npx skills add mukul975/Anthropic-Cybersecurity-SkillsMITRE ATT&CK
Overview
Hindsight is an open-source browser forensics tool designed to parse artifacts from Google Chrome and other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi). It extracts and correlates data from multiple browser database files to create a unified timeline of web activity. Hindsight can parse URLs, download history, cache records, bookmarks, autofill records, saved passwords, preferences, browser extensions, HTTP cookies, Local Storage (HTML5 cookies), login data, and session/tab information. The tool produces chronological timelines in multiple output formats (XLSX, JSON, SQLite) that enable investigators to reconstruct user web activity for incident response, insider threat investigations, and criminal cases.
When to Use
- When investigating security incidents that require analyzing browser forensics with hindsight
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques
Prerequisites
- Python 3.8+ with Hindsight installed (
pip install pyhindsight) - Access to browser profile directories from forensic image
- Browser profile data (not encrypted with OS-level encryption)
- Timeline Explorer or spreadsheet application for analysis
Browser Profile Locations
| Browser | Windows Profile Path |
|---|---|
| Chrome | %LOCALAPPDATA%\Google\Chrome\User Data\Default\ |
| Edge | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\ |
| Brave | %LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Default\ |
| Opera | %APPDATA%\Opera Software\Opera Stable\ |
| Vivaldi | %LOCALAPPDATA%\Vivaldi\User Data\Default\ |
| Chrome (macOS) | ~/Library/Application Support/Google/Chrome/Default/ |
| Chrome (Linux) | ~/.config/google-chrome/Default/ |
Key Artifact Files
| File | Contents |
|---|---|
| History | URL visits, downloads, keyword searches |
| Cookies | HTTP cookies with domain, expiry, values |
| Web Data | Autofill entries, saved credit cards |
| Login Data | Saved usernames/passwords (encrypted) |
| Bookmarks | JSON bookmark tree |
| Preferences | Browser configuration and extensions |
| Local Storage/ | HTML5 Local Storage per domain |
| Session Storage/ | Session-specific storage per domain |
| Network Action Predictor | Previously typed URLs |
| Shortcuts | Omnibox shortcuts and predictions |
| Top Sites | Frequently visited sites |
Running Hindsight
Command Line
# Basic analysis of a Chrome profile
hindsight.exe -i "C:\Evidence\Users\suspect\AppData\Local\Google\Chrome\User Data\Default" -o C:\Output\chrome_analysis
# Specify browser type
hindsight.exe -i "/path/to/profile" -o /output/analysis -b Chrome
# JSON output format
hindsight.exe -i "C:\Evidence\Chrome\Default" -o C:\Output\chrome --format jsonl
# With cache parsing (slower but more complete)
hindsight.exe -i "C:\Evidence\Chrome\Default" -o C:\Output\chrome --cacheWeb UI
# Start Hindsight web interface
hindsight_gui.exe
# Navigate to http://localhost:8080
# Upload or point to browser profile directory
# Configure output format and analysis options
# Generate and download reportArtifact Analysis Details
URL History and Visits
-- Chrome History database schema (key tables)
-- urls table: id, url, title, visit_count, typed_count, last_visit_time
-- visits table: id, url, visit_time, from_visit, transition, segment_id
-- Timestamps are Chrome/WebKit format: microseconds since 1601-01-01
-- Convert: datetime((visit_time/1000000)-11644473600, 'unixepoch')Download History
-- downloads table: id, current_path, target_path, start_time, end_time,
-- received_bytes, total_bytes, state, danger_type, interrupt_reason,
-- url, referrer, tab_url, mime_type, original_mime_typeCookie Analysis
-- cookies table: creation_utc, host_key, name, value, encrypted_value,
-- path, expires_utc, is_secure, is_httponly, last_access_utc,
-- has_expires, is_persistent, priority, samesitePython Analysis Script
import sqlite3
import os
import json
import sys
from datetime import datetime, timedelta
CHROME_EPOCH = datetime(1601, 1, 1)
def chrome_time_to_datetime(chrome_ts: int):
"""Convert Chrome timestamp to datetime."""
