top of page
Search

Understanding Chrome's Data Storage and Session Recovery : What Your Browser Remembers

  • Mar 5
  • 4 min read

Most browsers store some auto-complete data, but Chrome takes this to another level by recording a surprising amount of information. Whether it’s search terms, form data, or login credentials, Chrome’s databases capture nearly everything typed by the user.


-----------------------------------------------------------------------------------------------------------


1. Web Data Database: Storing Autofill Information

This database keeps track of information typed into web forms. It includes details like:

  • Email addresses

  • Names

  • Phone numbers

  • Credit card details

  • Login credentials


The key table here is autofill, which saves data entered into forms.

However, one critical thing to note is that it doesn’t link the data to specific websites. Instead, it connects to the form name, meaning it can be used across different sites with similar form structures.


-----------------------------------------------------------------------------------------------------------


2. Shortcuts Database: Recording Omnibox Activity

The Omnibox (Chrome’s address bar) is more than just a search box; it predicts what a user is looking for based on previous activity. This database records:

  • What was typed in the Omnibox

  • Suggestions given by Chrome

  • Sites visited based on those suggestions

  • Last accessed time and frequency of visits


All this data is stored in the omni_box_shortcuts table, providing a history of how a user interacted with the Omnibox.


-----------------------------------------------------------------------------------------------------------


3. Network Action Predictor: Tracking Typed Characters

When Chrome’s Prefetch feature is enabled (to speed up loading times), this database keeps a letter-by-letter record of:


  • What was typed

  • What sites Chrome preloaded in the background

  • How often the browser correctly predicted user intent


For example, if a user starts typing "cyber," Chrome may suggest relevant sites. If the user selects a suggestion, a hit count is stored. This feature provides insights into past browsing activity even if the user never actually visited a page.


-----------------------------------------------------------------------------------------------------------

4. Login Data Database: Storing User Credentials

This database holds login-related data, including:


  • Websites where a user has saved login credentials

  • Dates when passwords were created and last used

  • Even sites where users chose not to save their passwords!

When a user clicks "Never save password" on a site, the database still records that decision. The blacklisted_by_user field is marked as "1" for these sites.


Chrome encrypts saved passwords using Windows DPAPI, but live forensics tools like NirSoft ChromePass can retrieve them while the user is logged in.

-----------------------------------------------------------------------------------------------------------


5. How Prefetching Can Store Unvisited Pages

If Prefetch is enabled, Chrome may download parts of web pages before a user visits them.


While the History database does not record prefetched pages, cached files and cookies may still exist.

Checking the number_of_hits and number_of_misses fields in the Network Action Predictor database can help determine if a page was auto-loaded or actually visited.


-----------------------------------------------------------------------------------------------------------

Browser Session Recovery

Modern web browsers are designed to be more reliable, especially with the rise of tabbed browsing. One key feature that improves reliability is session recovery . This feature ensures that even if your browser crashes, you can restore your open tabs and continue where you left off.


But did you know that session recovery stores a lot of detailed information about your browsing habits?

What Information Can Be Retrieved from Session Recovery?

When forensic analysts examine session recovery data, they can uncover:


  • A list of open tabs from the last session (and sometimes previous sessions too)

  • A detailed history of websites visited in each tab

  • The referring websites for each page visited

  • Session start and end timestamps (varies by browser)

  • HTML, JavaScript, and even form data entered by the user

  • Additional details like browser window size, pinned tabs, and page transition types (e.g., navigating from search results vs. direct URL entry)


Most browsers automatically enable session recovery by default, meaning they continuously save this data. Some users even expand the feature using options like "Continue where you left off."


How Chrome Handles Session Recovery Data

Chrome stores session recovery data in a structured format, evolving over time:


  • Before Chrome version 86: Data was saved in four files: Current Session, Current Tabs, Last Session, and Last Tabs.

  • From Chrome version 86 onward: These files were moved to a Sessions folder and renamed Session and Tabs, each with a timestamp attached to their filename.


This data is stored in a special format called SNSS (Session Saver Format). The purpose of these files is to help the browser recover in case of a crash, as well as enable features like "Reopen Closed Tab."


What Can Be Found in Chrome’s Session Data?

Since session data records browser activity, it contains valuable information such as:


  • URLs visited

  • Original URLs (in case of redirections)

  • Referring pages

  • Page titles

  • Visit counts

  • Form data entered

  • Page transition types (e.g., typed URL vs. clicked link)

Chrome periodically saves and updates this data, meaning the Current Session and Current Tabs files reflect the most recent activity. On the other hand, Last Session and Last Tabs are usually written when the browser is closed, though there are exceptions.


Extracting and Analyzing Session Data for Investigation

Forensic analysts can extract session recovery data to reconstruct browsing behavior. There are two main ways to do this:


  • Using Open-Source Tools:

    • The Chromagnon project was one of the first open-source tools developed to parse Chrome’s SNSS files. However, it hasn’t been updated in years and lacks full support for timestamps and page titles.


  • Using String Extraction Methods:

    • A simpler way to analyze these files is by extracting strings using tools like SysInternals' strings.exe. However, this method has a downside: it does not preserve metadata or relationships between tabs.


Best commercial tools:
Magnet AXIOM or belkasoft is best tool to parse sessions information

Future of SNSS Parsing

Parsing SNSS files is still an underdeveloped area in Chrome forensics. While commercial tools exist, a more robust open-source solution is needed to improve accuracy and recover additional metadata.


Conclusion

Session recovery is an essential feature in modern browsers, but it also leaves behind a detailed digital footprint. Understanding how Chrome stores and manages session data allows forensic analysts to reconstruct user activity, making it a valuable resource in digital investigations. Whether using open-source tools like Chromagnon or manual string extraction, session data can provide deep insights into a user’s browsing history and behavior.

------------------------------------------------------------------------------------------------------------

Stay with me we will continue about Google forensic in next article.

-----------------------------------------------------------------------------------------------------------


 
 
 
bottom of page