Investigating Universal Analytics

Two common questions when investigating web browsing are: how long did a user spend on a website, and what actions did they take while on it? We have a number of methods of approximating what the user did and how much time they spent on a page, but browser histories just weren’t designed to comprehensively record all that information. Chrome visit […]

Load Balancer Cookies

Load Balancer Cookie Decoder

I was going through my bookmarks and found a write-up from a few years ago on decoding NetScaler load balancer cookies. Adam Maxwell (@catalyst256) wrote a few blog posts describing his process of figuring out how to decode the cookie and finished it off by releasing a Python script that automates his process. It’s always interesting […]

Upgrading Python’s SQLite

SQLite and Python in DFIR: SQLite databases are being used in more and more applications, and thus forensic examiners are increasingly running across them in investigations. Python seems to be one of the languages of choice for the DFIR community, and so SQLite and Python often intersect. I’ve developed two open source tools, Hindsight and […]

Hindsight v1.5.0 Graphical User Interface

Hindsight v1.5.0 released + GUI!

I am very excited to announce that Hindsight v1.5.0 is here! Graphical User Interface: The core Hindsight functionality continues to see incremental improvements, along with quite a few internal changes to support new features that will appear in subsequent releases. However, the major change is that there is now a graphical interface available for Hindsight, thanks […]