Extract and Visualize Data from URLs using Unfurl
Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up a URL into components, extracting as much information as it can from each piece, and presenting it all visually. This “show your work” approach (along with embedded references and documentation) makes the analysis transparent to the user and helps them learn about (and discover) semantic and syntactical URL structures.
Unfurl has parsers for URLs, search engines, chat applications, social media sites, and more. It also has more generic parsers (timestamps, UUIDs, etc) helpful for exploring new URLs or reverse engineering. It’s also easy to build new parsers, since Unfurl is open source (Python 3) and has an extensible plugin system.
No matter if you extracted a URL from a memory image, carved it from slack space, or pulled it from a browser’s history file, Unfurl can help you get the most out of it.
How to use Unfurl
- There is an online version at https://dfir.blog/unfurl. Visit that page, enter the URL in the form, and click 'Unfurl!'.
- You can also access the online version using a bookmarklet - create a new bookmark and paste
- Clone or download Unfurl from GitHub.
- Install Python 3 and the modules in
- Browse to localhost:5000/ (editable via config file)
- Enter the URL to unfurl in the form, and 'Unfurl!'
git clone https://github.com/obsidianforensics/unfurl
unfurl.iniwith desired host and port, and
docker-compose.yamlto match port defined in
docker-compose up -d
- All tests are run automatically on each PR by Travis CI. Tests need to pass before merging.
- While not required, it is strongly encouraged to add tests that cover any new features in a PR.
- To manually run all tests (units and integration):
python -m unittest discover -s tests
This is not an officially supported Google product.