Hindsight v2 Released – Web UI and Cache Parsing

Hindsight v2 is here! The new release brings new features, many of which are focused on ease-of-use, along with a refactoring of the code into a Python package pyhindsight. The highlights are:

  • Cross-platform web UI
  • Easier installation on all OSes – now just do pip install pyhindsight
  • Ability to parse multiple Chrome caches
  • Portable EXEs for GUI and cmdline versions

New Web Interface

First, the new web interface (seen below running via hindsight_gui.exe):

Hindsight GUI
New Hindsight Web UI

The only required field is “Profile Path”. This is the location of the browser profile you want to analyze (the default profile paths for different OSes are listed below the entry field). Click “Run” and you’ll be taken to the results page in where you can save the results to a spreadsheet (or other formats).

For those that prefer the command line interface, that still remains and has been updated to support the new features. Both the web UI and cmdline versions are available either as .py files or as PyInstaller-compiled EXEs (available from the GitHub releases page, or in the dist folder of the main repo).

New Python Package: pyhindsight

Hindsight also has been refactored and much of the parsing moved into the new Python package pyhindsight. This also makes installing Hindsight easier; simply run:

pip install pyhindsight

This will install the pyhindsight package (and all relevant dependencies) and place copies of hindsight.py and hindsight_gui.py into the system’s scripts directory. If the scripts folder is on your system $PATH, then you should be able to just run python hindsight.py or python hindsight_gui.py from a terminal.

New Feature: Cache Parsing

v2 also introduces the ability to parse various Chrome caches: Cache, Media Cache, Application Cache, and GPUCache. The code is largely based off the Chromagnon project by Jean-Rémy Bancel (thanks!). Parsing cache entries is a much more involved process than some of the other artifact parsing, so be aware that parsing these records can add minutes to Hindsight’s run time. For those that watched the Forensic Lunch on 2/3, thanks to Dave’s suggestion there is an additional column in the report that has the full HTTP headers for each cache item (if available).

Get Hindsight

There are a few routes to get this newest Hindsight release. The easiest way to get the Python version is to do pip install pyhindsight. If you are on Windows and would prefer the EXE versions of hindsight/hindsight_gui, get them from the GitHub Releases page.

Leave a Reply

Your email address will not be published.