I’ve been a big fan of Ryan Benson’s unfurl[1] tool since he released it a little over 5 years ago. Unfurl is a tool that can parse/decode URLs including things like embedded timestamps and IP addresses. It can be run in gui form via a web browser or as a command-line tool (my preference). Well, last week, Ryan released an update to v2025.02[2,3] of unfurl and added the ability to decode BlueSky URLs (among other bugfixes). I’ve also updated my docker container[4] to run the command-line version of unfurl as well.
References:
1. https://dfir.blog/introducing-unfurl/
2. https://dfir.blog/unfurl-parses-obfuscated-ip-addresses/
3. https://github.com/obsidianforensics/unfurl
4. https://hub.docker.com/repository/docker/clausing/dfir-unfurl/general
—————
Jim Clausing, GIAC GSE #26
jclausing –at– isc [dot] sans (dot) edu