Automating Hindsight Collection via CrowdStrike Fusion SOAR
Comprehensive documentation of the CrowdStrike Fusion SOAR workflow for Hindsight browser forensics collection.
Collecting browser history is a standard but time-consuming step in incident response. This project, Project Hindsight, streamlines this by orchestrating the execution of Hindsight and artifact retrieval via CrowdStrike Fusion SOAR.
Why Hindsight?
Hindsight is a powerful open-source browser forensics tool developed by Obsidian Forensics that parses Chromium-based browser artifacts. It’s particularly valuable for incident response because it can extract and correlate data that traditional forensic tools often miss.
Key Capabilities:
- Comprehensive artifact parsing - Extracts browsing history, downloads, cookies, cache records, bookmarks, autofill data, saved passwords, preferences, and extensions
- Timeline reconstruction - Correlates timestamps across artifact types to build a unified browsing timeline
- Multiple output formats - Exports to XLSX (Excel), SQLite, or JSONL for flexible downstream analysis
- Chromium-wide support - Works with Google Chrome, Microsoft Edge, Brave, Opera, and other Chromium-based browsers
- Locked file handling - Can parse browser databases even while the browser is running (using volume shadow copies or direct parsing)
Why This Matters for DFIR:
Browser artifacts are often critical evidence in investigations involving phishing, credential theft, unauthorized access, and data exfiltration. Traditional collection methods require manual RTR sessions, which don’t scale when you need to collect from multiple endpoints quickly. This automation reduces collection time from manual work per endpoint to a single workflow trigger.
Prerequisites and Permissions
Before implementing this workflow, ensure the following CrowdStrike roles and resources are in place.
Required Falcon Roles:
| Role | Purpose |
|---|---|
| RTR Administrator | Create and manage RTR scripts in the Response Scripts library |
| Workflow Author | Create and configure Fusion SOAR workflows |
| Workflow Executor | Execute workflows on-demand (for analysts/DFIR team) |
Required Resources:
| Resource | Description |
|---|---|
hindsight.exe | Standalone executable from Hindsight releases, uploaded to RTR Put-Files |
| RTR Scripts | Three PowerShell scripts with input/output schemas, shared with workflows |
| Notification Integration | Optional: Email, Slack, or Teams integration for completion alerts |
RTR Script Configuration
Each PowerShell script must be created as an RTR Response Script with proper input/output JSON schemas. This enables the SOAR workflow to pass parameters and consume script outputs.
Script Setup Steps:
- Navigate to Response Scripts & Files → Response Scripts
- Create each script with the corresponding
.ps1content - Define the Input Schema using the
*_input.jsonschema - Define the Output Schema using the
*_output.jsonschema - Enable Share with Workflows to make the script available in Fusion SOAR
Scripts to Create:
| Script Name | Input Schema | Output Schema | Purpose |
|---|---|---|---|
hindsight_preparation | hindsight_preparation_input.json | hindsight_preparation_output.json | Directory setup |
hindsight_processing | hindsight_processing_input.json | hindsight_processing_output.json | Hindsight execution |
hindsight_collection | hindsight_collection_input.json | hindsight_collection_output.json | Artifact compression |
Put-File Setup:
- Navigate to Response Scripts & Files → Put Files
- Upload
hindsight.exefrom the Hindsight releases page - The filename can be renamed to anything—the workflow passes the full
hindsight_executable_pathto the processing script, so the actual filename doesn’t matter
Logic Flow
The following diagram illustrates the complete execution path of the workflow, including decision points, loops, and parallel actions.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
┌─────────────────────────────────────────────────────────────────────────────┐
│ MANUAL TRIGGER │
│ (falcon_sensor_id, target_browser, output_format, target_username) │
└─────────────────────────────────┬───────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────────────────────┐
│ GET DEVICE DETAILS │
│ Output: platform_name, hostname │
