Hindsight v1.2.0 Released – Adds Cookie Decryption and Logging

Hindsight v1.2.0 is out! This update adds two bigger new features and many small additions and fixes. The two big additions are decrypting some cookies and logging.

View of encrypted cookies in Chrome v33

Cookie Decryption: As of v33, Chrome encrypts cookie values on Windows, Mac, and Linux.  The cookies table in the ‘Cookies’ database file now has both a value and an encrypted_value column, only one of which should have data.  The encryption is done differently depending on the host OS: the Windows and Mac OS implementations leverage user-specific crypto APIs, while Linux uses a static salt and password (salt = ‘saltysalt’ and password = ‘peanuts’).  Fortunately, Python libraries exist to access Mac’s keychain (keyring) and the Windows encryption API (win32crypt), and the PyCrypto set of tools lets us decrypt the Linux cookies.  Nathan Henrie’s post “Decrypt Chrome Cookies with Python” provided me the base for decrypting Mac/Linux cookies, and Jordan Wright’s chrome_extract.py did the same for Windows.  Many thanks to both of them for posting their research online for others to use!

The reason Hindsight can only decrypt some cookies is those user-specific APIs.  If you are analyzing the encrypted cookies on their native system under the user account that generated them, Hindsight can use the APIs to decrypt them.  I know this leaves a vast number of cases where Hindsight won’t be able to decrypt the cookies, but it’s a start.  I believe Hindsight should be able to decrypt cookies from a Linux system on any system that has the required Python modules installed, as the static password/salt aren’t very good protection.

I’ve tested the Windows decryption the most and I’ve fixed all the bugs I can find.  The Linux version also seems to work in my limited testing.  I don’t have a Mac to test on, so please consider decryption on Mac “alpha” (and please let me know if you encounter any issues).  The decryption piece requires a number of new Python modules to be installed, and I’ve added some logic in the import block to detect when some modules aren’t present.  If some are missing, Hindsight will warn the user and keep going, leaving any cookies it can’t decrypt with a value of “<encrypted>”.
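As an added example (not Hindsight’s own code), here is the Linux half of the scheme described above, end to end: the static password/salt from the page, the value/encrypted_value split in the v33 cookies table, the import-block check for a missing crypto module, and the “<encrypted>” placeholder for anything that can’t be decrypted.  The remaining parameters (PBKDF2-HMAC-SHA1 with one iteration, AES-128-CBC, an IV of 16 spaces and a “v10” prefix) come from Chromium’s Linux os_crypt source, not from this post; the cookie rows are constructed in memory.

```python
import hashlib
import sqlite3
# Chromium's Linux os_crypt scheme: static password/salt (on the page), plus, from
# Chromium's source, PBKDF2-HMAC-SHA1 x1, AES-128-CBC, IV of 16 spaces, "v10" prefix.
PASSWORD, SALT, ITERATIONS = b"peanuts", b"saltysalt", 1
IV, PREFIX, UNDECRYPTED = b" " * 16, b"v10", "<encrypted>"
# Mirror Hindsight's import-block check: warn and keep going if the module is missing.
try:
    from Crypto.Cipher import AES  # PyCrypto / pycryptodome
    AES_AVAILABLE = True
except ImportError:
    AES, AES_AVAILABLE = None, False
    print("Warning: PyCrypto not found; encrypted cookies will be shown as", UNDECRYPTED)

def derive_key():
    return hashlib.pbkdf2_hmac("sha1", PASSWORD, SALT, ITERATIONS, dklen=16)

def decrypt_linux_cookie(blob):
    """Plaintext cookie value, or the placeholder if the blob cannot be decrypted."""
    if not AES_AVAILABLE or not blob.startswith(PREFIX):
        return UNDECRYPTED
    body = blob[len(PREFIX):]
    if not body or len(body) % 16:
        return UNDECRYPTED  # not whole AES blocks: truncated or corrupt
    padded = AES.new(derive_key(), AES.MODE_CBC, IV).decrypt(body)
    pad = padded[-1]
    if not 1 <= pad <= 16 or padded[-pad:] != bytes([pad]) * pad:
        return UNDECRYPTED  # bad PKCS#7 padding: wrong key or damaged data
    return padded[:-pad].decode("utf-8", "replace")

def encrypt_linux_cookie(value):
    """Constructed sample data only: build a v10 blob so the example runs offline."""
    data = value.encode()
    pad = 16 - len(data) % 16
    return PREFIX + AES.new(derive_key(), AES.MODE_CBC, IV).encrypt(data + bytes([pad]) * pad)

def sample_cookie_db():
    # Constructed in-memory stand-in for the v33 'Cookies' table (relevant columns only).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, value TEXT, encrypted_value BLOB)")
    sid = encrypt_linux_cookie("session-abc123") if AES_AVAILABLE else PREFIX + b"\x00" * 16
    db.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?)", [
        ("example.com", "pref", "dark", b""),              # legacy plaintext cookie
        ("example.com", "sid", "", sid),                   # encrypted cookie
        ("example.com", "bad", "", PREFIX + b"\x00" * 5)])  # malformed blob
    return db

def cookie_values(db):
    # One (host, name, value) per row; exactly one of value/encrypted_value is populated.
    return [(host, name, value if value else decrypt_linux_cookie(bytes(enc)))
            for host, name, value, enc in db.execute(
                "SELECT host_key, name, value, encrypted_value FROM cookies")]
```

Run it as-is to see the three outcomes (plaintext passed through, decrypted value, placeholder); on a real Linux Chrome profile the same query against the ‘Cookies’ file feeds `cookie_values`.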


Sample of hindsight.log

Logging: Having logging in a forensic tool is a good thing for many reasons.  Logs provide a running account of what the tool did, as well as any errors or anomalies it encountered.   They let an examiner look back a year from the time of analysis and find an accurate record of what they did.  They also help tool developers pinpoint bugs :).

I’ve added logging to Hindsight.  By default, the log is saved to hindsight.log in the same directory as hindsight.py, but the user can change the path with -l or --log.  Hindsight will append new log entries to the end of the log file.  I’ve had the program generate log entries at a number of places that made sense to me, but I’m sure as I go I’ll find more opportunities to expand the logging.  If you have any suggestions on something you’d like to see logged that isn’t, please let me know and I can add it.

Get it!
As always, you can get the new version of Hindsight from https://github.com/obsidianforensics/hindsight.  To get all the files, click the ‘Download ZIP’ button in the bottom right of the page and extract all the files from the resulting archive.
