Monday, August 31, 2015

Quick Hindsight Run-through (browser forensics)

Review of Obsidian Forensics' "Hindsight" -

I was looking for a tool that would quickly produce "translated" browser search results; I know there are many tools that will export browsing history, and you can even import the users profile into your current version of chrome (or one from Portableapps.com). I wanted something quick that would dump the information I needed into an easy to read table, enter Hindsight.

Hindsight is a tool used for browser forensics, specifically targeting Google Chrome. With Hindsight having access to the machine the browser is located on is not necessary, if you have copied/saved the "Default" folder from within the users Chrome Profile you can point Hindsight at it.

Chrome Profile Locations:

Windows:
%LOCALAPPDATA%\Google\Chrome\User Data\

Mac:
~/Library/Application Support/Google/Chrome/

Linux:
~/.config/google-chrome/

To run a basic query on Hindsight, you can just run hindsight.exe from the command prompt and it will go after the current users profile. To target a specific user, you will need to use the -i switch:

Example:
hindsight.exe -i "C:\Users\[User Profile]\AppData\Local\Google\Chrome\User Data\Default"

It should produce something like this:


Once completed, it will dump a spreadsheet by default into the directory you ran Hindsight from. You can change the output with the -o switch (Choices: SQLite and JSON).

The spreadsheet has multiple categories, including time spent on the specific website! Here is a screenshot I pulled from one of my test profiles:



Hindsight will also include all cookies found; but keep in mind that Chrome recently began encrypting cookies, and without the users windows logon password you will not be able to view portions of the cookie. See here:


Here are cookies that are not encrypted:



However there are tools that are being built to get around this, I have not tried this one yet but I am not sure it will work with the newer versions of Chrome, as the older ones used one specific encryption instead of a unique, machine based key:

http://stackoverflow.com/questions/21496209/cookie-issue-with-chrome-33-beta

Hindsight download:

https://github.com/obsidianforensics/hindsight