Hi! This is Jessica Hyde, Forensics Director here at Magnet Forensics. I recently received an email regarding the data locations for the artifacts I spoke about in the Chromebook forensics presentation at the Magnet Virtual Summit, "Taking a Byte of Chromebook Analysis."
The ask was for a summary list of where to find the artifacts discussed in that presentation. I thought it would make sense to share that list here as a reference document. There are multiple locations listed for each artifact type.
Browser History – Current Tabs
Browser History – Last Tabs
Browser History – Current Sessions
Browser History – Last Sessions
In the browser history, downloads table, e.g. home/chronos/u-(GUID)/downloads/(filename)
downloads_url_chains table in browser history
File names are GUIDs. Note – use a search engine for the GUID or check the manifest.json file (includes name and preferences)
Extensions – manifest.json
Extensions – Sync App Settings
home/shadow/(GUID)/mount/user/Sync App Settings
home/chronos/user/Sync App Settings
home/chronos/u-(GUID)/Sync App Settings
home/user/(GUID)/Sync App Settings
home/(username)/Sync App Settings
Note – Files are listed by GUID rather than name and can be associated via gcache/v1/meta/*.ldb
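For the downloads and downloads_url_chains tables listed above, the sketch below joins the two so each download is shown with its full redirect chain and a readable start time. It is an added example, not code from the presentation or from Magnet Forensics; the column names (id, target_path, start_time, chain_index, url) and the 1601-based microsecond timestamps are assumptions about the Chromium History schema that should be checked against the database under examination, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    """Chrome timestamps count microseconds from 1601-01-01 UTC; 0 means unset."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def download_records(conn):
    """Join downloads to downloads_url_chains; one record per download, chain in hop order."""
    rows = conn.execute(
        "SELECT d.id, d.target_path, d.start_time, c.url "
        "FROM downloads d LEFT JOIN downloads_url_chains c ON c.id = d.id "
        "ORDER BY d.id, c.chain_index"
    )
    records = {}
    for dl_id, path, start, url in rows:
        rec = records.setdefault(dl_id, {
            "target_path": path,
            "start_utc": webkit_to_utc(start),
            "url_chain": [],
        })
        if url is not None:  # LEFT JOIN yields NULL when a download has no chain rows
            rec["url_chain"].append(url)
    return list(records.values())

def constructed_history():
    """Constructed sample data: only the columns this example reads (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
        INSERT INTO downloads VALUES
            (1, 'home/chronos/u-EXAMPLEGUID/downloads/report.pdf', 13222310400000000),
            (2, 'home/chronos/u-EXAMPLEGUID/downloads/partial.bin', 0);
        INSERT INTO downloads_url_chains VALUES
            (1, 1, 'https://files.example/report.pdf'),
            (1, 0, 'https://short.example/abc');
    """)
    return conn

if __name__ == "__main__":
    # For a real image, run this against a working copy of the History file, never the original.
    for rec in download_records(constructed_history()):
        print(rec["start_utc"], rec["target_path"], " -> ".join(rec["url_chain"]))
```

The first URL in each chain is where the download was requested and the last is where the file was actually served from, so a mismatch between the two is worth noting in the timeline.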
I hope this serves as a quick reference document for your Chromebook analysis. If you are looking for a way to acquire Chromebooks, try the method from Daniel Dickerman posted on DFIR Review.
Have you found other artifact locations in your Chromebook analysis? Share them with me by email to firstname.lastname@example.org.