if chrome_ts == 0:
return None
try:
return CHROME_EPOCH + timedelta(microseconds=chrome_ts)
except (OverflowError, OSError):
return None
def analyze_chrome_history(profile_path: str, output_dir: str) -> dict:
"""Analyze Chrome History database for forensic evidence."""
history_db = os.path.join(profile_path, "History")
if not os.path.exists(history_db):
return {"error": "History database not found"}
os.makedirs(output_dir, exist_ok=True)
conn = sqlite3.connect(f"file:{history_db}?mode=ro", uri=True)
# URL visits with timestamps
cursor = conn.cursor()
cursor.execute("""
SELECT u.url, u.title, v.visit_time, u.visit_count,
v.transition & 0xFF as transition_type
FROM visits v JOIN urls u ON v.url = u.id
ORDER BY v.visit_time DESC LIMIT 5000
""")
visits = [{
"url": r[0], "title": r[1],
"visit_time": str(chrome_time_to_datetime(r[2])),
"total_visits": r[3], "transition": r[4]
} for r in cursor.fetchall()]
# Downloads
cursor.execute("""
SELECT target_path, tab_url, start_time, end_time,
received_bytes, total_bytes, mime_type, state
FROM downloads ORDER BY start_time DESC LIMIT 1000
""")
downloads = [{
"path": r[0], "source_url": r[1],
"start_time": str(chrome_time_to_datetime(r[2])),
"end_time": str(chrome_time_to_datetime(r[3])),
"received_bytes": r[4], "total_bytes": r[5],
"mime_type": r[6], "state": r[7]
} for r in cursor.fetchall()]
# Keyword searches
cursor.execute("""
SELECT k.term, u.url, k.url_id
FROM keyword_search_terms k JOIN urls u ON k.url_id = u.id
ORDER BY u.last_visit_time DESC LIMIT 1000
""")
searches = [{"term": r[0], "url": r[1]} for r in cursor.fetchall()]
conn.close()
report = {
"analysis_timestamp": datetime.now().isoformat(),
"profile_path": profile_path,
"total_visits": len(visits),
"total_downloads": len(downloads),
"total_searches": len(searches),
"visits": visits,
"downloads": downloads,
"searches": searches
}
report_path = os.path.join(output_dir, "browser_forensics.json")
with open(report_path, "w") as f:
json.dump(report, f, indent=2)
return report
def main():
if len(sys.argv) < 3:
print("Usage: python process.py <chrome_profile_path> <output_dir>")
sys.exit(1)
analyze_chrome_history(sys.argv[1], sys.argv[2])
if __name__ == "__main__":
main()References
- Hindsight GitHub: https://github.com/obsidianforensics/hindsight
- Chrome Forensics Guide: https://allenace.medium.com/hindsight-chrome-forensics-made-simple-425db99fa5ed
- Browser Forensics Tools: https://www.cyberforensicacademy.com/blog/browser-forensics-tools-how-to-extract-user-activity
- Chromium Source (History): https://source.chromium.org/chromium/chromium/src/+/main:components/history/
Example Output
$ python hindsight.py -i /evidence/chrome-profile -o /analysis/hindsight_output
Hindsight v2024.01 - Chrome/Chromium Browser Forensic Analysis
================================================================
Profile: /evidence/chrome-profile (Chrome 120.0.6099.130)
OS: Windows 10
[+] Parsing History database...
URL records: 12,456
Download records: 234
Search terms: 567
[+] Parsing Cookies database...
Cookie records: 8,923
Encrypted cookies: 6,712
[+] Parsing Web Data (Autofill)...
Autofill entries: 1,234
Credit card entries: 2 (encrypted)
[+] Parsing Login Data...
Saved credentials: 45 (encrypted)
[+] Parsing Bookmarks...
