Unfurl

New Unfurl Version Released

A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup.

Ryan Benson

3 min read
New Unfurl Version Released

A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup. More details:

Parsing RLZ Google Search parameter

The RLZ parameter has been around for a while and can have pretty useful information about the device the search came from, as well as timing. I wrote a whole post about it; see that one for more details.

Unfurl parsing a URL with a RLZ tag
Unfurl expanding a fb.me link

Unfurl adds expanding short-links for these domains:

  • cutt.ly
  • fb.me
  • lc.chat
  • nyti.ms
  • sansurl.com
  • snip.ly
  • urlzs.com

That's in addition to what Unfurl could already expand, which brings the total to 25.

DuckDuckGo Search Parsing

Thanks to Moshe Kaplan, Unfurl can now do basic DuckDuckGo search URL parsing! There's more to parse here, and it's a great one to look at if you'd like to contribute to Unfurl.

Unfurl parsing a DuckDuckGo Search

Thanks to OllieJC, Unfurl can now parse mailto links! I think it does a nice job of making a long hard-to-read string a bit more readable. This parser also opens up interesting possibilities of further OSINT-type enrichments on email addresses.

Unfurl parsing a mailto: link

Better Docker

Also thanks to OllieJC and Wes Lambert, Unfurl's Docker setup is a bit more efficient. I haven't done much with Docker, so I'm really grateful for the help from these two in getting this figured out.

Updates ei param parsing

Lastly, I received an email from Adam Mazack, who observed that in Google Search URLs, the 2nd component of the ei parameter matches the fractional seconds in the ved parameter, along with a few test cases demonstrating this. This was awesome, as I love it when others can help piece together the meaning of these artifacts; there's still so much we don't know!

I've updated the ei parsing in Unfurl to combine the first two components into one timestamp: ei timestamps are now in microseconds instead of seconds.

Timestamps in ei and ved parameters now match

Get it!

To get these latest updates, you can:

  • use dfir.blog/unfurl online
  • if using pip, pip install dfir-unfurl -U will upgrade your local Unfurl to the latest
  • get the code from GitHub

All features work in both the web UI and command line versions (unfurl_app.py & unfurl_cli.py).

Let me know what you think!