I do #DFIR at Google and work on open source tools. Author of Unfurl and Hindsight.
Website: https://dfir.blog
Unfurl: https://unfurl.link
Hindsight: https://hindsig.ht
DFIQ: https://dfiq.org

Have a big number (or hex value) you found and think might be a timestamp? Drop it in `unfurl` in the terminal and see what comes out!

(add -d or --detailed if you want the type of timestamp, or run without it if you just want the value)

#DFIR #BF4SA #Unfurl 🌿

A new Unfurl release (https://unfurl.link) is here! v2025.08 brings:

🆔 Parsing more out of a TikTok ID
The parser now extracts milliseconds (instead of just seconds), entity type (user account, device, live session, or video), sequence numbers, and machine ID from each ID. Thanks to Benjamin Steel for the help and research paper (https://arxiv.org/abs/2504.13279)!

🪲 Fixed bug in Google Search EI timestamp parsing
In instances where the microsecond component of an EI timestamp had leading zeros, they were improperly combined with the seconds component (the leading zeros were dropped), which resulted in an incorrect timestamp conversion. Thanks to a user for finding this and reporting it so it could be fixed.

๐Ÿ› ๏ธ Other Minor Changes
A few more behind-the-scenes changes are in this version too, including updating the Docker environment.

🌿 Get it!
To get Unfurl with these latest updates, you can:

- use it online at https://dfir.blog/unfurl or unfurl.link
- if using pip, `pip install dfir-unfurl -U` will upgrade your local Unfurl to the latest
- View the release on GitHub (https://github.com/obsidianforensics/unfurl/releases/tag/v2025.08)
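The leading-zero bug described under "Fixed bug in Google Search EI timestamp parsing" above, shown as an added example rather than Unfurl's own code. It assumes only what the post states: that the parser ends up with a separate seconds component and microseconds component. How the EI parameter itself is decoded is not covered here, so both components are taken as plain integers and the sample values are constructed. The defective combination glues the two numbers together as text, so a microseconds value such as 5000 becomes ".5000" (half a second) instead of ".005000"; the corrected version pads to six digits.

```python
"""Buggy vs. corrected combination of a seconds field and a microseconds field.

Added illustration; not Unfurl's code.  Assumption: the parser has already
split the timestamp into `seconds` and `microseconds` integers.
"""
from datetime import datetime, timedelta, timezone
from decimal import Decimal

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def combine_buggy(seconds: int, microseconds: int) -> int:
    """Defective approach: concatenate the two integers as text.

    str(5000) is "5000", so 1700000000 + 5000 us becomes "1700000000.5000",
    i.e. half a second late.  Any microseconds value with fewer than six
    digits (other than 0) is shifted this way.  Decimal keeps the result
    exact so the error can be measured in whole microseconds.
    """
    return int(Decimal(f"{seconds}.{microseconds}") * 1_000_000)


def combine_fixed(seconds: int, microseconds: int) -> int:
    """Correct approach: treat microseconds as a count, never as digits."""
    if not 0 <= microseconds < 1_000_000:
        raise ValueError("microseconds must be in [0, 999999]")
    return seconds * 1_000_000 + microseconds


def to_datetime(total_us: int) -> datetime:
    """Convert total microseconds since the Unix epoch to an aware datetime."""
    return EPOCH + timedelta(microseconds=total_us)


def error_microseconds(seconds: int, microseconds: int) -> int:
    """How far the buggy conversion lands from the correct instant (in us)."""
    return combine_buggy(seconds, microseconds) - combine_fixed(seconds, microseconds)


if __name__ == "__main__":
    # Constructed sample values: 1700000000 s is 2023-11-14T22:13:20Z.
    for sec, us in [(1700000000, 5000), (1700000000, 123456), (1700000000, 7)]:
        print(
            f"{sec} s + {us:>6} us  buggy={to_datetime(combine_buggy(sec, us)).isoformat()}"
            f"  fixed={to_datetime(combine_fixed(sec, us)).isoformat()}"
            f"  error={error_microseconds(sec, us)} us"
        )
```

The check in `combine_fixed` also rejects a microseconds component that is out of range, which the text-concatenation version would silently accept.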


...and there's another Unfurl release as well! v2025.03 is live and adds new features and some fixes, including:

🔎 Parsing #Google Search's UDM parameter
🐘 Recognizing #Mastodon usernames and parsing Mastodon forks (like truthsocial[.]com and gab[.]com)
🧹 Utility parser to "clean up" inputs

Try it out at https://unfurl.link or read more about the update https://dfir.blog/unfurl-parses-googe-udm-and-truth-social/

#DFIR #OSINT


There's a new Hindsight release!

Hindsight v2025.03 focuses on Extensions - parsing more activity and state records, highlighting Extension permissions, and making it easier to examine Manifests.

๐ŸŒ Blog: https://dfir.blog/hindsight-parses-browser-extensions/
๐Ÿ› ๏ธ Tool download: https://hindsig.ht/release

#DFIR #Chrome #Extensions


A new Unfurl release is here! v2025.02 adds:

๐ŸŒ Parsing encoded/obfuscated IP addresses
๐Ÿฆ‹ Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
๐Ÿ› Bug fixes & better bulk parsing

Blog: https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/
Code: https://github.com/obsidianforensics/unfurl

#DFIR #OSINT


Over the winter holiday, I was watching Netflix's Carry-On and got a bit nerd-sniped by a real Google Search URL on-screen... and then proceeded to "authenticate" it.

https://dfir.blog/authenticating-screenshots-from-netflix-carry-on-movie/

#DFIR #OSINT #Unfurl #Netflix


There's a new Hindsight release! v2024.10 adds:

- Parsing of the DIPS (Detect Incidental Party State) database

- Parsing of IndexedDB records

- Moving to using more of Alex Caithness' ccl_chromium_reader library behind the scenes (starting with cache and IndexedDB records)

- Support for up to Chrome 130

- Many minor fixes and updates (see release page for more info)

Get it at https://hindsig.ht/release!


Another @hack_lu "frequent flyer" is on stage now, Thomas Chopitea, to present #DFIQ -> codifying digital forensics intelligence

#hacklu2024

Company: We want everyone to go back to the office because people work better together.

Also Company: We're not going to approve any travel because people can work with each other via Zoom.

After waking up at 3:19am this morning to a test earthquake alert (7 hours earlier than planned), my first thought was "timezones are hard." Glad to know this holds true outside #DFIR as well lol.