Hal Pomeranz1d ago

jq is super useful, once somebody explains the basics to you. Here I am explaining the basics in a way that's applicable for all you DFIR types.

https://righteousit.com/2026/04/06/jq-for-forensics/

#JSON #DFIR #Linux

jq For Forensics

jq is a great tool for parsing JSON data. But DFIR professionals often apply jq differently from the typical examples you see written for developers.

Righteous IT
Show threadcR0w   8h ago
@hal_pomeranz I don't use jq a lot, but when I do, it's absolutely the right tool. Such a cool tool.
Show threadFennix8h ago

@cR0w @hal_pomeranz

I prefer csvtool.

recedes into the edges of your vision and vanishes

Show threadcR0w   8h ago
@fennix @hal_pomeranz Does that work with json?
Show threadFennix8h ago

@cR0w @hal_pomeranz

No, only the one true anointed file format: CSV.

(Just making bad jokes)

Show threadcR0w   8h ago
@fennix @hal_pomeranz Ah. I get it now. I should check it out though. I still use sed, awk, tr, cut, grep, etc. for csv files. And the stupid tsv files some tools export to with no other format options.
Show threadFennix

@cR0w @hal_pomeranz

If you do have to work with CSVs it's quite good.

1:56pmWeb
Show threadHal Pomeranz7h ago
@fennix @cR0w Yeah, the tricky part about CSVs is that awk/sed/etc appear to work for a time and then fail catastrophically when you get things like quoted fields containing commas.
Show threadcR0w   7h ago
@hal_pomeranz @fennix Absolutely. But for some reason I prefer fighting that to fighting tabs. I blame hardheadedness and inertia.