v2023.03

This is the first release in a while and it's a relatively minor one. It's mainly bug fixes and updating the version detection for Chrome versions that have come out since the last release. I hope to have time to work on a more substantial update in the future, but for now, here's v2023.03!

What's Changed

🛠️ Minor Changes & Fixes

• Add Session Storage records to SQLite output by @obsidianforensics in #119
• Update built list of HSTS host hashes to include domains from cookies by @obsidianforensics in #121
• Fix some packaging issues (line endings, including lib files, other small fixes) by @obsidianforensics in #122
• Fix bug where when a version rollback occurs more than once, it doesn… by @obsidianforensics in #138
• Fixes issue 125, where failing to decode an extension manifest caused… by @obsidianforensics in #139

Other Changes

• Account for relocated files in newer Chrome versions (97-100) by @obsidianforensics in #124
• Update README.md by @obsidianforensics in #132
• Update version detection to include Chrome 101-111 by @obsidianforensics in #140
• Update Hindsight version prior to release and remove Unfurl plugin (u… by @obsidianforensics in #142

Full Changelog: v2021.12...v2023.03

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

v2021.12

What's Changed

🚀 Features

• Support for Chrome 91-96 by @obsidianforensics in #107, #117
• Add parsing of TransportSecurity file (HSTS settings).
• Add parsing of Session Storage #102
• Adds new "Site Setting" record type, which includes settings and preferences that are site-specific, including zoom, mute, hsts, engagement, and potentially more. #100
• More parsing of Preference items: network_prediction_options, password_manager, sessions.event_log, and sync settings. #101

🛠️ Minor Changes & Fixes

• Fix for case with missing Brave version by @cteodor in #99
• Update embedded ccl_chromium_indexeddb by @obsidianforensics in #102
• Timestamp sorting bug caused by incorrectly interpreting microsecond timestamps by @obsidianforensics in #103
• When searching for Profiles, don't follow symlinks (reports of loops,… by @obsidianforensics in #104
• Add try/except around reading Session Storage records in case of Leve… by @obsidianforensics in #106
• Two small quality of life improvements by @kumavis in #111
• chmod +x hindsight_gui.py by @kumavis in #112
• Report analysis session error by @kumavis in #113
• Add support for new Network subdirectory and files moved within it by @obsidianforensics in #116

Full Changelog: v2021.04.26...v2021.12

New Contributors

• @cteodor made their first contribution in #99
• @kumavis made their first contribution in #111

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

Hindsight 2021.04.26

The 2021.04.26 release of Hindsight is here! Check out the blog post or read on for details on the changes:

🚀 Features

• Parse "Site Characteristics Database" LevelDB @obsidianforensics (#73)
• Add plugin to run Unfurl across Local Storage values @obsidianforensics (#77)
• Add support for Chrome 88 - 90 (#72, #79)

🛠️ Minor Changes & Fixes

• Update Chrome Extensions parser to work on updated artifact types. @obsidianforensics (#82)
• Added additional download interrupt_reason codes. Minor style fixes. @obsidianforensics (#81)
• Add more exception handling around LevelDB records in case of corruption @obsidianforensics (#78)
• Add check to ensure duration values in Media History are plausible @obsidianforensics (#75)
• Fix bug in per_host_zoom_levels parsing @obsidianforensics (#74)
• If autofill values are encrypted (as Edge's are), replace the encrypted bytes with a placeholder @obsidianforensics (#70)
• Add new visit_source values to Update chrome.py @chadtilbury (#68)

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

Hindsight 2021.01.16

The 2021.01.16 release of Hindsight adds some new features, including improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more! Blog post with more info.

Details:

• Switch to using CCL Forensics' LevelDB parsing code; makes parsing use less dependencies & allows recovery of some deleted records
• Add ability to view results of parsing in the Hindsight web UI, using a SQL-like interface
• Add parsing of new Media History database
• Add support for Chrome 84 - 87
• Parse additional login items using the stats table
• Improve Bookmarks parsing to include synced bookmarks
• Add flag (enabled by default) for copying SQLite databases to a temp directory before opening them
• Change default logging & output directories to be the current working directory

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or by downloading/cloning the GitHub repo.

EDIT: Windows Defender has been flagging the EXEs as malware, presumably because they were packaged with PyInstaller. The Python script versions are not being flagged. If you'd like to build the EXEs from the Python code yourself, all I did was: pyinstaller --distpath .\dist .\spec\hindsight.spec from the root of the repo.

Hindsight v20200607

Hindsight v20200607 is the first Python 3 release. This involved lots of code refactoring and clean-up. Things should generally run better and faster. It also includes support for the newest versions of Chrome and other small fixes.

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

Hindsight v2.4.0

Hindsight v2.4.0 add JSONL output, support for the newest versions of Chrome, and other small fixes.

• Supports Chrome versions 1 - 76
• Adds JSONL output format, which is compatible with Timesketch. The field names in this output type are aligned with Plaso/Timesketch (other output formats remain unchanged).
• Parses other Chrome files, even if History file is absent (as in the case of Time Machine backups)

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

Hindsight v2.3.0

Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes.

• Supports Chrome versions 1 - 73
• The --input (-i) parameter now searches for all Chrome profiles at or below the given path. Pointing -i to the "Default" directory will still work as before, but now if you specify a directory higher up the hierarchy (C:\Users for example) Hindsight will search and parse all profiles contained inside that directory.
• Parsing of the LevelDB section of Local Storage.

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

Hindsight v2.2.0

Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome.

• Support for Chrome versions 1 - 66
• Preference items with timestamps now are in Timeline
• Improvements to logging

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

Hindsight v2.1.1

Hindsight v2.1.1 is a smaller update, mostly focused on making processing more robust.

• Support for Chrome versions 1 - 60
• Added more error checking / catching in the cache parsing section
• Updated Hindsight plugin search to better handle combinations of local plugins and the default plugins when installed via pip

Both the GUI and command line versions of this release are available as:

• compiled exes attached to this release or in the dist/ folder
• .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

Hindsight v2.0.0

Hindsight v2.0.0 brings new features, many of which are focused on ease-of-use. The highlights are:

• Cross-platform web UI
• Easier installation on all OSes - now just do pip install pyhindsight
• Ability to parse multiple Chrome caches
• Portable EXEs for GUI and cmdline versions

First, the web interface (seen below running via hindsight_gui.exe):

For those that prefer the command line interface, that still remains and has been updated to support the new features. Both the web UI and cmdline versions are available either as .py files or as PyInstaller-compiled EXEs (available at the bottom of this page, or in the dist folder of the main repo).

Hindsight also has been refactored and much of the parsing moved into the new Python package pyhindsight. This also makes installing Hindsight easier; simply run:

pip install pyhindsight

This will install the pyhindsight package (and all relevant dependencies) and place copies of hindsight.py and hindsight_gui.py into the system's scripts directory.

v2 also introduces the ability to parse various Chrome caches: Cache, Media Cache, Application Cache, and GPUCache. The code is largely based off the Chromagnon project by Jean-Rémy Bancel (thanks!).