
Added CrOS paths to help doc. Added version detection for up to v69. …

…Bumped Hindsight version to 2.2.1.
obsidianforensics committed Oct 1, 2018
1 parent 24024ea commit 2f4668b785fdf5a5c541c0cd86553ce2427a8002
Showing with 8 additions and 5 deletions.
  1. +2 −1 hindsight.py
  2. +1 −1 pyhindsight/__init__.py
  3. +5 −3 pyhindsight/browsers/chrome.py
@@ -41,11 +41,12 @@ def parse_arguments(analysis_session):
The Chrome data folder default locations are:
WinXP: <userdir>\Local Settings\Application Data\Google\Chrome
\User Data\Default\\
Vista/7/8: <userdir>\AppData\Local\Google\Chrome\User Data\Default\\
Vista/7/8/10: <userdir>\AppData\Local\Google\Chrome\User Data\Default\\
Linux: <userdir>/.config/google-chrome/Default/
OS X: <userdir>/Library/Application Support/Google/Chrome/Default/
iOS: \Applications\com.google.chrome.ios\Library\Application Support
\Google\Chrome\Default\\
Chromium OS: \home\user\<GUID>\\
'''
class MyParser(argparse.ArgumentParser):
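Review bot: The added `Chromium OS: \home\user\<GUID>\\` help line writes a path on a Linux-based system with backslashes, while the `Linux:` entry a few lines up uses forward slashes; `Chromium OS: /home/user/<GUID>/` would be consistent with it. The line also puts `\u` inside what appears to be a non-raw string literal (its opening quotes are outside the hunk). If this text is ever compiled as a unicode string (Python 3 or a `u'''` prefix), `\user` is a truncated `\uXXXX` escape and the module fails to import; the `\User Data` context lines carry the same risk. If the backslashes are intentional, writing them doubled (`\\home\\user\\<GUID>\\`) keeps the help text identical and removes the escape ambiguity.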
@@ -1,3 +1,3 @@
__author__ = "Ryan Benson"
__version__ = "2.2.0"
__version__ = "2.2.1"
__email__ = "ryan@obsidianforensics.com"
@@ -88,7 +88,7 @@ def determine_version(self):
Based on research I did to create "The Evolution of Chrome Databases Reference Chart"
(http://www.obsidianforensics.com/blog/evolution-of-chrome-databases-chart/)
"""
possible_versions = range(1, 67)
possible_versions = range(1, 70)
def trim_lesser_versions_if(column, table, version):
"""Remove version numbers < 'version' from 'possible_versions' if 'column' isn't in 'table', and keep
@@ -119,6 +119,7 @@ def trim_lesser_versions(version):
log.debug(" - Starting possible versions: {}".format(possible_versions))
if 'visits' in self.structure['History'].keys():
trim_lesser_versions_if('visit_duration', self.structure['History']['visits'], 20)
trim_lesser_versions_if('incremented_omnibox_typed_score', self.structure['History']['visits'], 68)
if 'visit_source' in self.structure['History'].keys():
trim_lesser_versions_if('source', self.structure['History']['visit_source'], 7)
if 'downloads' in self.structure['History'].keys():
@@ -156,6 +157,7 @@ def trim_lesser_versions(version):
trim_lesser_versions_if('validity_bitfield', self.structure['Web Data']['autofill_profiles'], 63)
if 'autofill_sync_metadata' in self.structure['Web Data'].keys():
trim_lesser_versions(57)
trim_lesser_versions_if('model_type', self.structure['Web Data']['autofill_sync_metadata'], 69)
if 'web_apps' not in self.structure['Web Data'].keys():
trim_lesser_versions(38)
if 'credit_cards' in self.structure['Web Data'].keys():
@@ -1740,8 +1742,8 @@ def process(self):
# Workaround to cap the version at 65 for Extension Cookies, as until that
# point it has the same database format as Cookies
ext_cookies_version = self.version
if min(self.version) > 65:
ext_cookies_version.insert(0, 65)
# if min(self.version) > 65:
# ext_cookies_version.insert(0, 65)
self.get_cookies(self.profile_path, 'Extension Cookies', ext_cookies_version)
self.artifacts_display['Extension Cookies'] = "Extension Cookie records"
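Review bot: In the last hunk, inside `process`, the comment still describes a workaround that caps Extension Cookies at version 65, but the two lines that applied the cap are now commented out, so comment and code disagree. The +/- markers are lost in this rendering; the commented pair appears to be the new side, which matches the +5 −3 count for this file. `ext_cookies_version = self.version` is now only an alias, and `get_cookies` receives the full detected version list. In a forensic parser the note about which database layout is assumed should match what runs, so either delete the dead lines and replace the comment with the reason the cap was dropped, e.g. `# v65 cap removed: <reason>`, or, if the cap is still needed, apply it to a copy such as `ext_cookies_version = [65] + list(self.version)` so that `self.version` is not modified through the alias. The body of `process` begins and ends outside the hunk.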
