Sunday, March 30, 2014

When Seconds Matter, Accurate Chrome History is Only Minutes Away

Chrome Funrensics

With Google Chrome's surge of popularity since its inception, even the bad guys are using it. There are several great free tools out there that make Chrome history analysis pretty simple. There was one main issue though with the most comprehensive tool I was able to find, and I'll let you know how to get around it.

This post is intended to be beginner friendly and is built on the SANS blog post http://digital-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/.

Locating Chrome Artifacts

According to the SANS post above, the Chrome History file is an SQLite database that can be found in the following locations:

  • Vista and 7
    • C:\Users\[USERNAME]\AppData\Local\Google\Chrome\
  • XP
    • C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome\

I was able to then find the History file in the User Data\Default\ directory inside the Chrome directory.

Let's open up this directory on our Windows 7 test system with FTK Imager. You can see there are a bunch of evidence files, but we're going to focus on the file simply named History.



After exporting this file to an evidence directory, we'll get started with the tools.

NirSoft Chrome History View

First up, NirSoft has two great tools out there that do very specific tasks. This is a blessing and a curse as each tool is very comprehensive for its purpose, but some valuable information gets missed such as downloads and autofill data.

Chrome History View does a great job of doing just what its name implies. It will provide a detailed list of each website saved in the History file including the URL, Title, Timestamp, Visit Count, how many times the user manually typed the URL, Referrer if available, and a Visit ID.

Selecting Options > Advanced Options, we can have the tool open up the extracted History file instead of the running system's Chrome history.



All the fields mentioned above are then shown for all visited websites.


From this view, the data is easily selected with your favorite selection techniques including Ctrl + A, Shift + Click, and Ctrl + Click. You can then Ctrl + C or right click to copy and paste the data right into Excel for powerful manipulation.

NirSoft Chrome History View can be downloaded from http://www.nirsoft.net/utils/chrome_history_view.html for free.

NirSoft also offers a tool called Browser History View that can be downloaded from http://www.nirsoft.net/utils/browsing_history_view.html. This tool is capable of grabbing history from Firefox, Chrome, IE, and more all at once from a running system, from just one user on the running system, or from an evidence folder containing the evidence files.

NirSoft Chrome Cache View

NirSoft's other Chrome specific tool is able to parse Chrome's cache of webpage objects saved from the user's browsing activity.

The Chrome cache can be found in the following location inside the Chrome folder:

  • Chrome\User Data\Default\Cache

This directory should contain several files named data_0, data_1, and so on; many files named f_000001, f_000002, and so on; and a file named index. Looking at the objects in this directory with a forensic tool will allow you to see the file signatures and contents. Quick analysis shows the f_ files are the webpage objects while the data_ and index files contain metadata apparently for the f_ files.


Firing up Chrome Cache View, it's important to remember the tool also allows you to choose an exported evidence cache directory with the same advanced options menu as Chrome History View.


Chrome Cache View will parse the metadata for each f_ file and provide information such as File Name, URL, Content Type, Size of the File, Last Accessed, Server Time, Server Last Modified Timestamp, Expiration Time, Server Name, the Server's HTTP Response, Detected Encoding, the related f_ file name, and more cache related data.

Basically, the tool parses the metadata and tells you which f_ file was downloaded when and from where. With this information, it is possible to locate that f_ file for further investigation with your forensics tool or copy the files out using the Copy Selected Cache Files To... option shown below for manual analysis.
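As an added example (my code, not from the original post or from the NirSoft tool), here is a small Python script that does the manual part described above: it walks an exported Cache directory, skips the data_N and index metadata files, and classifies each f_ payload by its leading file signature so you can decide which objects deserve a closer look. The cache directory and its contents are constructed inline so the script runs offline; the signature table is standard magic bytes for common formats, not anything Chrome-specific.

```python
import os
import tempfile

# Magic-byte table for object types commonly found in a browser cache.
# These are standard file-format signatures, not Chrome-specific values.
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"GIF87a", "GIF image"),
    (b"GIF89a", "GIF image"),
    (b"\x1f\x8b\x08", "gzip-compressed object"),
    (b"PK\x03\x04", "ZIP archive (also DOCX/JAR)"),
    (b"MZ", "Windows executable (PE/MZ)"),
    (b"%PDF", "PDF document"),
]


def identify_signature(data):
    """Return a description for the first matching magic-byte signature.

    Text payloads (HTML, JavaScript, CSS) have no fixed magic bytes, so they
    are reported as 'text-like' when the leading bytes are printable ASCII.
    """
    for magic, description in SIGNATURES:
        if data.startswith(magic):
            return description
    head = data[:64].lstrip()
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text-like (HTML/JS/CSS or similar)"
    return "unknown"


def triage_cache_dir(cache_dir):
    """Classify every f_ object in a Chrome cache directory by signature.

    The data_N and index files hold the cache's own metadata (the part the
    NirSoft tool parses) and are skipped; only the f_ payload files are read.
    Returns {filename: description}.
    """
    results = {}
    for name in sorted(os.listdir(cache_dir)):
        if not name.startswith("f_"):
            continue
        with open(os.path.join(cache_dir, name), "rb") as fh:
            results[name] = identify_signature(fh.read(64))
    return results


def build_sample_cache(target_dir):
    """Write a constructed cache directory for the demonstration (not evidence)."""
    samples = {
        "index": b"\x00" * 32,                                  # metadata, skipped
        "data_0": b"\x00" * 32,                                 # metadata, skipped
        "f_000001": b"\xff\xd8\xff\xe0" + b"\x00" * 28,         # JPEG header
        "f_000002": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,        # PNG header
        "f_000003": b"<!DOCTYPE html><html><head></head></html>",
        "f_000004": b"MZ\x90\x00" + b"\x00" * 28,               # PE/MZ header
        "f_000005": b"\x1f\x8b\x08\x00" + b"\x00" * 28,         # gzip header
    }
    for name, payload in samples.items():
        with open(os.path.join(target_dir, name), "wb") as fh:
            fh.write(payload)
    return target_dir


def demo_triage():
    """Build the constructed sample cache in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        return triage_cache_dir(build_sample_cache(tmp))


if __name__ == "__main__":
    for fname, kind in demo_triage().items():
        print(f"{fname}: {kind}")
```

Point triage_cache_dir at an exported Cache folder to get the same classification for real objects; a result of "Windows executable" or "unknown" on an f_ file is the kind of thing worth pulling out with the Copy Selected Cache Files To... option for a closer look.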


Sometimes analysis of the cache can show files downloaded or browsing content not found in the History file.

Chrome Cache View can be downloaded from http://www.nirsoft.net/utils/chrome_cache_view.html for free.

Browsing history and cache files are great and all, but there's definitely more information we want to find!

Woanware ChromeForensics

Woanware's ChromeForensics tool provides even more great Chrome data.

After a quick installation, you can load the Chrome history files from your evidence directory. This tool appears to parse multiple, if not all, files from the User Data directory, so load that directory or an exported copy of it.


This tool will provide information for Web Page Visits similar to Chrome History View, Search Terms used with Google.com, Downloaded Files, Autofill Entries, Cookies, Favicons, Thumbnails, and a History Index.


You can see now that even more information is provided by this tool. History of downloaded files can be especially useful in an investigation.

This tool is not quite perfect though. One minor annoyance is a clunky GUI when manipulating column positions. A bigger problem for me is that the timestamps provided do not include a seconds field. There must be some way to get the seconds field at least, right?

ChromeForensics can be downloaded at http://www.woanware.co.uk/forensics/chromeforensics.html for free.

When Seconds Count

We know information about seconds is available from the NirSoft tools, so why doesn't ChromeForensics provide these details? I'm not sure, but taking a suggestion from the SANS post and remembering that the History file is just an SQLite database, we can simply use an SQLite database browser GUI such as the one found at http://sourceforge.net/projects/sqlitebrowser/ for free.

Opening the History file with this Database Browser displays the structure which is also described by SANS.


By changing to the Browse Data Tab, we can choose the database table we'd like to check out. Let's look at that useful downloads table.


We can see the start time and finish time shown in this table.

Now things get weird.

While examining a Windows Server 2003 system with an older version of Chrome, this timestamp was formatted as Unix Epoch. It could be decoded simply at http://www.epochconverter.com/. That site also contains formulas for converting these timestamps in various programming languages and a super useful Excel formula.

On my test system running Windows 7, the timestamp provided isn't so straightforward. I'm not sure what the differences are in how the timestamps are generated, but I think I know how to decode them.

The first step of converting the timestamps is to get the data out of the SQLite Browser. Unfortunately this tool does not support intuitive copy and paste. You must double click the timestamp and copy it out from the edit window one... at... a... time...


So this isn't the most efficient way to get the data, but it works. It gets even weirder though: to convert this timestamp, you have to copy the value into http://www.silisoftware.com/tools/date.php, add a 0 onto the end of the number (effectively multiplying it by 10), choose the filetime option, and click convert.


The correct timestamp, down to the second, is then shown in the Text Date row.

Wrapping Up

I hope you enjoyed reading this mix of tutorial and personal findings. I know using the different Chrome tools, the SQLite Browser, and the sometimes strange time conversion process isn't beautiful, but it can be done!

The good news though is that a Chrome forensics Python script is on my to-do list that will hopefully provide easy reporting of the important information and may even dig into other Chrome artifacts such as the Preferences file.

Thanks for reading!

-Dave

Comments:

  2. This is a well-written and informative post, David! I would like to share a more efficient method of converting the visited times. You can use the SQLite Database Browser, or you can use the SQLite Manager plugin for Firefox, which is what I used. https://addons.mozilla.org/en-US/firefox/addon/sqlite-manager/

    After importing the History database file into SQLite Manager, there are nine tables, two of which are the downloads and urls tables. After opening the urls table, click on the Browse & Search tab to see the table. You may notice the last_visit_time has timestamps.

    To convert the timestamps to UTC time and date, we would need to execute SQL queries. Click on the Execute SQL tab and type the following SQL query:

    SELECT datetime(last_visit_time/1000000-11644473600, 'unixepoch') from urls;

    You may wonder what the number 11644473600 means. It is the number of seconds between January 1, 1601 and January 1, 1970.

    It turns out that the last_visit_time column in the urls table uses a WebKit Format time in which the timestamps are the number of microseconds since January 1, 1601. Therefore, when executing the SQL command, the times in the last_visit_time column are divided by 1 million to convert microseconds to seconds, from which 11644473600 is then subtracted in order to get UNIX time, which is then converted to UTC. (see the first answer in http://stackoverflow.com/questions/2141537/convert-datetime-fields-in-chrome-history-file-sqlite-to-readable-format and http://timothycomeau.info/chrome-history )


    To print the timestamps in last_visit_time in a UTC column and a local time column as well as printing the rest of the table, execute the following SQL command:

    SELECT datetime(last_visit_time/1000000-11644473600, 'unixepoch'), datetime(last_visit_time/1000000-11644473600, 'unixepoch', 'localtime'), * from urls;

    With this logic in mind, you can convert the other timestamps in the Chrome History table to UTC or local time. For example, the SQL query to convert the start_time in the downloads table to UTC time/date is shown in the following:

    SELECT datetime(start_time/1000000-11644473600, 'unixepoch') from downloads;

    If you wish to convert to local date and time:

    SELECT datetime(start_time/1000000-11644473600, 'unixepoch', 'localtime'), * from downloads;

    If you want to display the rest of the table, include the * wildcard.

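Tying together the SQL conversion in the comment above and the "add a 0 and pick filetime" trick from the When Seconds Count section, here is an added Python example (my code, not the post's, the commenter's, or any of the tools' code). Chrome stores these timestamps as microseconds since 1601-01-01 UTC; Windows FILETIME counts 100-nanosecond intervals since the same epoch, so multiplying by 10 is exactly the web-converter trick, and dividing by a million then subtracting 11644473600 seconds is exactly the SQL. The History database here is a constructed in-memory stand-in with a trimmed schema and made-up rows, and the rule for telling an old-style Unix-seconds downloads row from a WebKit-microseconds row is my own heuristic, not a documented Chrome behaviour.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Seconds between the WebKit/Windows epoch (1601-01-01 UTC) and the Unix
# epoch (1970-01-01 UTC): the same constant the SQL in the comment uses.
EPOCH_DELTA_SECONDS = 11644473600
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_unix_seconds(value):
    """Whole Unix seconds for a WebKit timestamp, mirroring the SQL exactly
    (integer division truncates the sub-second part)."""
    return value // 10**6 - EPOCH_DELTA_SECONDS


def webkit_to_datetime(value):
    """WebKit timestamp (microseconds since 1601-01-01 UTC) to an aware UTC
    datetime, keeping full microsecond precision."""
    return WEBKIT_EPOCH + timedelta(microseconds=value)


def webkit_to_filetime(value):
    """Windows FILETIME counts 100-nanosecond intervals since the same 1601
    epoch, so FILETIME = microseconds * 10. Appending a '0' and choosing
    'filetime' in the web converter does exactly this."""
    return value * 10


def chrome_time_to_datetime(value):
    """Decode either timestamp style seen in downloads tables.

    Heuristic (an assumption for this example, not a documented Chrome rule):
    an older Chrome wrote start_time as Unix seconds (about 1.4e9 in 2014);
    newer builds write WebKit microseconds (about 1.3e16). Values below 1e11
    are treated as Unix seconds.
    """
    if value < 10**11:
        return datetime.fromtimestamp(value, tz=timezone.utc)
    return webkit_to_datetime(value)


# The same conversion in SQLite, as in the comment's queries.
SQL_URLS = (
    "SELECT url, last_visit_time, "
    "datetime(last_visit_time/1000000-11644473600, 'unixepoch') FROM urls ORDER BY id"
)
SQL_DOWNLOADS = (
    "SELECT target_path, start_time, "
    "datetime(start_time/1000000-11644473600, 'unixepoch') FROM downloads ORDER BY id"
)


def build_sample_history():
    """Constructed in-memory stand-in for a Chrome History file: a trimmed
    schema with made-up rows (the real tables have many more columns)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,"
        " visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);"
        "CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,"
        " start_time INTEGER, end_time INTEGER);"
    )
    db.executemany("INSERT INTO urls VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "http://example.com/", "Example", 3, 1, 13042480000000000),
        (2, "http://example.org/page", "Page", 1, 0, 13042480123456789),
    ])
    db.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", [
        # New-style row: WebKit microseconds.
        (1, r"C:\Users\test\Downloads\setup.exe", 13042480123456789, 13042480130000000),
        # Old-style row (like the Server 2003 box in the post): Unix seconds.
        # The SQL expression gives a nonsense 1601 date here; the heuristic does not.
        (2, r"C:\Users\test\Downloads\old.zip", 1398006400, 1398006460),
    ])
    return db


def report(db):
    """Run both SQL queries and pair every row with the Python conversion."""
    out = {"urls": [], "downloads": []}
    for table, sql in (("urls", SQL_URLS), ("downloads", SQL_DOWNLOADS)):
        for label, raw, sql_utc in db.execute(sql):
            out[table].append({
                "label": label,
                "raw": raw,
                "sql_utc": sql_utc,                                   # whole seconds
                "py_utc": chrome_time_to_datetime(raw).isoformat(),   # microseconds kept
                "filetime": webkit_to_filetime(raw) if raw >= 10**11 else None,
            })
    return out


if __name__ == "__main__":
    for table, rows in report(build_sample_history()).items():
        print(table)
        for row in rows:
            print(f"  {row['label']}: raw={row['raw']} sql={row['sql_utc']} "
                  f"py={row['py_utc']} filetime={row['filetime']}")
```

To use it on real evidence, replace build_sample_history() with sqlite3.connect() on a copy of the exported History file; the report then gives you every visit and download down to the microsecond without the one-at-a-time copy and paste.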