Obsidianforensics Hindsight Versions

Web browser forensics for Google Chrome/Chromium

v2023.03

1 year ago

This is the first release in a while and it's a relatively minor one. It's mainly bug fixes and updating the version detection for Chrome versions that have come out since the last release. I hope to have time to work on a more substantial update in the future, but for now, here's v2023.03!

What's Changed

🛠️ Minor Changes & Fixes

Other Changes

Full Changelog: https://github.com/obsidianforensics/hindsight/compare/v2021.12...v2023.03

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

v2021.12

2 years ago

What's Changed

🚀 Features

🛠️ Minor Changes & Fixes

Full Changelog: https://github.com/obsidianforensics/hindsight/compare/v2021.04.26...v2021.12

New Contributors

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

v2021.04.26

3 years ago

The 2021.04.26 release of Hindsight is here! Check out the blog post or read on for details on the changes:

🚀 Features

  • Parse "Site Characteristics Database" LevelDB @obsidianforensics (#73)
  • Add plugin to run Unfurl across Local Storage values @obsidianforensics (#77)
  • Add support for Chrome 88 - 90 (#72, #79)

🛠️ Minor Changes & Fixes

  • Update Chrome Extensions parser to work on updated artifact types. @obsidianforensics (#82)
  • Added additional download interrupt_reason codes. Minor style fixes. @obsidianforensics (#81)
  • Add more exception handling around LevelDB records in case of corruption @obsidianforensics (#78)
  • Add check to ensure duration values in Media History are plausible @obsidianforensics (#75)
  • Fix bug in per_host_zoom_levels parsing @obsidianforensics (#74)
  • If autofill values are encrypted (as Edge's are), replace the encrypted bytes with a placeholder @obsidianforensics (#70)
  • Add new visit_source values to Update chrome.py @chadtilbury (#68)

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

2021.01.16

3 years ago

The 2021.01.16 release of Hindsight adds some new features, including improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more! Blog post with more info.

Details:

  • Switch to using CCL Forensics' LevelDB parsing code; parsing now needs fewer dependencies and can recover some deleted records
  • Add ability to view results of parsing in the Hindsight web UI, using a SQL-like interface
  • Add parsing of new Media History database
  • Add support for Chrome 84 - 87
  • Parse additional login items using the stats table
  • Improve Bookmarks parsing to include synced bookmarks
  • Add flag (enabled by default) for copying SQLite databases to a temp directory before opening them
  • Change default logging & output directories to be the current working directory

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

EDIT: Windows Defender has been flagging the EXEs as malware, presumably because they were packaged with PyInstaller. The Python script versions are not being flagged. If you'd like to build the EXEs from the Python code yourself, all I did was: pyinstaller --distpath .\dist .\spec\hindsight.spec from the root of the repo.

20200607

3 years ago

Hindsight v20200607 is the first Python 3 release. This involved lots of code refactoring and clean-up. Things should generally run better and faster. It also includes support for the newest versions of Chrome and other small fixes.

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

v2.4.0

4 years ago

Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome, and other small fixes.

  • Supports Chrome versions 1 - 76
  • Adds JSONL output format, which is compatible with Timesketch. The field names in this output type are aligned with Plaso/Timesketch (other output formats remain unchanged).
  • Parses other Chrome files, even if History file is absent (as in the case of Time Machine backups)

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

v2.3.0

5 years ago

Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes.

  • Supports Chrome versions 1 - 73
  • The --input (-i) parameter now searches for all Chrome profiles at or below the given path. Pointing -i to the "Default" directory will still work as before, but now if you specify a directory higher up the hierarchy (C:\Users for example) Hindsight will search and parse all profiles contained inside that directory.
  • Parses the LevelDB section of Local Storage.
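To illustrate the profile search that the --input parameter performs in this release, together with the "copy SQLite databases to a temp directory before opening them" flag from the 2021.01.16 notes, here is an added Python example; it is not Hindsight's own code. It walks a path for directories containing a History file, copies each History database (plus any -journal/-wal sidecar) to a temporary directory, and opens only that copy, read-only. The user tree it builds is a constructed fixture, and its urls table is a minimal stand-in for Chrome's real History schema.

```python
import os
import pathlib
import shutil
import sqlite3
import tempfile

PROFILE_MARKER = "History"  # every Chrome profile directory holds a SQLite DB with this name

def find_chrome_profiles(root):
    """Return every directory at or below root that contains a History file (root itself included)."""
    profiles = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if PROFILE_MARKER in filenames:
            profiles.append(dirpath)
    return sorted(profiles)

def read_history_urls(profile_dir):
    """Copy History (plus -journal/-wal if present) to a temp dir, open the copy read-only, return (url, title) rows."""
    workdir = tempfile.mkdtemp(prefix="hindsight_copy_")
    try:
        for name in (PROFILE_MARKER, PROFILE_MARKER + "-journal", PROFILE_MARKER + "-wal"):
            src = os.path.join(profile_dir, name)
            if os.path.exists(src):
                shutil.copy2(src, workdir)
        copied = pathlib.Path(workdir, PROFILE_MARKER)
        # mode=ro: the copy is opened read-only, and the original inside the profile is never opened at all
        conn = sqlite3.connect(copied.as_uri() + "?mode=ro", uri=True)
        try:
            return conn.execute("SELECT url, title FROM urls ORDER BY id").fetchall()
        finally:
            conn.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

def build_sample_tree():
    """Constructed fixture (not real evidence): a fake user tree with two Chrome profiles under it."""
    root = tempfile.mkdtemp(prefix="fake_users_")
    layout = {
        "alice/AppData/Local/Google/Chrome/User Data/Default": [("https://example.com/", "Example")],
        "alice/AppData/Local/Google/Chrome/User Data/Profile 1": [("https://example.org/a", "A"), ("https://example.org/b", "B")],
    }
    for rel, rows in layout.items():
        pdir = os.path.join(root, rel)
        os.makedirs(pdir)
        with sqlite3.connect(os.path.join(pdir, PROFILE_MARKER)) as conn:  # minimal stand-in for Chrome's urls table
            conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT)")
            conn.executemany("INSERT INTO urls (url, title) VALUES (?, ?)", rows)
        conn.close()
    return root
```

Pointing find_chrome_profiles at the Default directory itself still returns just that profile, while pointing it at the top of the user tree returns every profile beneath it.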

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

v2.2.0

6 years ago

Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome.

  • Support for Chrome versions 1 - 66
  • Preference items with timestamps now are in Timeline
  • Improvements to logging

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

v2.1.1

6 years ago

Hindsight v2.1.1 is a smaller update, mostly focused on making processing more robust.

  • Support for Chrome versions 1 - 60
  • Added more error checking / catching in the cache parsing section
  • Updated Hindsight plugin search to better handle combinations of local plugins and the default plugins when installed via pip

Both the GUI and command line versions of this release are available as:

  • compiled exes attached to this release or in the dist/ folder
  • .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

v2.0.0

7 years ago

Hindsight v2.0.0 brings new features, many of which are focused on ease-of-use. The highlights are:

  • Cross-platform web UI
  • Easier installation on all OSes - now just do pip install pyhindsight
  • Ability to parse multiple Chrome caches
  • Portable EXEs for GUI and cmdline versions

First, the web interface (seen below running via hindsight_gui.exe):

(screenshot: the Hindsight web UI running via hindsight_gui.exe)

For those that prefer the command line interface, that still remains and has been updated to support the new features. Both the web UI and cmdline versions are available either as .py files or as PyInstaller-compiled EXEs (available at the bottom of this page, or in the dist folder of the main repo).

Hindsight has also been refactored, and much of the parsing has moved into the new Python package pyhindsight. This also makes installing Hindsight easier; simply run:

pip install pyhindsight

This will install the pyhindsight package (and all relevant dependencies) and place copies of hindsight.py and hindsight_gui.py into the system's scripts directory.

v2 also introduces the ability to parse various Chrome caches: Cache, Media Cache, Application Cache, and GPUCache. The code is largely based off the Chromagnon project by Jean-Rémy Bancel (thanks!).