Analyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
cybersecurity
digital-forensics
browser-forensics
hindsight
chrome-forensics
chromium
edge
browsing-history
cookies
downloads
cache
web-artifacts
1.0
mahipal
MIT
Analyzing Browser Forensics with Hindsight
Overview
Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
Prerequisites
Python 3.8+ with Hindsight installed (pip install pyhindsight)
Access to browser profile directories from forensic image
Browser profile data (not encrypted with OS-level encryption)
Timeline Explorer or spreadsheet application for analysis
# Basic analysis of a Chrome profile
hindsight.exe -i "C:\Evidence\Users\suspect\AppData\Local\Google\Chrome\User Data\Default" -o C:\Output\chrome_analysis
# Specify browser type
hindsight.exe -i "/path/to/profile" -o /output/analysis -b Chrome
# JSON output format
hindsight.exe -i "C:\Evidence\Chrome\Default" -o C:\Output\chrome --format jsonl
# With cache parsing (slower but more complete)
hindsight.exe -i "C:\Evidence\Chrome\Default" -o C:\Output\chrome --cache
Web UI
# Start Hindsight web interface
hindsight_gui.exe
# Navigate to http://localhost:8080# Upload or point to browser profile directory# Configure output format and analysis options# Generate and download report
importsqlite3importosimportjsonimportsysfromdatetimeimportdatetime,timedeltaCHROME_EPOCH=datetime(1601,1,1)defchrome_time_to_datetime(chrome_ts:int):"""Convert Chrome timestamp to datetime."""ifchrome_ts==0:returnNonetry:returnCHROME_EPOCH+timedelta(microseconds=chrome_ts)except(OverflowError,OSError):returnNonedefanalyze_chrome_history(profile_path:str,output_dir:str)->dict:"""Analyze Chrome History database for forensic evidence."""history_db=os.path.join(profile_path,"History")ifnotos.path.exists(history_db):return{"error":"History database not found"}os.makedirs(output_dir,exist_ok=True)conn=sqlite3.connect(f"file:{history_db}?mode=ro",uri=True)# URL visits with timestampscursor=conn.cursor()cursor.execute("""
SELECT u.url, u.title, v.visit_time, u.visit_count,
v.transition & 0xFF as transition_type
FROM visits v JOIN urls u ON v.url = u.id
ORDER BY v.visit_time DESC LIMIT 5000
""")visits=[{"url":r[0],"title":r[1],"visit_time":str(chrome_time_to_datetime(r[2])),"total_visits":r[3],"transition":r[4]}forrincursor.fetchall()]# Downloadscursor.execute("""
SELECT target_path, tab_url, start_time, end_time,
received_bytes, total_bytes, mime_type, state
FROM downloads ORDER BY start_time DESC LIMIT 1000
""")downloads=[{"path":r[0],"source_url":r[1],"start_time":str(chrome_time_to_datetime(r[2])),"end_time":str(chrome_time_to_datetime(r[3])),"received_bytes":r[4],"total_bytes":r[5],"mime_type":r[6],"state":r[7]}forrincursor.fetchall()]# Keyword searchescursor.execute("""
SELECT k.term, u.url, k.url_id
FROM keyword_search_terms k JOIN urls u ON k.url_id = u.id
ORDER BY u.last_visit_time DESC LIMIT 1000
""")searches=[{"term":r[0],"url":r[1]}forrincursor.fetchall()]conn.close()report={"analysis_timestamp":datetime.now().isoformat(),"profile_path":profile_path,"total_visits":len(visits),"total_downloads":len(downloads),"total_searches":len(searches),"visits":visits,"downloads":downloads,"searches":searches}report_path=os.path.join(output_dir,"browser_forensics.json")withopen(report_path,"w")asf:json.dump(report,f,indent=2)returnreportdefmain():iflen(sys.argv)<3:print("Usage: python process.py <chrome_profile_path> <output_dir>")sys.exit(1)analyze_chrome_history(sys.argv[1],sys.argv[2])if__name__=="__main__":main()