A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup. More details:
Parsing RLZ Google Search parameter
The RLZ parameter has been around for a while and can have pretty useful information about the device the search came from, as well as timing. I wrote a whole post about it; see that one for more details.
Added expansion for more shortlink domains
Unfurl now expands short-links for these domains:
That's in addition to what Unfurl could already expand, which brings the total to 25.
DuckDuckGo Search Parsing
Thanks to Moshe Kaplan, Unfurl can now do basic DuckDuckGo search URL parsing! There's more to parse here, and it's a great one to look at if you'd like to contribute to Unfurl.
Parsing mailto links
Thanks to OllieJC, Unfurl can now parse mailto links! I think it does a nice job of making a long hard-to-read string a bit more readable. This parser also opens up interesting possibilities of further OSINT-type enrichments on email addresses.
Also thanks to OllieJC and Wes Lambert, Unfurl's Docker setup is a bit more efficient. I haven't done much with Docker, so I'm really grateful for the help from these two in getting this figured out.
Updated ei param parsing
Lastly, I received an email from Adam Mazack, who observed that in Google Search URLs the 2nd component of the ei parameter matches the fractional seconds in the ved parameter, and who included a few test cases demonstrating this. This was awesome, as I love it when others can help piece together the meaning of these artifacts; there's still so much we don't know!
I've updated the ei parsing in Unfurl to combine the first two components into one timestamp: ei timestamps are now in microseconds instead of seconds.
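Here is an added example (not Unfurl's own code) of combining the first two ei components into one microsecond timestamp. It assumes, from public research on Google Search URLs rather than from this post, that ei is URL-safe base64 wrapping a sequence of varints; the helper names and the sample value are constructed for illustration.

```python
import base64
from datetime import datetime, timezone

def _read_varints(data):
    """Decode consecutive base-128 varints (7 payload bits per byte, low group first)."""
    values, current, shift = [], 0, 0
    for byte in data:
        current |= (byte & 0x7F) << shift
        if byte & 0x80:              # continuation bit: more bytes follow
            shift += 7
        else:
            values.append(current)
            current, shift = 0, 0
    if shift:
        raise ValueError("truncated varint at end of ei value")
    return values

def _write_varint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)

def build_ei(components):
    """Build a constructed ei value so the example runs offline."""
    raw = b"".join(_write_varint(c) for c in components)
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def parse_ei(ei):
    """Return the ei timestamp as microseconds since the Unix epoch."""
    padded = ei + "=" * (-len(ei) % 4)   # ei values arrive without padding
    values = _read_varints(base64.urlsafe_b64decode(padded))
    if len(values) < 2:
        raise ValueError("ei needs at least two components")
    seconds, micros = values[0], values[1]
    if micros >= 1_000_000:              # must be a sub-second fraction
        raise ValueError("second component is not a fractional-second value")
    return seconds * 1_000_000 + micros

def ei_to_utc(ei):
    total = parse_ei(ei)
    whole = datetime.fromtimestamp(total // 1_000_000, tz=timezone.utc)
    return whole.replace(microsecond=total % 1_000_000)

# Constructed sample: seconds, microseconds, then two filler components.
SAMPLE_EI = build_ei([1596000000, 123456, 1, 2])
```

When checking a real URL, compare the microsecond part against the fractional seconds decoded from the ved parameter of the same URL, which is the correlation described above.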
To get these latest updates, you can:
- use dfir.blog/unfurl online
- if using pip, `pip install dfir-unfurl -U` will upgrade your local Unfurl to the latest
- get the code from GitHub
All features work in both the web UI and command line versions (unfurl_app.py & unfurl_cli.py).
Let me know what you think!