Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003)

Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder

Artifact/Program Version
Windows 2000/Win XP/Windows Server 2003

Description
Obtaining information about the user’s browsing habits is an important step in many digital forensics investigations.  We see lots of articles on IE & Firefox, but what about Google’s Chrome browser?  Like Firefox before it, Chrome is steadily gaining browser market share.  This post points out where to find the Chrome user’s Profile folder.  Most times, this will be saved as “Default”, but be on the lookout for multiple profiles.  Once you locate and extract the Chrome Profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing the information stored within it.  You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)

Cookies

Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from forensic-software.co.uk: http://forensic-software.co.uk/chromeanalysis.aspx

ChromeForensics by Woanware: http://www.woanware.co.uk/?page_id=70

2 Comments

[…] This post was mentioned on Twitter by azhtcia, Forensic Artifacts. Forensic Artifacts said: Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003) http://bit.ly/fBLVAr […]

Mark McKinnon

February 22, 2011

Here is some SQL to create some reports based on the information in the Chrome database files. The format is database file name, type of information, SQL Statement.

History File

Internet Activity:

select a.url, title, visit_count, typed_count, (substr(last_visit_time,1,11)-11644473600) LAST_VISIT_TIME,
(substr(visit_time,1,11)-11644473600) VISIT_TIME, a.id
from urls a, visits b
where b.url = a.id order by a.url;

KeyWord Searches

SELECT url, lower_term, term
from urls a, keyword_search_terms b
where url_id = id;

Downloads

select full_path, url, start_time, received_bytes, total_bytes
from downloads;

Bookmarks

Bookmarks:

select url, b.title, (substr(date_added,1,11)-11644473600) DATE_ADDED,
case when date_modified <> 0 then (substr(date_modified,1,11)-11644473600) else date_modified end DATE_MODIFIED
from urls a, starred b
where a.id = b.URL_ID;

Web Data

Internet Logins:

select origin_url, action_url, username_element, username_value,
password_element, password_value, submit_element, signon_realm, date_created
from logins;

THUMBNAILS

thumbnails:

select a.url_id, boring_score, last_updated, a.url_id||'.jpg', data from thumbnails a;

COOKIES

cookies:

select (substr(creation_utc,1,11)-11644473600) CREATE_Date, name, value,
case when substr(host_key,1,1) = '.' then 'www'||host_key else host_key end,
path, (substr(expires_utc,1,11)-11644473600) EXPIRATION_DATE
from cookies;
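
Added example (not part of the original post or the comment above): a Python example that runs the Internet Activity join against a small constructed stand-in for the History file and converts Chrome's timestamps, which count microseconds since 1601-01-01 UTC, without depending on the value being 17 digits long. The sample rows, the helper names and the reduced table layout are assumptions made for illustration; open_readonly shows how an extracted copy can be opened without being modified.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Return an aware UTC datetime, or None for 0/NULL ("never set")."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))

def open_readonly(path):
    """Open an extracted copy of a profile database without modifying it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def build_sample_history():
    """Constructed sample data: only the urls/visits columns used below."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.com/', 'Example', 2, 1, 12942806400000000);
        INSERT INTO urls VALUES (2, 'http://example.org/a', 'Never visited', 0, 0, 0);
        INSERT INTO visits VALUES (1, 1, 12942720000000000);
        INSERT INTO visits VALUES (2, 1, 12942806400000000);
    """)
    return con

def visit_report(con):
    """One row per visit, oldest first, with timestamps converted in Python."""
    rows = con.execute("""
        SELECT u.url, u.title, u.visit_count, u.typed_count,
               u.last_visit_time, v.visit_time
        FROM urls u JOIN visits v ON v.url = u.id
        ORDER BY v.visit_time
    """).fetchall()
    return [(url, title, visits, typed, webkit_to_utc(last), webkit_to_utc(when))
            for url, title, visits, typed, last, when in rows]

if __name__ == "__main__":
    for row in visit_report(build_sample_history()):
        print(row[0], row[5].isoformat(), "last:", row[4].isoformat())
```
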
