Sunday, March 30, 2014

When Seconds Matter, Accurate Chrome History is Only Minutes Away

Chrome Funrensics

With Google Chrome's surge of popularity since its inception, even the bad guys are using it. There are several great free tools out there that make Chrome history analysis pretty simple. There was one main issue though with the most comprehensive tool I was able to find, and I'll let you know how to get around it.

This post is intended to be beginner friendly and is built on the SANS blog post http://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/.

Locating Chrome Artifacts

According to the SANS post above, the Chrome History file is an SQLite database that can be found in the following locations:

  • Vista and 7
    • C:\Users\[USERNAME]\AppData\Local\Google\Chrome\
  • XP
    • C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome\

I was able to then find the History file in the User Data\Default\ directory inside the Chrome directory.

Let's open up this directory on our Windows 7 test system with FTK Imager. You can see there are a bunch of evidence files, but we're going to focus on the file simply named History.



After exporting this file to an evidence directory, we'll get started with the tools.

NirSoft Chrome History View

First up, NirSoft has two great tools out there that do very specific tasks. This is a blessing and a curse as each tool is very comprehensive for its purpose, but some valuable information gets missed such as downloads and autofill data.

Chrome History View does a great job of doing just what its name implies. It will provide a detailed list of each website saved in the History file including the URL, Title, Timestamp, Visit Count, how many times the user manually typed the URL, Referrer if available, and a Visit ID.

Selecting Options > Advanced Options, we can have the tool open up the extracted History file instead of the running system's Chrome history.



All the fields mentioned above are then shown for all visited websites.


From this view, the data is easily selected with your favorite selection techniques including Ctrl + A, Shift + Click, and Ctrl + Click. You can then Ctrl + C or right click to copy and paste the data right into Excel for powerful manipulation.

NirSoft Chrome History View can be downloaded from http://www.nirsoft.net/utils/chrome_history_view.html for free.

NirSoft also offers a tool called Browser History View that can be downloaded from http://www.nirsoft.net/utils/browsing_history_view.html. This tool is capable of grabbing history from Firefox, Chrome, IE, and more all at once from a running system, just a user on the running system, or an evidence folder containing the evidence files.

NirSoft Chrome Cache View

NirSoft's other Chrome specific tool is able to parse Chrome's cache of webpage objects saved from the user's browsing activity.

The Chrome cache can be found in the following location inside the Chrome folder:

  • Chrome\User Data\Default\Cache

This directory should contain several files named data_0, data_1, and so on; many files named f_000001, f_000002, and so on; and a file named index. Looking at the objects in this directory with a forensic tool will allow you to see the file signatures and contents. Quick analysis shows the f_ files are the webpage objects while the data_ and index files contain metadata apparently for the f_ files.


Firing up Chrome Cache View, it's important to remember the tool also allows you to choose an exported evidence cache directory with the same advanced options menu as Chrome Browser View.


Chrome Cache View will parse the metadata for each f_ file and provide information such as File Name, URL, Content Type, Size of the File, Last Accessed, Server Time, Server Last Modified Timestamp, Expiration Time, Server Name, the Server's HTTP Response, Detected Encoding, the related f_ file name, and more cache related data.

Basically, the tool parses the metadata and tells you which f_ file was downloaded when and from where. With this information, it is possible to locate that f_ file for further investigation with your forensics tool or copy the files out using the Copy Selected Cache Files To... option shown below for manual analysis.


Sometimes analysis of the cache can show files downloaded or browsing content not found in the History file.

Chrome Cache View can be downloaded from http://www.nirsoft.net/utils/chrome_cache_view.html for free.

Browsing history and cache files are great and all, but there's definitely more information we want to find!

Woanware ChromeForensics

Woanware's ChromeForensics tool provides even more great Chrome data.

After a quick installation, you can load the Chrome history files from your evidence directory. This tool appears to parse multiple, if not all, files from the User Data directory, so load that directory or an exported copy of it.


This tool will provide information for Web Page Visits similar to Chrome History View, Search Terms used with Google.com, Downloaded Files, Autofill Entries, Cookies, Favicons, Thumbnails, and a History Index.


You can see now that even more information is provided by this tool. History of downloaded files can be especially useful in an investigation.

This tool is not quite perfect though. One minor annoyance is a clunky GUI when manipulating column positions. A bigger problem for me is that the timestamps it provides do not include a seconds field. There must be some way to get the seconds field at least, right?

ChromeForensics can be downloaded at http://www.woanware.co.uk/forensics/chromeforensics.html for free.

When Seconds Count

We know information about seconds is available from the NirSoft tools, so why doesn't ChromeForensics provide these details? I'm not sure, but taking a suggestion from the SANS post and remembering that the History file is just an SQLite database, we can use an SQLite database browser GUI such as the one found at http://sourceforge.net/projects/sqlitebrowser/ for free.

Opening the History file with this Database Browser displays the structure which is also described by SANS.


By changing to the Browse Data Tab, we can choose the database table we'd like to check out. Let's look at that useful downloads table.


We can see the start time and finish time shown in this table.

Now things get weird.

While examining a Windows Server 2003 system with an older version of Chrome, this timestamp was formatted as Unix Epoch. It could be decoded simply at http://www.epochconverter.com/. That site also contains formulas for converting these timestamps in various programming languages and a super useful Excel formula.

On my test system running Windows 7, the timestamp provided isn't so straightforward. I'm not sure what the differences are in how the timestamps are generated, but I think I know how to decode them.

The first step of converting the timestamps is to get the data out of the SQLite Browser. Unfortunately this tool does not support intuitive copy and paste. You must double click the timestamp and copy it out from the edit window one... at... a... time...


So this isn't the most efficient way to get the data, but it works. It gets even weirder though: to convert this timestamp, you have to copy the value into http://www.silisoftware.com/tools/date.php, add a 0 onto the end of the number (effectively multiplying it by 10), choose the filetime option, and click convert.


The correct timestamp, down to the second, is then shown in the Text Date row.
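As an added example (not code from the post or from any of the tools it mentions), here is a small Python script that does the same conversion without the copy-paste dance: the Windows 7 values are WebKit time, microseconds since 1601-01-01 UTC, which shares its epoch with Windows FILETIME (100 ns ticks), so multiplying by 10 and decoding as FILETIME is exactly why the trick above works, and the older build's Unix-seconds values are handled too. The downloads rows are constructed sample data and the column names target_path, start_time and end_time are assumed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome's History file stores WebKit time: microseconds since 1601-01-01 UTC.
# Windows FILETIME uses the same epoch in 100 ns ticks, which is why appending
# a 0 (x10) and decoding as FILETIME gives the right answer.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_chrome_time(value):
    """Decode one History timestamp to an aware UTC datetime (None for 0/NULL).

    Assumption, matching the post: values below 10**11 are Unix seconds from
    the older Chrome build, larger values are WebKit microseconds.
    """
    if not value:
        return None
    if value < 10**11:
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def webkit_to_filetime(value):
    """WebKit microseconds -> FILETIME 100 ns ticks (the 'add a 0' step)."""
    return value * 10

def list_downloads(con):
    """Return (target_path, start, end) rows, times as ISO-8601 UTC strings."""
    rows = con.execute(
        "SELECT target_path, start_time, end_time FROM downloads ORDER BY id"
    ).fetchall()
    result = []
    for path, start, end in rows:
        s, e = decode_chrome_time(start), decode_chrome_time(end)
        result.append((path, s and s.isoformat(), e and e.isoformat()))
    return result

def build_sample_history():
    """Constructed stand-in for an exported History file: in-memory SQLite with
    a minimal downloads table (assumed column names, hypothetical rows)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE downloads (id INTEGER PRIMARY KEY, "
                "target_path TEXT, start_time INTEGER, end_time INTEGER)")
    con.executemany(
        "INSERT INTO downloads (target_path, start_time, end_time) VALUES (?,?,?)",
        [   # WebKit: 2014-03-30 00:00:00 UTC, finished 90 s later
            ("C:\\Users\\test\\Downloads\\setup.exe", 13040611200000000, 13040611290000000),
            # Unix seconds (older build): 2014-03-30 01:00:00 UTC, never finished
            ("C:\\Users\\test\\Downloads\\notes.pdf", 1396141200, 0)])
    return con
```

Point list_downloads at a connection to an exported History file instead of build_sample_history() to get every download with start and end times to the second.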

Wrapping Up

I hope you enjoyed reading this mix of tutorial and personal findings. I know using the different Chrome tools, the SQLite Browser, and the sometimes strange time conversion process isn't beautiful, but it can be done!

The good news though is that a Chrome forensics Python script is on my to-do list that will hopefully provide easy reporting of the important information and may even dig into other Chrome artifacts such as the Preferences file.

Thanks for reading!

-Dave