Releases: obsidianforensics/hindsight
v2024.10
What's Changed
🚀 Features
- Add parsing of DIPS (Detect Incidental Party State) database by @obsidianforensics in #146
- Add parsing of IndexedDB records. Update included ccl_chrome_indexedd… by @obsidianforensics in #173
- Switch cache parsing code to use ccl_chromium_reader by @obsidianforensics in #182
🛠️ Minor Changes & Fixes
- Add executing a test query when opening databases to catch corrupt da… by @obsidianforensics in #153
- Upgrade protobuf>=4.23 in requirements.txt and regenerate site_data_p… by @obsidianforensics in #154
- In a URLItem, replace the url_id property with visit_id. Update outpu… by @obsidianforensics in #157
- Add try/except around urllib parsing. Modify the HSTS domain parsing … by @obsidianforensics in #163
- Update determine_version() to account for recent Chrome versions (up … by @obsidianforensics in #166
- Catch exception on edge case where `downloads` table is not present by @obsidianforensics in #167
- Add more exception handling to address issues raised in #169 by @obsidianforensics in #170
- Update DIPS parsing with new columns and `popups` table by @obsidianforensics in #171
- Fix sorting error when an item is missing tzinfo (and add warning) by @obsidianforensics in #172
- Fix TypeError by @ryneeverett in #174
- sqlite-view: 0.1.8 -> 0.2.0 by @ryneeverett in #175
- Correct inconsistent use of quotation marks in metadata attribute access in webbrowser.py by @notwhickey in #183
- Swap bundled ccl_chromium_indexeddb for newer version pulled from GitHub by @obsidianforensics in #184
- Clean up utils.py (replace deprecated `utcfromtimestamp` function, fi… by @obsidianforensics in #185
- Switch to ccl_chromium_reader from bundled ccl_* code for session sto… by @obsidianforensics in #186
- Up the max Chrome version to 129. Add `get_clean_hostnames` function … by @obsidianforensics in #187
- Switch to using `origin_url` column instead of `action_url`. Update t… by @obsidianforensics in #190
- Updates for v2024.10 by @obsidianforensics in #191
Other Changes
- Update social logos and contact info by @obsidianforensics in #164
- Adding Windows 11 default path and generic way to find profile under inputs_selector by @Jlcasado in #179
New Contributors
- @Jlcasado made their first contribution in #179
- @notwhickey made their first contribution in #183
Full Changelog: v2023.03...v2024.10
v2023.03
This is the first release in a while and it's a relatively minor one. It's mainly bug fixes and updating the version detection for Chrome versions that have come out since the last release. I hope to have time to work on a more substantial update in the future, but for now, here's v2023.03!
What's Changed
🛠️ Minor Changes & Fixes
- Add Session Storage records to SQLite output by @obsidianforensics in #119
- Update built list of HSTS `host` hashes to include domains from cookies by @obsidianforensics in #121
- Fix some packaging issues (line endings, including lib files, other small fixes) by @obsidianforensics in #122
- Fix bug where when a version rollback occurs more than once, it doesn… by @obsidianforensics in #138
- Fixes issue 125, where failing to decode an extension manifest caused… by @obsidianforensics in #139
Other Changes
- Account for relocated files in newer Chrome versions (97-100) by @obsidianforensics in #124
- Update README.md by @obsidianforensics in #132
- Update version detection to include Chrome 101-111 by @obsidianforensics in #140
- Update Hindsight version prior to release and remove Unfurl plugin (u… by @obsidianforensics in #142
Full Changelog: v2021.12...v2023.03
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.
v2021.12
What's Changed
🚀 Features
- Support for Chrome 91-96 by @obsidianforensics in #107, #117
- Add parsing of TransportSecurity file (HSTS settings).
- Add parsing of Session Storage #102
- Adds new "Site Setting" record type, which includes settings and preferences that are site-specific, including zoom, mute, hsts, engagement, and potentially more. #100
- More parsing of Preference items: network_prediction_options, password_manager, sessions.event_log, and sync settings. #101
🛠️ Minor Changes & Fixes
- Fix for case with missing Brave version by @cteodor in #99
- Update embedded ccl_chromium_indexeddb by @obsidianforensics in #102
- Timestamp sorting bug caused by incorrectly interpreting microsecond timestamps by @obsidianforensics in #103
- When searching for Profiles, don't follow symlinks (reports of loops,… by @obsidianforensics in #104
- Add try/except around reading Session Storage records in case of Leve… by @obsidianforensics in #106
- Two small quality of life improvements by @kumavis in #111
- chmod +x hindsight_gui.py by @kumavis in #112
- Report analysis session error by @kumavis in #113
- Add support for new Network subdirectory and files moved within it by @obsidianforensics in #116
Full Changelog: v2021.04.26...v2021.12
New Contributors
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.
