Today I am releasing a Python version of Hindsight (a Google Chrome forensics tool). The original version was in Perl, and I learned quite a bit about both Chrome and Perl while developing it. I wanted to learn more about Python (since the DFIR community seems to be shifting to that language) and thought that porting Hindsight over would be a good way to start.
The Python version is not completely identical to the Perl one; I used the rewrite as a chance to change how some things worked behind the scenes. The Python version still keeps to the core concepts of Hindsight: it extracts Chrome artifacts, uses plugins to interpret the data, and produces an easy-to-read spreadsheet with the results.
I’ve cut out the step of writing the processed artifacts to an intermediary SQLite database. I haven’t heard of anyone using the functionality those DBs enabled (rerunning plugins or adding more data to an existing case), and I plan to eventually implement those features in the new version in a different way. Between the Python rewrite and dropping those databases, Hindsight is an order of magnitude faster in most cases.
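To make the extract / plugin / spreadsheet pipeline from the two paragraphs above concrete, here is an added Python example. It is not Hindsight's code and is not taken from the original post: it builds a constructed, in-memory stand-in for Chrome's History database (a reduced subset of the real `urls` and `visits` tables, with made-up rows), extracts visits, runs one plugin over the records, and writes CSV straight from memory with no intermediary database. The WebKit epoch (microseconds since 1601-01-01 UTC) and the transition core types in the low byte of `visits.transition` are Chromium facts; every function name, the sample rows and the CSV layout are assumptions of this example.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC
# (the WebKit / Windows FILETIME epoch), not since the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core transition types from Chromium's page_transition_types.h. The low byte of
# `visits.transition` is the core type; higher bits are qualifier flags.
TRANSITION_CORE_MASK = 0xFF
TRANSITION_CORE_TYPES = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
    8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}


def webkit_to_datetime(microseconds):
    """Convert a Chrome/WebKit timestamp to an aware UTC datetime (0 means unset)."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime; integer division keeps the value exact."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed stand-in for a Chrome 'History' file (example data, not a real
    profile): a minimal in-memory copy of the `urls` and `visits` tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER,
                           last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
        """
    )
    t0 = datetime_to_webkit(datetime(2015, 5, 1, 12, 0, 0, tzinfo=timezone.utc))
    conn.executemany(
        "INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?, ?)",
        [
            (1, "https://example.com/", "Example Domain", 1, 1, t0, 0),
            (2, "https://example.com/login", "Login", 1, 0, t0 + 5_000_000, 0),
        ],
    )
    conn.executemany(
        "INSERT INTO visits VALUES (?, ?, ?, ?, ?)",
        [
            (1, 1, t0, 0, 0x10000001),              # TYPED, with a qualifier flag set
            (2, 2, t0 + 5_000_000, 1, 0x00000007),  # FORM_SUBMIT, reached from visit 1
        ],
    )
    return conn


def extract_visits(conn):
    """Artifact extraction: each visit joined to its URL, oldest first."""
    rows = conn.execute(
        """
        SELECT visits.id, urls.url, urls.title, visits.visit_time,
               visits.from_visit, visits.transition
        FROM visits JOIN urls ON visits.url = urls.id
        ORDER BY visits.visit_time
        """
    )
    return [
        {"visit_id": vid, "url": url, "title": title,
         "timestamp_utc": webkit_to_datetime(ts), "from_visit": frm,
         "transition_raw": trans}
        for vid, url, title, ts, frm, trans in rows
    ]


def transition_plugin(records):
    """Plugin: decode the raw transition value into its human-readable core type."""
    for rec in records:
        core = rec["transition_raw"] & TRANSITION_CORE_MASK
        rec["transition"] = TRANSITION_CORE_TYPES.get(core, f"UNKNOWN({core})")
    return records


def run_plugins(records, plugins):
    """Apply each plugin in turn to the in-memory records; nothing is persisted."""
    for plugin in plugins:
        records = plugin(records)
    return records


def to_csv(records):
    """Emit the interpreted records as CSV text (stand-in for the spreadsheet)."""
    fields = ["visit_id", "timestamp_utc", "url", "title", "transition", "from_visit"]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for rec in records:
        ts = rec["timestamp_utc"]
        writer.writerow({**rec, "timestamp_utc": ts.isoformat() if ts else ""})
    return buf.getvalue()


def process_history(conn):
    """Whole pipeline: extract, then run plugins; the caller writes the output."""
    return run_plugins(extract_visits(conn), [transition_plugin])


if __name__ == "__main__":
    print(to_csv(process_history(build_sample_history())))
```

The point of `datetime_to_webkit` using `//` rather than `/` is that Chrome timestamps exceed 2^53 microseconds, so a float round trip can silently shift a value by a few microseconds; a forensic timeline should not tolerate that.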
I also was inspired by Willi Ballenthin’s excellent blog posts on how to create better tools. I think his ideas are right on the money. Hindsight is not at the point where it meets all his criteria for an ideal tool, but I’m working on it. It is very beneficial for amateur tool developers like me to be able to read an experienced programmer’s thoughts on design, so thanks Willi!
I’m moving Hindsight from Google Code to GitHub, since Google Code stopped allowing new downloads to be added to projects. The Google Code site will remain up with the last Perl version (v0.84), and GitHub will host the Python version (v1.0) and any future updates.
Lastly, as I mentioned before, I’m relatively new to Python and this is my first project that’s over a few dozen lines of code. Any feedback, ideas, code, or constructive criticism is welcome.
New home for Hindsight on GitHub: