
In today's digital world, web browsers are a goldmine of information for forensic investigators. With many users relying on Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave for daily activities, understanding how to analyze browser data is crucial.
-------------------------------------------------------------------------------------------------------------
Understanding Browser Profiles
One of the most important things to know when analyzing a Chromium-based browser is that it supports multiple user profiles. This feature allows users to keep their "work" and "personal" data separate. However, from a forensic perspective, it means there could be multiple sets of browser data that need to be examined.
-------------------------------------------------------------------------------------------------------------
Where to Find Profiles?
Location:
%UserProfile%\AppData\Local\Google\Chrome\User Data\
The Default folder contains the original Chrome profile.
Additional profiles are stored in folders named "Profile 1," "Profile 2," etc.
A Guest Profile folder also exists. Guest sessions behave like Incognito mode: their browsing data is discarded when the session ends, so expect little persistent evidence in that folder.
Microsoft Edge allows profiles without an associated email, but they are still tied to a Windows user account.
-------------------------------------------------------------------------------------------------------------
Key Artifacts in the Preferences File
Each profile has a Preferences file, a JSON-formatted file that records key information like:
Associated email address (if provided)
Profile name
Installed extensions
Homepage and pinned tabs
Privacy and synchronization settings
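As an added illustration (not code from the original post), the script below walks a User Data folder, treats every sub-folder that holds a Preferences file as a profile, and pulls the profile name, signed-in accounts, homepage, pinned tabs and extension list out of each one. The two profiles it writes to a temporary folder are constructed sample data, and the JSON keys it reads (profile.name, account_info[].email, extensions.settings.<id>, homepage, pinned_tabs) are what recent Chrome builds write; treat them as assumptions and confirm them against the Preferences file in your own evidence.

```python
import json
import ntpath
import os
import tempfile

# Constructed sample Preferences documents (not real evidence). The extension
# IDs and paths are made up to look like Chrome's.
SAMPLE_PREFERENCES = {
    "Default": {
        "profile": {"name": "Person 1"},
        "homepage": "https://intranet.example",
        "pinned_tabs": [{"url": "https://mail.example"}],
        "extensions": {"settings": {
            "abcdefghijklmnopabcdefghijklmnop": {
                "from_webstore": True, "state": 1,
                "path": "abcdefghijklmnopabcdefghijklmnop\\1.4.0_0",
                "manifest": {"name": "Tab Saver", "version": "1.4.0"}},
        }},
    },
    "Profile 1": {
        "profile": {"name": "Work"},
        "account_info": [{"email": "analyst@example.com", "full_name": "A. Analyst"}],
        "extensions": {"settings": {
            "ponmlkjihgfedcbaponmlkjihgfedcba": {
                "from_webstore": False, "state": 1,
                "path": "C:\\Users\\analyst\\Downloads\\helper_ext",
                "manifest": {"name": "Helper", "version": "0.1"}},
        }},
    },
}


def build_sample_user_data():
    """Write the constructed profiles into a temporary 'User Data' folder."""
    root = tempfile.mkdtemp(prefix="User Data-")
    for folder, prefs in SAMPLE_PREFERENCES.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "Preferences"), "w", encoding="utf-8") as f:
            json.dump(prefs, f)
    return root


def enumerate_profiles(user_data_dir):
    """Every sub-folder that holds a Preferences file is a profile worth examining."""
    return sorted(entry for entry in os.listdir(user_data_dir)
                  if os.path.isfile(os.path.join(user_data_dir, entry, "Preferences")))


def summarize_preferences(pref_path):
    """Pull identity, homepage, pinned tabs and extensions out of one Preferences file."""
    with open(pref_path, encoding="utf-8") as f:
        prefs = json.load(f)
    extensions = []
    for ext_id, ext in prefs.get("extensions", {}).get("settings", {}).items():
        manifest = ext.get("manifest", {})
        path = ext.get("path", "")
        extensions.append({
            "id": ext_id,
            "name": manifest.get("name"),
            "version": manifest.get("version"),
            "enabled": ext.get("state") == 1,
            # Web Store installs sit under the profile with a relative path; an
            # absolute path or from_webstore=False points at a sideloaded
            # (unpacked or externally pushed) extension that deserves a closer look.
            "sideloaded": (not ext.get("from_webstore", False)) or ntpath.isabs(path),
            "path": path,
        })
    return {
        "profile_name": prefs.get("profile", {}).get("name"),
        "accounts": [a["email"] for a in prefs.get("account_info", []) if a.get("email")],
        "homepage": prefs.get("homepage"),
        "pinned_tabs": [t.get("url") for t in prefs.get("pinned_tabs", [])],
        "extensions": extensions,
    }


def summarize_user_data(user_data_dir):
    """Map every profile folder under User Data to its Preferences summary."""
    return {name: summarize_preferences(os.path.join(user_data_dir, name, "Preferences"))
            for name in enumerate_profiles(user_data_dir)}


if __name__ == "__main__":
    root = build_sample_user_data()
    for name, summary in summarize_user_data(root).items():
        print(name, json.dumps(summary, indent=2))
```

Point it at a real folder with summarize_user_data(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data"). The sideloaded flag is the first thing to check on a suspected malicious-extension case: anything with an absolute install path did not come through the Web Store.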
-------------------------------------------------------------------------------------------------------------
Recovering Deleted Browser Data
When a user deletes a profile, the browser removes its folder and the databases inside it. File carving over unallocated disk space, and record carving inside recovered SQLite files, can often bring those artifacts back, so even a deliberate attempt to erase browsing history may leave traces for analysis.
-------------------------------------------------------------------------------------------------------------
Best Tools for Chromium-Based Browser Forensics
Forensic investigators have several powerful tools to extract and analyze browser artifacts. Here are some of the most effective ones:
1. Hindsight
Hindsight, created by Ryan Benson, is one of the best open-source tools for parsing Chromium browser data.
Parses SQLite databases used by Chrome
Supports LevelDB to extract Web Storage and File System artifacts
Analyzes cache files (Cache, Media Cache, GPUCache, etc.)
Outputs data in Excel (XLSX) or SQLite format
Supports plugins to analyze Google Analytics cookies, search history, and more
How to Use Hindsight?
Hindsight runs via the command line:
hindsight -i "C:\Users\Username\AppData\Local\Google\Chrome\User Data"
This command extracts data from all profiles in the User Data folder. You can also specify individual profile folders for a more focused analysis.
2. NirSoft ChromeHistoryView
NirSoft provides a lightweight, easy-to-use tool called ChromeHistoryView.
Extracts browsing history from Chrome databases
Displays a simple timeline of visited websites
Lightweight and quick to run on current browser versions
While it doesn’t provide as much detail as Hindsight, it's a good backup tool for quick investigations.
-------------------------------------------------------------------------------------------------------------
Key Browser Artifacts to Investigate
Chromium-based browsers store vast amounts of user data. Here are some of the most valuable artifacts:

*********************************************************************************************************************
Browser Forensic Analysis Book
Chapter 1: Determining Sites Visited
Understanding a user's browsing activity begins with reviewing history data and associated artifacts.
Key Steps:
Review History Data: Extract visited URLs, timestamps, and search keywords.
Review Transition Info: Identify typed URLs versus redirected links.
Document Top Sites: Rank frequently visited websites for behavioral insights.
Audit Preferences File: Check for visited sites, auto-fill data, and sync settings.
Parse Download History: Identify downloaded files and potential malicious payloads.
Audit Bookmarks: Retrieve saved and backup bookmarks (JSON format).
Look for Other Profiles: Detect additional Chrome user profiles to expand the scope of analysis.
Relevant Files & Formats:
Artifact | File Location (inside the profile folder) | Format |
History Data | History (urls, visits, keyword_search_terms tables) | SQLite |
Bookmarks | Bookmarks, Bookmarks.bak | JSON |
Download History | History (downloads, downloads_url_chains tables) | SQLite |
Preferences | Preferences | JSON |
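The steps above (history, transition info, downloads) come down to a few queries against the History database plus two decoding rules that trip people up: timestamps are microseconds since 1601-01-01 UTC rather than the Unix epoch, and the transition column packs a core type in its low byte with qualifier flags in the high bits (values as defined in Chromium's page_transition_types.h). The example below is added here, not code from the original post; it builds an in-memory database with a reduced, constructed subset of Chrome's schema and rows so it runs offline, then prints a decoded visit timeline and the download records with their full URL chains.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 UTC (the Windows FILETIME
# epoch); treating them as Unix time shifts every timestamp by 369 years.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_iso(microseconds):
    """Convert a Chrome timestamp to an ISO-8601 UTC string (None for 0/NULL)."""
    if not microseconds:
        return None
    return (WEBKIT_EPOCH + timedelta(microseconds=microseconds)).isoformat()


# Low byte = core transition type, high bits = qualifier flags.
CORE_TRANSITIONS = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
                    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
                    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x01000000: "FORWARD_BACK", 0x02000000: "FROM_ADDRESS_BAR",
              0x04000000: "HOME_PAGE", 0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
              0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}


def decode_transition(value):
    core = CORE_TRANSITIONS.get(value & 0xFF, "UNKNOWN")
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, flags


def build_sample_history():
    """In-memory History database: constructed subset of Chrome's schema and rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER, visit_duration INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               end_time INTEGER, received_bytes INTEGER, total_bytes INTEGER,
                               state INTEGER, danger_type INTEGER, referrer TEXT, tab_url TEXT);
        CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "http://short.example/r", "", 1, 1, 13350000000000000, 0),
        (2, "https://files.example/reports", "Reports", 1, 0, 13350000000500000, 0),
        (3, "https://files.example/q3.xlsm", "", 1, 0, 13350000001000000, 0),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?,?)", [
        (1, 1, 13350000000000000, 0, 0x10000001, 0),  # typed in omnibox, starts a chain
        (2, 2, 13350000000500000, 1, 0xA0000000, 0),  # server redirect from visit 1, ends chain
        (3, 3, 13350000001000000, 2, 0x30000000, 0),  # plain link click
    ])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?,?,?)",
                (1, r"C:\Users\analyst\Downloads\q3.xlsm", 13350000001000000,
                 13350000003000000, 48213, 48213, 1, 0,
                 "https://files.example/reports", "https://files.example/reports"))
    con.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://files.example/q3.xlsm"),
        (1, 1, "https://cdn.files.example/blob/7f3a"),
    ])
    con.commit()
    return con


def visits_timeline(con):
    """Visits in time order with decoded transitions; from_visit links redirect chains."""
    rows = con.execute("""SELECT v.id, v.from_visit, u.url, u.title, v.visit_time, v.transition
                          FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time""")
    out = []
    for vid, from_visit, url, title, ts, transition in rows:
        core, flags = decode_transition(transition)
        out.append({"visit_id": vid, "from_visit": from_visit, "url": url, "title": title,
                    "time": webkit_to_iso(ts), "transition": core, "qualifiers": flags})
    return out


def download_records(con):
    """Downloads with the full URL chain; the last element is where the bytes came from."""
    out = []
    for row in con.execute("""SELECT id, target_path, start_time, end_time, received_bytes,
                              total_bytes, state, danger_type, referrer FROM downloads"""):
        chain = [u for (u,) in con.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index", (row[0],))]
        out.append({"target_path": row[1], "start": webkit_to_iso(row[2]),
                    "end": webkit_to_iso(row[3]), "bytes": f"{row[4]}/{row[5]}",
                    "state": row[6], "danger_type": row[7], "referrer": row[8],
                    "url_chain": chain})
    return out


if __name__ == "__main__":
    db = build_sample_history()
    for visit in visits_timeline(db):
        print(visit)
    for download in download_records(db):
        print(download)
```

Against a real case, replace build_sample_history() with sqlite3.connect() on a copy of the History file (never the live one, which Chrome keeps locked and may still be writing). A TYPED visit with CHAIN_START followed by a SERVER_REDIRECT visit is the pattern for "the user typed a short link and was bounced elsewhere"; the url_chain on a download tells you the same story for the file itself.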
Chapter 2: Filling in Evidence Gaps
This phase focuses on less obvious browser artifacts that provide additional context.
Key Steps:
Review Cache Domains: Extract stored website assets and determine access patterns.
Analyze Specific File Types: Identify cached executables, images, and scripts.
Review Cookie Domains: Extract stored cookies and associated metadata.
Search Session Recovery Files: Recover open tabs and recent browser activity.
Analyze Web Data & Shortcuts: Identify autocomplete and stored form data.
Audit Browser Extensions: Extract extension metadata and potential malicious add-ons.
Snapshots Folder: Examine browser snapshots for evidence of activity.
Relevant Files & Formats:
Artifact | File Location (inside the profile folder) | Format |
Cache Data | Cache (newer builds: Cache\Cache_Data) | Chrome disk cache (not SQLite) |
Cookies | Cookies (newer builds: Network\Cookies) | SQLite |
IndexedDB (site storage) | IndexedDB | LevelDB |
Session Data | Sessions\Session_<timestamp>, Tabs_<timestamp> (older builds: Current Session, Last Session, Current Tabs, Last Tabs) | SNSS |
Web Data | Web Data, Shortcuts, Network Action Predictor | SQLite |
Chapter 3: Deep Dive Analysis
Advanced forensic techniques focus on deleted, volatile, and shadowed browser data.
Key Steps:
Search Web Storage: Analyze local storage data for application-based evidence.
Review Sync Data Database: Extract synchronized browsing data across multiple devices.
Audit Chrome Jumplist Entries: Recover recently visited and pinned sites that Windows records in Chrome's taskbar jump list, independent of the browser's own databases.
Carve Deleted SQLite Entries: Extract deleted history, cookies, and other records.
Review Memory-Based Artifacts: Identify browser-related artifacts in volatile memory.
Focus on Incognito Artifacts: Incognito writes no history or cookies to disk, so look to memory, the pagefile and hibernation file for private browsing data.
Targeted Analysis Using Volume Shadow Copies: Pull earlier copies of History, Cookies and other profile databases from shadow copies to recover records that have since been deleted or overwritten.
Relevant Files & Formats:
Artifact | File Location | Format |
Web Storage | Local Storage\leveldb, IndexedDB (inside the profile folder) | LevelDB |
Sync Data | Sync Data (inside the profile folder) | LevelDB |
Deleted Data | Recovered or carved SQLite databases and their freed pages | SQLite |
Jumplist Entries | %AppData%\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms | OLE compound file containing LNK streams |
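The "Carve Deleted SQLite Entries" step works because deleting a row in SQLite normally just marks the cell as free space; the bytes stay in the page until something overwrites them. The example below is added here (not code from the original post): it builds a constructed History-like urls table in a temporary file, deletes one row, and then carves URL strings out of the raw file bytes, once with SQLite's secure_delete pragma off and once with it on. Whether a real Chrome database behaves like the first case or the second depends on how the browser's bundled SQLite was built and configured, so verify on a sample from the same browser version before relying on carving.

```python
import os
import re
import sqlite3
import tempfile

DELETED_URL = "https://deleted.example/private-report"
# Crude carver: a run of printable ASCII that starts like a URL. Raw pages carry
# no column boundaries, so a hit may have the next column (the title) glued to
# its end; trim on a known delimiter or parse the record header for exact cuts.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def build_history_db(path, secure_delete):
    """Constructed History-like urls table (reduced schema); one row is deleted after commit."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA journal_mode = DELETE")
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("""CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                   visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER,
                   hidden INTEGER)""")
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?,?)", [
        (1, "https://news.example/", "Daily News", 4, 1, 13350000000000000, 0),
        (2, DELETED_URL, "Quarterly figures", 1, 0, 13350000001000000, 0),
        (3, "https://mail.example/inbox", "Inbox", 9, 2, 13350000002000000, 0),
    ])
    con.commit()
    con.execute("DELETE FROM urls WHERE id = 2")   # what clearing a history entry does
    con.commit()
    con.close()


def live_urls(path):
    """What a normal SQL query still sees after the delete."""
    con = sqlite3.connect(path)
    try:
        return [u for (u,) in con.execute("SELECT url FROM urls ORDER BY id")]
    finally:
        con.close()


def carve_urls(path):
    """Regex over the raw file: finds strings in freed cells that SQL no longer returns."""
    with open(path, "rb") as f:
        data = f.read()
    return [m.group(0).decode("ascii", "replace") for m in URL_RE.finditer(data)]


def compare_secure_delete():
    """Run the same delete with secure_delete OFF and ON and carve both files."""
    results = {}
    for flag in (False, True):
        path = os.path.join(tempfile.mkdtemp(), "History")
        build_history_db(path, flag)
        results["secure_delete_on" if flag else "secure_delete_off"] = {
            "live": live_urls(path), "carved": carve_urls(path)}
    return results


if __name__ == "__main__":
    for mode, found in compare_secure_delete().items():
        print(mode)
        print("  live  :", found["live"])
        print("  carved:", found["carved"])
```

With secure_delete off the deleted URL is gone from the query result but still present in the file; with it on, SQLite zeroes the freed cell and only the live rows carve out. The same regex run over unallocated disk space, a recovered History file, or a shadow-copy version is the basic form of the carving step; tools like Hindsight's SQLite handling and dedicated SQLite carvers do the same thing with record-header awareness.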
Tools Recommended:
Chrome Analysis Tools: Hindsight, Belkasoft Evidence Center
SQLite Analysis: DB Browser for SQLite
Memory Analysis: Volatility, Rekall
Volume Shadow Copy Analysis: Shadow Explorer
Staying Ahead in Browser Forensics
Browser updates constantly change data storage methods, so forensic tools need to keep up. It's crucial to test tools regularly and manually verify important artifacts when needed.
By understanding the storage structure, key artifacts, and best tools available, forensic analysts can effectively investigate browser activity and uncover critical evidence.
-------------------------------------------Dean-----------------------------------------