Bookmark entries: 189
--- Browsing History (Last 10 Entries) ---
Timestamp (UTC) | URL | Title | Visit Count
2024-01-15 14:32:05.123 | https://mail.corporate.com/inbox | Corporate Mail | 45
2024-01-15 14:33:12.456 | https://drive.google.com/file/d/1aBcDe... | Q4_Financial_Report.xlsx | 1
2024-01-15 14:35:44.789 | https://mega.nz/folder/xYz123 | MEGA - Secure Cloud | 3
2024-01-15 14:36:01.234 | https://mega.nz/folder/xYz123#upload | MEGA - Upload | 8
2024-01-15 14:42:15.567 | https://pastebin.com/raw/kL9mN2pQ | Pastebin (raw) | 1
2024-01-15 15:01:33.890 | https://192.168.1.50:8443/admin | Admin Panel | 12
2024-01-15 15:15:22.111 | https://transfer.sh/upload | transfer.sh | 2
2024-01-15 15:30:45.222 | https://vpn-gateway.corporate.com | VPN Login | 5
2024-01-15 16:00:00.333 | https://whatismyipaddress.com | What Is My IP | 1
2024-01-15 16:05:12.444 | https://protonmail.com/inbox | ProtonMail | 3
--- Downloads (Suspicious) ---
Timestamp (UTC) | Filename | URL Source | Size
2024-01-15 14:33:15.000 | Q4_Financial_Report.xlsm | https://phish-domain.com/docs/report | 245 KB
2024-01-15 14:34:02.000 | update_client.exe | https://cdn.evil-updates.com/client.exe | 1.2 MB
--- Cookies (Session Tokens) ---
Domain | Name | Expires | Secure | HttpOnly
.corporate.com | SESSION_ID | 2024-01-16 14:32 | Yes | Yes
.mega.nz | session | Session | Yes | Yes
.protonmail.com | AUTH-TOKEN | 2024-02-15 00:00 | Yes | Yes
Report saved to: /analysis/hindsight_output/Hindsight_Report.xlsxReferences and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 3
api-reference.md2.7 KB
API Reference: Browser Forensics with Hindsight
Hindsight CLI
Syntax
hindsight.py -i <profile_path> # Analyze Chrome profile
hindsight.py -i <path> -o <output_dir> # Save results
hindsight.py -i <path> -f xlsx # Export as Excel
hindsight.py -i <path> -f sqlite # Export as SQLite
hindsight.py -i <path> -b <browser_type> # Specify browser typeBrowser Types
| Flag | Browser |
|---|---|
Chrome |
Google Chrome |
Edge |
Microsoft Edge (Chromium) |
Brave |
Brave Browser |
Opera |
Opera (Chromium) |
Output Artifacts
| Table | Description |
|---|---|
urls |
Browsing history with visit counts |
downloads |
File downloads with source URLs |
cookies |
Cookie values, domains, expiry |
autofill |
Form autofill entries |
bookmarks |
Saved bookmarks |
preferences |
Browser configuration |
local_storage |
Site local storage data |
login_data |
Saved credential metadata |
extensions |
Installed extensions with permissions |
Chrome SQLite Databases
History Database
-- Browsing history
SELECT u.url, u.title, v.visit_time, v.transition
FROM visits v JOIN urls u ON v.url = u.id
ORDER BY v.visit_time DESC;
-- Downloads
SELECT target_path, tab_url, total_bytes, start_time, danger_type, mime_type
FROM downloads ORDER BY start_time DESC;Cookies Database
SELECT host_key, name, value, creation_utc, expires_utc, is_secure, is_httponly
FROM cookies ORDER BY creation_utc DESC;Web Data Database (Autofill)
SELECT name, value, count, date_created, date_last_used
FROM autofill ORDER BY date_last_used DESC;Chrome Timestamp Conversion
Format
Microseconds since January 1, 1601 (Windows FILETIME base)
Python Conversion
import datetime
def chrome_to_datetime(chrome_time):
epoch = datetime.datetime(1601, 1, 1)
return epoch + datetime.timedelta(microseconds=chrome_time)Browser Profile Paths
| OS | Browser | Default Path |
|---|---|---|
| Windows | Chrome | %LOCALAPPDATA%\Google\Chrome\User Data\Default |
| Windows | Edge | %LOCALAPPDATA%\Microsoft\Edge\User Data\Default |
| Linux | Chrome | ~/.config/google-chrome/Default |
| macOS | Chrome | ~/Library/Application Support/Google/Chrome/Default |
