Product Features

Digital Forensics: Artifact Profile – Google Chrome

APPLICATION NAME: Google Chrome
CATEGORY: Web Related
RELATED ARTIFACTS: Chrome Web History, Chrome Web Visits, Chrome Sync Data, Chrome Sync Accounts, Chrome Session/Tabs Carved, Chrome Last Tabs, Chrome Current Tabs, Chrome Last Session, Chrome Current Session, Chrome Top Sites, Chrome Logins, Chrome Searches, Chrome Keyword Search Terms, Chrome History Index, Chrome FavIcons, Chrome Downloads, Chrome Cookies, Chrome Cache Records, Chrome Bookmarks, Chrome Archived Web History, Chrome Archived Keyword Search Terms, Chrome Autofil, Chrome Autofil Profiles, Chrome Saved Credit Cards
OPERATING SYSTEMS: Windows, Android, iOS
SOURCE LOCATION:
Windows – %root%\Users\%username%\AppData\Local\Google\Chrome\User Data\Default
Android – data\data\com.android.chrome\app_chrome\Default iOS – %root%\Library\Application Support\Google\Chrome\Default

 

Importance to Investigators

With 65.9% of all browser usage in September 2015, Google Chrome is the most popular browser used today. It is available for all major platforms and it is very likely examiners willl come across Chrome in one of their investigations, if not most of them.

Like most browsers, Chrome stores much of its history data in a database, while storing cache data such as pictures, webpages, scripts, cookies, etc. in a nearby folder. The history is typically stored in SQLite databases under the user’s AppData folder in Windows and uses a similar format for both iOS and Android. Beyond the history, cache, bookmarks, and cookies you’ll find with most browsers, Google Chrome stores sync data, tab/session data, login information, as well as many other sources of evidence that may be useful to examiners.

Google also offers Chromium as an open source framework that many other third-party browsers use as a back-end. This explains why examiners may notice some similarities between Chrome and other browsers in how the data is stored and what is available to their investigation. Chrome uses the Blink engine, which is shared with certain versions of Opera, Vivaldi, and 360 Safe browsers among others. While being visually different to the user, many of these browsers are the same in the back-end. This is great from an analysis standpoint as they are stored the same way. However, once you start carving deleted records, you might find it hard to ascertain which browser the data came from. This is why you’ll often see carved records for Chrome/Opera/360 all bunched together.

Google Chrome Recovery with Magnet Forensics

Browsing History

The main source of evidence for Google Chrome is the history database located under the Chrome user’s profile and there are several areas of interest to investigators:

URLS – The urls table contains the basic browsing history for Chrome. This will include a single instance for all the URLs visited, a timestamp for the last time visited, and a counter for the number of times visited.

VISITS – The visits table is unique to browsers using Chromium. It will contain multiple records for the same URL for each time the page is visited. A user may have several records for “magnetforensics.com” and the visits table will list each time it was visited along with an additional timestamp for each time the page was visited. The positive value to this is the additional timestamp, however, the challenge is that the actual URL isn’t listed in this table — only a pointer to the matching record in the urls table mentioned above. This means that if you’re manually analyzing the data, the two tables must be joined and any tool that carves deleted records must find the matching record in a separate table, or you may be left with partial results.

VISIT_SOURCE – The visit_source table was only added in later versions of Chrome, but allows you to identify where a given URL came from. Just because a URL was listed in the database does not necessarily mean that it was browsed to on that given computer. Many browsers, including Chrome, allow data to be synchronized across devices so that your browsing experience is uniform whether you’re on your computer or mobile device. The visit_source table must be joined with the urls and visits tables in order to map out the entire history including the source of a given url (whether it was browsed locally, synced from somewhere else, or imported from another browser, etc.)

Chrome Sync Data, Chrome Sync Accounts

Google synchronizes data across multiple devices so that users can consolidate their browsing experience across all their devices such as computers, phones, tablets, etc. This will allow examiners to view bookmarks, history, and other browsing data that might have been created on other devices, not necessarily the one being examined.

Along with the source history information, there is an additional database of value that examiners should make use of called SyncData.sqlite. This will contain additional sync data such as account information and devices being synced through the user’s Google account.

Cached Browsing History

Most web browsers cache content from the sites that users browsed to, it can include pictures, text, html, javascript, etc. Historically this was used to avoid downloading the same images and content repeatedly when the same sites are visited frequently. Chrome stores cache content and information in three types of files: index, data_X, and f_XXXXXX files all under the cache folders. The data_X files will store cached content if the data is small but if it’s a larger image or other content, it will be pushed out to the f_XXXXXX.

Cookies

Chrome Cookies are like any other browser. They are just created when browsing through the Chrome browser.

Google Analytics (GA) cookies are slightly different and can appear in any browser, not just Chrome. They are created from sites using Google Analytics to track their website stats and usage information. GA cookies can contain valuable information for examiners.

Incognito/Private Browsing

Unlike some browsers with a private browsing mode/feature, Chrome never writes the history to disk. That means if the user used incognito mode, the only source of browsing evidence will be found in memory or, by extension, the pagefile or hibernation files. Carving incognito history from memory isn’t difficult as long as you’re actually able to acquire the data from a live system. Memory is volatile and the data will be lost when the system is powered down.

Additional Artifacts of Interest

Chrome Current Session/Tabs – If you are examining a system that still has an active session available, Chrome will store the browsing activity here under current session and if there are multiple tabs open it will store it under current tabs. Here’s a good overview of what’s included in each:

  • Current Session (contains the data from forms in the pages in the current session)
  • Current Tabs (contains a list of URLs for the tabs in the current session)
  • Last Session (same as Current Session, but for the previous session)
  • Last Tabs (same as Current Tabs, but for the previous session)

Chrome Last Session/Tabs – Chrome will store the previous sessions and tabs here – so if Chrome was closed, the user can reopen the last session and tabs as it was stored.

Chrome Top Sites – Chrome shows the user their most frequently visited sites in panels on a homepage, which allows the user to quickly click on a frequently visited site. We recover the data around any URL that is listed as a “Top Site” in Chrome.

Chrome Logins – Chrome often stores username and passwords for some sites so this can be recovered. Often the passwords are encrypted so you might not get those unless you are examining a live system but otherwise this is available if any of the data was saved by the user.

Chrome Searches/Keyword Search Terms – Chrome stores the searches done on a webpage by using the “Find” bar. So if a user hits CTRL+F, and search for a keyword on a webpage, it will be stored here. Depending on the settings in the browser this may or may not be saved across sessions.

Chrome FavIcons – When you create a favourite/bookmark in Chrome, some websites have an icon that gets saved with the URL. FavIcons lists these icons for the users.

Chrome Downloads – These are downloads that the user has initiated through the Chrome browser.

Chrome Bookmarks – Like most browsers, bookmarks are saved pages that either the user or application creates to quickly visit frequently accessed sites.

Chrome Autofil/Autofil Profiles – Chrome stores field data that the user has previously inputted for particular websites here. For example, if you visit “magnetforensics.com” and login to the Customer Portal, browsers will automatically save your username (or other details) so that you don’t have to type it in each time you visit the site. This data is stored in the autofill location and can be useful to help recover usernames and other details that your user has filled out on various sites.