Announcing Hindsight – A New Free Chrome Forensics Tool

Hindsight is a free tool for extracting, interpreting, and reporting on Google Chrome artifacts.

Hindsight can extract useful data from a number of Chrome artifacts, including URLs, archived URLs, the text content of some viewed pages (from Index data), download history, autofill records, normal cookies, and Local Storage records (HTML5 cookies). Once the data is extracted from each file, it is correlated with data from other history files and placed in a SQLite database. Hindsight can add data from multiple Chrome installations to the same database.

After the data is extracted, Hindsight runs a number of plugins against it to further interpret what it has found. A plugin is a separate Perl file that Hindsight calls to perform a specific action, such as parsing a particular URL or cookie. Plugins can work with local resources only (such as parsing Google Analytics tracking cookies) or connect to and use remote resources (such as looking up visited URLs to flag ones associated with malware or phishing). Users can choose which plugins to include, and are welcome to submit ideas for new ones or create their own.
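To illustrate the local-only kind of interpretation described above, here is an added Python example (not Hindsight's plugin code or plugin interface) that decodes Google Analytics `__utma` and `__utmz` cookie values into visit timestamps and referral details. The function names and the sample cookie values are constructed for illustration.

```python
from datetime import datetime, timezone

def _ts(value):
    """Epoch seconds (as Google Analytics stores them) -> UTC timestamp string."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_utma(value):
    """__utma = domain_hash.visitor_id.first_visit.previous_visit.current_visit.session_count"""
    parts = value.split(".")
    if len(parts) != 6:
        return None
    try:
        return {"domain_hash": parts[0], "visitor_id": parts[1],
                "first_visit": _ts(parts[2]), "previous_visit": _ts(parts[3]),
                "current_visit": _ts(parts[4]), "session_count": int(parts[5])}
    except (ValueError, OverflowError, OSError):
        return None  # non-numeric or out-of-range field: leave the record uninterpreted

def parse_utmz(value):
    """__utmz = domain_hash.last_update.session_count.campaign_count.key=val|key=val|..."""
    parts = value.split(".", 4)  # the campaign string itself may contain dots
    if len(parts) != 5:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[4].split("|") if "=" in kv)
    try:
        return {"domain_hash": parts[0], "last_update": _ts(parts[1]),
                "session_count": int(parts[2]), "campaign_count": int(parts[3]),
                "source": fields.get("utmcsr"), "medium": fields.get("utmcmd"),
                "search_term": fields.get("utmctr")}
    except (ValueError, OverflowError, OSError):
        return None

PARSERS = {"__utma": parse_utma, "__utmz": parse_utmz}

def interpret(cookie_name, cookie_value):
    """Return a one-line interpretation for a known cookie, or None if not applicable."""
    parser = PARSERS.get(cookie_name)
    result = parser(cookie_value) if parser else None
    if result is None:
        return None
    return "; ".join(f"{k}={v}" for k, v in result.items() if v is not None)

# Constructed sample cookie rows (name, value); not taken from a real browser profile.
SAMPLE = [
    ("__utma", "123456789.987654321.1356998400.1357084800.1357171200.3"),
    ("__utmz", "123456789.1357171200.3.2.utmcsr=google|utmccn=(organic)|utmcmd=organic"),
    ("PREF", "ID=abc"),
]

if __name__ == "__main__":
    for name, value in SAMPLE:
        print(name, "->", interpret(name, value))
```
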

The last piece of Hindsight is the reporting. Once the plugins have run, Hindsight creates an xlsx spreadsheet with the relevant information. The xlsx format was chosen for a number of reasons, including the ability to do advanced filtering and the fact that most end users are already familiar with it. Whenever possible, Hindsight tries to group similar types of data from different browser artifacts into one column so the reader can scan the data more easily and understand it quickly.

Hindsight is written in Perl and released under the GNU GPLv3 license. It is available via Google Code (http://code.google.com/p/hindsight-internet-history/).

UPDATE: I’ve ported Hindsight to Python and moved it to GitHub. Version 0.84 is the last Perl version, and version 1.0+ is Python.
GitHub: https://github.com/obsidianforensics/hindsight

2 Comments

  • Kevin

    Can Hindsight recover deleted Google Chrome cache records? Is Hindsight able to read from common image file formats (E01, DD)?

  • Ryan

    Hindsight only works on live files. As such, it can only process image files that have been mounted with some viewer so the files are accessible to the file system. It also cannot recover deleted cache records (yet).
