I do digital forensics and work on open source DFIR tools @Google. I kinda like web browsers, too. Not on Twitter often anymore, reach me at ryan 'at' dfir.blog

Joined April 2009
Pinned Tweet
Here's the blog post on my new tool: dfir.blog/introducing-unfurl… Unfurl takes a URL🔗 and expands ("unfurls") it to show all the data it contains. It's amazing how much can be hidden inside URLs! Take it for a spin and tell me what interesting stuff you find🔗🌿#DFIR #Python
Ryan Benson retweeted
Replying to @GergelyOrosz
FYI that link in the screenshot is acquired by the user tapping "Copy Link" button from the Twitter app on iPhone. That's what the parameter "s=46" means. It's safe to also drop that from the final URL. Here's where I got the s-parameter table to look up: dfir.blog/unfurl-parsing-twi…
There's a new Unfurl release! v2022.11 adds: 🔹Parsing #Twitter "s" values - all 71 of them! 🔹Timestamps from #Mastodon IDs 🔹Decoding #LinkedIn identifiers 🔹Expanding #Substack redirect links 🔹Parsing common tracking parameters Blog: dfir.blog/unfurl-parsing-twi… #DFIR #OSINT
With all the uncertainty @Twitter, I've seen more people talking about alternatives like #Mastodon. Like tweets, Mastodon IDs have embedded timestamps in them, and Unfurl can parse them: 🔗dfir.blog/unfurl/?url=mastod… #DFIR #OSINT
Ryan Benson retweeted
We are reviewing our @MISPProject warning lists and we are looking for a maintained list of hosts which are domain parking. Do you know someone doing such a thing? Or should we start to build one from scratch? #threatintelligence
Ryan Benson retweeted
A key mindset to grasp as you transition from junior analyst to a more experienced level is that you won't have all the answers, but you can ask the right questions and know where to start looking for the answers.
Nice little tidbit here about decoding #LinkedIn profile ids from URLs, then using their sequential nature to estimate profile creation time. I see an @unfurl_link update in the future! #DFIR #OSINT
30 Sep 2022
All of the profiles listed in the article and this thread were created within days of each other. jennie-biller-9b631120a victor-sites-40139b20a charolette-pare-93b3a220a vivian-christy-b1246320a maryann-robles-2924b620a 1/4
Apparently TikTok uses the same ID scheme for job postings as it does for videos? Random, but kind of interesting.🤷‍♂️ Example: dfir.blog/unfurl/?url=career… More info on TikTok timestamps: dfir.blog/tinkering-with-tik… #DFIR #TikTok #OSINT
Ryan Benson retweeted
22 Sep 2022
Have a long URL to decode? Use dfir.blog/unfurl/. It decodes parameters & values in the URL. Ex: I used Amazon & ran a search, copied URL, pasted into Unfurl. It broke the URL down & revealed "qid" param (2) is a time stamp and a date (3). #osint #cyber #tools
If you want a refresher on the benefits of allowlisting vs denylisting, just ask a 5 year old to stop doing something.
Very cool! #DFIR #Python
8 Aug 2022
forked @_RyanBenson's awesome unfurl tool and patched the library so it can easily be used in a Jupyter Notebook :) #python github.com/Droogy/unfurl_jup…
Hey, thanks! Your #DailyOSINT looks really interesting too!
Replying to @WHInspector
Of course I didn't know that when I started, but this guy @_RyanBenson has been doing a #DailyDFIR before I have even thought about it! If you're interested in #DFIR, definitely check out his hashtag! (7/8)
Ryan Benson retweeted
debugging strategy: write a message asking for help
IP address in the URL? Sure, why not. You never know what you'll find in a URL (until you look 👀). 🔗dfir.blog/unfurl/?url=samsun… #DFIR #OSINT
Ryan Benson retweeted
If you need to pull out all the data in complicated URLs, try the excellent Unfurl tool to extract and visualize each bit in the URLs. dfir.blog/unfurl/ github.com/obsidianforensics… @_RyanBenson #OSINT #DFIR #BlueTeam #ThreatIntel #intelligence #ThreatHunting #infosec
Wooo! Thanks!
Another #DFIRfitin2022 winner prize pack on its wayyyyyyyyyy :) @_RyanBenson
On browser forensics in #DFIR: In news.sophos.com/en-us/2022/0…, just from the URL we can see the attackers installed Chrome the week of 2021-11-01. So much interesting stuff in URLs! Unfurl 🔗: dfir.blog/unfurl/?url=hXXps:… h/t @phillmoore for the article and lots of nice Google research
Ryan Benson retweeted
<Thread> Today on the way to school, I accidentally deep-dived on threat modeling, attacker math, risk acceptance, password management, and ethics with my kids (6 and 4 years old). 6YO started with a simple question: how do we prevent our car from getting stolen? 1/x
Ryan Benson retweeted
For analysts, a few questions related to web browser-forensics... First, how often do you reach for web browser-related forensic evidence in the investigations you work?
28% Very Frequently
34% Somewhat Frequently
31% Rarely
6% Never
127 votes • Final results
Ryan Benson retweeted
Hi #OSINTSummit folks! 👋 Unfurl is a free, open source tool that you can use to "expand" complicated URLs and find interesting things inside them, like: 🕓 timestamps 🗜️ compressed strings 🔎 search params 🔀 shortlinks Check it out at unfurl.link! #DFIR #OSINT