Hindsight Hindsight v2021.12 Hindsight v2021.12 adds parsing of more preference items, site settings (including HSTS records), Session Storage, and more!
Chrome Cookies Database Moving in Chrome 96 To support stronger security for Chrome, some network-related files - including the Cookies database - are moving locations on disk.
Hindsight Unfurl Plugin and "Site Characteristics" Artifact Added in Hindsight I'm happy to announce there is a new Hindsight release available! 2021.04.26 has many small improvements and fixes, including adding support for Chrome 88 - 90, but the main new features are an Unfurl plugin and parsing of the Site Characteristics Database! Unfurl
Visualizations Keystroke Flow from Chrome Omnibox I take saved keystrokes from Chrome's Omnibox and graph them in a Sankey flow diagram.
Hindsight New Hindsight Release: Better LevelDB parsing, New Web UI View, & More! Latest Hindsight version (2021.01.16) brings exciting new features: improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more!
Chrome New "Media History" File Added to Chrome There's a new database added in Chrome 86, dedicated to tracking media playback. Here's a first look at its contents!
Hindsight Hindsight is 2020 Hindsight is 2020! ... ok, it's actually 20200607, but I've been waiting years to make a bad "Hindsight 2020" joke. There's a new version of Hindsight!
Web Browsers Deciphering Browser Hieroglyphics: FileSystem (Part 3) Part 3 in the Deciphering Browser Hieroglyphics series examines LevelDB databases and Chrome's FileSystem.
Web Browsers Deciphering Browser Hieroglyphics: LocalStorage (Part 2) The second post in "Deciphering Browser Hieroglyphics" discusses LocalStorage and using CyberChef to decode it.
Open Source Tools Hindsight v2.4 Adds JSONL Output Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome (1-76), and other small fixes.
Web Browsers Deciphering Browser Hieroglyphics: Intro (Part 1) In this first post in "Deciphering Browser Hieroglyphics" I introduce Chromotopia and our artifact deciphering approach.
Open Source Tools Hindsight v2.3 Finds and Parses Multiple Chrome Profiles Hindsight v2.3.0 adds input path searching, parsing of LocalStorage LevelDB files, support for newer versions of Chrome (1-73), and minor fixes.
Web Browsers Chrome Values Lookup Tables I've fielded a few questions recently about what some value buried in a Chrome artifact means. I find myself going to the Hindsight source on GitHub and drilling down into
Chrome Capturing Chrome's Evolution When I was pretty fresh in the field of digital forensics, I picked this new thing called Google Chrome to dig into. There weren't a lot of tools out there
Tools Chrome Evolution Chrome has evolved in many aspects since its release: the browser's appearance, capabilities, and how it stores data have all changed greatly since 2008. This page lets you explore how
Tools Hindsight Hindsight is a free tool for analyzing web artifacts. It started with the browsing history of the Google Chrome web browser and has expanded to support other Chromium-based applications -
Presentations & Interviews Video of "Efficiently Summarizing Web Browsing Activity" at SANS DFIR Summit 2018 I spoke at the SANS DFIR Summit 2018 on "Efficiently Summarizing Web Browsing Activity" in Austin, TX. My abstract was: Reviewing web browsing activity is relevant in a wide variety
Presentations & Interviews Ryan Benson Interviewed by BBC Click about Web Browsers I was interviewed by BBC Click for their "What is GDPR?" episode. I'm not really sure what the personal information web browsers are storing on your computer has to do
Open Source Tools Hindsight v2.2 Parses More Chrome Preference Items Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. The quick version is: Support for Chrome versions 1 - 66; Preference items with
Presentations & Interviews Deciphering Browser Hieroglyphics I spoke about "Deciphering Browser Hieroglyphics" at the SANS DFIR Summit 2017 in Austin, TX. I talked about how to "decipher" different kinds of information stored in web browsers, using
Open Source Tools Hindsight v2 Adds a Web UI and Cache Parsing Hindsight v2 is here! The new release brings new features, many of which are focused on ease-of-use, along with a refactoring of the code into a Python package pyhindsight. The
Presentations & Interviews Video of "Customized Google Chrome Forensics with Python" at SANS DFIR Summit 2015 I spoke at the SANS DFIR Summit 2015 on "Customized Google Chrome Forensics with Python" in Austin, TX. My presentation introduced Hindsight, an open source tool (written in Python) for
Web Browsers The Chrome history was cleared! Now what? (part 1) Settings and Bookmarks. Ok, so for the sake of this post, let's assume that the answer to the question posed in the previous part ("Was the history cleared?") was yes, it
Web Browsers The Chrome history was cleared! Now what? (part 0) First, let's take a step back. Why do you think that the Chrome history had been cleared? Is it because there are no browsing records at all? Gaps in the
Open Source Tools It's All About Time - Hindsight v1.4 Released Hindsight v1.4.0 is here and it has a number of improvements, all involving time. As usual, you can get the update from GitHub or grab the zip directly.