A Year of #DailyDFIR
2020 was quite the year, for so many reasons. A comparatively minor reason was I chose to challenge myself to tweet every day about something of interest to those in DFIR (Digital Forensics & Incident Response). It was quite the effort, but I succeeded in putting out one a day for the whole year, ending up with 366 "Daily DFIR" tweets in all (of course 2020 was a leap year)!
I've made a word cloud of all my #DailyDFIR tweets to get an overall feel for what I focused on this past year. My tweets tended (unsurprisingly) to skew towards my interests in DFIR: open source projects, Python, Chrome, and URLs. There also were a good number of tweets on mobile forensics and OSINT tools & techniques, mostly because there was just so much good content being produced in those areas.
Most Popular #DailyDFIR Tweets
I used the hashtag #DailyDFIR for all these tweets, in case you want to go look through some of them. I've also made a searchable bookmark database of all the #DailyDFIR links in my tweets (see the bottom of the post for more info). 300+ is kind of a lot though, so as a start here are the five most popular (as far as impressions go at least) of my #DailyDFIR tweets:
#5: Kick-off Tweet about Unfurl
The first #DailyDFIR tweet was about my (new at the time) open source tool Unfurl. Unfurl got a decent amount of coverage in my tweets; unsurprising as it was one of the projects I spent a lot of time on in 2020, and I just really like dissecting URLs and finding cool stuff!
January's #DailyDFIR theme will be URLs and the things you can find inside of them. #DailyDFIR 1: Unfurl takes a URL and expands ("unfurls") it into a graph to show data it contains. It's amazing how much can be hidden inside URLs! #DFIR
https://t.co/ZfRisFEVnM pic.twitter.com/Ti84QqEh7E
— Ryan Benson (@_RyanBenson) January 1, 2020
#4: ExplainShell
I'm glad this tweet about ExplainShell got as much exposure as it did, because it is an awesome tool that's been around for a while that could use more attention. I simply love it; it does a fantastic job explaining many Linux commands in a visual way. I've described Unfurl as a mix of ExplainShell and CyberChef - both tools definitely had an outsized impact on how Unfurl turned out.
#DailyDFIR 250: Have a long command on Linux that you're trying to make sense of? Check out explainshell!
https://t.co/Nbhv1bGj5Z
I think the interface is really nice and like the hover interactions. It was definitely part of my inspiration for Unfurl. #DFIR #bash #Linux pic.twitter.com/iOh2rioB51
— Ryan Benson (@_RyanBenson) September 7, 2020
#3: Replacing strings.exe with FLOSS
FireEye's FLOSS (FireEye Labs Obfuscated String Solver) is another tool that isn't new, but I think everyone in DFIR should have it in their toolbox. It works in a similar fashion to strings.exe, so it's easy to swap it into your workflow. However, FLOSS has multiple deobfuscation routines built in that let it find and extract strings that malware authors have tried to hide.
#DailyDFIR 69: Do you use strings.exe on files to try to get an idea of what's in them?
Use @FireEye's FLOSS (FireEye Labs Obfuscated String Solver) instead. It's a drop-in replacement for strings that handles deobfuscation.
https://t.co/Gr3R6Xro94 #DFIR @williballenthin
— Ryan Benson (@_RyanBenson) March 10, 2020
#2: Introducing libcloudforensics: open source utility for doing #DFIR in multiple clouds
libcloudforensics provides a unified API to multiple cloud providers. It's developed by some of my teammates at Google and it aims to streamline DFIR in multiple cloud environments by providing a common interface to do tasks typically needed during an investigation, such as: making forensic copies of disks, querying cloud logs, and creating analysis virtual machines. All using a single CLI interface that works across AWS, GCP, and Azure!
#DailyDFIR 150: Interested in doing #DFIR in multiple clouds with open source tools? Check out libcloudforensics!
Features:
- Copy disks
- Query cloud logs
- Auto create analysis VMs
- Works on #AWS & #GCP; #Azure coming soon!
https://t.co/0aptakqjiA #DFIR #Python #Infosec
— Ryan Benson (@_RyanBenson) May 29, 2020
#1: Finding TikTok account creation time
The most popular of all my #DailyDFIR posts ended up being one about finding when a TikTok account was created. When TikTok was in the news a bunch in mid-2020, I decided to take a look at its URLs for anything interesting. I found that it's possible to extract a creation timestamp from the IDs that TikTok uses for most things; this means it's possible to tell when a video was posted, an account created, a song uploaded, etc., solely from the URL! Because the timestamp is in the URL, this technique works regardless of whether you can view the actual resource; it also works on private or deleted items (as long as you have the URL, of course). I wrote up this research and it ended up getting peer-reviewed and published in DFIR Review. It's also been incorporated into Unfurl, to make extracting these timestamps easy.
#DailyDFIR 231: Want to see when a #TikTok account was created? Use its ID!
- On the user's profile page, view source
- Search for userId
- Unfurl the ID to see when the account was created!
More details on the timestamp embedded in the ID: https://t.co/uNqtmNyqY4 #OSINT #DFIR pic.twitter.com/2GVCGH9O76
— Ryan Benson (@_RyanBenson) August 18, 2020
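As an added example (not from the post and not Unfurl's own code), here is the "unfurl the ID" step from the tweet in Python, with a plausibility check on the decoded time. It assumes the ID layout the linked write-up describes: a 64-bit value whose upper 32 bits are a Unix timestamp in seconds; the userId key format and every sample value below are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from typing import Optional
from urllib.parse import urlparse

# Assumed layout: upper 32 bits of the 64-bit ID hold a Unix timestamp
# (seconds); the lower 32 bits are sequence/worker data with no time info.
TIMESTAMP_BITS = 32
# Plausibility window: TikTok did not exist before 2016, and a time in the
# far future means the number is not an ID of this layout at all.
MIN_TS = int(datetime(2016, 1, 1, tzinfo=timezone.utc).timestamp())
MAX_TS = int(datetime(2030, 1, 1, tzinfo=timezone.utc).timestamp())

ID_PATTERN = r'(?<!\d)(\d{17,20})(?!\d)'          # bare 64-bit-sized decimal
USERID_PATTERN = r'userId["\']?\s*[:=]\s*["\']?(\d{17,20})'  # assumed key format

def find_tiktok_id(text: str) -> Optional[int]:
    """Pull a candidate ID from a URL path, from page source, or from a bare ID."""
    if "://" in text:
        # ID as a path segment, e.g. https://www.tiktok.com/@someone/video/<id>
        m = re.search(ID_PATTERN, urlparse(text).path)
    else:
        # Page source: prefer the userId field (tweet step 2), because a profile
        # page also embeds many video and music IDs that would match first.
        m = re.search(USERID_PATTERN, text) or re.search(ID_PATTERN, text)
    return int(m.group(1)) if m else None

def tiktok_id_timestamp(tiktok_id: int) -> Optional[datetime]:
    """Decode the creation time, or None if it falls outside the plausible window."""
    ts = tiktok_id >> TIMESTAMP_BITS
    if not MIN_TS <= ts <= MAX_TS:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def creation_time(id_url_or_source: str) -> Optional[datetime]:
    tid = find_tiktok_id(id_url_or_source)
    return tiktok_id_timestamp(tid) if tid is not None else None

# Constructed sample: 1596000000 (2020-07-29 05:20:00 UTC) in the upper
# 32 bits plus an arbitrary low word. Not a real account, video or URL.
SAMPLE_ID = (1596000000 << TIMESTAMP_BITS) | 0x2A5F3
SAMPLE_URL = f"https://www.tiktok.com/@example/video/{SAMPLE_ID}"
SAMPLE_SOURCE = '... "userId":"%d","uniqueId":"example" ...' % SAMPLE_ID

if __name__ == "__main__":
    for sample in (str(SAMPLE_ID), SAMPLE_URL, SAMPLE_SOURCE):
        print(sample[:60], "->", creation_time(sample))
```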
Searchable Gallery of all #DailyDFIR Links
If you found those five tweets interesting, there's a lot more! Most of the tweets involve links to useful DFIR resources. I've added all the links I tweeted about to a Raindrop collection; it's a bookmark manager with some cool features (it also looks nice). One neat thing is that it indexes the content of the linked pages as well, so if you search for a specific term that's not in the description or title (example: last_clear_browsing_data_time), it can still find it.
Here's a small embedded preview of the #DailyDFIR link collection; click the "More" button to view the full collection and enable searches, sorting, and more:
What's in store for 2021?
I have many DFIR-related things I'm excited about tackling in 2021, but more daily tweets won't be one of them. It was an experiment on my part which I think went well; I learned a lot, it forced me to be more vocal and share more frequently, and I was able to promote some people's great work in DFIR to a wider audience. Regardless of how successful it was, it's time for it to come to an end so I can invest the time it was taking into other things. I'll still be tweeting about DFIR topics, just probably not every single day.
I wanted to close with a thank you to all the wonderful members of the DFIR community - those who put out blog posts, build and run CTFs, host conferences or podcasts, contribute to open source tools, and just generally encourage each other. I couldn't have found that many positive DFIR things to tweet about in 2020 without you, and I couldn't imagine doing this job alone.
Thanks again, and here's to hoping for a great 2021!