Google Chrome Forensics on Mac

It is not easy to write about forensic analysis of browser artifacts. Frequent upgrades and the limited resources available do not make it easier. Please do your own research and testing. I am, after all, a practitioner, not a scientist or an engineer. Have fun.

Browser Version: 18.0.1025.163


OS X 10.7: profile data is under ~/Library/Application Support/Google/Chrome/[profilename]/ (the first profile is named Default) and the cache under ~/Library/Caches/Google/Chrome/[profilename]/Cache. Chrome holds locks on these SQLite files while it is running, so work on a copy of the profile directory rather than the live files.

Forensic Artifacts:

  • Local State – profile information, including the last used profile (JSON, one level above the profile directories)
  • Bookmarks – user-created bookmarks (JSON)
  • Cookies – cookie host, name, value, creation and last access timestamps
  • History – browsing history (urls, visits, keyword_search_terms, downloads)
  • History Index [YYYY-MM] – full-text index of the text of visited pages, one database per month
  • Login Data – saved usernames; passwords are stored encrypted, with the key kept in the user's OS X Keychain
  • Network Action Predictor – learns user behaviour and is used to predict the URL or search term the user intends while typing in the Omnibox
  • Shortcuts – an Omnibox feature that offers URL or search term suggestions based on what the user previously selected
  • Top Sites – thumbnails of the most visited sites for the New Tab page, similar to Safari's Top Sites
  • Web Data – Autofill information (form field names and values, plus search engine keywords)
  • Cache – cached page content (index plus data_0 to data_3 block files and f_* files for larger entries)

Time-based analysis

Timestamps are mostly recorded in WebKit time format: the number of microseconds since 01/01/1601 00:00:00 UTC, stored as a 64-bit integer. The difference between the WebKit epoch and the Unix epoch is 11644473600 seconds, so converting a WebKit timestamp to Unix time (seconds since 01/01/1970 00:00:00 UTC) is:

[timestamp]/1000000 - 11644473600

A value of 0 means the field was never set (for example a URL row with no recorded visit), not a visit in the year 1601, and in SQLite the division of an integer column by 1000000 truncates to whole seconds, which is what datetime() expects.

Useful SQLite statements (run them with sqlite3 against a copy of the database; the string arguments to datetime() must be in plain single quotes, since double quotes in SQLite denote identifiers)

Cookies sqlite database: cookie's hostname, creation timestamp and last access timestamp:

select host_key, datetime((creation_utc/1000000 - 11644473600), 'unixepoch', 'localtime'), datetime((last_access_utc/1000000 - 11644473600), 'unixepoch', 'localtime') from cookies

History sqlite database: sort history by last visited time (most recent first)

select datetime((last_visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), url, title, typed_count, visit_count from urls order by last_visit_time desc

History sqlite database: sort history by timeline (one row per visit; visits.url is a foreign key to urls.id)

select datetime((visits.visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), urls.url, urls.title from urls, visits where visits.url = urls.id order by visits.visit_time asc

History sqlite database: search term analysis (keyword_search_terms.url_id is a foreign key to urls.id, so the term is joined to its result URL and then to the visits of that URL)

select datetime((visits.visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), keyword_search_terms.term, urls.url from keyword_search_terms, urls, visits where keyword_search_terms.url_id = urls.id and urls.id = visits.url order by visits.visit_time asc

History sqlite database: downloaded files. Note that in this version the downloads table stores start_time and end_time as Unix seconds, not WebKit microseconds, so no epoch arithmetic is needed. Later Chrome versions changed this table (timestamps in WebKit format, full_path split into current_path and target_path), so check the schema with .schema downloads before reusing the query.

select datetime(start_time, 'unixepoch', 'localtime'), datetime(end_time, 'unixepoch', 'localtime'), url, full_path from downloads order by start_time asc
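The WebKit time conversion and the History joins above, worked through in Python as an added example (not code from the original post). It builds a constructed, in-memory SQLite database that uses a subset of the column names from Chrome's History file (urls, visits, keyword_search_terms), with sample rows invented here, so it runs offline; on a real case, point sqlite3.connect() at a copy of the profile's History file instead. The result timestamps are left in UTC; add 'localtime' to the datetime() call as in the queries above if you want the examiner's zone.

```python
"""WebKit timestamp conversion plus the timeline and search-term joins
from Chrome's History database (added example, not from the original post)."""
import sqlite3
from datetime import datetime, timezone

# Seconds between the WebKit epoch (1601-01-01 00:00:00 UTC) and the Unix epoch.
WEBKIT_EPOCH_OFFSET = 11644473600


def webkit_to_unix(ts):
    """WebKit microseconds since 1601 -> Unix seconds (float).

    Chrome stores 0 for 'no timestamp' (e.g. a url row that was never
    visited), so 0/None is returned as None rather than as 1601-01-01.
    """
    if not ts:
        return None
    return ts / 1_000_000 - WEBKIT_EPOCH_OFFSET


def webkit_to_datetime(ts):
    """WebKit timestamp -> timezone-aware UTC datetime (or None)."""
    unix = webkit_to_unix(ts)
    return None if unix is None else datetime.fromtimestamp(unix, tz=timezone.utc)


def datetime_to_webkit(dt):
    """Inverse conversion; used here only to build the constructed sample rows."""
    return (int(dt.timestamp()) + WEBKIT_EPOCH_OFFSET) * 1_000_000


def build_sample_history():
    """Constructed History-like database: two visits and one search term.

    Only a subset of Chrome's real columns is declared; the names used are
    the ones the post's queries rely on.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER,
                          last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, from_visit INTEGER,
                            transition INTEGER);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER,
                                          lower_term TEXT, term TEXT);
    """)
    t1 = datetime_to_webkit(datetime(2012, 4, 18, 10, 0, 0, tzinfo=timezone.utc))
    t2 = datetime_to_webkit(datetime(2012, 4, 18, 10, 5, 0, tzinfo=timezone.utc))
    search_url = "https://www.google.com/search?q=chrome+forensics"
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, search_url, "chrome forensics - Google Search", 1, 1, t1),
        (2, "http://example.com/", "Example Domain", 1, 0, t2),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t1, 0, 1),   # sample: search typed into the omnibox
        (2, 2, t2, 1, 0),   # sample: link followed from visit 1
    ])
    conn.execute("INSERT INTO keyword_search_terms VALUES (?,?,?,?)",
                 (2, 1, "chrome forensics", "chrome forensics"))
    conn.commit()
    return conn


# Same epoch arithmetic as the post's queries, done inside SQLite. visit_time
# is an INTEGER column, so the division truncates to whole seconds.
_VISIT_TIME_UTC = "datetime(visits.visit_time/1000000 - 11644473600, 'unixepoch')"


def timeline(conn):
    """Every visit in chronological order as (utc timestamp, url, title)."""
    return conn.execute(f"""
        SELECT {_VISIT_TIME_UTC}, urls.url, urls.title
        FROM urls JOIN visits ON visits.url = urls.id
        ORDER BY visits.visit_time ASC
    """).fetchall()


def search_terms(conn):
    """Search terms Chrome recognised, with visit time and the result URL."""
    return conn.execute(f"""
        SELECT {_VISIT_TIME_UTC}, keyword_search_terms.term, urls.url
        FROM keyword_search_terms
        JOIN urls ON keyword_search_terms.url_id = urls.id
        JOIN visits ON visits.url = urls.id
        ORDER BY visits.visit_time ASC
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_history()
    for row in timeline(db):
        print("visit ", *row)
    for row in search_terms(db):
        print("search", *row)
```

The joins are written with explicit JOIN ... ON clauses, which is the same result as the comma-separated FROM with a WHERE condition in the queries above but makes a missing join key (the error that produces a cross product of every url against every visit) a syntax error rather than a silently wrong timeline.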