└─────────────────────────────────┬───────────────────────────────────────────┘
│
▼
┌─────────────────┐
│ Windows? │
└────────┬────────┘
│
┌────────────┴────────────┐
│ │
▼ ▼
┌───────────┐ ┌─────────────┐
│ Yes │ │ No │
└─────┬─────┘ └──────┬──────┘
│ │
▼ ▼
┌───────────────────────────────┐ ┌───────────────┐
│ CREATE VARIABLES │ │ ABORT │
│ • working_directory_path │ │ (Unsupported)│
│ • compressed_archive_path │ └───────────────┘
└───────────────┬───────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────────────┐
│ PREPARATION SCRIPT │
│ hindsight_preparation.ps1 │
└───────────────┬───────────────────────────────────────────────────────────┘
│
▼
┌───────────────┐
│ Errors? │───Yes──▶ [Error Notification]
└───────┬───────┘
│ No
▼
┌───────────────────────────────────────────────────────────────────────────┐
│ PUT-FILE │
│ Deploy hindsight.exe to working_directory_path │
└───────────────┬───────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────────────┐
│ PROCESSING SCRIPT │
│ hindsight_processing.ps1 │
│ Outputs: detected_browser_profiles, output_artifact_paths, │
│ target_hostname, target_browser, resolved_username, │
│ execution_timestamp │
└───────────────┬───────────────────────────────────────────────────────────┘
│
▼
┌───────────────┐
│ Errors? │───Yes──▶ [Error Notification]
└───────┬───────┘
│ No
▼
┌ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┐
│ COLLECTION LOOP │
│ ┌───────────────────────────────────────────────────────────────────────┐ │
│ │ COLLECTION SCRIPT │ │
│ │ hindsight_collection.ps1 │ │
│ │ Validates output_artifact_paths exist, creates ZIP │ │
│ └───────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────┐ │
│ │ has_processing │ │
│ │ _errors? │ │
│ └────────┬────────┘ │
│ │ │
│ ┌───────────────┴───────────────┐ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ true (waiting) │ │ false (ready) │ │
│ └────────┬────────┘ └────────┬────────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ SLEEP │ │ BREAK │ │
│ │ 1 minute │ │ Output: │ │
│ └────────┬────────┘ │ compressed_ │ │
│ │ │ archive_path │ │
│ └──────┐ └────────┬────────┘ │
│ │ │ │
│ ▼ │ │
│ [Loop back] │ │
└ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┼ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘
│
▼
┌───────────────────────────────────────────────────────────────────────────┐
│ GET-FILE │
│ Retrieve compressed_archive_path from endpoint │
└───────────────────────────────────────────────────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────────────────────────┐
│ PARALLEL EXECUTION │
│ ┌─────────────────────────────┐ ┌─────────────────────────────────┐ │
│ │ CLEANUP │ │ NOTIFICATION │ │
│ │ Remove-Item │ │ • ${target_hostname} │ │
│ │ working_directory_path │ │ • ${target_browser} │ │
│ │ │ │ • ${resolved_username} │ │
│ │ │ │ • ${detected_browser_profiles} │ │
│ │ │ │ • ${execution_timestamp} │ │
│ └─────────────────────────────┘ └─────────────────────────────────┘ │
└───────────────────────────────────────────────────────────────────────────┘
Implementation Steps
Step 1: Manual Trigger
Action Type: Manual Trigger
The workflow begins with a manual trigger initiated by an analyst. The trigger collects initial parameters needed for the collection.
Trigger Inputs:
| Field | Type | Format | Required | Description |
|---|---|---|---|---|
falcon_sensor_id | string | aid | Yes | CrowdStrike Agent ID (32-char hex) of target endpoint |
target_browser | enum["Google Chrome", "Microsoft Edge", "Brave"] | — | Yes | Chromium-based browser to collect |
output_format | enum["xlsx", "sqlite", "jsonl"] | — | Yes | Hindsight output format |
target_username | string | — | No | Windows username to target (empty = auto-discover active user) |
Step 2: Get Device Details
Action Type: Falcon SOAR - Get Device Details
Retrieves device information from the Falcon platform using the falcon_sensor_id from the trigger.
Key Outputs:
| Field | Description |
|---|---|
platform_name | Operating system of the target endpoint (Windows, Mac, Linux) |
hostname | Device hostname (used for artifact naming and notifications) |
Step 3: Platform Condition Check
Action Type: Condition
Evaluates whether the target endpoint is running Windows, as the PowerShell scripts have a Windows dependency.
