The "ved" parameter in Google URLs contains valuable link context. I've found a new version ("v2") with more info! | dfir.blog
There are many query string parameters in Google Search URLs that hold interesting information. The rlz parameter is no exception, but thankfully it isn't as mysterious as many others; Google explains what the RLZ parameter is and how it functions in a white paper. From the Google Chrome Privacy Whitepaper:
Chrome has evolved since its release. Use this interactive visualization to explore how!
Digital forensics, web browsers, visualizations, & open source tools
When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there that could parse it and I thought learning about browser history would be a useful skill for me. I started
Unfurl v2025.03 adds new features, including parsing Google Search's UDM parameter, support for Mastodon forks (like Truth Social), and a utility parser to "clean up" inputs.
Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.
Unfurl v2025.02 adds parsing of obfuscated IP addresses, more Bluesky timestamps, and more!
I watch Netflix's Carry-On, notice a real Google Search URL on screen, extract lots of data points from it and "authenticate" the screenshot.
The talk "What Can DFIQ Do For You?" that Jon Brown and I gave at the SANS DFIR Summit 2023 has been posted on YouTube!
Unfurl v2023.09 adds parsing for JWTs, URLs with encoded DoH (DNS over HTTPS) requests, and more Mastodon servers.
This "social media edition" Unfurl release includes parsing Twitter sharing codes, timestamps from Mastodon and LinkedIn IDs, expanding Substack redirects, & more!
Unfurl v2022.02 adds parsing for Google Search's aqs parameter, integrates MISP "warninglists", adds 3x more shortlink expansions, and more!
Hindsight v2021.12 adds parsing of more preference items, site settings (including HSTS records), Session Storage, and more!
To support stronger security for Chrome, some network-related files - including the Cookies database - are moving locations on disk.
A new Unfurl release is here! v2021.06.15 adds decoding of some Metasploit URLs, hash identification and API lookups, more control over remote lookups, better UUID parsing, and a few more shortlink expansions. It also has a number of smaller fixes, code cleanups, and tests.
I'm happy to announce there is a new Hindsight release available! 2021.04.26 has many small improvements and fixes, including adding support for Chrome 88 - 90, but the main new features are an Unfurl plugin and parsing of the Site Characteristics Database! Unfurl Plugin I'm excited that this new
I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.
Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!
A look back at a year of tweeting every day about DFIR topics - including a recap of the most popular tweets, coverage trends, and what's next in 2021.
There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!
My talk "Extract and Visualize Data from URLs using Unfurl" at the SANS DFIR Summit 2020 has been posted on YouTube! I had a great time presenting at the first ever virtual DFIR Summit (yay 2020). Check out the video below and give Unfurl a try!
I tinker with TikTok - and find a timestamp embedded in video URLs!