Have a big number (or hex value) you found and think might be a timestamp? Drop it in `unfurl` in the terminal and see what comes out!
(add -d or --detailed if you want the type of timestamp, or run without it if you just want the value)
#DFIR #BF4SA #Unfurl
Posts by Ryan Benson
There's a new Hindsight release! v2026.01 brings new features, including:
- Parsing Sync Data
- Updated terminal interface
- Improved output formats
- Many fixes and enhancements
Read more at dfir.blog/hindsight-v2... or download the new version from GitHub: github.com/obsidianfore...
A new Unfurl release (unfurl.link) is here! v2025.08 has:
- Parsing more from TikTok IDs (millisecond timestamp, entity type (user account, device, live session, or video), and more). Thanks to Benjamin Steel for the paper arxiv.org/abs/2504.13279
Full release notes: github.com/obsidianfore...
This story is absolutely insane. And we don't usually get a front-row seat to insider threat investigations
Spy got tricked by a honeypot and implicated the most senior leaders at the victim's biggest competitors.
I go through it all here: youtu.be/tDG1WfbSZFo
Unfurl v2025.03 is live and adds new features, including:
- Parsing #Google Search's UDM parameter
- Recognizing #Mastodon usernames and parsing forks (like truthsocial[.]com and gab[.]com)
- Utility parser to "clean up" inputs
Try it: unfurl.link
Blog post: dfir.blog/unfurl-parse...
#DFIR #OSINT
There's a new Hindsight release!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
Blog: dfir.blog/hindsight-pa...
Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
A new Unfurl release is here! v2025.02 adds:
- Parsing encoded/obfuscated IP addresses
- Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
- Bug fixes & better bulk parsing
Blog: dfir.blog/unfurl-parse...
Code: github.com/obsidianfore...
#DFIR #OSINT
Unfurl can do this as well - the timestamp is embedded in the ID in the URL, so no login/etc needed, just the URL.
Example: dfir.blog/unfurl/?url=...
Want to break down what is in a URL? Try Unfurl from Ryan Benson and gain further insights! dfir.blog/unfurl/
#DFIR
A Google Search Results Page (SERP) from the Netflix movie Carry-On
Over the winter holiday, I was watching Netflix's Carry-On and got a bit nerd-sniped by a real Google Search URL on-screen... and then proceeded to "authenticate" it.
dfir.blog/authenticati...
#DFIR #OSINT #Unfurl #Netflix
The Raiders can't even be good at being bad…
Unless they fundamentally change how tweets work (which seems unlikely), the timestamp can be extracted from the URL (no API needed).
Taking your tweet about the timestamps as an example, a tool like Unfurl can show it was sent at 2024-12-04 21:13:20.296 UTC.
Example: dfir.blog/unfurl/?url=...
CTFs present challenges that you likely haven't seen before. I've taken away new skills from every CTF I've ever participated in.
Since I'm trying out #Bluesky, I figured I should add in support for it in Unfurl!
The v2024.11.20 release has some minor updates, but the biggest feature is the ability to parse a timestamp from Bluesky post IDs (or atproto TIDs).
Example: dfir.blog/unfurl/?url=...
Give it a try at unfurl.link!
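How the two ID formats mentioned in the posts above (tweet IDs and Bluesky/atproto TIDs) carry their timestamps, as an added example that is not part of the original posts and is not Unfurl's code. It assumes the publicly documented layouts: a Snowflake ID holds milliseconds since 1288834974657 above its low 22 bits, and a TID is 13 base32-sortable characters holding microseconds above a 10-bit clock ID. The function names and the sample IDs (constructed from the time quoted above) are illustrative.

```python
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
TWITTER_EPOCH_MS = 1288834974657  # Snowflake epoch, in ms since the Unix epoch
TID_ALPHABET = "234567abcdefghijklmnopqrstuvwxyz"  # atproto "base32-sortable"


def snowflake_time(status_id: int) -> datetime:
    """Creation time from a tweet ID: bits above the low 22 are milliseconds."""
    if not 0 < status_id < 1 << 63:
        raise ValueError("not a positive 63-bit Snowflake ID")
    ms = (status_id >> 22) + TWITTER_EPOCH_MS
    return UNIX_EPOCH + timedelta(milliseconds=ms)


def tid_time(tid: str) -> datetime:
    """Creation time from an atproto TID: microseconds above 10 clock-ID bits."""
    if len(tid) != 13 or tid[0] not in TID_ALPHABET[:16]:
        raise ValueError("TID must be 13 chars starting with one of 234567abcdefghij")
    value = 0
    for ch in tid:
        idx = TID_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"invalid TID character: {ch!r}")
        value = (value << 5) | idx
    return UNIX_EPOCH + timedelta(microseconds=value >> 10)


def encode_tid(when: datetime, clock_id: int = 0) -> str:
    """Hypothetical helper: build a constructed TID to exercise the decoder."""
    value = ((when - UNIX_EPOCH) // timedelta(microseconds=1)) << 10 | clock_id
    return "".join(TID_ALPHABET[(value >> s) & 31] for s in range(60, -1, -5))


if __name__ == "__main__":
    # Constructed sample IDs, built from the time quoted in the post above.
    when = datetime(2024, 12, 4, 21, 13, 20, 296000, tzinfo=timezone.utc)
    ms = (when - UNIX_EPOCH) // timedelta(milliseconds=1)
    tweet_id = (ms - TWITTER_EPOCH_MS) << 22
    print(tweet_id, snowflake_time(tweet_id).isoformat())
    tid = encode_tid(when, clock_id=5)
    print(tid, tid_time(tid).isoformat())
```

The low 22 bits of a Snowflake and the low 10 bits of a TID do not affect the decoded time, so two IDs created in the same tick decode to the same timestamp.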
New Timesketch release is out. Two highlights:
- Unfurl [1] integration, get information from URLs directly in your timeline.
- DFIQ [2] support with context aware SearchHistory.
Changelog: timesketch.org/changelog/#v...
[1] dfiq.org
[2] dfir.blog/introducing-...
Oh hi everyone! I've missed what #DFIR Twitter used to be - here's to hoping we can get something similar going here!