Ryan Benson (@_ryanbenson)'s Twitter Profile
Ryan Benson

@_ryanbenson

I do digital forensics and work on open source DFIR tools @Google. I kinda like web browsers, too. Not on Twitter often anymore, reach me at ryan 'at' dfir.blog

ID: 30110948

https://dfir.blog | 10-04-2009 00:40:53

1,1K Tweet

4,4K Followers

267 Following

unfurl🌿 (@unfurl_link)

Hi #OSINTSummit folks! 👋 Unfurl is a free, open source tool that you can use to "expand" complicated URLs and find interesting things inside them, like: 🕓 timestamps 🗜️ compressed strings 🔎 search params 🔀 shortlinks Check it out at unfurl.link! #DFIR #OSINT

Jamie Dicken (@jamie_dicken)

<Thread> Today on the way to school, I accidentally deep-dived on threat modeling, attacker math, risk acceptance, password management, and ethics with my kids (6 and 4 years old). 6YO started with a simple question: how do we prevent our car from getting stolen? 1/x

Chris Sanders 🔎 🧠 (@chrissanders88)

For analysts, a few questions related to web browser-forensics... First, how often do you reach for web browser-related forensic evidence in the investigations you work?

Ryan Benson (@_ryanbenson)

On browser forensics in #DFIR: In news.sophos.com/en-us/2022/04/…, just from the URL we can see the attackers installed Chrome the week of 2021-11-01. So much interesting stuff in URLs! Unfurl 🔗: dfir.blog/unfurl/?url=hX… h/t Phill Moore for the article and lots of nice Google research

Daily OSINT (@dailyosint)

If you need to pull out all the data in complicated URLs, Try the excellent Unfurl tool to extract and visualize each bit in the URLs. dfir.blog/unfurl/ github.com/obsidianforens… Ryan Benson #OSINT #DFIR #BlueTeam #ThreatIntel #intelligence #ThreatHunting #infosec

Ryan Benson (@_ryanbenson)

IP address in the URL? Sure, why not. You never know what you'll find in a URL (until you look 👀). 🔗dfir.blog/unfurl/?url=ht… #DFIR #OSINT

Micah (@webbreacher)

Have a long URL to decode? Use dfir.blog/unfurl/. It decodes parameters & values in the URL. Ex: I used Amazon & ran a search, copied URL, pasted into Unfurl. It broke the URL down & revealed "qid" param (2) is a time stamp and a date (3). #osint #cyber #tools

Ryan Benson (@_ryanbenson)

Apparently TikTok uses the same ID scheme for job postings as it does for videos? Random, but kind of interesting.🤷‍♂️ Example: dfir.blog/unfurl/?url=ht… More info on TikTok timestamps: dfir.blog/tinkering-with… #DFIR #TikTok #OSINT

Ryan Benson (@_ryanbenson)

Nice little tidbit here about decoding #LinkedIn profile ids from URLs, then using their sequential nature to estimate profile creation time. I see an unfurl🌿 update in the future! #DFIR #OSINT

Chris Sanders 🔎 🧠 (@chrissanders88)

A key mindset to grasp as you transition from junior analyst to a more experienced level is that you won't have all the answers, but you can ask the right questions and know where to start looking for the answers.

Alexandre Dulaunoy @adulau@infosec.exchange (@adulau)

We are reviewing our MISP (@[email protected]) warning lists and we are looking for a maintained list of hosts which are domain parking. Do you know someone doing such thing? or should we start to build one from scratch? #threatintelligence

Ryan Benson (@_ryanbenson)

With all the uncertainty @Twitter, I've seen more people talking about alternatives like #Mastodon. Like tweets, Mastodon IDs have embedded timestamps in them, and Unfurl can parse them: 🔗dfir.blog/unfurl/?url=ht… #DFIR #OSINT

Ryan Benson (@_ryanbenson)

There's a new Unfurl release! v2022.11 adds: 🔹Parsing #Twitter "s" values - all 71 of them! 🔹Timestamps from #Mastodon IDs 🔹Decoding #LinkedIn identifiers 🔹Expanding #Substack redirect links 🔹Parsing common tracking parameters Blog: dfir.blog/unfurl-parsing… #DFIR #OSINT