Google Chrome Forensics on Mac

It is not easy to write about forensic analysis of browser artifacts. The frequent upgrades and the limited resources available do not make it easier. Please do your own research and testing. I am, after all, a practitioner, not a scientist or an engineer. Have fun.

Browser Version: 18.0.1025.163

Locations:

OS X 10.7 – ~/Library/Application Support/Google/Chrome/ and ~/Library/Cache/Google/Chrome/Profile/[profilename]/Cache

Forensic Artifacts:

  • Local State – profile information, including the last used profile
  • Bookmarks – user-specified bookmarks
  • Cookies
  • History – browsing history
  • History Index [YYYY-MM] – text-based contents of visited sites
  • Login Data – saved usernames
  • Network Action Predictor – learns user behaviour; probably used to predict the web address or search term the user intends to type
  • Shortcuts – one of the Omnibox features; offers suggestions for URLs or search terms
  • Top Sites – feature similar to Safari's Top Sites
  • Web Data – Autofill information
  • Cache

Time-based analysis

Timestamps are mostly recorded in WebKit time format (the number of microseconds since 01/01/1601 00:00:00 UTC, stored as a 64-bit integer). A simple formula to convert a WebKit timestamp to Unix time (seconds since 01/01/1970 00:00:00 UTC) is:

[timestamp]/1000000 - 11644473600

Useful SQLite statements

Cookies SQLite database: cookie hostname, creation timestamp and last access timestamp:

select host_key, datetime((creation_utc/1000000 - 11644473600), 'unixepoch', 'localtime'), datetime((last_access_utc/1000000 - 11644473600), 'unixepoch', 'localtime') from cookies

History SQLite database: history with last visited time (add "order by last_visit_time" to sort):

select datetime((last_visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), url, title, typed_count, visit_count from urls

History SQLite database: sort history by timeline (one row per visit):

select datetime((visits.visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), urls.url, urls.title from urls, visits where visits.url = urls.id order by visits.visit_time asc

History SQLite database: search term analysis (keyword_search_terms links a search term to the result page's urls row; the join to visits gives the time of each search):

select datetime((visits.visit_time/1000000 - 11644473600), 'unixepoch', 'localtime'), keyword_search_terms.term, urls.url from keyword_search_terms, urls, visits where keyword_search_terms.url_id = urls.id and visits.url = urls.id order by visits.visit_time asc

History SQLite database: downloaded files (in this Chrome version the downloads table stores start_time and end_time as Unix seconds, so no WebKit conversion is needed):

select datetime(start_time, 'unixepoch', 'localtime'), datetime(end_time, 'unixepoch', 'localtime'), url, full_path from downloads order by start_time asc
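The WebKit time conversion and the search-term join above, exercised end to end as an added example (not code from the original post). It builds a constructed in-memory stand-in for the History database holding only the columns the queries use, so it runs without a real Chrome profile; a real analysis would open a copy of the History file instead of ":memory:", and timestamps are left in UTC here, where the post's queries append 'localtime'.

```python
import sqlite3
from datetime import datetime, timezone

# Seconds between 1601-01-01 00:00:00 UTC (WebKit epoch) and 1970-01-01 (Unix epoch).
WEBKIT_EPOCH_OFFSET = 11644473600


def webkit_to_unix(ts):
    """WebKit/Chrome timestamp (microseconds since 1601) -> Unix seconds (float)."""
    return ts / 1_000_000 - WEBKIT_EPOCH_OFFSET


def unix_to_webkit(unix_seconds):
    """Inverse conversion; used only to build the constructed sample rows below."""
    return int((unix_seconds + WEBKIT_EPOCH_OFFSET) * 1_000_000)


def build_sample_history():
    """Constructed subset of Chrome's History schema with two visits and one search."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT);
    """)
    t0 = int(datetime(2012, 5, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp())
    con.execute("INSERT INTO urls VALUES (1, 'https://www.google.com/search?q=sqlite+forensics',"
                " 'sqlite forensics - Google Search', 1, 0, ?)", (unix_to_webkit(t0 + 60),))
    con.execute("INSERT INTO urls VALUES (2, 'https://www.example.com/', 'Example Domain', 1, 1, ?)",
                (unix_to_webkit(t0),))
    con.executemany("INSERT INTO visits (url, visit_time) VALUES (?, ?)",
                    [(2, unix_to_webkit(t0)), (1, unix_to_webkit(t0 + 60))])
    con.execute("INSERT INTO keyword_search_terms VALUES (2, 1, 'sqlite forensics')")
    return con


# Same query as in the post, with explicit JOINs; integer division keeps whole seconds.
SEARCH_TERMS_SQL = """
SELECT datetime(visits.visit_time / 1000000 - 11644473600, 'unixepoch'),
       keyword_search_terms.term, urls.url
FROM keyword_search_terms
JOIN urls   ON keyword_search_terms.url_id = urls.id
JOIN visits ON visits.url = urls.id
ORDER BY visits.visit_time ASC
"""


def search_terms(con):
    """Return (timestamp, term, url) rows, oldest search first."""
    return con.execute(SEARCH_TERMS_SQL).fetchall()
```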

