CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Extract and Visualize Data from URLs using Unfurl

Unfurl takes a URL and expands (“unfurls”) it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL up into components, extracting as much information as it can from each piece, and presenting it all visually. This “show your work” approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.

Unfurl has parsers for URLs from popular search engines, mail services, and chat applications. It also has more generic parsers (timestamps, UUIDs, base64, etc) helpful for exploring new URLs or reverse engineering. It’s also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.

No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser’s history file, Unfurl can help you get the most out of it.

Ryan Benson

Ryan Benson works at Google doing DFIR and open source tool development. He has previously held DFIR roles at Exabeam, Stroz Friedberg, and Mandiant. He has experience investigating insider threats, responding to intrusions, and performing digital forensics in support of legal proceedings. He is the author of Hindsight, an open source web browser forensics tool, and researches and blogs about DFIR topics with an emphasis on browser forensics.