Hal Pomeranz

jq is super useful, once somebody explains the basics to you. Here I am explaining the basics in a way that's applicable for all you DFIR types.

https://righteousit.com/2026/04/06/jq-for-forensics/

#JSON #DFIR #Linux

jq For Forensics

jq is a great tool for parsing JSON data. But DFIR professionals often apply jq differently from the typical examples you see written for developers.

Righteous IT
Apr 6 at 6:41pmWeb
Show threadNullstring 🏴‍☠️1d ago
@hal_pomeranz jq is my boyfriend
Show threadHal Pomeranz1d ago
@0x00string jq is in my "parsing hall of fame" along with awk and tshark.
Show threadMattias Wadman11h ago
@hal_pomeranz @0x00string tried fq? i know some ppl have used it for forensic related things
Show threadHal Pomeranz10h ago
@wader @0x00string Interesting. I’ve not had a use case for that, but it looks cool.
Show threadMattias Wadman9h ago
@hal_pomeranz @0x00string btw one of my favorite things in jq that might be useful for you is construct/destruct shorthands, ex:
.. | {a, $b} is same as {a: .a, b: $b}
.. | . as {$a} is same as {a: $a}
destruct also works with arrays/nested:
.. | . as [$first, {b: $second_inside_object}]
practical example:
$ jq -c '{_HOSTNAME, MESSAGE}' journal.json
Show threadviq6h ago
@wader @hal_pomeranz @0x00string could I ask for a link? I'm failing to find it.
Edit: "fq jq" finds https://github.com/wader/fq
Show threadNullstring 🏴‍☠️5h ago
@wader @hal_pomeranz @viq this a good thread
Show threadSam6h ago
@0x00string @hal_pomeranz okay we are now nemeses
Show threadNullstring 🏴‍☠️5h ago
@0f4d0335 @hal_pomeranz jq is enough for both of us
Show threadcR0w   6h ago
@hal_pomeranz I don't use jq a lot, but when I do, it's absolutely the right tool. Such a cool tool.
Show threadFennix6h ago

@cR0w @hal_pomeranz

I prefer csvtool.

recedes into the edges of your vision and vanishes

Show threadcR0w   6h ago
@fennix @hal_pomeranz Does that work with json?
Show threadFennix6h ago

@cR0w @hal_pomeranz

No, only the one true anointed file format: CSV.

(Just making bad jokes)

Show threadcR0w   6h ago
@fennix @hal_pomeranz Ah. I get it now. I should check it out though. I still use sed, awk, tr, cut, grep, etc. for csv files. And the stupid tsv files some tools export to with no other format options.
Show threadFennix6h ago

@cR0w @hal_pomeranz

If you do have to work with CSVs it's quite good.

Show threadHal Pomeranz5h ago
@fennix @cR0w Yeah, the tricky part about CSVs is that awk/sed/etc appear to work for a time and then fail catastrophically when you get things like quoted fields containing commas.
Show threadcR0w   5h ago
@hal_pomeranz @fennix Absolutely. But for some reason I prefer fighting that to fighting tabs. I blame hardheadedness and inertia.
Show threadHal Pomeranz6h ago
@cR0w I’ve been dealing with a lot of JSON data lately and learning a lot about jq. It’s a different mindset than other tools I use and it took a while to get comfortable with it.
Show threadcR0w   6h ago
@hal_pomeranz I don't use it enough to be comfortable with it, but I have used it enough to have enough examples in my notes to no longer need the help or man page most of the time.
Show threadJess👾6h ago
@hal_pomeranz Also gotta call out yq. For when you need to parse yaml
Show threadJess👾6h ago
@hal_pomeranz and xml and csv and hcl and ...
Show threadmaaneeack6h ago
@hal_pomeranz I used jq to fix an issue at my previous job, after seeing errors about it and reinstalling jq.
Show threadHal Pomeranz5h ago
@maaneeack That’s very meta. Well done!