Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003)

Posted by:  /  Tags: , , ,  /  Comments: 2

Author Name
Joe Garcia

Artifact Name
Google Chrome Browser Profile Folder

Artifact/Program Version
Windows 2000/Win XP/Windows Server 2003

As part of a lot of Digital Forensics investigations, obtaining information of the user’s browsing habits is an important step.  We see lots of articles on IE & Firefox, but what about Google’s Chrome Browser?  Like Firefox before it, Chrome is steadily gaining in the browser market share.  This post looks to point out where to find the Chrome user’s Profile folder.  Most times, this will be saved as “Default”, but be on the look out for multiple profiles.  Once you locate and extract the Chrome Profile folder (listed below) from your image, you can use tools like ChromeAnalysis or ChromeForensics to assist you in parsing out the information stored within it.  You will get the following data, which is stored in SQLite files:

History (Web, bookmarks, downloads and search terms)


Web Logins

Archived History (Web History and search terms)

Bookmarks (This is in a non-SQLite format)

File Locations
HardDrive\Documents and Settings\USERNAME\Local Settings\Application Data\Google\Chrome\User Data\Default

Research Links
Get Google’s Chrome Browser HERE

Forensic Programs of Use
ChromeAnalysis from

ChromeForensics by Woanware:



[…] This post was mentioned on Twitter by azhtcia, Forensic Artifacts. Forensic Artifacts said: Google Chrome Browser Profile (Windows 2000, Windows XP, Windows Server 2003) […]

Mark McKinnon

February 22, 2011


Here is some SQL to create some reports based on the information in the Chrome database files. The format is database file name, type of information, SQL Statement.

History File

Internet Activity:

select a.url, title, visit_count, typed_count, (substr(last_visit_time,1,11)-11644473600) LAST_VISIT_TIME,
(substr(visit_time,1,11)-11644473600) VISIT_TIME,
from urls a, visits b
where b.url = order by a.url;

KeyWord Searches

SELECT url, lower_term, term,
from urls a, keyword_search_terms b
where url_id = id;


select full_path, url, start_time, received_bytes, total_bytes
from downloads;



select url, b.title, (substr(date_added,1,11)-11644473600) DATE_ADDED,
case when date_modified 0 then (substr(date_modified,1,11)-11644473600) else date_modified end DATE_MODIFIED
from urls a, starred b
where = b.URL_ID;

Web Data

Internet Logins:

select origin_url, action_url, username_element, username_value,
password_element, password_value, submit_element, signon_realm, date_created
from logins;



select a.url_id, boring_score, last_updated, a.url_id||’.jpg’, data from thumbnails a;



select (substr(creation_utc,1,11)-11644473600) CREATE_Date, name, value,
case when substr(host_key,1,1) = ‘.’ then ‘www’||host_key else host_key end,
path, (substr(expires_utc,1,11)-11644473600) EXPIRATION_DATE
from cookies;

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment