Hindsight Hindsight v2021.12 Hindsight v2021.12 adds parsing of more preference items, site settings (including HSTS records), Session Storage, and more!
Chrome Cookies Database Moving in Chrome 96 To support stronger security for Chrome, some network-related files - including the Cookies database - are moving locations on disk.
Visualizations Keystroke Flow from Chrome Omnibox I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.
Hindsight New Hindsight Release: Better LevelDB parsing, New Web UI View, & More! Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!
Chrome New "Media History" File Added to Chrome There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!
Tools Unfurl... in 3D Unfurl has been a fun tool, but I've heard you: it's boring. This update to Unfurl will change all that!
Web Browsers Google "ved" Parameter Versions The "ved" parameter in Google URLs contains valuable link context. I've found a new version ("v2") with more info!
Tools Introducing Unfurl Unfurl takes a URL and expands ("unfurls") it into a directed graph, extracting every bit of information from the URL and exposing the obscured. It does this by breaking up
Web Browsers Deciphering Browser Hieroglyphics: FileSystem (Part 3) Part 3 in the Deciphering Browser Hieroglyphics series examines LevelDB databases and Chrome's FileSystem.
Web Browsers Deciphering Browser Hieroglyphics: LocalStorage (Part 2) The second post in "Deciphering Browser Hieroglyphics" discusses LocalStorage and using CyberChef to decode it.
Open Source Tools Hindsight v2.4 Adds JSONL Output Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome (1-76), and other small fixes.
Web Browsers Deciphering Browser Hieroglyphics: Intro (Part 1) In this first post in "Deciphering Browser Hieroglyphics" I introduce Chromotopia and our artifact deciphering approach.
Web Browsers A First Look at Chromium-Based Edge A quick (forensic) look at the new Chromium-based Edge web browser. TL;DR: it looks a lot like Chrome.
Open Source Tools Hindsight v2.3 Finds and Parses Multiple Chrome Profiles Hindsight v2.3.0 adds input path searching, parsing of LocalStorage LevelDB files, support for newer versions of Chrome (1-73), and minor fixes.
Web Browsers Chrome Values Lookup Tables I've fielded a few questions recently about what some value buried in a Chrome artifact means. I find myself going to the Hindsight source on GitHub and drilling down into
Chrome Capturing Chrome's Evolution When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there
Tools Chrome Evolution Chrome has evolved in many aspects since its release: the browser's appearance, capabilities, and how it stores data have all changed greatly since 2008. This page lets you explore how
Tools Hindsight Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications -
Presentations & Interviews Video of "Efficiently Summarizing Web Browsing Activity" at SANS DFIR Summit 2018 I spoke at the SANS DFIR Summit 2018 on "Efficiently Summarizing Web Browsing Activity" in Austin, TX. My abstract was: Reviewing web browsing activity is relevant in a wide variety
Presentations & Interviews Ryan Benson Interviewed by BBC Click about Web Browsers I was interviewed by BBC Click for their "What is GDPR?" episode. I'm not really sure what the personal information web browsers are storing on your computer has to do
Open Source Tools Hindsight v2.2 Parses More Chrome Preference Items Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is: Support for Chrome versions 1 - 66; Preference items with
Presentations & Interviews Deciphering Browser Hieroglyphics I spoke about "Deciphering Browser Hieroglyphics" at the SANS DFIR Summit 2017 in Austin, TX. I talked about how to "decipher" different kinds of information stored in web browsers, using
Open Source Tools Hindsight v2 Adds a Web UI and Cache Parsing Hindsight v2 is here! The new release brings new features, many of which are focused on ease-of-use, along with a refactoring of the code into a Python package pyhindsight. The
Web Browsers Investigating Universal Analytics Two common questions when investigating web browsing are: (1) how long did a user spend on a website, and (2) what actions did they take while on it? We have
Web Browsers Load Balancer Cookie Decoder I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing