Have a big number (or hex value) you found and think might be a timestamp? Drop it in `unfurl` in the terminal and see what comes out!

(add -d or --detailed if you want the type of timestamp, or run without it if you just want the value)

#DFIR #BF4SA #Unfurl 🌿

..and there's another Unfurl release as well! v2025.03 is live and adds new features and some fixes, including:

🔎 Parsing #Google Search's UDM parameter
🐘 Recognizing #Mastodon usernames and parsing Mastodon forks (like truthsocial[.]com and gab[.]com)
🧹 Utility parser to "clean up" inputs

Try it out at https://unfurl.link or read more about the update https://dfir.blog/unfurl-parses-googe-udm-and-truth-social/

#DFIR #OSINT

A new Unfurl release is here! v2025.02 adds:

🌐 Parsing encoded/obfuscated IP addresses
🦋 Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
🐛 Bug fixes & better bulk parsing

Blog: https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/
Code: https://github.com/obsidianforensics/unfurl

#DFIR #OSINT

Over the winter holiday, I was watching Netflix's Carry-On and got a bit nerd-sniped by a real Google Search URL on-screen... and then proceeded to "authenticate" it.

https://dfir.blog/authenticating-screenshots-from-netflix-carry-on-movie/

#DFIR #OSINT #Unfurl #Netflix

Another new Unfurl feature is parsing DoH (DNS over HTTPS) requests! I haven't run into these often in URLs, but hey, it's nice that Unfurl can parse them for you if you do!

Example: https://dfir.blog/unfurl/?url=https://dnsserver.example.net/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB

#DFIR #Unfurl #OSINT

Unfurl can parse JSON Web Tokens!

At the highest level, JWTs have three parts: header, payload, and signature. Unfurl first splits a #JWT into those three components, then base64-decodes the header and payload, then parses the resulting JSON objects. While Unfurl could parse all that in one step, it does it in three steps to keep with the "show your work" spirit of the tool.

Here's an example: https://dfir.blog/unfurl/?url=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJsb2dnZWRJbkFzIjoiYWRtaW4iLCJpYXQiOjE0MjI3Nzk2Mzh9.gzSraSYS8EXBxLN_oWnFSRgCzcmJmMjLiuyu5CSpyHI

#DFIR #Unfurl #OSINT

ULID (Universally Unique Lexicographically Sortable Identifier) is another ❄️-like timestamp (and Unfurl 🌿 can extract the timestamp from them).

Example: 01ARZ3NDEKTSV4RRFFQ69G5FAV

ULID Features:
🔹 Sortable
🔹 26 chars vs UUID's 36
🔹 Larger timestamp range

🔗 ULID Spec: https://github.com/ulid/spec
🔗 Unfurl example: https://dfir.blog/unfurl/?url=01ARZ3NDEKTSV4RRFFQ69G5FAV

#DFIR #Unfurl

Why do we care about timestamps embedded in UUIDs?

A UUIDv1 timestamp often correlates with when the object it represents was created. Extracting this timestamp gives us another point in our timeline (or just more context).

For example, the timestamp from the UUID in this GitHub image = time of image upload ⏰

Unfurl: https://dfir.blog/unfurl/?url=https://repository-images.githubusercontent.com/219613650/92534a80-17ab-11ea-9217-fe06f144cdb2?width=441&height=110

#DFIR #OSINT #Unfurl

UUIDv1 has a timestamp & node ID, which can be the MAC address of the machine it was generated on (or random; it depends 🤷‍♂️).

Unfurl 🌿 can extract the timestamp & node ID from a UUIDv1 and look up the vendor if it's a real MAC address.

Unfurl example: https://dfir.blog/unfurl/?url=a28cad70-0d73-11ea-aaef-0800200c9a66

#Unfurl #DFIR #OSINT

UUIDs (universally unique identifiers) are everywhere online. UUIDv4 is the most common (random), but UUIDv1 (time-based) is still out there.

The 13th digit (or 1st of 3rd group) is a quick way to tell if a UUID holds a timestamp⏰

RFC 🔗 : https://datatracker.ietf.org/doc/html/rfc4122#section-4.1.4

One gotcha to look out for is some IDs may claim to be UUIDs... and look like UUIDs... but not adhere to the RFC 🤷‍♂️.

#DFIR