Hindsight v2.2 Released – Preference Items

Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is:

  • Support for Chrome versions 1 – 66
  • Preference items with timestamps now are in the Timeline
  • Improvements to logging

Both the GUI and command line versions of this release are available as:

  • compiled exes (attached to the release or in the dist/ folder)
  • .py versions, available via pip install pyhindsight or by downloading/cloning the GitHub repo.

The Detailed Version

The biggest artifact change that came with Chrome v66 was that three columns in the Cookies database were renamed:

  • httponly -> is_httponly
  • persistent -> is_persistent
  • secure -> is_secure

This is a pretty minor thing, but Hindsight used some of those columns to identify which versions of Chrome it was processing, so the renaming broke version detection. Trying to parse data from Chrome v66 or later with Hindsight v2.1.1 or earlier may fail because Hindsight cannot figure out the Chrome version. I also made some small changes to enhance the logging that Hindsight does.

Now for the new stuff: I’ve added support for parsing a wider array of preference items. Hindsight previously parsed out a number of interesting preferences and showed them on a separate ‘Preferences’ tab, since they didn’t have associated timestamps and thus would have been out of place on the primary ‘Timeline’ tab. I’ve added parsing for a few more preference items there, but the bigger news is the addition of some timestamped preferences to the ‘Timeline’ tab.

Chad Tilbury showed that Chrome’s new ‘Mute site’ ability had a corresponding artifact in the Preferences file:

I thought this was pretty cool, and spent a little time digging in to see what other items with timestamps were lurking in Preferences.

Preference Items

I found eight types of preference items with timestamps that looked interesting. I haven’t fully explored all the details, but here are examples of each type (including the ‘Mute’ artifact):

Preference item path, followed by an example of its value:

profile.content_settings.exceptions.media_engagement
"http://obsidianforensics.com:80,*": {
    "last_modified": "13160264938091184",
    "setting": {
        "hasHighScore": false,
        "lastMediaPlaybackTime": 0.0,
        "mediaPlaybacks": 0,
        "visits": 1
    }
}

profile.content_settings.exceptions.site_engagement
"http://aboutdfir.com:80,*": {
    "last_modified": "13162626153701643",
    "setting": {
        "lastEngagementTime": 13162626153701620.0,
        "lastShortcutLaunchTime": 0.0,
        "pointsAddedToday": 4.5,
        "rawScore": 4.5
    }
}

profile.content_settings.exceptions.notifications
"https://www.youtube.com:443,*": {
    "last_modified": "13161568350592864",
    "setting": 1
}

profile.content_settings.exceptions.permission_autoblocking_data
"https://www.mapquest.com:443,*": {
    "last_modified": "13161750781018557",
    "setting": {
        "Geolocation": {
            "ignore_count": 1
        }
    }
}

profile.content_settings.exceptions.sound
"https://www.youtube.com:443,*": {
    "last_modified": "13162624224060055",
    "setting": 2
}

extensions.autoupdate
"autoupdate": {
    "last_check": "13162668769688981",
    "next_check": "13162686093672995"
}

signin.signedin_time
"signin": {
    "signedin_time": "13196354823425155"
}

translate_last_denied_time_for_language
"translate_last_denied_time_for_language": {
    "iw": [1492489197120.853],
    "mt": [1487824811164.411],
    "pt": [1502849632254.548]
}

Some items, like media_engagement and site_engagement, had more data in them than others, but an immediate use for them doesn’t jump out at me. However, they could be a useful source of context or corroboration, so I included them. permission_autoblocking_data can have different subkeys, depending on the permission and the action, and looks like it can be used to determine whether a website requested a particular API (Geolocation, for example). The last preference I wanted to mention is the translate_last_denied_time_for_language key. Again, I think this artifact would most likely be used as context, but I still think it’s pretty neat to be able to see evidence that a user loaded a page and then dismissed the translation prompt; this at least shows they interacted with the page in some fashion.
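To show how these items become timeline entries, here is an added example (my own code, not Hindsight’s) that walks a constructed Preferences fragment built from the values above, converts each timestamp, and returns sorted rows. It relies on two facts about the formats: the last_modified, autoupdate and signedin_time values are WebKit time (microseconds since 1601-01-01 UTC), while translate_last_denied_time_for_language stores JavaScript time (milliseconds since 1970-01-01 UTC).

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome stores most preference timestamps as WebKit time: microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EXCEPTION_TYPES = ("media_engagement", "site_engagement", "notifications",
                   "permission_autoblocking_data", "sound")

def webkit_to_utc(value):
    """Convert a WebKit microsecond timestamp (int, float or numeric string) to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))

def js_ms_to_utc(value):
    """translate_last_denied_time_for_language uses JavaScript time: milliseconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(float(value) / 1000.0, tz=timezone.utc)

def preference_timeline(prefs):
    """Walk a parsed Preferences dict and return (utc datetime, preference path, detail) rows sorted by time."""
    rows = []
    exceptions = prefs.get("profile", {}).get("content_settings", {}).get("exceptions", {})
    for name in EXCEPTION_TYPES:
        for pattern, entry in exceptions.get(name, {}).items():
            if "last_modified" in entry:  # the site pattern is the useful detail for these
                rows.append((webkit_to_utc(entry["last_modified"]),
                             "profile.content_settings.exceptions." + name, pattern))
    autoupdate = prefs.get("extensions", {}).get("autoupdate", {})
    for key in ("last_check", "next_check"):
        if key in autoupdate:
            rows.append((webkit_to_utc(autoupdate[key]), "extensions.autoupdate", key))
    if "signedin_time" in prefs.get("signin", {}):
        rows.append((webkit_to_utc(prefs["signin"]["signedin_time"]), "signin.signedin_time", ""))
    for lang, times in prefs.get("translate_last_denied_time_for_language", {}).items():
        for ms in times:  # one JS-millisecond value per dismissed translation prompt
            rows.append((js_ms_to_utc(ms), "translate_last_denied_time_for_language", lang))
    return sorted(rows)

# Constructed Preferences fragment (values taken from the examples in this post, not a real profile).
SAMPLE_PREFERENCES = json.loads("""{
  "profile": {"content_settings": {"exceptions": {
    "sound": {"https://www.youtube.com:443,*": {"last_modified": "13162624224060055", "setting": 2}},
    "media_engagement": {"http://obsidianforensics.com:80,*": {"last_modified": "13160264938091184",
        "setting": {"hasHighScore": false, "mediaPlaybacks": 0, "visits": 1}}}
  }}},
  "extensions": {"autoupdate": {"last_check": "13162668769688981", "next_check": "13162686093672995"}},
  "signin": {"signedin_time": "13196354823425155"},
  "translate_last_denied_time_for_language": {"iw": [1492489197120.853]}
}""")

if __name__ == "__main__":
    for when, path, detail in preference_timeline(SAMPLE_PREFERENCES):
        print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), path, detail)
```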

Get the New Version

Both the GUI and command line versions of this release are available as:

  • compiled exes (attached to the release or in the dist/ folder)
  • .py versions, available via pip install pyhindsight or by downloading/cloning the GitHub repo.

2 Comments

  • Rasmus

    Hi.

    I can get it to work on my running computer. But is there no way of getting it to run on acquired evidence without having to boot it up manually?

    • Ryan

      Hi Rasmus,

      If you copy out the Chrome profile (or mount your evidence file), you can point Hindsight to the browser data that way. For example, if you copied the Chrome data to C:\cases\abc123\Default, you would put that in the “Profile Path” field in the Hindsight web interface, or pass that in with the -i flag on the command line version.
