Johan Berggren
jbn.the4711.net
Digital Forensics and Incident Response
@Google :: I write open source tools :: Creator of OpenRelik and Timesketch

https://openrelik.org/
https://timesketch.org/

#DFIR • Posts are my own • he/him
Great stuff from Maarten and the Timesketch team!
Using Timesketch for timeline analysis? We recently added a new feature: LLM summaries of up to 500 events in view. Example below uses Gemini Flash, but you can just as easily use a local Ollama model. Setup guide: timesketch.org/guides/user/...
June 19, 2025 at 6:55 PM
Reposted by Johan Berggren
🚀 Just launched: DetectionForge — a purpose-built platform for crafting, testing & validating @limacharlie.io detection rules.

Perform detection unit tests & multi-org backtesting + import/export IaC

🔗 Try it: detectionforge.ddi.sh
💻 GitHub: github.com/Digital-Defe... #detectionengineering #secops
DetectionForge
DetectionForge - A comprehensive detection engineering environment for crafting, validating, and testing LimaCharlie detection rules
detectionforge.ddi.sh
June 19, 2025 at 1:14 AM
Great summary of a great paper. Worth a read if you are building LLM agents systems.
"Design Patterns for Securing LLM Agents against Prompt Injections" is an excellent new paper that provides six design patterns to help protect LLM tool-using systems (call them "agents" if you like) against prompt injection attacks

Here are my notes on the paper simonwillison.net/2025/Jun/13/...
Design Patterns for Securing LLM Agents against Prompt Injections
This new paper by 11 authors from organizations including IBM, Invariant Labs, ETH Zurich, Google and Microsoft is an excellent addition to the literature on prompt injection and LLM …
simonwillison.net
June 13, 2025 at 1:45 PM
Great stuff from Eric and Whitney.
Here are the slides/resources from our #SecurityFest talk on "Modernizing Incident Response Using Techniques that Scale"

Talk: www.youtube.com/live/Znl7TBF...
Security Fest 2025 - Day 2
YouTube video by Security Fest
www.youtube.com
June 5, 2025 at 11:20 PM
Reposted by Johan Berggren
Here are the slides/resources from our #SecurityFest talk on "Modernizing Incident Response Using Techniques that Scale"

Talk: www.youtube.com/live/Znl7TBF...
Security Fest 2025 - Day 2
YouTube video by Security Fest
www.youtube.com
June 5, 2025 at 5:58 PM
Reposted by Johan Berggren
Some excellent work by @craiggidney.bsky.social that reduces the number of qubits (in a quantum computer) required to break RSA by 20-fold. If you don’t have a migration plan to safe algorithms, now is the time to start one!
I'm often asked if I'll redo the 2019 quantum factoring estimate. Denser storage by yokes, smaller magic factories by cultivation, slimmer approx arithmetic by Chevignard et al… surely the cost is lower now?

Yes, it's lower now.

security.googleblog.com/2025/05/trac...

arxiv.org/abs/2505.15917
May 23, 2025 at 4:23 PM
Reposted by Johan Berggren
tested #openrelik, #hayabusa, #timesketch and #splunk4dfir using #thedfirreport recent analyst case. was a lot of fun! will definitely use those tools more now 🚀
April 30, 2025 at 3:19 PM
Hey #DFIR people! New #OpenRelik release just dropped. Some cool new features and a bunch of bug fixes.
New #OpenRelik release 0.5.0 is here with some cool new additions:

* Import files directly from Google Cloud Storage
* Updated AI summary visuals
* Glob filtering support when extracting archives
* BlockDevice support for mounting disk images and partitions

Changelog: openrelik.org/changelog/#050
Changelog
0.5.0 ℹ️ We are moving to semantic versioning from this release in order to better track compatibility across all components. Server Added a health check endpoint for service monitoring. Implemented a ...
openrelik.org
February 26, 2025 at 4:32 PM
Reposted by Johan Berggren
A new Unfurl release is here! v2025.02 adds:

🌐 Parsing encoded/obfuscated IP addresses
🦋 Resolving #Bluesky handles to their identifiers (DIDs) and looking up their creation timestamps
🐛 Bug fixes & better bulk parsing

Blog: dfir.blog/unfurl-parse...
Code: github.com/obsidianfore...

#DFIR #OSINT
unfurl
Extract and Visualize Data from URLs
unfurl.link
February 19, 2025 at 2:47 PM
Reposted by Johan Berggren
Hayabusa - A sigma-based threat hunting and fast forensics 🔎 timeline generator for Windows event logs.
It can easily be integrated with other hunting & DFIR tools such as Velociraptor & OpenRelik.

Check it out 🔥🔥:
github.com/Yamato-Secur...