Hindsight 2021.04.26
The 2021.04.26 release of Hindsight is here! Check out the blog post or read on for details on the changes:
🚀 Features
- Parse "Site Characteristics Database" LevelDB @obsidianforensics (#73)
- Add plugin to run Unfurl across Local Storage values @obsidianforensics (#77)
- Add support for Chrome 88 - 90 (#72, #79)
🛠️ Minor Changes & Fixes
- Update Chrome Extensions parser to work on updated artifact types. @obsidianforensics (#82)
- Added additional download interrupt_reason codes. Minor style fixes. @obsidianforensics (#81)
- Add more exception handling around LevelDB records in case of corruption @obsidianforensics (#78)
- Add check to ensure duration values in Media History are plausible @obsidianforensics (#75)
- Fix bug in per_host_zoom_levels parsing @obsidianforensics (#74)
- If autofill values are encrypted (as Edge's are), replace the encrypted bytes with a placeholder @obsidianforensics (#70)
- Add new visit_source values to Update chrome.py @chadtilbury (#68)
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.
Hindsight 2021.01.16
The 2021.01.16 release of Hindsight adds some new features, including improved LevelDB parsing (including deleted!), viewing Hindsight results in the web UI, and more! Blog post with more info.
Details:
- Switch to using CCL Forensics' LevelDB parsing code; makes parsing use fewer dependencies & allows recovery of some deleted records
- Add ability to view results of parsing in the Hindsight web UI, using a SQL-like interface
- Add parsing of new `Media History` database
- Add support for Chrome 84 - 87
- Parse additional login items using the `stats` table
- Improve Bookmarks parsing to include synced bookmarks
- Add flag (enabled by default) for copying SQLite databases to a temp directory before opening them
- Change default logging & output directories to be the current working directory
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or by downloading/cloning the GitHub repo.
EDIT: Windows Defender has been flagging the EXEs as malware, presumably because they were packaged with PyInstaller. The Python script versions are not being flagged. If you'd like to build the EXEs from the Python code yourself, all I did was: `pyinstaller --distpath .\dist .\spec\hindsight.spec` from the root of the repo.
Hindsight v20200607
Hindsight v20200607 is the first Python 3 release. This involved lots of code refactoring and clean-up. Things should generally run better and faster. It also includes support for the newest versions of Chrome and other small fixes.
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.
Hindsight v2.4.0
Hindsight v2.4.0 adds JSONL output, support for the newest versions of Chrome, and other small fixes.
- Supports Chrome versions 1 - 76
- Adds JSONL output format, which is compatible with Timesketch. The field names in this output type are aligned with Plaso/Timesketch (other output formats remain unchanged).
- Parses other Chrome files, even if History file is absent (as in the case of Time Machine backups)
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.
Hindsight v2.3.0
Hindsight v2.3.0 adds input path searching, support for newer versions of Chrome, and minor fixes.
- Supports Chrome versions 1 - 73
- The --input (-i) parameter now searches for all Chrome profiles at or below the given path. Pointing -i to the "Default" directory will still work as before, but now if you specify a directory higher up the hierarchy (C:\Users for example) Hindsight will search and parse all profiles contained inside that directory.
- Parsing of the LevelDB section of Local Storage.
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.
Hindsight v2.2.0
Hindsight v2.2.0 adds parsing of more preference items and support for newer versions of Chrome.
- Support for Chrome versions 1 - 66
- Preference items with timestamps now are in Timeline
- Improvements to logging
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by pip install pyhindsight or downloading/cloning the GitHub repo.
Hindsight v2.1.1
Hindsight v2.1.1 is a smaller update, mostly focused on making processing more robust.
- Support for Chrome versions 1 - 60
- Added more error checking / catching in the cache parsing section
- Updated Hindsight plugin search to better handle combinations of local plugins and the default plugins when installed via pip
Both the GUI and command line versions of this release are available as:
- compiled exes attached to this release or in the dist/ folder
- .py versions are available by `pip install pyhindsight` or downloading/cloning the GitHub repo.