Have a big number (or hex value) you found and think might be a timestamp? Drop it in `unfurl` in the terminal and see what comes out!
(add -d or --detailed if you want the type of timestamp, or run without it if you just want the value)
#DFIR #BF4SA #Unfurl 🌿
There's a new Hindsight release! v2026.01 brings new features, including:
🔄 Parsing Sync Data
⌨️ Updated terminal interface
📂 Improved output formats
⚙️ Many fixes and enhancements
Read more at dfir.blog/hindsight-v2... or download the new version from GitHub: github.com/obsidianfore...
A new Unfurl release (unfurl.link) is here! v2025.08 has:
🆔 Parsing more from TikTok IDs (millisecond timestamp, entity type (user account, device, live session, or video), and more). Thanks to Benjamin Steel for the paper arxiv.org/abs/2504.13279
📝 Full release notes: github.com/obsidianfore...
This story is absolutely insane. And we don't usually get a front-row seat to insider threat investigations
Spy got tricked by a honeypot and implicated the most senior leaders at the victim's biggest competitors.
I go through it all here: youtu.be/tDG1WfbSZFo
Unfurl v2025.03 is live and adds new features, including:
🔎 Parsing #Google Search's UDM parameter
🐘 Recognizing #Mastodon usernames and parsing forks (like truthsocial[.]com and gab[.]com)
🧹 Utility parser to "clean up" inputs
Try it: unfurl.link
Blog post: dfir.blog/unfurl-parse...
#DFIR #OSINT
There's a new Hindsight release!
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
🌐 Blog: dfir.blog/hindsight-pa...
🛠️ Tool download: hindsig.ht/release
#DFIR #Chrome #Extensions
A new Unfurl release is here! v2025.02 adds:
🌐 Parsing encoded/obfuscated IP addresses
🦋 Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
🐛 Bug fixes & better bulk parsing
Blog: dfir.blog/unfurl-parse...
Code: github.com/obsidianfore...
#DFIR #OSINT
Unfurl can do this as well - the timestamp is embedded in the ID in the URL, so no login/etc needed, just the URL.
Example: dfir.blog/unfurl/?url=...
Want to break down what is in a URL? Try Unfurl from Ryan Benson and gain further insights! dfir.blog/unfurl/
#DFIR
A Google Search Results Page (SERP) from the Netflix movie Carry-On
Over the winter holiday, I was watching Netflix's Carry-On and got a bit nerd-sniped by a real Google Search URL on-screen... and then proceeded to "authenticate" it.
dfir.blog/authenticati...
#DFIR #OSINT #Unfurl #Netflix
The Raiders can’t even be good at being bad…
Unless they fundamentally change how tweets work (which seems unlikely), the timestamp can be extracted from the URL (no API needed).
Taking your tweet about the timestamps as an example, a tool like Unfurl can show it was sent at 2024-12-04 21:13:20.296 UTC.
Example: dfir.blog/unfurl/?url=...
CTFs present challenges that you likely haven’t seen before. I’ve taken away new skills from every CTF I’ve ever participated in.
A new episode is live now of @dfnpodcast.bsky.social www.youtube.com/live/4H9TLL8...
Since I'm trying out #Bluesky, I figured I should add in support for it in Unfurl!
The v2024.11.20 release has some minor updates, but the biggest feature is the ability to parse a timestamp from Bluesky post IDs (or atproto TIDs).
Example: dfir.blog/unfurl/?url=...
Give it a try at unfurl.link!
New Timesketch release is out. Two highlights:
- Unfurl [1] integration, get information from URLs directly in your timeline.
- DFIQ [2] support with context aware SearchHistory.
Changelog: timesketch.org/changelog/#v...
[1] dfiq.org
[2] dfir.blog/introducing-...
Oh hi everyone! I've missed what #DFIR Twitter used to be - here's to hoping we can get something similar going here!