Condition Logic:
1
2
3
4
IF platform_name == "Windows"
→ Continue to Step 4
ELSE
→ Abort workflow (unsupported platform)
Step 4: Create Workflow Variables
Action Type: Falcon SOAR - Create Variable (x2)
Creates workflow variables for paths. This approach keeps paths configurable without modifying scripts.
Variables Created:
| Variable Name | Value | Purpose |
|---|---|---|
working_directory_path | C:\hindsight (or configured path) | Working directory for artifacts |
compressed_archive_path | (empty - populated by collection loop) | Output ZIP path for loop output |
Design Decision: Using SOAR variables rather than hardcoding in scripts allows:
- Easy path changes without script modifications
- Environment-specific configurations
- Audit trail of configuration changes
- Loop output variable population
Step 5: Preparation Script Execution
Action Type: RTR - Run Script
Executes hindsight_preparation.ps1 on the target endpoint.
Input Mapping:
| Script Parameter | Type | Format | Source |
|---|---|---|---|
working_directory_path | string | localFilePath | Step 4 variable |
Script Actions:
- Remove existing working directory (ensures clean slate)
- Create fresh working directory
Outputs:
| Field | Type | Description |
|---|---|---|
has_processing_errors | boolean | Flag for workflow branching |
working_directory_path | string | Confirmed path for downstream steps |
exception_messages | array[string] | Error details if failed |
Step 6: Preparation Error Check
Action Type: Condition
Checks if the preparation script completed successfully.
Condition Logic:
1
2
3
4
IF has_processing_errors == false
→ Continue to Step 7
ELSE
→ Error handling path (notify analyst, abort)
Step 7: Put-File (Deploy Hindsight Binary)
Action Type: RTR - Put-File
Uploads the hindsight.exe binary to the working directory on the target endpoint.
Input Mapping:
| Parameter | Source |
|---|---|
| Target Path | {working_directory_path} |
| Source File | Pre-uploaded hindsight.exe from RTR Put-Files |
Outputs:
| Field | Description |
|---|---|
hindsight_executable_path | Full path to deployed binary |
Step 8: Processing Script Execution
Action Type: RTR - Run Script
Executes hindsight_processing.ps1 on the target endpoint. This is the core forensics collection step.
Input Mapping:
| Script Parameter | Type | Format | Source |
|---|---|---|---|
working_directory_path | string | localFilePath | Step 4 variable |
hindsight_executable_path | string | localFilePath | Step 7 output |
output_format | enum["xlsx", "sqlite", "jsonl"] | — | Step 1 trigger input |
target_browser | enum["Google Chrome", "Microsoft Edge", "Brave"] | — | Step 1 trigger input |
target_hostname | string | — | Step 2 device details |
target_username | string | — | Step 1 trigger input (optional) |
Script Actions:
- Resolve target user (explicit or auto-discover via Win32_ComputerSystem)
- Locate browser User Data directory
- Enumerate browser profiles (Default, Profile 1, Profile 2, etc.)
- Launch Hindsight for each profile (fire-and-forget mode)
Outputs:
| Field | Type | Description |
|---|---|---|
has_processing_errors | boolean | Flag for workflow branching |
target_browser | string | Browser name (for notifications) |
target_hostname | string | Endpoint hostname (for notifications) |
resolved_username | string | Resolved Windows username (for notifications) |
detected_browser_profiles | array[string] | Profile names found (e.g., ["Default", "Profile 1"]) |
output_artifact_paths | array[string] | Expected output file paths (for collection loop) |
execution_timestamp | string | UTC timestamp in yyyy-MM-ddTHH-mm format |
working_directory_path | string | Working directory path (for collection loop) |
exception_messages | array[string] | Error details if failed |
Step 9: Processing Error Check
Action Type: Condition
Checks if the processing script completed successfully.
Condition Logic:
1
2
3
4
IF has_processing_errors == false
→ Continue to Step 10 (Collection Loop)
ELSE
→ Error handling path (notify analyst with exception_messages)
Step 10: Collection Loop
Action Type: Loop
A loop structure that repeatedly checks for artifact completion and compresses when ready.
