tomchop

@tomchop.me.bsky.social

Cybersecurity nerd; #DFIR @ Google by day; FOSS, threat intel and malware analysis by night. Investigator, coder, terrible sense of humor. https://yeti-platform.io and more (github.com/tomchop) views are my own • he/him • tomchop.me

791 Followers  |  369 Following  |  130 Posts  |  Joined: 03.05.2023

Latest posts by tomchop.me on Bluesky

Using Timesketch for timeline analysis? We recently added a new feature: LLM summaries of up to 500 events in view. Example below uses Gemini Flash, but you can just as easily use a local Ollama model. Setup guide: timesketch.org/guides/user/...

19.06.2025 18:01 — 👍 6    🔁 4    💬 0    📌 1
01.04.2025 02:50 — 👍 92    🔁 12    💬 4    📌 2

That's not that many cabs.

02.04.2025 10:14 — 👍 5    🔁 0    💬 0    📌 0

Well well well, how the turntables...

29.01.2025 10:04 — 👍 4    🔁 0    💬 0    📌 0

Great stuff from @tomchop.me! Memory analysis and Yara support in #OpenRelik

#DFIR

07.01.2025 18:07 — 👍 5    🔁 3    💬 0    📌 0
Demo of the Volatility 3 worker extracting files and plugin output

Demo of the Yara scanner worker showing matches for a dumb DarkComet rule

I had a look at #OpenRelik last year and wrote a couple of workers that might be useful:

* github.com/tomchop/open... - Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules.
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!

07.01.2025 17:18 — 👍 6    🔁 0    💬 0    📌 1
New #OpenRelik release. Task metrics (queue length, completion, failures etc) & new Prometheus exporter. Plus, a new task dashboard for deep dives into task performance.

📝 openrelik.org/changelog/
🔗 discord.gg/hg652gktwX

#DFIR

12.12.2024 11:29 — 👍 4    🔁 1    💬 0    📌 0

This is also the reason I never talk publicly about my dog, any favorite foods, or the season we were in < 3 months ago

12.12.2024 09:00 — 👍 3    🔁 0    💬 0    📌 0

I made this one, which tracks a bunch of infosec-related keywords (and blocks noisy accounts): bsky.app/profile/did:...

04.12.2024 09:46 — 👍 0    🔁 0    💬 0    📌 0

Looks like the kind of manual you could find in The Last of Us that would allow you to upgrade your rifle

29.11.2024 22:59 — 👍 1    🔁 0    💬 0    📌 0

Travel budgets are tight yo

27.11.2024 12:49 — 👍 0    🔁 0    💬 0    📌 0
Looks like shit just got real @swiftonsecurity.com

27.11.2024 12:47 — 👍 8    🔁 0    💬 1    📌 0
The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access In early February 2022, notably just ahead of the Russian invasion of Ukraine, Volexity made a discovery that led to one of the most fascinating and complex incident investigations Volexity had ever w...

Probably the most riveting incident report I've read in a long time. I would've so much liked to be part of this investigation!

Kudos to @volexity.com for going into so much detail on this novel network attack technique.

www.volexity.com/blog/2024/11...

26.11.2024 15:19 — 👍 13    🔁 4    💬 2    📌 1
This incredible investigation is worth the time you’ll spend reading it #dfir

www.volexity.com/blog/2024/11...

23.11.2024 18:36 — 👍 11    🔁 6    💬 1    📌 0

if you have a @github.com profile, can i ask you to update it with your @bsky.app handle? 🙏

👉 it enables some very cool integrations, like auto curated feeds and starter packs for contributors and tech

23.11.2024 13:53 — 👍 1012    🔁 208    💬 84    📌 18

“i know bsky is an echo chamber because those echo chamber posts keep coming back around and i know what an echo is”

23.11.2024 14:19 — 👍 0    🔁 0    💬 0    📌 0

There's probably less content than there was on twitter in 2012, but this already feels much nicer and relevant than what X is right now.

21.11.2024 11:44 — 👍 2    🔁 0    💬 0    📌 0

Shiiiiyet, I'm gonna try to not miss this edition! 🤞🏼🤞🏼🤞🏼

19.11.2024 14:35 — 👍 2    🔁 0    💬 0    📌 0

Amazing, thanks! skyfeed.app offers a (less polished, more hacky) similar interface but also allows you to create custom feeds

19.11.2024 09:55 — 👍 2    🔁 0    💬 0    📌 0

*cue pokémon battle song*

"plaso I choose you!!"

18.11.2024 15:24 — 👍 3    🔁 1    💬 0    📌 0

Thanks, this is useful! I also started a feed a long time ago with more generic infosec keywords: bsky.app/profile/did:...

17.11.2024 22:12 — 👍 2    🔁 0    💬 0    📌 0

Thinking of coming up with a Bluesky #DFIR Starter Pack with @the4711.org... who should we include?

15.11.2024 11:07 — 👍 6    🔁 0    💬 2    📌 0

I'm watching some folks reverse engineer the xz backdoor, sharing some *preliminary* analysis with permission.

The hooked RSA_public_decrypt verifies a signature on the server's host key by a fixed Ed448 key, and then passes a payload to system().

It's RCE, not auth bypass, and gated/unreplayable.

30.03.2024 17:13 — 👍 692    🔁 278    💬 7    📌 15

Today, we published this Field Guide to incident response for civil society and media, which I’ve been working on for the past year or so and which I am pretty excited about internews.org/resource/fie...

28.11.2023 17:39 — 👍 9    🔁 3    💬 0    📌 0

Yes, for sure. Otherwise does the project even exist?? I tried briefly playing a bit with Dall-E but didn't get any satisfying results :(

14.11.2023 12:30 — 👍 1    🔁 0    💬 1    📌 0

We are looking forward to integrating formats such as dfiq.org, shipping tighter integrations with DFIR platform tools like timesketch.org, turbinia.plumbing, and misp-project.org!

14.11.2023 11:47 — 👍 0    🔁 0    💬 0    📌 0

Please feel free to use (and tell us when you do! we love hearing about people's use-cases), file lots of bugs, and feel free to contribute: guides, documentation, even cool screenshots, everything is welcome.

14.11.2023 11:46 — 👍 0    🔁 0    💬 1    📌 0
The changes in the codebase have been massive (remember, it's only 2 people working on this): 480 commits to the API server. 139 commits to the frontend SPA.

14.11.2023 11:46 — 👍 0    🔁 0    💬 1    📌 0

This version marks the start of a focus shift away from classic CTI and towards a platform for DFIR teams wishing to integrate CTI in their pipelines for incident response, threat hunting, and detection, and to be able to collate "forensics intelligence" to share with other teams.

14.11.2023 11:45 — 👍 1    🔁 0    💬 1    📌 0
Screenshot of Yeti showing information on the Scattered Spider intrusion set.

This has been years in the making, literally. @Sebdraven and I are happy to announce the release of #Yeti 2.0 (after we promised an EOM release at @hack_lu last month)

Website: yeti-platform.io
Release: github.com/yeti-platform/yeti

mini-🧵👇🏻

#DFIR #infosec #CTI #cybersec

14.11.2023 11:45 — 👍 8    🔁 3    💬 1    📌 0