#threathunting #DFIR #sigma #cybersecurity #infosec
GitHub - Yamato-Security/hayabusa: Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs.
Hayabusa (隼) is a sigma-based threat hunting and fast forensics timeline generator for Windows event logs. - Yamato-Security/hayabusa
github.com
January 12, 2025 at 11:43 PM
Reposted by Johan Berggren
This is absolute insanity.
Fellow NSA - National Security Agency veterans. Look at what’s happened at the National Cryptologic Museum. They covered up with brown paper the photos of Women in American Cryptology. All in response to President Trump’s anti-diversity executive order.
February 2, 2025 at 3:28 PM
Reposted by Johan Berggren
It's easy to lose sight of the fact that, from a tech perspective, we're absolutely living in the future. Our CEO and co-founder @apenwarr.ca looks at just how powerful our modern machines are — and what that means for all of us
Living in the future, by the numbers
Instead of making the traditional New Year predictions, let’s talk instead about the beautiful technological future we live in: the one that exists right now but we don’t always notice.
tailscale.com
January 8, 2025 at 6:46 PM
Wooden satellite.. amazing. And built without nails or glue. Oh Japan, never change ♥️

www.theregister.com/2025/01/08/j...
Japan's wooden satellite leaves International Space Station
Carefully crafted wooden box, LignoSat, is on its own
www.theregister.com
January 8, 2025 at 6:40 PM
Great stuff from @tomchop.me! Memory analysis and Yara support in #OpenRelik

#DFIR
I had a look at #OpenRelik last year and wrote a couple workers that might be useful:

* github.com/tomchop/open...: Scan memory images using @volatilityfoundation.org plugins. Supports Yara rules
* github.com/tomchop/open... - Run Yara rules on a directory. Supports third-party systems like #Yeti!
January 7, 2025 at 6:07 PM
Great summary of last year of databases.
Buckle up because we're banging into the new year with my annual retrospective of the last year in databases! Highlights include license change blowback, Databricks vs. Snowflake gangwar, @duckdb.org's shotgun weddings, and buying a quarterback to impress your lover: www.cs.cmu.edu/~pavlo/blog/...
Databases in 2024: A Year in Review
Andy rises from the ashes of his dead startup and discusses what happened in 2024 in the database game.
www.cs.cmu.edu
January 1, 2025 at 8:52 PM
Reposted by Johan Berggren
Here's my end-of-year review of things we learned about LLMs in 2024 - we learned a LOT of things simonwillison.net/2024/Dec/31/...

Table of contents:
December 31, 2024 at 6:10 PM
In Sweden you have to take every opportunity to surf, regardless of the weather and season.. this one is for @halvarflake.bsky.social

(In Swedish, but the picture really tells the whole story :)
www.svt.se/nyheter/loka...
Snowstorm in Jämtland – so Åre residents went surfing on Kallsjön
Usually fresh snow draws people out to the slopes and ski tracks at this time of year. But this week something else drew a group of Åre residents. Instead of making the most of the winter's first proper snow...
www.svt.se
December 22, 2024 at 12:01 PM
Home Assistant is an amazing OSS project. I'm excited to build on the new Voice device. I will get mine in a few days, and I can finally talk to my house! Build any automation I can imagine. Custom wake word (ok computer 🖖). LLM function calling anyone...

www.youtube.com/live/ZgoaoTp...
December 21, 2024 at 7:57 PM
New #OpenRelik release. Task metrics (queue length, completion, failures etc) & new Prometheus exporter. Plus, a new task dashboard for deep dives into task performance.

📝 openrelik.org/changelog/
🔗 discord.gg/hg652gktwX

#DFIR
December 12, 2024 at 11:29 AM
Reposted by Johan Berggren
Within software architecture, few people shaped the industry as much as @gradybooch.bsky.social. Safe to say he's a true legend.

In today's The Pragmatic Engineer Podcast episode, he shares fascinating stories, insights, observations.

Watch here: newsletter.pragmaticengineer.com/p/software-a...
December 4, 2024 at 7:50 PM
When I moved back to Sweden a few years back my team snagged my password in this great tradition. The hack involved ketchup and I was very proud of everyone involved.

bughunters.google.com/blog/6355265...
Blog: The Great Google Password Heist: 15 years of hacking passwords to test our security (and build team culture!)
The Leaving Tradition in Google's security team, which could be described as a type of small-scale offensive security exercise, is a great (and fun) example of team culture. Curious? See this blog pos...
bughunters.google.com
December 4, 2024 at 9:47 PM
🚀 New OpenRelik release

Role-based access control, folder sharing, database improvements, optimisations for file listings, chunked file uploads, bug fixes and refactoring efforts to improve stability.

📝 https://openrelik.org/changelog/
🔗 https://discord.gg/hg652gktwX

#DFIR
November 27, 2024 at 3:41 PM
Reposted by Johan Berggren
That little countdown on 2FA apps stresses the shit out of me. I feel like I'm defusing a bomb.

If it gets into the red, I just wait. I can't handle the stress.
November 26, 2024 at 4:53 PM
Interesting read, well done @volexity.com
November 26, 2024 at 7:15 PM