dfir.blog
Ryan Benson

SF Bay Area • 63 posts
Hindsight

New Hindsight Release: Better LevelDB parsing, New Web UI View, & More!

Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!

  • Ryan Benson
4 min read
Digital Forensics

A Year of #DailyDFIR

A look back at a year of tweeting every day about DFIR topics - including a recap of the most popular tweets, coverage trends, and what's next in 2021.

  • Ryan Benson
5 min read
Presentations & Interviews

"Cache Up" with Ryan Benson

I sat down with Jessica Hyde (from Magnet Forensics) on her "Cache Up" podcast, talked about my DFIR career and open source projects, and shared thoughts on how folks can get started in DFIR. Check it out!

  • Ryan Benson
1 min read
Chrome

New "Media History" File Added to Chrome

There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!

  • Ryan Benson
8 min read
Presentations & Interviews

Unfurl on "Life Has No Ctrl+Alt+Delete"

A few weeks ago I was on "Life Has No Ctrl+Alt+Del" with @HeatherMahalik of Cellebrite giving an overview of Unfurl, how to use it, and walking through (many) examples. The video recording is now up!

  • Ryan Benson
1 min read
Presentations & Interviews

Video of "Extract & Visualize Data from URLs using Unfurl" Posted

My talk "Extract and Visualize Data from URLs using Unfurl" at the SANS DFIR Summit 2020 has been posted on YouTube! I had a great time presenting at the first ever virtual DFIR

  • Ryan Benson
1 min read
Digital Forensics

Tinkering with TikTok Timestamps

I tinker with TikTok - and find a timestamp embedded in video URLs!

  • Ryan Benson
6 min read
Unfurl

New Unfurl Version Released

A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup.

  • Ryan Benson
3 min read
Python

Another Google Search Parameter? For RLZ!

There are many query string parameters in Google Search URLs that hold interesting information. The rlz parameter is no exception, but thankfully it isn't as mysterious as many others; Google explains what the

  • Ryan Benson
2 min read
Unfurl

Unfurl CLI version (and now on PyPI)

A new Unfurl version brings a CLI tool & easier installs via PyPI.

  • Ryan Benson
3 min read
Hindsight

Hindsight is 2020

Hindsight is 2020! ... ok, it's actually 20200607, but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight!

  • Ryan Benson
3 min read
Digital Forensics

Unfurling Unknown Protobufs

With this latest update, Unfurl can now parse protobufs as well! If you hover over a field, Unfurl tries to explain a bit about wire types and possible other data formats.

  • Ryan Benson
3 min read
Tools

Unfurl... in 3D

Unfurl has been a fun tool, but I've heard you: it's boring. This update to Unfurl will change all that!

  • Ryan Benson
1 min read
Web Browsers

Google "ved" Parameter Versions

The "ved" parameter in Google URLs contains valuable link context. I've found a new version ("v2") with more info!

  • Ryan Benson
4 min read
Presentations & Interviews

Talking about Unfurl on the Forensic Lunch

Ryan Benson on Dave Cowen's Forensic Lunch talking about Unfurl (and other DFIR things).

  • Ryan Benson
1 min read
Tools

Introducing Unfurl

Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking a URL up

  • Ryan Benson
2 min read
Web Browsers

Deciphering Browser Hieroglyphics: FileSystem (Part 3)

Part 3 in the Deciphering Browser Hieroglyphics series examines LevelDB databases and Chrome's FileSystem.

  • Ryan Benson
7 min read
Web Browsers

Deciphering Browser Hieroglyphics: LocalStorage (Part 2)

The second post in "Deciphering Browser Hieroglyphics" discusses LocalStorage and using CyberChef to decode it.

  • Ryan Benson
9 min read
Open Source Tools

Hindsight v2.4 Adds JSONL Output

Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome (1-76), and other small fixes.

  • Ryan Benson
3 min read
Web Browsers

Deciphering Browser Hieroglyphics: Intro (Part 1)

In this first post in "Deciphering Browser Hieroglyphics" I introduce Chromotopia and our artifact deciphering approach.

  • Ryan Benson
6 min read
Open Source Tools

Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab

The folks at Magnet Forensics had a digital forensics-themed Capture the Flag competition and I wanted to take a crack at it using the open source tools we use/build here at Google: Plaso, Timesketch, and Colab/Python.

  • Ryan Benson
34 min read
Web Browsers

A First Look at Chromium-Based Edge

A quick (forensic) look at the new Chromium-based Edge web browser. TL;DR: it looks a lot like Chrome.

  • Ryan Benson
5 min read
Open Source Tools

Hindsight v2.3 Finds and Parses Multiple Chrome Profiles

Hindsight v2.3.0 adds input path searching, parsing of LocalStorage LevelDB files, support for newer versions of Chrome (1-73), and minor fixes.

  • Ryan Benson
2 min read
Web Browsers

Chrome Values Lookup Tables

I've fielded a few questions recently about what some value buried in a Chrome artifact means. I find myself going to the Hindsight source on GitHub and drilling down into the code because

  • Ryan Benson
4 min read
Chrome

Capturing Chrome's Evolution

When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there that could parse

  • Ryan Benson
4 min read
dfir.blog © 2021