Cache objects not found in Chrome on macOS

[sidney]

I ran both hindsight_gui.py and the command line version hindsight.py to test this issue, with identical results.

Running from git master at commit 13b7a64 (when run, it announces v20201120) in macOS Catalina under Python 3.9.0 with target browser macOS Catalina Chrome Version 87.0.4280.141, it found 0 cache records.

I specified Input Path: /Users/sidney/Library/Application Support/Google/Chrome/Default and Cache Path: /Users/sidney/Library/Caches/Google/Chrome/Default/Cache/.

I ran hindsight_gui.py and entered the above paths in the browser GUI window, then clicked Run.
For the command line form of the test, I used the command

python hindsight.py -i "/Users/sidney/Library/Application Support/Google/Chrome/Default" -o ~/tmp/hindsight -b Chrome -l hindsight.log -c "/Users/sidney/Library/Caches/Google/Chrome/Default/Cache/" --temp_dir hindsight_tmp

Here are the first lines of Parsed Artifacts in the Results page in the GUI version

Detected Chrome version: | 87 | 
URL records: | 21068 | 
Download records: | 958 | 
Cache records: | 0 | 

The command line version output the same numbers.

I expected to get more than 0 cache records.

When I looked in hindsight.log I found (snipping out timestamps for brevity)

| I | Cache items from /Users/sidney/Library/Caches/Google/Chrome/Default/Cache/:
| E |  - Failed to parse index block file

Steps to reproduce:

1. In macOS Catalina (didn't try elsewhere) with Chrome version 87, run Chrome so there should be something in its cache.
2. Either run the hindsight.py command line as shown above, or follow the rest of these steps for the GUI version
3. Start up hindsght_gui from the command line using python 3.9.0
4. In a browser, go to http://localhost:8080/ to access the hindsight GUI
5. Enter /Users/YOURUSERNAME/Library/Application Support/Google/Chrome/Default in the Input Path box
6. Enter /Users/YOURUSERNAME/Library/Caches/Google/Chrome/Default/Cache in the Cache Path box
7. Click on the Run button

Expected results: more than 0 cache records found
Actual results: 0 cache records found, and hindsight.log shows an error Failed to parse index block file

[sidney]

The error message in the log file comes from an exception that is raised in the initialization of class CacheBlock in chrome.py when it fails to find a magic number in the file named index. The most recent version of Chrome for macOS that I found that used that format for Cache/index was Chrome version 69 from September, 2018. The next version I could test was version 72 from March 2019. That one and all versions since use a very different index format which has index being a small 24 byte file, and the actual cache index data being in a file in a subdirectory, Cache/index-dir/the-real-index

Some relevant links about the newer cache format
libyal/dtformats#10
https://www.programmersought.com/article/36261620192/

[obsidianforensics]

Hey there, thanks for the report! I've seen this "new" SimpleCache in Linux for a while, but hadn't seen it in macOS before. I'll open an issue here to track it, as if it's getting more prevalent, I need to prioritize getting it into Hindsight.

Thanks again.