Hindsight v0.84 Released

An update to Hindsight is now available!  The new version (0.84) has some bug fixes and increased functionality (specifically regarding download records). Chrome made some significant changes to the way it stores download records in v26 and added in even more fields in v30. In v26, Chrome stopped storing downloads’ URLs in the downloads table […]

History Index files removed from Chrome v30

The new update of Chrome (v30) released yesterday has a number of security fixes, new features, and improvements, but it also unfortunately came with some bad news for forensicators: the History Index files are no more.  These files were SQLite DBs named ‘History Index YYYY-MM’ and had the text content of most websites a user […]

Hindsight User Guide

This is a user guide for Hindsight that covers the basics on how to get the tool installed and running and then interpret the final report.  It also details some Chrome artifacts and explains at a high level what Hindsight extracts from them. A pdf version of this guide is available on the Hindsight Google […]

Announcing Hindsight – A New Free Chrome Forensics Tool

Hindsight is a free tool for extracting, interpreting, and reporting on Google Chrome artifacts. Hindsight can extract useful data from a number of Chrome artifacts, including URLs, archived URLs, the text content of some viewed pages (from Index data), download history, autofill records, normal cookies, and Local Storage records (HTML5 cookies). Once the data is […]

Deleted File Recovery using foremost

For this example a program for Linux called foremost will be used to recover files, both existing and deleted, from a .dd image.  foremost is what is as known as a data-carving utility.  It operates by examining data, bit by bit, and extracting sets of data that meet a defined pattern. foremost references its configuration […]

Write Blocking Using the Windows Registry

It is possible to use the Windows registry to write protect USB mass storage devices.  An investigator can combine this USB write-blocking trick with an USB-IDE or USB-SATA adapter to protect the vast majority of evidence drives that he or she might encounter.  The write-blocking functionality was added with Windows XP SP2, and has worked […]