Introducing Unfurl
Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL up into components, extracting as much information as it can from each piece, and presenting it all visually. This “show your work” approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.
Here is a very simple example:
Unfurl attempts to split the input into components; in this example, the URL is split into its netloc (or domain), path, and query string. Those components are then split again if possible; the path is split into its segments, and the query string is split by its the key/value pairs.
This example only uses one parser: the URL parser (indicated in the graph by the dark gray edges and the letter "u"). The real beauty of Unfurl is when multiple parsers, each doing relatively simple things, combine to provide unexpected insights.
Unfurl has parsers for URLs, search engines, chat applications, social media sites, and more. It also has more generic parsers (timestamps, UUIDs, base64, etc) helpful for exploring new URLs or reverse engineering. It’s also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.
I've said Unfurl takes a URL as input, but that's not strictly true. It can take any string as input; URLs are just the most common use case. It can "unfurl" any structure it understands (like numeric timestamps or UUIDs, for example).
No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser’s history file, Unfurl can help you get the most out of it.
How to use Unfurl
Online Version
- There is an online version at https://dfir.blog/unfurl. Visit that page, enter the URL in the form, and click 'Unfurl!'.
- You can also access the online version using a bookmarklet - create a new bookmark and paste
javascript:window.location.href='https://dfir.blog/unfurl/?url='+window.location.href;'
as the location. Then when on any page with an interesting URL, you can click the bookmarklet and see the URL "unfurled".
Local Install
- Clone or download Unfurl from GitHub.
- Install Python 3 and the modules in
requirements.txt
- Run
python unfurl_app.py
- Browse to http://localhost:5000/
- Enter the URL to unfurl in the form, and 'Unfurl!'