Transition Types (visit_transition & 0xFF)
| Value | Type | Description |
|---|---|---|
| 0 | LINK | Clicked a link |
| 1 | TYPED | Typed URL in address bar |
| 2 | AUTO_BOOKMARK | Via bookmark |
| 3 | AUTO_SUBFRAME | Subframe navigation |
| 5 | GENERATED | Generated (e.g., search) |
| 7 | FORM_SUBMIT | Form submission |
| 8 | RELOAD | Page reload |
standards.md0.6 KB
Standards - Browser Forensics with Hindsight
Tools
- Hindsight: https://github.com/obsidianforensics/hindsight
- DB Browser for SQLite: Chrome database inspection
- ChromeCacheView (NirSoft): Cache analysis
Browser Databases
- History: URL visits, downloads, keyword searches
- Cookies: HTTP cookies per domain
- Web Data: Autofill, credit cards
- Login Data: Saved credentials (encrypted)
- Bookmarks: JSON bookmark tree
Timestamp Formats
- Chrome/WebKit: microseconds since 1601-01-01 UTC
- Firefox/Mozilla: microseconds since Unix epoch
- Safari/Mac: seconds since 2001-01-01 UTC
workflows.md0.4 KB
Workflows - Browser Forensics
Workflow: Chrome Profile Analysis
Locate browser profile directory
|
Run Hindsight against profile path
|
Review generated timeline (XLSX/JSON)
|
Analyze URL history for suspicious sites
|
Check downloads for malware/exfiltrated data
|
Review cookies for session hijacking evidence
|
Examine autofill and saved credentials
|
Correlate browser activity with system timelineScripts 2
agent.py9.7 KB
#!/usr/bin/env python3
"""Browser forensics analysis agent using Hindsight concepts.
Parses Chromium-based browser artifacts (Chrome, Edge, Brave) including
history, downloads, cookies, autofill, and extensions from SQLite databases.
"""
import os
import sys
import json
import sqlite3
import datetime
def chrome_time_to_datetime(chrome_time):
"""Convert Chrome timestamp (microseconds since 1601-01-01) to datetime."""
if not chrome_time or chrome_time == 0:
return None
try:
epoch = datetime.datetime(1601, 1, 1)
delta = datetime.timedelta(microseconds=chrome_time)
return (epoch + delta).isoformat() + "Z"
except (OverflowError, OSError):
return None
def find_browser_profiles(base_path=None):
"""Locate Chromium-based browser profile directories."""
if base_path and os.path.isdir(base_path):
return [base_path]
profiles = []
home = os.path.expanduser("~")
candidates = [
os.path.join(home, "AppData", "Local", "Google", "Chrome", "User Data", "Default"),
os.path.join(home, "AppData", "Local", "Microsoft", "Edge", "User Data", "Default"),
os.path.join(home, "AppData", "Local", "BraveSoftware", "Brave-Browser", "User Data", "Default"),
os.path.join(home, ".config", "google-chrome", "Default"),
os.path.join(home, ".config", "chromium", "Default"),
os.path.join(home, ".config", "microsoft-edge", "Default"),
]
for path in candidates:
if os.path.isdir(path):
profiles.append(path)
return profiles
def parse_history(profile_path):
"""Parse browsing history from History SQLite database."""
db_path = os.path.join(profile_path, "History")
if not os.path.exists(db_path):
return []
entries = []
try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("""
SELECT u.url, u.title, v.visit_time, v.transition, u.visit_count
FROM visits v JOIN urls u ON v.url = u.id
ORDER BY v.visit_time DESC LIMIT 5000
""")
for url, title, visit_time, transition, count in cursor.fetchall():
entries.append({
"url": url, "title": title or "",
"visit_time": chrome_time_to_datetime(visit_time),
"transition": transition & 0xFF,
"visit_count": count,
})
conn.close()
except sqlite3.Error as e:
entries.append({"error": str(e)})
return entries
def parse_downloads(profile_path):
"""Parse download history from History database."""
