Chrome forensics with Hindsight

Hindsight is an open source tool that parses a user’s Chrome browser data and lets you analyze several different types of web artifacts, including URLs, download history, cache records, bookmarks, preferences, browser extensions, HTTP cookies, and local storage logs in the form of cookies.

The tool is available from both GitHub and the Python Package Index (PyPI), which pip installs from:

https://github.com/obsidianforensics/hindsight

https://pypi.org/project/pyhindsight/

In this screenshot, we can see the latest version of this module:

We can install it with the pip install pyhindsight command.

Once we have installed the module, we can download the source code from the GitHub repository:

https://github.com/obsidianforensics/hindsight

We can execute it in two ways. The first is to use the hindsight.py script, and the second is to launch the hindsight_gui.py script, which provides a web interface for entering the location of the Chrome profile.

For execution with hindsight.py, the only mandatory parameter (-i, --input) is the location of the Chrome profile, which depends on the operating system:

These are the default locations of the Chrome profile that we need to know in order to set the input parameter:

The second way is to run "hindsight_gui.py" and visit http://localhost:8080 in a browser:

The only mandatory field is the profile path:

If we try to run the script while the Chrome browser process is still open, execution will be blocked, so we need to close the Chrome browser before running it.
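A pre-flight check can catch this before Hindsight is launched. The following is an added example, not part of Hindsight or of the original text; it assumes the block comes from locks held on the SQLite databases in the profile folder, and the file names in CANDIDATE_DBS and the function name locked_databases are assumptions made for illustration.

```python
import sqlite3
from contextlib import closing
from pathlib import Path

# Assumed names of SQLite databases commonly found in a Chrome profile folder.
CANDIDATE_DBS = ("History", "Cookies", "Web Data")


def locked_databases(profile_dir, names=CANDIDATE_DBS, timeout=0.5):
    """Return the names of profile databases that another process has locked.

    Raises FileNotFoundError when none of the expected files exist, which
    usually means the input path is not a Chrome profile folder.
    """
    profile = Path(profile_dir)
    present = [n for n in names if (profile / n).is_file()]
    if not present:
        raise FileNotFoundError(f"no Chrome databases found in {profile}")
    locked = []
    for name in present:
        # mode=ro opens the file read-only so the check never alters evidence.
        uri = (profile / name).resolve().as_uri() + "?mode=ro"
        try:
            with closing(sqlite3.connect(uri, uri=True, timeout=timeout)) as conn:
                conn.execute("SELECT count(*) FROM sqlite_master").fetchone()
        except sqlite3.OperationalError as exc:
            if "locked" not in str(exc).lower():
                raise  # a different failure, e.g. the file cannot be opened
            locked.append(name)
    return locked


if __name__ == "__main__":
    import tempfile
    # Constructed sample profile: one small "History" database.
    demo = Path(tempfile.mkdtemp())
    writer = sqlite3.connect(demo / "History", isolation_level=None)
    writer.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT)")
    print("no lock held:", locked_databases(demo))
    writer.execute("BEGIN EXCLUSIVE")  # simulate a process holding the lock
    print("lock held:   ", locked_databases(demo))
    writer.execute("COMMIT")
    writer.close()
```

An empty list means none of the databases found are locked, so the profile path can be passed to hindsight.py with -i.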

This is the error message when you try to execute the script with the Chrome process running:
