Hindsight: Internet history forensics for Google Chrome/Chromium
An Open Source tool for analyzing web artifacts.
Hindsight is an open source tool for parsing a user’s Chrome browser data.
Hindsight can parse a number of different types of web artifacts, including URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a timeline.
The tool is easy to use: either point it at the user’s “Default” folder (within the Chrome path), or extract the sqlite3 files and run it locally against the data.
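The following is an added example, not Hindsight's code and not part of the original page. For a single artifact, it shows the kind of work the tool automates: opening a copied History sqlite3 file read-only, converting Chrome's microseconds-since-1601 timestamps, and merging visits and downloads into one timeline. The table and column names follow Chrome's History database, reduced to the columns used here; the helper names and the sample rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores times as microseconds since 1601-01-01 UTC ("WebKit time").
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def open_history(path):
    """Open a copy of the History file read-only so the evidence is not modified."""
    uri = Path(path).resolve().as_uri() + "?mode=ro&immutable=1"
    return sqlite3.connect(uri, uri=True)

def build_timeline(conn):
    """Merge URL visits and downloads into one time-ordered list of events."""
    rows = conn.execute(
        "SELECT v.visit_time, 'visit', u.url "
        "FROM visits v JOIN urls u ON u.id = v.url "
        "UNION ALL "
        "SELECT start_time, 'download', target_path FROM downloads "
        "ORDER BY 1"
    ).fetchall()
    # A timestamp of 0 means "never set"; it would otherwise render as year 1601.
    return [(webkit_to_utc(ts), kind, detail) for ts, kind, detail in rows if ts]

def make_sample_db():
    """Constructed stand-in for a History file (only the columns used above)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example');
        INSERT INTO urls VALUES (2, 'https://example.com/files', 'Files');
        INSERT INTO visits VALUES (1, 1, 13300000000000000);
        INSERT INTO visits VALUES (2, 2, 13300000060000000);
        INSERT INTO visits VALUES (3, 1, 0);
        INSERT INTO downloads VALUES (1, '/home/user/Downloads/report.pdf',
                                      13300000030000000);
    """)
    return conn

if __name__ == "__main__":
    for when, kind, detail in build_timeline(make_sample_db()):
        print(when.isoformat(), kind, detail)
```

To run it against real data, pass a copy of the profile's History file to `open_history()` and hand the connection to `build_timeline()`.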
Installation
pip install pyhindsight
Default Profile Paths
The Chrome default profile folder default locations are:
- WinXP: [userdir]\Local Settings\Application Data\Google\Chrome\User Data\Default
- Vista/7/8: [userdir]\AppData\Local\Google\Chrome\User Data\Default
- Linux: [userdir]/.config/google-chrome/Default
- OS X: [userdir]/Library/Application Support/Google/Chrome/Default
- iOS: Applications\com.google.chrome.ios\Library\Application Support\Google\Chrome\Default
- Android: /userdata/data/com.android.chrome/app_chrome/Default
It has a simple web UI. To start it, run “hindsight_gui.py” (or on Windows, the packaged “hindsight_gui.exe”) and visit http://localhost:8080 in a browser.
More information and downloads
https://www.obsidianforensics.com/blog/hindsight-v2-released-web-ui-cache-parsing
Suggested readings
- Cory Altheide and Harlan Carvey: “Digital Forensics with Open Source Tools”