db_path = os.path.join(profile_path, "History")
if not os.path.exists(db_path):
return []
downloads = []
try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("""
SELECT target_path, tab_url, total_bytes, start_time, end_time,
danger_type, interrupt_reason, mime_type
FROM downloads ORDER BY start_time DESC LIMIT 1000
""")
for row in cursor.fetchall():
downloads.append({
"target_path": row[0], "source_url": row[1],
"total_bytes": row[2],
"start_time": chrome_time_to_datetime(row[3]),
"end_time": chrome_time_to_datetime(row[4]),
"danger_type": row[5], "interrupt_reason": row[6],
"mime_type": row[7],
})
conn.close()
except sqlite3.Error as e:
downloads.append({"error": str(e)})
return downloads
def parse_cookies(profile_path):
"""Parse cookies from Cookies database."""
db_path = os.path.join(profile_path, "Cookies")
if not os.path.exists(db_path):
db_path = os.path.join(profile_path, "Network", "Cookies")
if not os.path.exists(db_path):
return []
cookies = []
try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("""
SELECT host_key, name, path, creation_utc, expires_utc,
is_secure, is_httponly, samesite
FROM cookies ORDER BY creation_utc DESC LIMIT 2000
""")
for row in cursor.fetchall():
cookies.append({
"host": row[0], "name": row[1], "path": row[2],
"created": chrome_time_to_datetime(row[3]),
"expires": chrome_time_to_datetime(row[4]),
"secure": bool(row[5]), "httponly": bool(row[6]),
"samesite": row[7],
})
conn.close()
except sqlite3.Error as e:
cookies.append({"error": str(e)})
return cookies
def parse_autofill(profile_path):
"""Parse autofill data from Web Data database."""
db_path = os.path.join(profile_path, "Web Data")
if not os.path.exists(db_path):
return []
entries = []
try:
conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
cursor = conn.cursor()
cursor.execute("""
SELECT name, value, count, date_created, date_last_used
FROM autofill ORDER BY date_last_used DESC LIMIT 500
""")
for row in cursor.fetchall():
entries.append({
"field_name": row[0], "value": row[1][:50] + "..." if len(row[1]) > 50 else row[1],
"usage_count": row[2],
"created": chrome_time_to_datetime(row[3] * 1000000 if row[3] else 0),
"last_used": chrome_time_to_datetime(row[4] * 1000000 if row[4] else 0),
})
conn.close()
except sqlite3.Error as e:
entries.append({"error": str(e)})
return entries
def parse_extensions(profile_path):
"""Parse installed browser extensions."""
ext_dir = os.path.join(profile_path, "Extensions")
extensions = []
if not os.path.isdir(ext_dir):
return extensions
for ext_id in os.listdir(ext_dir):
ext_path = os.path.join(ext_dir, ext_id)
if os.path.isdir(ext_path):
versions = sorted(os.listdir(ext_path))
manifest_path = os.path.join(ext_path, versions[-1], "manifest.json") if versions else None
name = ext_id
if manifest_path and os.path.exists(manifest_path):
try:
with open(manifest_path, "r", encoding="utf-8") as f:
manifest = json.load(f)
name = manifest.get("name", ext_id)
extensions.append({
"id": ext_id, "name": name,
"version": manifest.get("version", "?"),
"permissions": manifest.get("permissions", [])[:10],
})
except (json.JSONDecodeError, IOError):
extensions.append({"id": ext_id, "name": name, "version": "unknown"})
return extensions
def detect_suspicious_activity(history, downloads):
"""Flag suspicious browsing and download patterns."""
