I was recently creating some slides on Chrome forensics for a class I'm teaching when I discovered for the first time just how popular it has become. As of last month, according to http://www.w3schools.com/browsers/browsers_stats.asp, Chrome is not only 50% more popular than Internet Explorer but is neck and neck with Firefox (36.6% vs. 36.9%).
Despite this, and despite the fact that Chrome is open source (or technically, Chromium is the open-source project behind Google Chrome), there's significantly less documentation about its forensic artifacts than there is for the equivalent items in IE or even Firefox.
What has gone before...
I was able to find a number of Chrome forensics blog postings, but most dealt more or less exclusively with extracting its web history:
- Google Chrome - Forensics Wiki
- Machor Software - Google Chrome Forensics
- ChromeAnalysis - Chrome Internet History Analysis
- Google Chrome Browser | Forensic Artifacts
- Google Chrome Forensics
- Making It Rain
The really interesting bits, though, were what I found when I started looking at the files that Chrome puts on a system when you install and use it. According to Digital Forensics with Open Source Tools, by Cory Altheide & Harlan Carvey, Chrome files should have been located under:
- XP: <profile>\Local Settings\Application Data\Google\Chrome\default
- Vista/Win7: <profile>\AppData\Local\Google\Chrome\default
What I actually found on my test install was:
- XP: <profile>\Local Settings\Application Data\Google\Chrome\User Data\Default
- Vista/Win7: <profile>\AppData\Local\Google\Chrome\User Data\Default
In that Default folder I observed ten different SQLite database files. Forensics on those is relatively straightforward and has been covered elsewhere in some detail, so I will skip over them here.
In addition to the SQLite databases, there were nine other files of various types:
- Bookmarks (JSON)
- Bookmarks.bak (JSON)
- Current Session (SNSS)
- Current Tabs (SNSS)
- History Provider Cache (Protocol buffers)
- Last Session (SNSS)
- Last Tabs (SNSS)
- Preferences (JSON)
- Visited Links (unknown binary format)
When I ran a protocol buffer decoder over the 'History Provider Cache' file, I got another surprise. Here's a snippet from the output:
The long number included there is a Google Chrome timestamp: the number of microseconds since 1 January 1601 UTC (the same epoch as a Windows FILETIME, but in microseconds rather than 100-nanosecond ticks, so the two are not interchangeable without scaling). The interesting thing is that I had updated my RealPlayer installation a couple of days before I installed Google Chrome. I don't think I even did it using Internet Explorer, but I'm not absolutely positive. In any case, Chrome appears to have pulled some history information from another browser to pre-populate this file upon installation. This could be a forensics bonanza in the right circumstances. I certainly wouldn't have expected this behavior.
Sadly, the format and contents of the 'Visited Links' file still elude me, though the name certainly suggests some level of forensic utility. It may have something to do with link coloring; information on this is probably buried somewhere in the source.
Finally, the JSON format of the Bookmarks, Bookmarks.bak, and Preferences files lends itself well to manual analysis, so I'll forgo detail there as well.
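The two pieces that do reward a little scripting are the timestamp conversion described above and the JSON bookmark files. The following is an added example, not code from the original post: it decodes Chrome's microseconds-since-1601 timestamps into UTC, walks the folder tree in a Bookmarks file (the real file's layout is a "roots" object whose entries are folders with "children", each bookmark carrying "type", "name", "url" and a "date_added" string in Chrome time), and diffs Bookmarks against Bookmarks.bak, which Chrome keeps as the previous copy of the file, to surface bookmarks removed since the last write. The sample JSON is constructed for the example, not taken from a real profile.

```python
import json
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) timestamps are microseconds since 1601-01-01 00:00:00 UTC.
# The Unix epoch is 11644473600 seconds after that, so the offset below
# converts between the two scales.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_OFFSET_US = 11_644_473_600 * 1_000_000


def chrome_time_to_datetime(value):
    """Decode a Chrome timestamp (int, or the decimal string the JSON files
    use) into an aware UTC datetime. Chrome writes 0 for 'no timestamp', so
    that and empty values map to None instead of 1601-01-01."""
    if value in (None, "", 0, "0"):
        return None
    return CHROME_EPOCH + timedelta(microseconds=int(value))


def chrome_time_to_unix(value):
    """The same timestamp as Unix seconds (float), for lining it up against
    timestamps pulled from other artifacts."""
    return (int(value) - UNIX_OFFSET_US) / 1_000_000


def walk_bookmarks(node, path=()):
    """Depth-first walk of one 'roots' entry of a Bookmarks file, yielding
    (folder path, name, url, date_added as UTC datetime) per bookmark."""
    kind = node.get("type")
    if kind == "url":
        yield ("/".join(path), node.get("name"), node.get("url"),
               chrome_time_to_datetime(node.get("date_added")))
    elif kind == "folder":
        for child in node.get("children", []):
            yield from walk_bookmarks(child, path + (node.get("name", ""),))


def extract_bookmarks(doc):
    """All bookmarks under every root (bookmark_bar, other, ...). Non-dict
    values such as 'sync_transaction_version' are skipped."""
    rows = []
    for root in doc.get("roots", {}).values():
        if isinstance(root, dict):
            rows.extend(walk_bookmarks(root))
    return rows


def deleted_bookmarks(current_doc, backup_doc):
    """Bookmarks present in Bookmarks.bak (the previous copy of the file)
    but absent from the current Bookmarks, i.e. removed since the last write."""
    current_urls = {row[2] for row in extract_bookmarks(current_doc)}
    return [row for row in extract_bookmarks(backup_doc)
            if row[2] not in current_urls]


# Constructed sample data (not taken from a real profile); the layout mirrors
# Chrome's Bookmarks file: a 'roots' object holding folder trees.
BOOKMARKS = json.loads("""{
  "roots": {
    "bookmark_bar": {"type": "folder", "name": "Bookmarks bar", "children": [
      {"type": "url", "name": "Example", "url": "http://example.com/",
       "date_added": "12959308800000000"},
      {"type": "folder", "name": "Work", "children": [
        {"type": "url", "name": "Tracker", "url": "http://tracker.example/",
         "date_added": "12959395200000000"}]}]},
    "other": {"type": "folder", "name": "Other bookmarks", "children": []},
    "sync_transaction_version": "1"
  },
  "version": 1
}""")

# The constructed .bak copy still holds a bookmark the current file no longer has.
BOOKMARKS_BAK = json.loads(json.dumps(BOOKMARKS))
BOOKMARKS_BAK["roots"]["other"]["children"].append(
    {"type": "url", "name": "Removed", "url": "http://removed.example/",
     "date_added": "12959222400000000"})


if __name__ == "__main__":
    for folder, name, url, added in extract_bookmarks(BOOKMARKS):
        print(f"{added.isoformat()}  {folder}/{name}  {url}")
    for folder, name, url, added in deleted_bookmarks(BOOKMARKS, BOOKMARKS_BAK):
        print(f"deleted since last write: {url} (added {added.isoformat()})")
```

The same conversion applies to the last_visit_time and visit_time columns in the History SQLite database, so one helper covers both the JSON files and the databases. When a bookmark's date_added decodes to a point well before the profile itself was created, treat it as imported from another browser rather than as a visit made in Chrome, which is the same caution the pre-populated History Provider Cache calls for.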
As always, you're welcome to leave a comment if you liked this article or want to call me on the carpet for some inaccuracy. And please do so if you know of something useful that I've missed.