Industry News
Timeline

Chromebook Data Locations

Hi!  This is Jessica Hyde, Forensics Director here at Magnet Forensics.  I recently received an email regarding the data locations for the artifacts I spoke about in the Chromebook forensics presentation at the Magnet Virtual Summit, Taking a Byte of Chromebook Analysis.

The ask was for a summary list of where to find the artifacts discussed in that presentation. I thought it would make sense to share that list here as a reference document. There are multiple locations listed for each artifact type.

Browser History

home/shadow/(GUID)/mount/user/history

home/chronus/user/history

home/chronus/u-(GUID)/history

home/user/(GUID)/history

home/(username)/.config/chromium/Default/history

Browser Cache

home/shadow/(GUID)/mount/user/Cache

home/chronus/user/Cache

home/chronus/u-(GUID)/Cache

home/user/(GUID)/Cache

home/(username)/.config/chromium/Default/Cache/data_1

Browser History – Current Tabs

home/shadow/(GUID)/mount/user/Current Tabs

home/chronus/user/Current Tabs

home/chronus/u-(GUID)/Current Tabs

home/user/(GUID)/Current Tabs

home/(username)/.config/chromium/Default/Current Tabs

Browser History – Last Tabs

home/shadow/(GUID)/mount/user/Last Tabs

home/chronus/user/Last Tabs

home/chronus/u-(GUID)/Last Tabs;

home/user/(GUID)/Last Tabs;

home/(username)/.config/chromium/Default/Last Tabs

Browser History – Current Sessions

home/shadow/(GUID)/mount/user/Current Sessions

home/chronus/user/Current Sessions

home/chronus/u-(GUID)/Current Sessions

home/user/(GUID)/Current Sessions

home/(username)/.config/chromium/Default/Current Sessions

Browser History – Last Sessions

home/shadow/(GUID)/mount/user/Last Sessions

home/chronus/user/Last Sessions

home/chronus/u-(GUID)/Last Sessions

home/user/(GUID)/Last Sessions

home/(username)/.config/chromium/Default/Last Sessions

Downloads

In the browser history, downloads table, e.g. home/chronos/u-(GUID)/downloads/(filename)

AND

home/shadow/(GUID)/mount/user/Downloads

home/chronus/user/Downloads

home/chronus/u-(GUID)/Downloads

home/user/(GUID)/Downloads

home/(username)/Downloads

Also

 downloads_url_chains table in browser history

Extensions

File names are GUIDS. Note – use a search engine for the GUID or check manifest json file (includes name and prefrences)

home/shadow/(GUID)/mount/user/Extensions

home/chronus/user/Extensions

home/chronus/u-(GUID)/Extensions

home/user/(GUID)/Extensions

home/(username)/Extensions

Extensions – manifest.json

home/shadow/(GUID)/mount/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/u-(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/user/(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/(username)/Extensions/(extensionGUID)/(Version)/manifest.json

Extensions – Sync App Settings

home/shadow/(GUID)/mount/user/Sync App Settings

home/chronus/user/Sync App Settings

home/chronus/u-(GUID)/Sync App Settings

home/user/(GUID)/Sync App Settings

home/(username)/Sync App Settings

Offline Storage

home/shadow/(GUID)/mount/user/gcache/v1/files 

home/chronus/user/gcache/v1/files 

home/chronus/u-(GUID)/gcache/v1/files 

home/user/(GUID)/gcache/v1/files 

home/(username)/gcache/v1/files 

Note – Files  are listed by GUID rather than name and can be associated via gcache/v1/meta/*.ldb

Shell History

home/shadow/(GUID)/mount/user/.bash_history

home/chronus/user/.bash_history

home/chronus/u-(GUID)/.bash_history

home/user/(GUID)/.bash_history

home/(username)/.bash_history

Avatar

home/shadow/(GUID)/mount/user/Accounts/Avatar/Images/(emailadderess)

home/chronus/user/Accounts/Avatar/Images/(emailadderess)

home/chronus/u-(GUID)/Accounts/Avatar/Images/(emailadderess)

home/user/(GUID)/Accounts/Avatar/Images/(emailadderess)

home/(username)/Accounts/Avatar/Images/(emailadderess)

I hope this serves as a quick reference document for your Chromebook analysis. If you are looking for acquisition of Chromebooks, try the method from Daniel Dickerman posted on DFIR Review.

Have you found other artifact locations in your Chromebook analysis? Share them with me by email to jessica.hyde@magnetforensics.com.

Related Resources

Blog

Blog

Magnet User Summit 2024: One for the ages 

It’s our favorite time of the year!

April 18, 2024 • About a 3 minute view
Blog

Blog

Introducing Magnet One: Redefining the pursuit of justice

At Magnet Forensics, we're thrilled to announce Magnet One, the digital forensics platform that aims to redefine the pursuit of justice.

April 16, 2024 • About a 4 minute view
Blog

Blog

Introducing Magnet Nexus: Large-scale investigations, made easy

In today’s workplace, employees and critical business assets are often spread throughout the globe. Employees may be working from home, the office, or a combination of both. To enable a

April 11, 2024 • About a 5 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top