Hindsight v2.3 Finds and Parses Multiple Chrome Profiles
Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes. The short version is:
- Supports Chrome versions 1 - 73
- The --input (-i) parameter now searches for all Chrome profiles at or below the given path. Pointing -i to the "Default" directory will still work as before, but now if you specify a directory higher up the hierarchy (C:\Users for example) Hindsight will search and parse all profiles contained inside that directory.
- Parsing of the LevelDB section of Local Storage.
- Get it on GitHub
More Details
There haven't been any huge changes to Chrome since the Hindsight v2.2 release, so most of the changes in Hindsight are enhancements or small fixes. The biggest change is how Hindsight handles the --input directory that the user specifies. It now uses that input directory as the base, searches for Chrome profiles beneath it, and processes every profile it finds. It is backwards compatible in that if you point it directly at a profile directory it still works as before. This should also make it easier to integrate with tools that bundle and call Hindsight (such as KAPE, POSH-Triage, or BriMor Labs Live Response Collection).
This feature has been requested in one form or another many times, and I'm excited that it's finally here. Many Chrome installations have multiple profiles for the same user, and I'm always a little worried that an investigator will just look at the "Default" profile and miss important information in a different profile.
Investigators also often have access to past snapshots of the same browser profile (via VSS, Time Machine, or some other backup software) and this new feature makes it easier to integrate all that into one view. You still need to copy/mount/etc the different snapshots of data, but once you have them all in a directory structure, just point Hindsight at the root and it will parse all of them.
I think it's helpful to have all that browsing information in one timeline, not scattered across multiple files that you then need to combine. To facilitate this, I've added a Profile attribute to entries in Hindsight to show where an artifact came from.
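The profile search and the Profile attribute described above, as an added illustration that is not Hindsight's own code: it walks an input path, treats any directory holding both a History and a Preferences file as a Chrome profile (a heuristic chosen for this example, not Hindsight's rule), reads each profile's History database, converts Chrome's microseconds-since-1601 timestamps, and merges everything into one timeline tagged with the profile it came from. The sample directory tree, the reduced urls table schema and the hypothetical user "alice" are constructed here so the script runs offline; pointing it at a real User Data folder would need the full History schema.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Marker files this example requires before treating a directory as a Chrome
# profile (an assumption of this example, not Hindsight's own detection rule).
PROFILE_MARKERS = ("History", "Preferences")

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(microseconds):
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def is_chrome_profile(directory):
    d = Path(directory)
    return all((d / marker).is_file() for marker in PROFILE_MARKERS)


def find_chrome_profiles(input_path):
    """Return every profile directory at or below input_path.

    Mirrors the --input behaviour: the input may itself be a profile directory
    (found directly) or an ancestor such as C:\\Users (searched recursively).
    """
    root = Path(input_path)
    found = []
    for dirpath, dirnames, _ in os.walk(root):
        dirnames.sort()  # deterministic traversal order
        if is_chrome_profile(dirpath):
            found.append(Path(dirpath))
    return found


def read_history(profile_dir):
    """Read the urls table of a profile's History database.
    Only the three columns used by the constructed sample are selected."""
    conn = sqlite3.connect(Path(profile_dir) / "History")
    try:
        return conn.execute(
            "SELECT url, title, last_visit_time FROM urls").fetchall()
    finally:
        conn.close()


def build_timeline(input_path):
    """One timeline across all profiles, each entry carrying a Profile attribute."""
    root = Path(input_path)
    timeline = []
    for profile in find_chrome_profiles(root):
        # Label = path relative to the input root, so two snapshots of the
        # same "Default" profile remain distinguishable in the merged view.
        label = profile.name if profile == root else str(profile.relative_to(root))
        for url, title, last_visit in read_history(profile):
            timeline.append({
                "timestamp": chrome_time_to_datetime(last_visit),
                "url": url,
                "title": title,
                "profile": label,
            })
    timeline.sort(key=lambda entry: entry["timestamp"])
    return timeline


def build_sample_tree():
    """Constructed sample: two live profiles for a hypothetical user, one
    VSS-style snapshot of Default, and a stray History file that is not a profile."""
    root = Path(tempfile.mkdtemp())
    user_data = root / "alice" / "AppData" / "Local" / "Google" / "Chrome" / "User Data"
    samples = {
        user_data / "Default": [("https://example.com/", "Example", 13200000000000000)],
        user_data / "Profile 1": [("https://example.org/", "Org", 13200000100000000)],
        root / "alice" / "snapshots" / "vss1" / "Default": [
            ("https://example.com/", "Example", 13199999900000000)],
    }
    for profile_dir, rows in samples.items():
        profile_dir.mkdir(parents=True)
        (profile_dir / "Preferences").write_text("{}")
        conn = sqlite3.connect(profile_dir / "History")
        conn.execute("CREATE TABLE urls (url TEXT, title TEXT, last_visit_time INTEGER)")
        conn.executemany("INSERT INTO urls VALUES (?, ?, ?)", rows)
        conn.commit()
        conn.close()
    stray = root / "alice" / "Desktop"
    stray.mkdir(parents=True)
    (stray / "History").write_text("not a profile")  # no Preferences beside it
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for entry in build_timeline(sample_root):
        print(entry["timestamp"].isoformat(), entry["profile"], entry["url"])
```

Running the script prints the three history rows in time order, with the snapshot copy of Default listed under its own snapshot path rather than collapsed into the live Default profile. Pointing find_chrome_profiles at the Default directory itself returns just that one profile, which is the backwards-compatible case from the release notes.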
Get the New Version
Both the GUI and command line versions of this release are available as:
- compiled exes (attached to the release or in the dist/ folder)
- .py versions, installed with pip install pyhindsight or by downloading/cloning the GitHub repo.