RyanDFIR

I do #DFIR at Google and work on open source tools. Author of Unfurl and Hindsight.

2025-03-13

..and there's another Unfurl release as well! v2025.03 is live and adds new features and some fixes, including:

🔎 Parsing #Google Search's UDM parameter
🐘 Recognizing #Mastodon usernames and parsing Mastodon forks (like truthsocial[.]com and gab[.]com)
🧹 Utility parser to "clean up" inputs

Try it out at unfurl.link or read more about the update dfir.blog/unfurl-parses-googe-

#DFIR #OSINT

Google Search "Images" Results Page with UDM=2
2025-03-11

There's a new Hindsight release!

Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.

๐ŸŒ Blog: dfir.blog/hindsight-parses-bro
๐Ÿ› ๏ธ Tool download: hindsig.ht/release

#DFIR #Chrome #Extensions

2025-02-19

A new Unfurl release is here! v2025.02 adds:

๐ŸŒ Parsing encoded/obfuscated IP addresses
๐Ÿฆ‹ Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
๐Ÿ› Bug fixes & better bulk parsing

Blog: dfir.blog/unfurl-parses-obfusc
Code: github.com/obsidianforensics/u

#DFIR #OSINT

Unfurl parsing a deceptive URL with a username and encoded IP address
2025-01-13

Over the winter holiday, I was watching Netflix's Carry-On and got a bit nerd-sniped by a real Google Search URL on-screen... and then proceeded to "authenticate" it.

dfir.blog/authenticating-scree

#DFIR #OSINT #Unfurl #Netflix

A Google Search Results Page (SERP) from the Netflix movie Carry-On
2024-11-04

There's a new Hindsight release! v2024.10 adds:

- Parsing of the DIPS (Detect Incidental Party State) database

- Parsing of IndexedDB records

- Moving to using more of Alex Caithness' ccl_chromium_reader library behind the scenes (starting with cache and IndexedDB records)

- Support for up to Chrome 130

- Many minor fixes and updates (see release page for more info)

Get it at hindsig.ht/release!

RyanDFIR boosted:
Claus Cramon Houmann (claushoumann)
2024-11-04

Another @hack_lu “frequent flyer” is on stage now, Thomas Chopitea, to present -> codifying digital forensics intelligence

RyanDFIR boosted:
Thunderous Prophet 🦕 (ThunderousProphet@mstdn.social)
2023-10-26

Company: We want everyone to go back to the office because people work better together.

Also Company: We're not going to approve any travel because people can work with each other via Zoom.

2023-10-19

After waking up at 3:19am this morning to a test earthquake alert (7 hours earlier than planned), my first thought was "timezones are hard." Glad to know this holds true outside #DFIR as well lol.

2023-09-29

Another new Unfurl feature is parsing DoH (DNS over HTTPS) requests! I haven't run into these often in URLs, but hey, it's nice that Unfurl can parse them for you if you do!

Example: dfir.blog/unfurl/?url=https://

#DFIR #Unfurl #OSINT
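The DoH GET form the post refers to is the one from RFC 8484: a DNS wire-format query, base64url-encoded without padding, carried in a `dns` query parameter. The following is an added Python example, not Unfurl's own code: it builds such a URL for a constructed query (the resolver host `doh.example` and the queried name are placeholders) and then parses it back into the message header and question section.

```python
import base64
import struct
from urllib.parse import parse_qs, urlparse

# Constructed for this example: the DoH GET form from RFC 8484 (a DNS wire-format
# query, base64url-encoded without padding, in a "dns" query parameter).
# Resolver URL and names are placeholders, not taken from the post.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 65: "HTTPS"}


def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + label, terminated by 0."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_doh_url(name, qtype=1, resolver="https://doh.example/dns-query"):
    """Build a DoH GET URL for one question (ID 0 and RD set, as RFC 8484 shows)."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    dns = base64.urlsafe_b64encode(header + question).rstrip(b"=").decode()
    return f"{resolver}?dns={dns}"


def decode_name(msg, offset):
    """Read one uncompressed name from msg at offset; return (name, next_offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_doh_url(url):
    """Return header fields and the question section of a DoH GET request URL."""
    params = parse_qs(urlparse(url).query)
    if "dns" not in params:
        raise ValueError("no dns= parameter")
    raw = params["dns"][0]
    msg = base64.urlsafe_b64decode(raw + "=" * (-len(raw) % 4))  # restore padding
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    questions, offset = [], 12
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "qtype": qtype,
                          "qtype_name": QTYPE_NAMES.get(qtype, str(qtype)),
                          "qclass": qclass})
    return {"id": msg_id, "flags": flags,
            "recursion_desired": bool(flags & 0x0100), "questions": questions}


if __name__ == "__main__":
    url = build_doh_url("www.example.com")
    print(url)
    print(parse_doh_url(url))
```

The message ID is zero on purpose: RFC 8484 recommends it for GET so that identical queries produce identical URLs and can be cached. A DoH POST carries the same bytes as the request body with `Content-Type: application/dns-message`, so `parse_doh_url` would only need the base64 step removed to handle that case.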

2023-09-28

Unfurl can parse JSON Web Tokens!

At the highest level, JWTs have three parts: header, payload, and signature. Unfurl first splits a #JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.

Here's an example: dfir.blog/unfurl/?url=eyJhbGci

#DFIR #Unfurl #OSINT
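The three-step parse described in the post (split on dots, base64url-decode header and payload, parse the JSON) as an added Python example. This is not Unfurl's code; the token, its claims and the HMAC secret are constructed here so the example runs offline. It also shows the step parsing deliberately leaves out: verifying the signature, which is the only part that needs the key.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment):
    # JWS segments are base64url with padding stripped (RFC 7515); restore it.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Step 1: a compact JWS is exactly header.payload.signature."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    return parts


def parse_jwt(token):
    """Steps 2 and 3: base64url-decode header and payload, then parse the JSON.
    No key is needed for any of this: claims are readable by anyone holding the token."""
    header_b64, payload_b64, sig_b64 = split_jwt(token)
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(sig_b64)
    times = {k: datetime.fromtimestamp(payload[k], tz=timezone.utc)
             for k in ("iat", "nbf", "exp") if isinstance(payload.get(k), (int, float))}
    return {"header": header, "payload": payload, "times": times,
            "signature_hex": signature.hex(),
            "unsigned": str(header.get("alg", "")).lower() == "none" or not signature}


def make_jwt(header, payload, key):
    """Build an HS256 token; used only to construct the sample below."""
    segments = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
                for obj in (header, payload)]
    signing_input = ".".join(segments).encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [b64url_encode(sig)])


def verify_hs256(token, key):
    """Parsing is not verification: this is the extra step that needs the secret."""
    header_b64, payload_b64, sig_b64 = split_jwt(token)
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


# Constructed sample token (secret and claims are made up for this example).
SAMPLE_KEY = b"example-secret"
SAMPLE_JWT = make_jwt({"alg": "HS256", "typ": "JWT"},
                      {"sub": "1234567890", "name": "Ada", "iat": 1516239022},
                      SAMPLE_KEY)
```

`parse_jwt` flags a token as `unsigned` when the header claims `alg` of `none` or the third segment is empty; on a forensic timeline that distinction matters because an unsigned token's claims could have been written by anyone, while a token that verifies under the issuer's key was minted by something holding that key.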

2023-09-27

A new Unfurl release is here! v2023.09 adds new features and some fixes. The release adds:
🔹 Parsing of JWTs (JSON Web Tokens)
🔹 Parsing of DoH (DNS over HTTPS) URLs
🔹 More recognized #Mastodon servers

Blog post with more details: dfir.blog/unfurl-parsing-jwt-a

#DFIR #Unfurl #OSINT

2023-09-18

ULID (Universally Unique Lexicographically Sortable Identifier) is another ❄️-like timestamp (and Unfurl 🌿 can extract the timestamp from them).

Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV

ULID Features:
🔹 Sortable
🔹 26 chars vs UUID's 36
🔹 Larger timestamp range

🔗 ULID Spec: github.com/ulid/spec
🔗 Unfurl example: dfir.blog/unfurl/?url=01ARZ3ND

#DFIR #Unfurl
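Extracting the timestamp from a ULID, as an added Python example (not Unfurl's implementation). It decodes the first 10 Crockford base32 characters into the 48-bit millisecond timestamp and the remaining 16 into the 80-bit randomness, using the spec's example ULID from the post; `make_ulid` and `sorted_by_time` are helpers written here to show the encoding and the sortability property.

```python
from datetime import datetime, timedelta, timezone

CROCKFORD = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"  # Crockford base32: no I, L, O, U
DECODE = {c: i for i, c in enumerate(CROCKFORD)}
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_ulid(ulid):
    """Split a ULID into its 48-bit millisecond timestamp and 80-bit randomness."""
    s = ulid.strip().upper()
    if len(s) != 26 or any(c not in DECODE for c in s):
        raise ValueError("not a ULID: 26 Crockford base32 characters expected")
    if s[0] > "7":
        raise ValueError("timestamp overflows 48 bits (first char must be 0-7)")
    ms = 0
    for c in s[:10]:            # 10 chars x 5 bits = 50 bits; top 2 bits are always zero
        ms = ms * 32 + DECODE[c]
    rand = 0
    for c in s[10:]:            # 16 chars x 5 bits = 80 bits of randomness
        rand = rand * 32 + DECODE[c]
    return {"timestamp_ms": ms,
            "timestamp": UNIX_EPOCH + timedelta(milliseconds=ms),  # integer math, no float rounding
            "randomness_hex": f"{rand:020x}"}


def make_ulid(ms, randomness):
    """Inverse of parse_ulid; a helper for this example, used to build test values."""
    if not 0 <= ms < 1 << 48 or not 0 <= randomness < 1 << 80:
        raise ValueError("out of range")
    value = (ms << 80) | randomness       # 130 bits = 26 x 5
    chars = []
    for _ in range(26):
        chars.append(CROCKFORD[value & 31])
        value >>= 5
    return "".join(reversed(chars))


def sorted_by_time(ulids):
    """ULIDs sort lexicographically by creation time, so a plain string sort orders them."""
    return sorted(ulids, key=str.upper)


# The example ULID from the spec README, as quoted in the post.
SPEC_EXAMPLE = "01ARZ3NDEKTSV4RRFFQ69G5FAV"
```

The overflow check matters in practice: a 26-character string in the right alphabet whose first character is 8 or above is not a valid ULID, and treating it as one would produce a timestamp far in the future.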

2023-09-15

@azonenberg I still run into them a surprising amount 🤷‍♂️. To be fair, I also kinda go looking for them.

2023-09-15

Why do we care about timestamps embedded in UUIDs?

A UUIDv1 timestamp often correlates with when the object it represents was created. Extracting this timestamp gives us another point in our timeline (or just more context).

For example, the timestamp from the UUID in this GitHub image = time of image upload ⏰

Unfurl: dfir.blog/unfurl/?url=https://

#DFIR #OSINT #Unfurl

2023-09-14

UUIDv1 has a timestamp & node ID, which can be the MAC address of the machine it was generated on (or random; it depends 🤷‍♂️).

Unfurl 🌿 can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address.

Unfurl example: dfir.blog/unfurl/?url=a28cad70

#Unfurl #DFIR #OSINT

2023-09-13

UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is the most common (random), but UUIDv1 (time-based) is still out there.

The 13th digit (or 1st of 3rd group) is a quick way to tell if a UUID holds a timestamp ⏰

RFC 🔗: datatracker.ietf.org/doc/html/

One gotcha to look out for is some IDs may claim to be UUIDs... and look like UUIDs... but not adhere to the RFC 🤷‍♂️.

#DFIR
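The three UUID posts above (version nibble check, v1 timestamp and node ID, and the "looks like a UUID but isn't RFC" gotcha) in one added Python example. This is not Unfurl's code: it reads the version from the 13th hex digit, checks the variant bits before trusting it, converts the v1 timestamp from 100-ns ticks since 1582-10-15, and reports whether the node is a real MAC or a random one (random nodes carry the multicast bit). The v1 example UUID is the one in RFC 4122; the v4 and non-RFC strings are constructed for contrast. Vendor lookup needs an IEEE OUI table and is left out.

```python
import uuid
from datetime import datetime, timedelta, timezone

# 100-ns ticks from the Gregorian epoch (1582-10-15) to the Unix epoch (1970-01-01)
GREGORIAN_TO_UNIX = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def inspect_uuid(text):
    """Classify a UUID-shaped string and pull out what a v1 carries."""
    try:
        u = uuid.UUID(text.strip("{}"))
    except ValueError:
        return {"is_uuid": False}
    h = u.hex                        # 32 hex digits, no dashes
    version = int(h[12], 16)         # 13th hex digit = first char of the 3rd group
    variant_nibble = int(h[16], 16)  # first char of the 4th group holds the variant bits
    rfc_variant = (variant_nibble & 0b1100) == 0b1000   # binary 10xx: RFC 4122/9562 layout
    info = {"is_uuid": True, "version": version, "rfc_variant": rfc_variant, "timestamp": None}
    if not rfc_variant:
        # Looks like a UUID, but the variant bits say the version nibble means nothing here.
        return info
    if version == 1:
        ticks = u.time               # 60-bit count of 100-ns intervals since 1582-10-15
        info["timestamp"] = UNIX_EPOCH + timedelta(microseconds=(ticks - GREGORIAN_TO_UNIX) // 10)
        node = u.node
        info["node"] = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
        # Multicast bit of the first octet set => node was random, not a real MAC.
        # Mapping a real MAC to its vendor needs an OUI table, which this example does not ship.
        info["node_is_random"] = bool((node >> 40) & 1)
        info["clock_seq"] = u.clock_seq
    return info


# UUIDv1 example from RFC 4122 (not from the post); the others below are constructed.
RFC_EXAMPLE_V1 = "f81d4fae-7dec-11d0-a765-00a0c91e6bf6"
```

The variant check is what guards against the gotcha in the post: `12345678-1234-1234-1234-123456789012` has a 1 in the 13th position, but its variant bits are 00 (the old NCS layout), so `inspect_uuid` reports no timestamp rather than decoding garbage.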

2023-09-12

@4n68r Very early days, for sure. Glad you think it looks useful 😀

2023-09-12

Discord is a chat app, but it can send files as attachments too.

File attachment URLs are different from Message URLs, but still contain interesting info. They look like:

https://cdn[.]discordapp[.]com/attachments/622136585277931532/663421350353829929/unfurl.png

We can tell when a file was uploaded to Discord, just from its URL, by looking at the timestamp in the File ID (2nd snowflake ❄️):

Unfurl example: dfir.blog/unfurl/?url=https://

#Discord #DFIR #Unfurl #OSINT

2023-09-11

Another service with timestamps embedded in IDs is #Discord.

A typical Discord message URL contains three IDs, and thus three timestamps. We can extract when the server, channel, and message were created ⏰.

Unfurl example: dfir.blog/unfurl/?url=https://
Discord reference: discord.com/developers/docs/re

#DFIR #Unfurl
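The two Discord posts above (three timestamps from a message URL, and the upload time from an attachment URL's second snowflake) as one added Python example, not Unfurl's code. A Discord snowflake is a 64-bit integer whose top 42 bits are milliseconds since the Discord epoch (2015-01-01T00:00:00Z, per the developer docs linked in the post), followed by 5-bit worker and process IDs and a 12-bit increment. The attachment URL is the defanged one quoted in the post; the message URL and `make_snowflake` helper are constructed here.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, per Discord's developer docs
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
SNOWFLAKE = re.compile(r"\d{17,20}")


def parse_snowflake(snowflake):
    """Split a snowflake: 42-bit ms timestamp | 5-bit worker | 5-bit process | 12-bit increment."""
    if not SNOWFLAKE.fullmatch(str(snowflake)):
        raise ValueError(f"not a snowflake: {snowflake!r}")
    n = int(snowflake)
    ms = (n >> 22) + DISCORD_EPOCH_MS
    return {"timestamp": UNIX_EPOCH + timedelta(milliseconds=ms),
            "worker_id": (n >> 17) & 0x1F,
            "process_id": (n >> 12) & 0x1F,
            "increment": n & 0xFFF}


def make_snowflake(ms, worker=0, process=0, increment=0):
    """Inverse of parse_snowflake; a helper for this example, used to build constructed IDs."""
    return ((ms - DISCORD_EPOCH_MS) << 22) | (worker << 17) | (process << 12) | increment


def parse_discord_url(url):
    """Pull creation times out of a message URL (3 IDs) or a CDN attachment URL (2 IDs)."""
    u = urlparse(url.replace("[.]", "."))   # accept defanged URLs like the one in the post
    host = (u.hostname or "").lower()
    parts = [p for p in u.path.split("/") if p]
    if host in {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"} \
            and len(parts) == 4 and parts[0] == "channels":
        server, channel, message = (parse_snowflake(p)["timestamp"] for p in parts[1:])
        return {"kind": "message", "server_created": server,
                "channel_created": channel, "message_created": message}
    if host in {"cdn.discordapp.com", "media.discordapp.net"} \
            and len(parts) == 4 and parts[0] == "attachments":
        channel, attachment = (parse_snowflake(p)["timestamp"] for p in parts[1:3])
        return {"kind": "attachment", "channel_created": channel,
                "file_uploaded": attachment, "filename": parts[3]}
    raise ValueError("not a recognised Discord message or attachment URL")


# Attachment URL quoted in the post (defanged); message URLs used with it are constructed.
POST_ATTACHMENT_URL = "https://cdn[.]discordapp[.]com/attachments/622136585277931532/663421350353829929/unfurl.png"
```

Only the path is inspected, so any query string on a CDN link is ignored. The increment field is worth keeping: two IDs minted in the same millisecond on the same worker differ only there, which tells you their relative order when the timestamps tie.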

2023-09-09

@abrignoni Thanks for all the kind words for Unfurl ☺️
