search

obsidianforensics / hindsight

Web browser forensics for Google Chrome/Chromium
https://dfir.blog/hindsight/
Apache License 2.0
1.09k stars 145 forks source link

Crashes after run : KeyError('2401') #196

Open demireng opened 5 hours ago

demireng commented 5 hours ago

Describe the problem I am having an error while trying to run the tool.

Screenshots or Console Output Traceback (most recent call last): File "/Users/johndoe2/Downloads/hindsight-main/myenv/lib/python3.13/site-packages/bottle.py", line 995, in _handle out = route.call(*args) File "/Users/johndoe2/Downloads/hindsight-main/myenv/lib/python3.13/site-packages/bottle.py", line 2025, in wrapper rv = callback(a, **ka) File "/Users/johndoe2/Downloads/hindsight-main/hindsight_gui.py", line 170, in do_run run_status = analysis_session.run() File "/Users/johndoe2/Downloads/hindsight-main/pyhindsight/analysis.py", line 527, in run browser_analysis.process()


  File "/Users/johndoe2/Downloads/hindsight-main/pyhindsight/browsers/chrome.py", line 2544, in process
    self.get_file_system(self.profile_path, 'File System')
    ~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/Users/johndoe2/Downloads/hindsight-main/pyhindsight/browsers/chrome.py", line 2165, in get_file_system
    path_nodes[path_nodes[entry_id].get('parent')]['children'][entry_id] = path_nodes[entry_id]
    ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
KeyError: '2401'

**To Reproduce**
Everytime I run the tool, getting same error.

**hindsight.log Snippet**
[error.log](https://github.com/user-attachments/files/17970482/error.log)

**System Details**
 - Analysis System OS (your forensic workstation): MacOS Ventura 13.6.7
 - Method of Running Hindsight: both hindsight.py and hindsgiht_gui using Python 3.13.0 on macOS
 - Hindsight version: Latest one (main repo)
 - Target System OS: (the OS you pulled the browser files from): MacOS Ventura 13.6.7
 - Target Browser: Official last Intel based Chrome version. 
 - Target Browser Version: Latest one.

**Additional context**
I am having this error, my old sessions/history were and trying to recover them. (both history is deleted, and my sessions were stored in a leveldb db In an extension, which is now gone as well.)

I am trying to recover my last 1 year of work. probably, due to the not enough storage, the databases deleted themselves. 

Could you help me to fix the problem ? Thanks
obsidianforensics commented 2 hours ago

Hey there, thanks for reporting the issue. It looks like there's something going on when parsing the File System artifact; the other parts were able to be parsed and return at least some data. If what you are most interested in is History and some data stored in an extension, for a quick work around you can have Hindsight skip parsing the File System directory. You could do this in a few ways:

  1. Copy all the files in the Chrome profile somewhere else, delete the File System folder in the copy, and run Hindsight against the copy.
  2. Rename the actual File System directory in the Chrome profile (to anything else is fine, like _File System; Hindsight will only try to parse it if it's named File System exactly.

I'll take a look at the File System parsing code and make it more robust, so it won't crash Hindsight at least, but I can't provide an ETA on that.

Good luck, and I'm happy to answer other questions if I can.