Step 10a: Collection Script
Action Type: RTR - Run Script
Input Mapping:
| Script Parameter | Type | Format | Source |
|---|---|---|---|
expected_artifact_paths | array[string] | — | Step 8 output_artifact_paths |
working_directory_path | string | localFilePath | Step 4 variable |
target_hostname | string | — | Step 2 device details |
target_browser | string | — | Step 1 trigger input |
execution_timestamp | string | — | Step 8 output |
Script Actions:
- Validate all expected artifact files exist
- If any missing → set
has_processing_errors = true - If all present → compress to ZIP, set
has_processing_errors = false
Outputs:
| Field | Type | Description |
|---|---|---|
has_processing_errors | boolean | true if artifacts not ready, false if ZIP created |
compressed_archive_path | string | Path to created ZIP (only valid when has_processing_errors = false) |
exception_messages | array[string] | Details on which files are missing |
Step 10b: Files Ready Condition
Action Type: Condition
Condition Logic:
1
2
3
4
IF has_processing_errors == true
→ Artifacts not ready, go to Sleep (10c)
ELSE
→ ZIP created successfully, go to Break (10d)
Step 10c: Sleep Action
Action Type: Falcon SOAR - Sleep
Pauses execution before retrying artifact check.
| Setting | Value |
|---|---|
| Duration | 1 minute (configurable) |
After sleep, loop returns to Step 10a to re-run collection script.
Step 10d: Break Action
Action Type: Loop - Break
Exits the loop when artifacts are ready and ZIP is created.
Output Variable:
| Variable | Value | Purpose |
|---|---|---|
compressed_archive_path | Path from collection script | Passed to Get-File step |
Step 11: Get-File (Retrieve Archive)
Action Type: RTR - Get-File
Retrieves the compressed ZIP archive from the endpoint.
Input Mapping:
| Parameter | Source |
|---|---|
| File Path | compressed_archive_path from Step 10 loop output |
Outputs:
- File available in Falcon console for analyst download
- Success/failure status for parallel step trigger
Step 12: Parallel Execution (Cleanup + Notification)
Action Type: Parallel
After successful Get-File, two actions execute simultaneously.
Step 12a: Cleanup (Remove Working Directory)
Action Type: RTR - Run Command
Removes the working directory from the endpoint after successful retrieval.
Command:
1
Remove-Item -Path "{working_directory_path}" -Recurse -Force
Step 12b: Send Notification
Action Type: Notification (Email, Slack, Teams, etc.)
Notifies the analyst that collection is complete.
Notification Template:
1
2
3
4
5
6
7
8
9
10
Hindsight Collection Complete
Endpoint: ${target_hostname}
Browser: ${target_browser}
User: ${resolved_username}
Profiles Collected: ${detected_browser_profiles}
Timestamp: ${execution_timestamp}
Archive: ${compressed_archive_path}
The forensic archive is ready for download in the Falcon console.
Error Handling Paths
Preparation Failure
- Notify analyst with
exception_messages - Common causes: Permission denied, invalid path, disk full
Processing Failure
- Notify analyst with
exception_messages - Common causes: User profile not found, browser not installed, no profiles detected
Collection Loop Timeout
- Configure max iterations in the SOAR loop settings to prevent indefinite execution
- Notify analyst that artifacts never became ready
- Common causes: Hindsight crashed, antivirus interference, disk I/O issues
Variable Flow Summary
| Variable | Type | Created At |
|---|---|---|
falcon_sensor_id | string (format: aid) | Trigger |
target_browser | enum["Google Chrome", "Microsoft Edge", "Brave"] | Trigger |
output_format | enum["xlsx", "sqlite", "jsonl"] | Trigger |
target_username | string | Trigger |
platform_name | string | Device Details |
hostname | string | Device Details |
working_directory_path | string (format: localFilePath) | Create Variable |
compressed_archive_path | string | Create Variable (populated by Collection) |
hindsight_executable_path | string (format: localFilePath) | Put-File |
output_artifact_paths | array[string] | Processing |
execution_timestamp | string | Processing |
detected_browser_profiles | array[string] | Processing |
resolved_username | string | Processing |
target_hostname | string | Processing |