findings = []
suspicious_domains = ["pastebin.com", "ngrok.io", "raw.githubusercontent.com",
"transfer.sh", "file.io", "temp.sh", "anonfiles.com"]
for entry in history:
url = entry.get("url", "").lower()
for domain in suspicious_domains:
if domain in url:
findings.append({
"type": "suspicious_url", "url": entry["url"],
"domain": domain, "time": entry.get("visit_time"),
})
dangerous_mimes = ["application/x-msdownload", "application/x-msdos-program",
"application/x-executable", "application/vnd.ms-excel.sheet.macroEnabled"]
for dl in downloads:
if dl.get("danger_type", 0) > 0:
findings.append({
"type": "dangerous_download", "path": dl.get("target_path"),
"source": dl.get("source_url"), "danger_type": dl.get("danger_type"),
})
if dl.get("mime_type", "") in dangerous_mimes:
findings.append({
"type": "suspicious_mime", "mime": dl.get("mime_type"),
"path": dl.get("target_path"),
})
return findings
if __name__ == "__main__":
print("=" * 60)
print("Browser Forensics Analysis Agent")
print("Chromium history, downloads, cookies, extensions")
print("=" * 60)
target = sys.argv[1] if len(sys.argv) > 1 else None
profiles = find_browser_profiles(target)
if not profiles:
print("\n[!] No browser profiles found.")
print("[DEMO] Usage: python agent.py <profile_path>")
print(" e.g. python agent.py ~/AppData/Local/Google/Chrome/User\\ Data/Default")
sys.exit(0)
for profile in profiles:
print(f"\n[*] Profile: {profile}")
history = parse_history(profile)
print(f" History entries: {len(history)}")
for h in history[:5]:
print(f" {h.get('visit_time', '?')} | {h.get('title', '')[:50]} | {h.get('url', '')[:60]}")
downloads = parse_downloads(profile)
print(f" Downloads: {len(downloads)}")
for d in downloads[:5]:
print(f" {d.get('start_time', '?')} | {d.get('mime_type', '?')} | {os.path.basename(d.get('target_path', ''))}")
cookies = parse_cookies(profile)
print(f" Cookies: {len(cookies)}")
extensions = parse_extensions(profile)
print(f" Extensions: {len(extensions)}")
for ext in extensions[:5]:
print(f" {ext.get('name', '?')} v{ext.get('version', '?')} [{ext.get('id', '')[:20]}]")
findings = detect_suspicious_activity(history, downloads)
print(f"\n --- Suspicious Activity: {len(findings)} findings ---")
for f in findings[:10]:
print(f" [{f['type']}] {f.get('url', f.get('path', ''))}")
process.py1.6 KB
#!/usr/bin/env python3
"""Browser Forensics Analyzer - Parses Chrome History SQLite for investigation."""
import sqlite3, json, os, sys
from datetime import datetime, timedelta
CHROME_EPOCH = datetime(1601, 1, 1)
def chrome_ts(ts):
if not ts: return None
try: return str(CHROME_EPOCH + timedelta(microseconds=ts))
except: return None
def analyze_chrome(profile: str, output_dir: str) -> str:
os.makedirs(output_dir, exist_ok=True)
history_db = os.path.join(profile, "History")
conn = sqlite3.connect(f"file:{history_db}?mode=ro", uri=True)
c = conn.cursor()
c.execute("SELECT u.url, u.title, v.visit_time, u.visit_count FROM visits v JOIN urls u ON v.url=u.id ORDER BY v.visit_time DESC LIMIT 2000")
visits = [{"url": r[0], "title": r[1], "time": chrome_ts(r[2]), "count": r[3]} for r in c.fetchall()]
c.execute("SELECT target_path, tab_url, start_time, total_bytes, mime_type FROM downloads ORDER BY start_time DESC LIMIT 500")
downloads = [{"path": r[0], "url": r[1], "time": chrome_ts(r[2]), "size": r[3], "mime": r[4]} for r in c.fetchall()]
conn.close()
report = {"visits": len(visits), "downloads": len(downloads), "visit_data": visits, "download_data": downloads}
out = os.path.join(output_dir, "browser_forensics.json")
with open(out, "w") as f: json.dump(report, f, indent=2)
print(f"[*] Visits: {len(visits)}, Downloads: {len(downloads)}")
return out
if __name__ == "__main__":
if len(sys.argv) < 3: print("Usage: process.py <chrome_profile> <output>"); sys.exit(1)
analyze_chrome(sys.argv[1], sys.argv[2])