Artifacts

Archive for February, 2011


Google Chrome Browser Profile (Windows Vista/Windows 7)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder (Windows Vista/Windows 7)

Artifact/Program Version
Windows Vista/Windows 7

Description
In many digital forensics investigations, establishing the user's browsing habits is an important step. We see lots of articles on IE and Firefox, but what about Google's Chrome browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user's profile folder. Most times it will be named "Default", but be on the lookout for multiple profiles. Once you locate and extract the Chrome profile folder (path listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to parse the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (this one is in a non-SQLite format)

File Locations
HardDrive\Users\USERNAME\AppData\Local\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70

Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003)


Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder

Artifact/Program Version
Windows 2000/Win XP/Windows Server 2003

Description
In many digital forensics investigations, establishing the user's browsing habits is an important step. We see lots of articles on IE and Firefox, but what about Google's Chrome browser? Like Firefox before it, Chrome is steadily gaining browser market share. This post points out where to find the Chrome user's profile folder. Most times it will be named "Default", but be on the lookout for multiple profiles. Once you locate and extract the Chrome profile folder (path listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to parse the information stored within it. You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (this one is in a non-SQLite format)

File Locations
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70
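Both Chrome posts above (the Vista/7 path and the 2000/XP/2003 path) point at the same profile layout, so a single added example covers them. This is example code written for this page, not part of the original posts and not ChromeAnalysis or ChromeForensics code. It shows the one thing a parser of the profile's History SQLite file has to get right that a plain SQL browser will not: Chrome records timestamps as microseconds since 1601-01-01 UTC, so the raw last_visit_time numbers must be converted before they mean anything. The urls and keyword_search_terms tables below are a trimmed-down stand-in for Chrome's real schema (assumed column subset), and every row is constructed for the example; on a real extracted profile you would open the History file by path instead of building one in memory.

```python
"""Parse a Chrome History SQLite file: visited URLs, titles, visit counts,
search terms, and last-visit timestamps converted from Chrome's 1601-based
microsecond clock to readable UTC dates."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit time: microseconds since 1601-01-01 00:00:00 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_datetime(microseconds):
    """Convert a Chrome timestamp to an aware datetime (None for 0/NULL)."""
    if not microseconds:
        return None
    return CHROME_EPOCH + timedelta(microseconds=microseconds)


def datetime_to_chrome_time(dt):
    """Inverse conversion, computed with integers to avoid float rounding."""
    delta = dt - CHROME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def build_sample_history(path=":memory:"):
    """Constructed sample database using an assumed subset of Chrome's schema."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER DEFAULT 0);
        CREATE TABLE keyword_search_terms (
            keyword_id INTEGER, url_id INTEGER, lower_term TEXT, term TEXT);
    """)
    t1 = datetime_to_chrome_time(datetime(2011, 2, 14, 9, 30, 0, tzinfo=timezone.utc))
    t2 = datetime_to_chrome_time(datetime(2011, 2, 15, 18, 5, 42, tzinfo=timezone.utc))
    conn.executemany(
        "INSERT INTO urls (id, url, title, visit_count, typed_count, last_visit_time)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [
            (1, "http://www.example.com/", "Example Domain", 3, 1, t1),
            (2, "http://www.google.com/search?q=secret+sauce+recipe",
             "secret sauce recipe - Google Search", 1, 0, t2),
        ],
    )
    conn.execute(
        "INSERT INTO keyword_search_terms VALUES (?, ?, ?, ?)",
        (2, 2, "secret sauce recipe", "secret sauce recipe"),
    )
    conn.commit()
    return conn


def history_report(conn):
    """Most-recent-first list of visited URLs with decoded timestamps."""
    rows = conn.execute("""
        SELECT u.url, u.title, u.visit_count, u.last_visit_time, k.term
        FROM urls u
        LEFT JOIN keyword_search_terms k ON k.url_id = u.id
        ORDER BY u.last_visit_time DESC
    """).fetchall()
    report = []
    for url, title, visits, last_visit, term in rows:
        when = chrome_time_to_datetime(last_visit)
        report.append({
            "url": url,
            "title": title,
            "visits": visits,
            "last_visit": when.strftime("%Y-%m-%d %H:%M:%S UTC") if when else None,
            "search_term": term,
        })
    return report


if __name__ == "__main__":
    for entry in history_report(build_sample_history()):
        print(entry)
```

To run it against an extracted profile, pass the copied History file's path to sqlite3.connect instead of calling build_sample_history; work on the copy from your image rather than the live file, which Chrome keeps locked and keeps writing to. The same timestamp conversion applies to the other Chrome SQLite files in the profile.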

RecentDocs


Author Name
Joe Garcia

Artifact Name
RecentDocs

Operating System
Windows XP, Vista, Win7

Description
When starting a forensic examination, a great first artifact to check out is RecentDocs (or Recently Used Documents). By default, Windows will display 15 items in the "My Recent Documents" menu option. This will include .doc, .jpg, .pdf, etc. files. This is a great way to get a quick look at what files the subject of your investigation has opened recently. For example, for Law Enforcement officers, this is a great place to look if you have to investigate a suspicious death. Your victim may have actually created a suicide note on their computer, and this artifact can help you find it. For Corporate investigators, your subject may have been snooping around for the recipe of your company's "Secret Sauce" (or whatever proprietary data you wish to insert here). This artifact might show the document being opened on your subject's computer. This can be used to corroborate other evidence obtained during your investigation.

When opening this artifact in a program such as MiTeC’s Windows Registry Recovery or AccessData’s Registry Viewer, you will see the following:

[Screenshot: RecentDocs artifact in Windows Registry Recovery by MiTeC]


If you look at the Data in the "MRUListEx" value, it will always start with the document that was opened most recently and work its way back. So in this case, document "08" was opened most recently. Each entry in "MRUListEx" is four bytes in length. So going forward four bytes from "08", we can see that "07" was the next most recent document opened in this example.
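The ordering rule above is easy to apply by hand for two entries and tedious for fifteen, so here is an added example, written for this page rather than taken from the post or from any of the tools it names, that decodes MRUListEx and walks the indexed values in most-recent-first order. It relies on two properties of the key: MRUListEx is a run of 4-byte little-endian DWORD indexes terminated by 0xFFFFFFFF, and each numbered value ("0", "1", ...) begins with the document name as a null-terminated UTF-16LE string, followed by a binary shell item that this example does not decode. The value bytes are constructed for the example; the index numbers (8, 7, 0) mirror the "08 then 07" case in the text.

```python
"""Decode the RecentDocs MRUListEx value and recover document names in
most-recently-opened order."""
import struct

TERMINATOR = 0xFFFFFFFF  # ends the MRUListEx index list


def parse_mrulistex(data):
    """Return value indexes in MRU order (most recent first)."""
    if len(data) % 4 != 0:
        raise ValueError("MRUListEx length is not a multiple of 4 bytes")
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == TERMINATOR:
            break
        order.append(idx)
    return order


def recentdocs_filename(value_data):
    """Extract the leading null-terminated UTF-16LE name from a RecentDocs value.

    The terminator must be found on a 2-byte boundary: a naive search for
    b"\\x00\\x00" can land between two characters' high bytes.
    """
    for i in range(0, len(value_data) - 1, 2):
        if value_data[i:i + 2] == b"\x00\x00":
            return value_data[:i].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator found in RecentDocs value")


def recent_docs_in_order(values):
    """values maps registry value name -> raw bytes, as read from the
    RecentDocs key ("MRUListEx", "0", "1", ...). Returns (index, name) pairs,
    most recent first; indexes with no matching value are reported as None."""
    result = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        result.append((idx, recentdocs_filename(raw) if raw is not None else None))
    return result


def build_sample_values():
    """Constructed sample of a RecentDocs key: three documents, 8 opened last."""
    names = {0: "budget.xls", 7: "note.txt", 8: "secret_sauce.doc"}
    values = {}
    for idx, name in names.items():
        # name, terminator, then a stand-in for the shell item that follows
        values[str(idx)] = name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00" + b"\x00" * 18
    values["MRUListEx"] = struct.pack("<4I", 8, 7, 0, TERMINATOR)
    return values


if __name__ == "__main__":
    for idx, name in recent_docs_in_order(build_sample_values()):
        print(f"{idx:02d}  {name}")
```

On a live system the same dictionary can be filled from the RecentDocs key with the standard winreg module; for an NTUSER.dat extracted from an image you need a hive parser to read the values first, which is exactly what RegRipper's recentdocs plugin does for you. The per-extension subkeys under RecentDocs (.doc, .pdf, and so on) each carry their own MRUListEx and can be decoded the same way.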

You can also use everyone’s favorite registry parsing tool RegRipper to accomplish the same goal (and better might I add). RegRipper displays the RecentDocs in order from last opened to first opened. Again, this is defined by the default max number. Other documents opened earlier on will not be listed here.

[Screenshot: RecentDocs displayed in RegRipper]


Registry Keys
NTUSER.dat

File Locations
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Research Links
Default Max Number of Recent Docs (Microsoft TechNet): http://technet.microsoft.com/en-us/library/cc975956.aspx

Forensic Programs of Use
AccessData’s Registry Viewer
Harlan Carvey’s RegRipper
MiTeC’s Windows Registry Recovery

Other Information
Just want to give a shout out to Harlan Carvey here. I just got done reading Chapter 1 of his Windows Registry Forensics book. In that chapter (pp. 21-23), he sets out to get the Registry nomenclature straightened out. I am sure that there are examiners/analysts/etc. (myself included) out there who have mixed these terms around. This was a great idea to help get everyone on the same page.

We’re back!


Hey Everyone,

I'd like to apologize for the lengthy layoff that the site has had (3 months). Things had gotten a bit hectic over that time. Matt has found new employment and has less time to contribute as of late. I was on vacation, then out sick in December. Oh, and I am still putting out my podcast, Cyber Crime 101 (shameless plug), on a regular basis. My case load at work increased a bit and I had been playing catch-up ever since.

Well, things have evened out (at least for me) at work and I realized the lack of attention being paid to this site. With that said, I hope to post here on a regular basis. I am looking to do a post every 2 weeks. I figure this should be a good way to populate the site without stress. Also, I ask that if you have an Artifact that you have good knowledge of that hasn’t been covered here yet, please use the “Submit” page to help contribute back to the Digital Forensics Community. Furthermore, if you see a previous post that you believe might be missing or might have updated information, please contact us and let us know. That way we can get the latest information out to our fellow examiners/analysts/forensicators (whatever title you want to go by).

Thanks,
Joe G.