From 9263111b90c9080fcdf28206950dd2ffef0527e6 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Wed, 29 Mar 2023 16:20:32 -0700
Subject: [PATCH] Update Hindsight version prior to release and remove Unfurl plugin (until slowness issue can be fixed).
---
 pyhindsight/__init__.py | 2 +-
 pyhindsight/plugins/__init__.py | 2 +-
 pyhindsight/plugins/unfurl_interpretation.py | 93 --------------------
 pyhindsight/templates/inputs_selector.tpl | 2 +-
 requirements.txt | 5 +-
 spec/file_version_info_cmd.txt | 10 +--
 spec/file_version_info_gui.txt | 10 +--
 7 files changed, 15 insertions(+), 109 deletions(-)
 delete mode 100644 pyhindsight/plugins/unfurl_interpretation.py
diff --git a/pyhindsight/__init__.py b/pyhindsight/__init__.py
index d8f558e..c06138e 100644
--- a/pyhindsight/__init__.py
+++ b/pyhindsight/__init__.py
@@ -1,3 +1,3 @@
 __author__ = "Ryan Benson"
-__version__ = "2021.12"
+__version__ = "2023.03"
 __email__ = "ryan@dfir.blog"
diff --git a/pyhindsight/plugins/__init__.py b/pyhindsight/plugins/__init__.py
index 5e1862e..4d97aa0 100644
--- a/pyhindsight/plugins/__init__.py
+++ b/pyhindsight/plugins/__init__.py
@@ -1,3 +1,3 @@
 __all__ = ['chrome_extensions', 'generic_timestamps', 'google_analytics', 'google_searches', 'load_balancer_cookies', 'quantcast_cookies',
- 'query_string_parser', 'time_discrepancy_finder', 'unfurl_interpretation']
+ 'query_string_parser', 'time_discrepancy_finder']
diff --git a/pyhindsight/plugins/unfurl_interpretation.py b/pyhindsight/plugins/unfurl_interpretation.py
deleted file mode 100644
index d5bdc5f..0000000
--- a/pyhindsight/plugins/unfurl_interpretation.py
+++ /dev/null
@@ -1,93 +0,0 @@
-###################################################################################################
- #
- # unfurl_interpretation.py
- # Run storage values through Unfurl to (hopefully) make some more clear.
- #
- # Plugin Author: Ryan Benson (ryan@dfir.blog)
- #
- ###################################################################################################
-
- from unfurl import core
- import unfurl
- import logging
- # Disable most Unfurl logs, as we're about to shove a lot of garbage at it
- # and don't want to swamp the Hindsight log.
- try:
- unfurl.log.setLevel(logging.CRITICAL)
- except Exception:
- pass
-
- # Config
- friendlyName = "Unfurl"
- description = "Run storage values through Unfurl"
- artifactTypes = ["local storage", "session storage"] # Artifacts that this plugin processes
- remoteLookups = 1 # if this plugin will query online sources/databases
- browser = "Chrome" # browsers that the plugin applies to
- browserVersion = 1 # browser versions that the plugin applies to
- version = "20210424" # version of the plugin (use the date)
- parsedItems = 0 # count of items that the plugin parsed; initialized to 0
-
-
- def plugin(target_browser):
-
- # Setting up our return variable
- global parsedItems
- parsedItems = 0
-
- for item in target_browser.parsed_storage:
- # If the item isn't of a type we want to parse, go to the next one.
- if item.row_type not in artifactTypes:
- continue
-
- # Otherwise, try to parse the item's value with Unfurl
- try:
- u = core.Unfurl()
- u.add_to_queue(data_type='url', key=None, value=item.value)
- u.parse_queue()
- u_json = u.generate_json()
-
- # Many varieties of exceptions are expected here, as we're shoving
- # all kinds of data into Unfurl, many of types it isn't designed
- # to handle. That's fine; keep moving.
- except:
- continue
-
- # Case where Unfurl was not able to parse anything meaningful from input
- if u_json['summary'] == {}:
- continue
-
- # Case where the Unfurl graph is just two nodes; first is just the input again.
- # Display the second as the interpretation in a more compact form.
- if len(u_json['nodes']) == 2:
- item.interpretation = f"{u_json['nodes'][1]['label']}"
-
- # Try to get a description of the transform Unfurl did
- desc = u_json['nodes'][1].get('title', None)
- if not desc:
- desc = u_json['edges'][0].get('title', None)
- if desc:
- item.interpretation += f' ({desc})'
-
- item.interpretation += f' [Unfurl]'
-
- # Cases for UUIDs
- elif len(u_json['nodes']) == 3 and u_json['nodes'][2]['label'].startswith('Version 4 UUID'):
- item.interpretation = 'Value is a Version 4 UUID (randomly generated)'
-
- elif len(u_json['nodes']) == 3 and u_json['nodes'][2]['label'].startswith('Version 5 UUID'):
- item.interpretation = 'Value is a Version 5 UUID (generated based on a namespace and a name, ' \
- 'which are combined and hashed using SHA-1)'
-
- elif len(u_json['nodes']) == 6 and u_json['nodes'][2]['label'].startswith('Version 1 UUID'):
- item.interpretation = f"{u_json['nodes'][5]['label']} (Time Generated); " \
- f"{u_json['nodes'][4]['label']} (MAC address); " \
- f"Value is a Version 1 UUID (based on time and MAC address) [Unfurl]"
-
- # Lastly, the generic Unfurl case. Stick the whole "ASCII-art" tree into the Interpretation field.
- else:
- item.interpretation = f"{u.generate_text_tree()} \n[Unfurl]"
-
- parsedItems += 1
-
- # Return a count parsed items
- return f'{parsedItems} values parsed'
diff --git a/pyhindsight/templates/inputs_selector.tpl b/pyhindsight/templates/inputs_selector.tpl
index 9ee31a7..d037672 100644
--- a/pyhindsight/templates/inputs_selector.tpl
+++ b/pyhindsight/templates/inputs_selector.tpl
@@ -106,7 +106,7 @@ Default Locations:
-
+
diff --git a/requirements.txt b/requirements.txt
index 5702e08..4648fee 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -4,7 +4,6 @@ pycryptodome>=3.9.7
 pycryptodomex>=3.9.7
 xlsxwriter>=3.0.1
 bottle>=0.12.18
-setuptools==65.5.1
+setuptools>=65.5.1
 puremagic~=1.11
-argparse~=1.4.0
-dfir-unfurl
\ No newline at end of file
+argparse~=1.4.0
\ No newline at end of file
diff --git a/spec/file_version_info_cmd.txt b/spec/file_version_info_cmd.txt
index ce6a5cb..8851f59 100644
--- a/spec/file_version_info_cmd.txt
+++ b/spec/file_version_info_cmd.txt
@@ -6,8 +6,8 @@ VSVersionInfo(
 ffi=FixedFileInfo(
 # filevers and prodvers should be always a tuple with four items: (1, 2, 3, 4)
 # Set not needed items to zero 0.
- filevers=(2021, 12, 0, 0),
- prodvers=(2021, 12, 0, 0),
+ filevers=(2023, 3, 0, 0),
+ prodvers=(2023, 3, 0, 0),
 # Contains a bitmask that specifies the valid bits 'flags'r
 mask=0x0,
 # Contains a bitmask that specifies the Boolean attributes of the file.
@@ -33,10 +33,10 @@ VSVersionInfo(
 [StringStruct(u'Comments', u'Internet history forensics for Google Chrome/Chromium'),
 StringStruct(u'CompanyName', u'dfir.blog'),
 StringStruct(u'FileDescription', u'Hindsight'),
- StringStruct(u'LegalCopyright', u'Copyright© 2012 - 2021 Ryan Benson'),
+ StringStruct(u'LegalCopyright', u'Copyright© 2012 - 2023 Ryan Benson'),
 StringStruct(u'ProductName', u'Hindsight'),
- StringStruct(u'FileVersion', u'2021.12'),
- StringStruct(u'ProductVersion', u'2021.12'),
+ StringStruct(u'FileVersion', u'2023.03'),
+ StringStruct(u'ProductVersion', u'2023.03'),
 StringStruct(u'InternalName', u'Hindsight'),
 StringStruct(u'OriginalFilename', u'hindsight.exe')])
 ])
diff --git a/spec/file_version_info_gui.txt b/spec/file_version_info_gui.txt
index a24a41c..b8fcfe8 100644
--- a/spec/file_version_info_gui.txt
+++ b/spec/file_version_info_gui.txt
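Review bot: The new `setuptools>=65.5.1` line has no upper bound, so every fresh install and every PyInstaller build driven by the spec files in this same patch will pick up whatever setuptools release is current at build time, whereas the `==65.5.1` pin it replaces at least made builds reproducible and limited exposure to a future bad or compromised release. If the floor is there to keep a fixed version (65.5.1 presumably being a security floor — worth confirming against the history), keep it but bound the range, e.g. `setuptools>=65.5.1,<66`, or better, move all of these into a lock file installed with `pip install --require-hashes`. The `argparse~=1.4.0` line carried over to the new side is the PyPI backport of a module that ships in the standard library on every Python 3 release; the deleted plugin in this patch uses f-strings, so the project is already Python 3.6+, and the line only adds a third-party package that shadows stdlib `argparse` — it can be dropped. None of the surviving requirements carry hashes, so a malicious upload of any of them to PyPI reaches every install; hash-pinning addresses that for all six lines at once.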
@@ -6,8 +6,8 @@ VSVersionInfo(
 ffi=FixedFileInfo(
 # filevers and prodvers should be always a tuple with four items: (1, 2, 3, 4)
 # Set not needed items to zero 0.
- filevers=(2021, 12, 0, 0),
- prodvers=(2021, 12, 0, 0),
+ filevers=(2023, 3, 0, 0),
+ prodvers=(2023, 3, 0, 0),
 # Contains a bitmask that specifies the valid bits 'flags'r
 mask=0x0,
 # Contains a bitmask that specifies the Boolean attributes of the file.
@@ -33,10 +33,10 @@ VSVersionInfo(
 [StringStruct(u'Comments', u'Internet history forensics for Google Chrome/Chromium'),
 StringStruct(u'CompanyName', u'dfir.blog'),
 StringStruct(u'FileDescription', u'Hindsight'),
- StringStruct(u'LegalCopyright', u'Copyright© 2012 - 2021 Ryan Benson'),
+ StringStruct(u'LegalCopyright', u'Copyright© 2012 - 2023 Ryan Benson'),
 StringStruct(u'ProductName', u'Hindsight'),
- StringStruct(u'FileVersion', u'2021.12'),
- StringStruct(u'ProductVersion', u'2021.12'),
+ StringStruct(u'FileVersion', u'2023.03'),
+ StringStruct(u'ProductVersion', u'2023.03'),
 StringStruct(u'InternalName', u'Hindsight'),
 StringStruct(u'OriginalFilename', u'hindsight_gui.exe')])
 ])
Windows XP: \[userdir]\Local Settings\Application Data\Google\Chrome\User Data
Vista/7/8/10: \[userdir]\AppData\Local\Google\Chrome\User Data
Vista/7/8/10/11: \[userdir]\AppData\Local\Google\Chrome\User Data
Linux: \[userdir]/.config/google-chrome
OSX/macOS: \[userdir]/Library/Application Support/Google/Chrome/Default
iOS: \Applications\com.google.chrome.ios\Library\Application Support\Google\Chrome