Recent releases for hindsight

hindsight v1.5.0

2015-11-15T16:27:01+00:00

Initial version using GitHub releases. v1.5.0 debuts the graphical interface for Hindsight, compiled as a Windows executable. Also included are the Python version (hindsight.py) and the PyInstaller-compiled command line executable (hindsight.exe). ![hindsight_gui](https://cloud.githubusercontent.com/assets/4984680/11167533/948c53f4-8b1a-11e5-8980-1aa6acab3c39.PNG) The GUI version (hindsightGUI.exe) is portable and can be used by itself. hindsight.exe and hindsight.py both will look for a 'plugins' directory in the same location as Hindsight; extract plugins.zip to the same directory to use the complete set of Hindsight plugins. More complete changelogs will be maintained with releases going forward. The biggest changes between v.1.4.9 and v1.5.0 are: - Support for detecting and parsing all current versions of Chrome (1-46) - Better exception handling around malformed input files (for example, if one of the Chrome files has been partially overwritten) - Made get_cookies() function more flexible; now parses 'Extension Cookies' database as well - Added compiled GUI version and updated compiled command line version to v1.5.0

hindsight v2.0.0

2017-03-05T06:09:51+00:00

Hindsight v2.0.0 brings new features, many of which are focused on ease-of-use. The highlights are: * Cross-platform web UI * Easier installation on all OSes - now just do `pip install pyhindsight` * Ability to parse multiple Chrome caches * Portable EXEs for GUI and cmdline versions First, the web interface (seen below running via hindsight_gui.exe): ![hindsight_gui](https://github.com/obsidianforensics/hindsight/blob/master/documentation/interface-v2.gif?raw=true) For those that prefer the command line interface, that still remains and has been updated to support the new features. Both the web UI and cmdline versions are available either as .py files or as PyInstaller-compiled EXEs (available at the bottom of this page, or in the `dist` folder of the main repo). Hindsight also has been refactored and much of the parsing moved into the new Python package **pyhindsight**. This also makes installing Hindsight easier; simply run: ``` pip install pyhindsight ``` This will install the pyhindsight package (and all relevant dependencies) and place copies of hindsight.py and hindsight_gui.py into the system's scripts directory. v2 also introduces the ability to parse various Chrome caches: Cache, Media Cache, Application Cache, and GPUCache. The code is largely based off the [Chromagnon](https://github.com/JRBANCEL/Chromagnon) project by Jean-Rémy Bancel (thanks!).

hindsight v2.1.1

2017-08-25T16:03:44+00:00

Hindsight v2.1.1 is a smaller update, mostly focused on making processing more robust. - Support for Chrome versions 1 - 60 - Added more error checking / catching in the cache parsing section - Updated Hindsight plugin search to better handle combinations of local plugins and the default plugins when installed via pip Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.

hindsight v2.2.0

2018-05-04T04:15:02+00:00

Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome. - Support for Chrome versions 1 - 66 - Preference items with timestamps now are in Timeline - Improvements to logging Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

hindsight v2.3.0

2019-03-15T04:12:01+00:00

Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes. - Supports Chrome versions 1 - 73 - The --input (-i) parameter now searches for all Chrome profiles at or below the given path. Pointing -i to the "Default" directory will still work as before, but now if you specify a directory higher up the hierarchy (C:\Users for example) Hindsight will search and parse all profiles contained inside that directory. - Parsing of the LevelDB section of Local Storage. Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.

hindsight v2.4.0

2019-08-01T02:35:12+00:00

Hindsight v2.4.0 add JSONL output, support for the newest versions of Chrome, and other small fixes. * Supports Chrome versions 1 - 76 * Adds JSONL output format, which is **compatible with [Timesketch](https://github.com/google/timesketch)**. The field names in this output type are aligned with Plaso/Timesketch (other output formats remain unchanged). * Parses other Chrome files, even if History file is absent (as in the case of Time Machine backups) Both the GUI and command line versions of this release are available as: * compiled exes attached to this release or in the dist/ folder * .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.

hindsight 20200607

2020-06-10T02:24:38+00:00

Hindsight v20200607 is the first Python 3 release. This involved lots of code refactoring and clean-up. Things should generally run better and faster. It also includes support for the newest versions of Chrome and other small fixes. Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.

hindsight 2021.01.16

2021-01-18T18:21:21+00:00

![hindsight-2021.01.16-banner](https://dfir.blog/content/images/2021/01/hindsight-2021.01.16-banner-small.png) The **2021.01.16** release of Hindsight adds some new features, including improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more! [Blog post](https://dfir.blog/hindsight-better-leveldb-and-new-web-ui/) with more info. **Details:** - Switch to using CCL Forensics' LevelDB parsing code; makes parsing use less dependencies & allows recovery of some deleted records - Add ability to view results of parsing in the Hindsight web UI, using a SQL-like interface - Add parsing of new `Media History` database - Add support for Chrome 84 - 87 - Parse additional login items using the `stats` table - Improve Bookmarks parsing to include synced bookmarks - Add flag (enabled by default) for copying SQLite databases to a temp directory before opening them - Change default logging & output directories to be the current working directory Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo. *EDIT: Windows Defender has been flagging the EXEs as malware, presumably because they were packaged with PyInstaller*. The Python script versions are not being flagged. If you'd like to build the EXEs from the Python code yourself, all I did was: `pyinstaller --distpath .\dist .\spec\hindsight.spec` from the root of the repo.

