top of page
Search

Understanding Chrome Synchronization: A Digital Forensics Perspective

  • Mar 6
  • 3 min read

What is Chrome Synchronization?

Chrome synchronization is a feature that allows users to access their browsing data across multiple devices using their Google account. This includes bookmarks, history, passwords, and even open tabs. While this feature is highly convenient for users, it also creates a rich source of forensic artifacts that can be examined during investigations.


How Chrome Sync Works

When a user logs into Chrome with their Google account, synchronization is enabled by default unless they opt out during installation. This means that data from one device can be instantly available on another, even if Chrome is not actively running.


To view the currently synchronized data on a running Chrome instance,


users can visit chrome://sync-internals/ in their browser.

-------------------------------------------------------------------------------------------------------------

Where to Look for Sync Settings?

Chrome stores sync-related preferences in a JSON-based Preferences file.


This file contains a "sync" section that details what is being synchronized and when it was last updated (stored in WebKit time format).


However, many settings are only visible if they have been manually changed from the default.


-------------------------------------------------------------------------------------------------------------

What Data Does Chrome Sync?

Chrome syncs various types of user data, including:


  • Browsing history (only URLs typed directly in the address bar)

  • Bookmarks

  • Preferences

  • Extensions

  • Passwords (Login Data)

  • Auto-complete data (Web Data)

  • Open tabs from other devices

A modern Chrome version (post-2019) uses a LevelDB database within the Chrome Sync Data folder to temporarily store data before syncing it to the cloud. However, this database is not meant to store large amounts of user data.


-------------------------------------------------------------------------------------------------------------


What Data Does Chrome NOT Sync?

Several important artifacts do not get synchronized across devices, including:


  • Download history

  • Cookies

  • Keywords typed into search engines (keyword_search_terms)

  • Omnibox suggestions (Shortcuts database)

  • Prefetched data analytics (Network Action Predictor)

  • Certain Chrome Preferences (e.g., media engagement, per-site zoom levels)


-------------------------------------------------------------------------------------------------------------


How to Identify Synced vs. Local Data

Forensic investigators can determine if a browsing entry was locally created or synced from another device by examining the visit_source table in Chrome’s history database. This table contains:

  • Source 0: Visits synced from other Chrome devices

  • Source 1: Local visits (not typically recorded for efficiency)

  • Source 2: Visits from Chrome extensions

  • Source 3: Data imported from Firefox

  • Source 4: Data imported from Internet Explorer

  • Source 5: Data imported from Safari

  • Source 6: Data imported from Chrome (used by Chromium Edge)

  • Source 7: Data imported from EdgeHTML


Entries that are locally created do not appear in this table, making it easier to distinguish synced data from locally generated browsing history.


-------------------------------------------------------------------------------------------------------------

Does Clearing Browsing Data Remove Synced Data?

If a user clears their browsing data on one device, it does not necessarily mean the data is removed everywhere. The outcome depends on Chrome’s version and the settings chosen by the user.


  • On the local system, most data is deleted, but some settings in the Preferences file and bookmarks remain.

  • On synced devices, nearly all synced data is removed except for non-synced artifacts like cached files, download history, and cookies.

  • Older Chrome versions were not as effective at clearing synced data, leaving residual information in databases like SyncData.sqlite3.


-------------------------------------------------------------------------------------------------------------


What Happens When a User Signs Out?

When a user signs out of their Google account, synchronization stops for that browser instance. However, data remains on the device unless explicitly cleared. Other synced devices retain the browsing history unless the user performs a Reset Sync from their Google Dashboard, a little-known option.


Key Takeaways

  • Chrome sync is a powerful feature that allows users to access their data across multiple devices, but it also leaves behind valuable forensic artifacts.

  • The visit_source table helps identify whether an entry was synced or locally created.

  • Not all Chrome data is synced—download history, cookies, and search terms remain local.

  • Clearing browsing data does not always erase all synchronized data across devices.

  • Signing out of a Google account stops sync but does not delete previously synchronized data from other devices.


Conclusion

Understanding Chrome synchronization is essential for digital forensics. Whether investigating user behavior or tracking historical data, Chrome’s sync feature provides a valuable trail of artifacts. Investigators must be aware of what data is synced, where it is stored, and how it can be distinguished from locally generated data.


---------------------------------------------Dean---------------------------------------------------

 
 
 

Comments

bottom of page