Unfurl Unfurl v2023.09 Released! Unfurl v2023.09 adds parsing for JWTs, URLs with encoded DoH (DNS over HTTPS) requests, and more Mastodon servers.
Unfurl More Search URL Parsing, MISP Lists, & More in Unfurl v2022.02 Unfurl v2022.02 adds parsing for Google Search's aqs parameter, integrates MISP "warninglists", adds 3x more shortlink expansions, and more!
Hindsight Hindsight v2021.12 Hindsight v2021.12 adds parsing of more preference items, site settings (including HSTS records), Session Storage, and more!
Unfurl Metasploit URLs, Hash Lookups, & More in Unfurl v2021.06.15 A new Unfurl release is here! v2021.06.15 adds decoding of some Metasploit URLs, hash identification and API lookups, & more!
Hindsight Unfurl Plugin and "Site Characteristics" Artifact Added in Hindsight I'm happy to announce there is a new Hindsight release available! 2021.04.26 has many small improvements and fixes, including adding support for Chrome 88 - 90, but the main new features are an Unfurl plugin and parsing of the Site Characteristics Database! Unfurl Plugin I'm
Visualizations Keystroke Flow from Chrome Omnibox I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.
Hindsight New Hindsight Release: Better LevelDB parsing, New Web UI View, & More! Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!
Digital Forensics Tinkering with TikTok Timestamps I tinker with TikTok - and find a timestamp embedded in video URLs!
Unfurl New Unfurl Version Released A new version of Unfurl is here! v20200729 adds: improved Google Search URL parsing (RLZ and EI parameters), more short-link expansions, DuckDuckGo search parsing, mailto link parsing, and a better Docker setup.
Unfurl Unfurl CLI version (and now on PyPI) A new Unfurl version brings a CLI tool & easier installs via PyPI.
Hindsight Hindsight is 2020 Hindsight is 2020! ... ok, it's actually 20200607, but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight!
Digital Forensics Unfurling Unknown Protobufs With this latest update, Unfurl can now parse protobufs as well! If you hover over a field, Unfurl tries to explain a bit about wire types and possible other data formats.
Tools Unfurl... in 3D Unfurl has been a fun tool, but I've heard you: it's boring. This update to Unfurl will change all that!
Presentations & Interviews Talking about Unfurl on the Forensic Lunch Ryan Benson on Dave Cowen's Forensic Lunch talking about Unfurl (and other DFIR things).
Tools Featured Introducing Unfurl Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking a URL up into components, extracting as much information as it can from each piece, and presenting it
Open Source Tools Hindsight v2.4 Adds JSONL Output Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome (1-76), and other small fixes.
Open Source Tools Solving Magnet Forensics CTF with Plaso, Timesketch, and Colab The folks at Magnet Forensics had a digital forensics-themed Capture the Flag competition and I wanted to take a crack at it using the open source tools we use/build here at Google: Plaso, Timesketch, and Colab/Python.
Open Source Tools Hindsight v2.3 Finds and Parses Multiple Chrome Profiles Hindsight v2.3.0 adds input path searching, parsing of LocalStorage LevelDB files, support for newer versions of Chrome (1-73), and minor fixes.
Chrome Capturing Chrome's Evolution When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there that could parse it and I thought learning about browser history would be a useful skill for me.
Tools Chrome Evolution
Tools Hindsight Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications - with more to come! Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache
Presentations & Interviews Video of "Efficiently Summarizing Web Browsing Activity" at SANS DFIR Summit 2018 I spoke at the SANS DFIR Summit 2018 on "Efficiently Summarizing Web Browsing Activity" in Austin, TX. My abstract was: Reviewing web browsing activity is relevant in a wide variety of DFIR cases. With many users having multiple devices that may need to be analyzed, we need better
Open Source Tools Hindsight v2.2 Parses More Chrome Preference Items Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is: * Support for Chrome versions 1 - 66 * Preference items with timestamps now are in the Timeline * Improvements to logging Both the GUI and command line versions of this release
Presentations & Interviews Deciphering Browser Hieroglyphics I spoke about "Deciphering Browser Hieroglyphics" at the SANS DFIR Summit 2017 in Austin, TX. I talked about how to "decipher" different kinds of information stored in web browsers, using a variety of open source tools. A recording of most of the talk is available on YouTube
Visualizations Visualizing Activity from Metadata Encrypted iPhone backup? That means it's useless to an investigator (or attacker), right? Not so fast. We can still get an incredible amount of insight into the actions on the devices from the metadata alone. I am currently taking Sarah Edwards' FOR518: Mac Forensic Analysis from