I was looking for a tool that would quickly produce "translated" browser search results. I know there are many tools that will export browsing history, and you can even import the user's profile into your current version of Chrome (or one from Portableapps.com). I wanted something quick that would dump the information I needed into an easy-to-read table. Enter Hindsight.
Hindsight is a tool used for browser forensics, specifically targeting Google Chrome. With Hindsight, access to the machine the browser is located on is not necessary: if you have copied/saved the "Default" folder from within the user's Chrome profile, you can point Hindsight at it.
Chrome Profile Locations:
Windows:
%LOCALAPPDATA%\Google\Chrome\User Data\
Mac:
~/Library/Application Support/Google/Chrome/
Linux:
~/.config/google-chrome/
To run a basic query with Hindsight, you can just run hindsight.exe from the command prompt and it will go after the current user's profile. To target a specific user, you will need to use the -i switch:
Example:
hindsight.exe -i "C:\Users\[User Profile]\AppData\Local\Google\Chrome\User Data\Default"
It should produce something like this:
Once completed, it will dump a spreadsheet by default into the directory you ran Hindsight from. You can change the output with the -o switch (Choices: SQLite and JSON).
The spreadsheet has multiple categories, including time spent on the specific website! Here is a screenshot I pulled from one of my test profiles:
Hindsight will also include all cookies found, but keep in mind that Chrome recently began encrypting cookies, and without the user's Windows logon password you will not be able to view portions of the cookie. See here:
Here are cookies that are not encrypted:
However, there are tools being built to get around this. I have not tried this one yet, but I am not sure it will work with the newer versions of Chrome, as the older ones used one specific encryption instead of a unique, machine-based key:
http://stackoverflow.com/questions/21496209/cookie-issue-with-chrome-33-beta
Hindsight download:
https://github.com/obsidianforensics/hindsight
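To see where the visit times and time-on-site values in a copied "Default" folder come from, here is an added example (not Hindsight's code and not from the original post) that reads the profile's History SQLite database and converts Chrome's timestamps. It assumes Chrome's `urls` and `visits` tables with the columns shown; the sample database is constructed so the script runs offline.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def visit_timeline(default_dir):
    """Return (utc_time, url, title, seconds_on_page) for each visit, oldest first."""
    db_uri = Path(default_dir, "History").resolve().as_uri() + "?mode=ro"
    # Open read-only so the copied evidence file is never modified.
    con = sqlite3.connect(db_uri, uri=True)
    try:
        rows = con.execute(
            "SELECT v.visit_time, u.url, u.title, v.visit_duration "
            "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
        ).fetchall()
    finally:
        con.close()
    # visit_duration is also in microseconds; report it in seconds.
    return [(webkit_to_utc(t), url, title, dur / 1_000_000)
            for t, url, title, dur in rows]

def build_sample_profile():
    """Constructed sample: a minimal History database holding two visits."""
    default_dir = tempfile.mkdtemp()
    con = sqlite3.connect(os.path.join(default_dir, "History"))
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example'),
                                (2, 'https://example.org/docs', 'Docs');
        INSERT INTO visits VALUES (1, 2, 13044853800000000, 12500000),
                                  (2, 1, 13044853500000000, 90000000);
    """)
    con.commit()
    con.close()
    return default_dir

if __name__ == "__main__":
    for when, url, title, secs in visit_timeline(build_sample_profile()):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {secs:7.1f}s  {url}  ({title})")
```

Pass `visit_timeline()` the path to a copied "Default" folder rather than a live profile, since a running Chrome keeps the History file locked.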