hindsight v2021.04.26

2021-04-27T23:26:06+00:00

The **2021.04.26** release of Hindsight is here! Read on for details on the changes: ## 🚀 Features - Parse "Site Characteristics Database" LevelDB @obsidianforensics (#73) - Add plugin to run Unfurl across Local Storage values @obsidianforensics (#77) - Add support for Chrome 88 - 90 (#72, #79) ## 🛠️ Minor Changes & Fixes - Update Chrome Extensions parser to work on updated artifact types. @obsidianforensics (#82) - Added additional download interrupt\_reason codes. Minor style fixes. @obsidianforensics (#81) - Add more exception handling around LevelDB records in case of corruption @obsidianforensics (#78) - Add check to ensure duration values in Media History are plausible @obsidianforensics (#75) - Fix bug in per\_host\_zoom\_levels parsing @obsidianforensics (#74) - If autofill values are encrypted (as Edge's are), replace the encrypted bytes with a placeholder @obsidianforensics (#70) - Add new visit\_source values to Update chrome.py @chadtilbury (#68) Both the GUI and command line versions of this release are available as: - compiled exes attached to this release or in the dist/ folder - .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.

hindsight v2021.12

2021-12-16T23:25:08+00:00

## What's Changed ### 🚀 Features * Support for Chrome 91-96 by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/107, https://github.com/obsidianforensics/hindsight/pull/117 * Add parsing of TransportSecurity file (HSTS settings). * Add parsing of Session Storage #102 * Adds new "Site Setting" record type, which includes settings and preferences that are site-specific, including zoom, mute, hsts, engagement, and potentially more. https://github.com/obsidianforensics/hindsight/pull/100 * More parsing of Preference items: network_prediction_options, password_manager, sessions.event_log, and sync settings. https://github.com/obsidianforensics/hindsight/pull/101 ### 🛠️ Minor Changes & Fixes * Fix for case with missing Brave version by @cteodor in https://github.com/obsidianforensics/hindsight/pull/99 * Update embedded ccl_chromium_indexeddb by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/102 * Timestamp sorting bug caused by incorrectly interpreting microsecond timestamps by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/103 * When searching for Profiles, don't follow symlinks (reports of loops,… by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/104 * Add try/except around reading Session Storage records in case of Leve… by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/106 * Two small quality of life improvements by @kumavis in https://github.com/obsidianforensics/hindsight/pull/111 * chmod +x hindsight_gui.py by @kumavis in https://github.com/obsidianforensics/hindsight/pull/112 * Report analysis session error by @kumavis in https://github.com/obsidianforensics/hindsight/pull/113 * Add support for new Network subdirectory and files moved within it by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/116 **Full Changelog**: https://github.com/obsidianforensics/hindsight/compare/v2021.04.26...v2021.12 ## New Contributors * @cteodor made their first contribution in https://github.com/obsidianforensics/hindsight/pull/99 * @kumavis made their first contribution in https://github.com/obsidianforensics/hindsight/pull/111 ## Both the GUI and command line versions of this release are available as: * compiled exes attached to this release or in the dist/ folder * .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.

hindsight v2023.03

2023-03-29T23:41:39+00:00

This is the first release in a while and it's a relatively minor one. It's mainly bug fixes and updating the version detection for Chrome versions that have come out since the last release. I hope to have time to work on a more substantial update in the future, but for now, here's **v2023.03**! ## What's Changed ### 🛠️ Minor Changes & Fixes * Add Session Storage records to SQLite output by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/119 * Update built list of HSTS `host` hashes to include domains from cookies by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/121 * Fix some packaging issues (line endings, including lib files, other small fixes) by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/122 * Fix bug where when a version rollback occurs more than once, it doesn… by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/138 * Fixes issue 125, where failing to decode an extension manifest caused… by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/139 ### Other Changes * Account for relocated files in newer Chrome versions (97-100) by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/124 * Update README.md by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/132 * Update version detection to include Chrome 101-111 by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/140 * Update Hindsight version prior to release and remove Unfurl plugin (u… by @obsidianforensics in https://github.com/obsidianforensics/hindsight/pull/142 **Full Changelog**: https://github.com/obsidianforensics/hindsight/compare/v2021.12...v2023.03 ## Both the GUI and command line versions of this release are available as: * compiled exes attached to this release or in the dist/ folder * .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.