Hindsight v1.1.0 is live! This first update since Hindsight migrated to Python about six weeks ago brings a number of improvements, but the biggest news is that Hindsight can now output to JSON and SQLite in addition to the original XLSX format. The added output formats make the tool more flexible, and hopefully more useful to examiners as well as easier to integrate into larger workflows.
Willi Ballenthin (williballenthin.com/blog/2014/02/07/towards-better-tools-part-1/) and Matthew Seyer (forensicmatt.blogspot.com/2014/06/what-makes-great-tool-in-dfir.html) both write about how to make a tool more useful to the community. I haven’t added all the features they outline (yet), but I want to move Hindsight in that direction. If anyone else has any ideas on how I could make Hindsight more useful, please let me know 🙂
The other smaller features added in v1.1.0 include:
- Parsing installed browser extensions and displaying their names/descriptions in the timeline’s Interpretation field.
- Expanding the generic timestamp decoder plugin to look for Webkit as well as epoch timestamps. The timestamp decoder plugin also now searches Local Storage databases (HTML5 cookies) as well as traditional cookies.
- Adding the -m/–mode flag to allow the user to set in advance what Hindsight should do if the output file already exists (to allow better integration into scripts).
Give the new version a spin and tell me what you think! Get it now: