By default, browsers store search queries, usernames, passwords, form data, email addresses, credit card numbers and other sensitive information. They also hold downloaded files (images, videos, executables, documents) and, through bookmarks and history, a detailed record of the user's surfing habits and interests. Because of the nature and amount of data they keep, browsers play a very important role in forensics.

Why browser forensics

With browser forensics tools one can extract sensitive data and search for chosen keywords across most web browsers, recover deleted records, check whether the history was cleared, and retrieve artifacts such as cookies, download records, history, saved passwords and visited websites. Browser forensics also helps reconstruct how an attack on a system was conducted: it can reveal the source of malware, adware or spyware, the malicious email that delivered it, or the phishing website the user landed on. Many browsers are in use (Chrome, Firefox, Safari, Internet Explorer, Opera and others) depending on the platform. This post covers forensics for the Google Chrome browser.

Chrome

Google Chrome, developed by Google, is one of the most popular browsers and runs on all major platforms. A few salient features offered by Chrome –

  1. Integration with Google services
  2. Password and profile synchronisation between devices
  3. Plugins and extensions
  4. Incognito mode

Google Chrome artifacts

An artifact is a remnant or trace left behind on the computer; browser artifacts help identify where malicious traffic came from and how an attack on the system was conducted. Examples include cache data, history and download records. Chrome stores these artifacts in specific folders that differ per operating system, but the file formats are the same on every platform: most artifacts are SQLite databases and a few, such as Bookmarks, are JSON files. Following are the common artifacts stored by Chrome –

  1. Navigation History – URLs visited, page titles, visit counts and timestamps. It is used to check whether the user visited a malicious URL.
  2. Autocomplete Data – values typed into forms and search boxes. Read together with the navigation history for more insight.
  3. Bookmarks – pages the user saved (called favorites in some browsers and tools).
  4. Add-ons, Extensions and Plugins – installed extensions, each unpacked in its own folder.
  5. Cache – local copies of resources fetched from websites, such as images, JavaScript files and HTML pages.
  6. Logins – saved credentials for websites; the password values are stored encrypted.
  7. Form Data – saved form entries such as names, addresses and phone numbers.
  8. Favicons – site icons mapped to the page URLs they were shown for.
  9. Session Data – open tabs and their navigation state for the current and the previous browsing session.
  10. Thumbnails – previews of the most visited sites shown on the new tab page.
  11. Sensitive data – autofill records such as credit card numbers and addresses stored alongside the form data.

Various artifacts and its location

Following are the locations of the various artifacts to look at while doing a forensic investigation on Chrome. The paths are for Windows, with USER_NAME being the Windows account name. The first path in each entry is the standard Default profile; the second (ChromeDefaultData) is the alternative profile folder name seen on some installs. Additional profiles sit beside Default under names such as Profile 1, Profile 2 and so on. Chrome keeps its SQLite files open and locked while it is running, so copy them (together with any -journal or -wal file next to them) to a working folder and open the copies read-only. History, Cookies, Login Data and Bookmarks record times as WebKit timestamps: the number of microseconds since 1601-01-01 00:00:00 UTC (in Bookmarks, stored as a string in date_added).

  1. Profile Path – This contains the majority of the artifacts and the profile data of the user. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData
  2. Downloads + Navigation History + Search History – Stored in an SQLite database (tables urls, visits, keyword_search_terms, downloads and downloads_url_chains). Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\History
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\History
  3. Cookies – Also stored in an SQLite database (table cookies). Since Chrome 80 the cookie value is kept in the encrypted_value column, protected with the same OS key as saved passwords. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Cookies
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cookies
  4. Cache – A folder holding the index file, the data_# block files and f_###### files for larger entries. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Cache
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Cache
  5. Bookmarks – Stored in JSON format; Bookmarks.bak beside it is the previous copy and can hold bookmarks that were since removed. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Bookmarks
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Bookmarks
  6. Form History – Stored in an SQLite database (tables autofill, autofill_profiles and credit_cards). Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Web Data
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Web Data
  7. Favicons – Stored in an SQLite database (tables favicons, favicon_bitmaps and icon_mapping). Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Favicons
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Favicons
  8. Logins – Stored in an SQLite database (table logins). The password_value column is encrypted with the OS key store: on Windows it is protected with DPAPI, and since Chrome 80 the blob is AES-GCM encrypted with a key held in the Local State file that is itself DPAPI-protected. It can therefore only be decrypted under the same Windows user account, or offline with that user's password and DPAPI master keys. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Login Data
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Login Data
  9. Session Data – Current Sessions/Tabs –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Current Session
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Session
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Current Tabs
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Current Tabs
     Last (Previous) Sessions/Tabs –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Last Session
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Session
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Last Tabs
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Last Tabs
     Recent Chrome versions keep these instead as Session_* and Tabs_* files inside a Sessions folder in the profile.
  10. Addons + Extensions – Stored as folders, one per extension named by its extension ID, with a subfolder per installed version. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Extensions
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\ChromeDefaultData\Extensions
  11. Thumbnails – Stored in an SQLite database. Location –
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Top Sites
     C:\Users\USER_NAME\AppData\Local\Google\Chrome\User Data\Default\Thumbnails (older versions)
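As an added example (not code from the original post), the following Python script does the three things an examiner does first with the History database: it converts Chrome's WebKit timestamps (microseconds since 1601-01-01 UTC) to readable UTC times, lists visits with their transition type and downloads with the final URL of the redirect chain, and applies the sqlite_sequence gap heuristic to estimate how many url rows were deleted. The sample database is constructed in memory with a trimmed-down copy of Chrome's History schema (the column names are Chrome's, but only the columns the script reads are present); open_history() is the function to point at a copied History file from a real profile.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core page-transition types, the low byte of visits.transition (Chrome's ui::PageTransition).
TRANSITION_CORE = {
    0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 4: "manual_subframe",
    5: "generated", 6: "auto_toplevel", 7: "form_submit", 8: "reload", 9: "keyword",
    10: "keyword_generated",
}
# downloads.state as written by Chrome's download database (3 was a retired value).
DOWNLOAD_STATE = {0: "in_progress", 1: "complete", 2: "cancelled", 4: "interrupted"}


def webkit_to_datetime(ts):
    """Microseconds since 1601-01-01 UTC -> aware datetime. Chrome stores 0 for
    'no time' (e.g. end_time of an unfinished download), returned here as None."""
    if not ts:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))


def open_history(path):
    """Open a *copy* of the History file read-only. Chrome locks the live file, and
    the copy must include any History-journal / History-wal file sitting next to it."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def list_visits(conn):
    rows = conn.execute(
        "SELECT v.id, u.url, u.title, v.visit_time, v.transition, v.from_visit "
        "FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time").fetchall()
    return [{"id": vid, "url": url, "title": title, "time": webkit_to_datetime(t),
             "transition": TRANSITION_CORE.get(trans & 0xFF, "unknown"), "from_visit": fv}
            for vid, url, title, t, trans, fv in rows]


def list_downloads(conn):
    # downloads_url_chains holds every hop of the redirect chain; the highest
    # chain_index is the URL the bytes actually came from.
    rows = conn.execute(
        "SELECT d.id, d.target_path, d.start_time, d.end_time, d.received_bytes, "
        "d.total_bytes, d.state, d.referrer, "
        "(SELECT url FROM downloads_url_chains c WHERE c.id = d.id "
        " ORDER BY c.chain_index DESC LIMIT 1) FROM downloads d").fetchall()
    return [{"id": did, "path": path, "start": webkit_to_datetime(s),
             "end": webkit_to_datetime(e), "received": rb, "total": tb,
             "state": DOWNLOAD_STATE.get(state, "unknown"), "referrer": ref, "url": final}
            for did, path, s, e, rb, tb, state, ref, final in rows]


def deleted_rows(conn, table):
    """urls.id and visits.id are AUTOINCREMENT, so sqlite_sequence keeps the highest
    id ever issued. Ids missing from the table were deleted (history cleared or single
    entries removed). The figure is a lower bound: it cannot see rows deleted and
    then overwritten by later inserts."""
    row = conn.execute("SELECT seq FROM sqlite_sequence WHERE name = ?", (table,)).fetchone()
    highest = row[0] if row else 0
    present = conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
    return {"highest_id": highest, "present": present, "missing": highest - present}


def build_sample_history():
    """Constructed sample: trimmed Chrome History schema plus a few made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY AUTOINCREMENT, url LONGVARCHAR,
            title LONGVARCHAR, visit_count INTEGER DEFAULT 0, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY AUTOINCREMENT, url INTEGER NOT NULL,
            visit_time INTEGER NOT NULL, from_visit INTEGER, transition INTEGER DEFAULT 0);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path LONGVARCHAR,
            start_time INTEGER, end_time INTEGER, received_bytes INTEGER,
            total_bytes INTEGER, state INTEGER, referrer VARCHAR);
        CREATE TABLE downloads_url_chains(id INTEGER NOT NULL, chain_index INTEGER NOT NULL,
            url LONGVARCHAR);""")
    base = 13_000_000_000_000_000  # WebKit timestamp for 2012-12-14 23:06:40 UTC
    conn.executemany("INSERT INTO urls(url, title, last_visit_time) VALUES (?, ?, ?)",
                     [("https://example.com/", "Example", base),
                      ("https://login-example.test/", "Sign in", base + 60_000_000),
                      ("https://dl.example.test/update.exe", "update.exe", base + 120_000_000)])
    conn.executemany("INSERT INTO visits(url, visit_time, from_visit, transition) VALUES (?,?,?,?)",
                     [(1, base, 0, 0x10000001),            # typed; 0x10000000 = chain-start qualifier
                      (2, base + 60_000_000, 1, 0),        # followed a link one minute later
                      (3, base + 120_000_000, 2, 7)])      # form submit started the download
    conn.execute("INSERT INTO downloads VALUES (1, ?, ?, 0, 4096, 10240, 4, ?)",
                 (r"C:\Users\alice\Downloads\update.exe", base + 125_000_000,
                  "https://login-example.test/"))
    conn.executemany("INSERT INTO downloads_url_chains VALUES (?, ?, ?)",
                     [(1, 0, "https://dl.example.test/update.exe"),
                      (1, 1, "https://cdn.example.test/update.exe")])
    # Simulate the user deleting one history entry: Chrome removes the url row and its visits.
    conn.execute("DELETE FROM visits WHERE url = 2")
    conn.execute("DELETE FROM urls WHERE id = 2")
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = build_sample_history()
    for v in list_visits(conn):
        print(v["time"], v["transition"], v["url"])
    for d in list_downloads(conn):
        print(d["start"], d["state"], d["url"], "->", d["path"])
    print("urls:", deleted_rows(conn, "urls"), "visits:", deleted_rows(conn, "visits"))
```

Against a real profile, replace build_sample_history() with open_history(r"C:\case\History") on a copied file; the same queries work unchanged because only Chrome's own column names are used. The interrupted download with end_time 0 and a referrer that no longer appears in urls is the kind of inconsistency worth flagging: the download record survived a history deletion that removed the page it was started from.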

Tools

Now that we know the different artifacts and their locations, let us see which tools can be used for performing browser forensics –

  1. DB Browser for SQLite – Opens the SQLite databases (History, Cookies, Web Data, Login Data, Favicons, Top Sites) and lets you run the queries by hand.
  2. NirSoft web browser tools – BrowsingHistoryView (history from several browsers in one view) and ESEDatabaseView. Note that ESE databases are what Internet Explorer and Edge use (WebCacheV01.dat), not Chrome, whose files are SQLite.
  3. Sysinternals Strings – Pulls readable strings (URLs, file names) out of cache, session and other binary files.
  4. OSForensics
  5. Magnet IEF (Internet Evidence Finder)
  6. Browser History Viewer and Browser History Examiner (free trial)
  7. Hindsight – Open-source parser written specifically for Chrome and Chromium profiles.
  8. libesedb – Library to access the Extensible Storage Engine (ESE) Database File (EDB) format; as with ESEDatabaseView, this applies to IE/Edge stores rather than Chrome.
  9. Web Browser Add-ons View – Lists installed extensions and add-ons.
  10. The LaZagne Project – Recovers saved browser credentials, including decrypting Chrome's Login Data when run on the live machine under the user's account.
