ved" parameter in Google URLs contains valuable link context. I've found a new version ("v2") with more info!
Presentations & Interviews Talking about Unfurl on the Forensic Lunch Ryan Benson on Dave Cowen's Forensic Lunch talking about Unfurl (and other DFIR things).
Tools Introducing Unfurl Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL up
Web Browsers Deciphering Browser Hieroglyphics: FileSystem (Part 3) Part 3 in the Deciphering Browser Hieroglyphics series examines LevelDB databases and Chrome's FileSystem.
Web Browsers Deciphering Browser Hieroglyphics: LocalStorage (Part 2) The second post in "Deciphering Browser Hieroglyphics" discusses LocalStorage and using CyberChef to decode it.
Open Source Tools Hindsight v2.4 Adds JSONL Output Hindsight v2.4.0 add JSONL output, support for the newest versions of Chrome (1-76), and other small fixes.
Web Browsers Deciphering Browser Hieroglyphics: Intro (Part 1) In this first post in "Deciphering Browser Hieroglyphics" I introduce Chromotopia and our artifact deciphering approach.
Open Source Tools Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab The folks at Magnet Forensics had a digital forensics-themed Capture the Flag competition and I wanted to take a crack at it using the open source tools we use/build here at Google: Plaso, Timesketch, and Colab/Python.
Web Browsers A First Look at Chromium-Based Edge A quick (forensic) look at the new Chromium-based Edge web browser. TL;DR: it looks a lot like Chrome.
Open Source Tools Hindsight v2.3 Finds and Parses Multiple Chrome Profiles Hindsight v2.3.0 adds input path searching, parsing of LocalStorage LevelDB files, support for newer versions of Chrome (1-73), and minor fixes.
Web Browsers Chrome Values Lookup Tables I've fielded a few questions recently about what some value buried in a Chrome artifact means. I find myself going to the Hindsight source on GitHub and drilling down into the code because
Chrome Capturing Chrome's Evolution When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there that could parse
Tools Chrome Evolution Chrome has evolved in many aspects since its release: the browser's appearance, capabilities, and how it stores data have all changed greatly since 2008. This page lets you explore how the files and
Digital Forensics New Year, New dfir.blog 2019 is here and the new year brings something with it I've wanted to do for a while: re-launch my blog! It has a new look and a new home at dfir.blog.
Tools Hindsight Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications - with more to
Presentations & Interviews Video of "Efficiently Summarizing Web Browsing Activity" at SANS DFIR Summit 2018 I spoke at the SANS DFIR Summit 2018 on "Efficiently Summarizing Web Browsing Activity" in Austin, TX. My abstract was: Reviewing web browsing activity is relevant in a wide variety of DFIR cases.
Presentations & Interviews Ryan Benson Interviewed by BBC Click about Web Browsers I was interviewed by BBC Click for their "What is GDPR?" episode. I'm not really sure what the personal information web browsers are storing on your computer has to do with the GDPR,
Open Source Tools Hindsight v2.2 Parses More Chrome Preference Items Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is:Support for Chrome versions 1 - 66Preference items with timestamps now are
Presentations & Interviews Deciphering Browser Hieroglyphics I spoke about "Deciphering Browser Hieroglyphics" at the SANS DFIR Summit 2017 in Austin, TX. I talked about how to "decipher" different kinds of information stored in web browsers, using a variety of
Visualizations Visualizing Activity from Metadata Encrypted iPhone backup? That means it's useless to an investigator (or attacker), right? Not so fast. We can still get an incredible amount of insight into the actions on the devices from the
Open Source Tools Hindsight v2 Adds a Web UI and Cache Parsing Hindsight v2 is here! The new release brings new features, many of which are focused on ease-of-use, along with a refactoring of the code into a Python package pyhindsight. The highlights are:Cross-platform
Web Browsers Investigating Universal Analytics Two common questions when investigating web browsing are: (1) how long did a user spend on a website, and (2) what actions did they take while on it?We have a number of
Web Browsers Load Balancer Cookie Decoder I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing his process of
