
Understanding Modern Browser Storage and Chrome's Preferences File for Forensic Investigations

  • Mar 4

Browsers have evolved beyond just displaying web pages; they now support complex web applications, cloud-based documents, and productivity tools. To make these features work smoothly, websites store increasing amounts of data directly on a user’s device. This client-side storage has grown significantly, often surpassing the traditional browser cache. Despite its importance, forensic investigations have largely overlooked this area because analyzing browser storage can be challenging, and most forensic tools don't fully support it.


--------------------------------------------------------------------------------------------------------


1. Cookies: The Oldest Storage Method

Cookies have been around for decades and remain a critical component of the web. Since web pages don’t have memory on their own, cookies help websites remember user activity, authentication details, and preferences. This is why you don’t have to log in every time you visit a site.


Forensic Value of Cookies:

  • They provide timestamps for when a user first and last visited a website.

  • They store authentication tokens, session data, and user preferences.

  • Even when browser history is deleted, cookies can still retain records of visited sites.

  • Some sites use “third-party” cookies to track user activity across different websites.


Cookies in modern browsers like Chrome are stored in a single SQLite database named Cookies.
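The first/last-visit point above can be checked with a short query. This is an added example, not code from the original article: it builds a constructed in-memory stand-in with a subset of the Cookies table's columns (host_key, name, creation_utc, last_access_utc, encrypted_value) and treats the timestamps as microseconds counted from 1601-01-01 UTC, which is how Chrome writes them. The function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Convert a Chrome timestamp (microseconds since 1601-01-01 UTC); 0 means unset."""
    value = int(value)
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None

def cookie_timeline(conn):
    """Return (host, first_created, last_accessed, cookie_count), oldest host first."""
    rows = conn.execute(
        "SELECT host_key, MIN(creation_utc), MAX(last_access_utc), COUNT(*) "
        "FROM cookies GROUP BY host_key ORDER BY MIN(creation_utc)"
    ).fetchall()
    return [(h, webkit_to_utc(c), webkit_to_utc(a), n) for h, c, a, n in rows]

def build_sample_db():
    """Constructed sample data; the cookie values stay encrypted and are not needed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cookies (host_key TEXT, name TEXT, "
                 "creation_utc INTEGER, last_access_utc INTEGER, encrypted_value BLOB)")
    conn.executemany("INSERT INTO cookies VALUES (?, ?, ?, ?, ?)", [
        (".example.com", "sid", 13348540800000000, 13348627200000000, b""),
        (".example.com", "pref", 13348584000000000, 13348584000000000, b""),
        ("tracker.test", "id", 13348627200000000, 13348627200000000, b""),
    ])
    return conn

if __name__ == "__main__":
    # On a case, query a working copy opened read-only instead, e.g.
    # sqlite3.connect("file:Cookies?mode=ro", uri=True)
    for host, first, last, count in cookie_timeline(build_sample_db()):
        print(f"{host:15} first={first} last={last} cookies={count}")
```

The host list survives a history wipe only if the Cookies database itself was not cleared, so compare it against the History database rather than relying on either alone.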




Chrome's Evolving Storage Locations

Chrome periodically updates how and where it stores data. For example:

  • In version 33, Chrome began encrypting cookie values.

  • In version 61, LocalStorage moved from SQLite to LevelDB.

  • In version 96, the Cookies database was relocated to the Network folder.




----------------------------------------------------------------------------------------------------------


2. HTML5 Web Storage (LocalStorage & SessionStorage)

As web applications became more advanced, cookies were no longer enough. The HTML5 Web Storage API introduced LocalStorage and SessionStorage, offering significantly more storage space (up to 10MB per website).


LocalStorage vs. SessionStorage:

  • LocalStorage: Data persists even after the browser is closed.

  • SessionStorage: Data is cleared once the browser session ends.


Forensic Value of Web Storage:

  • Stores authentication tokens and user settings.

  • Can retain session-related data like form inputs or shopping cart items.

  • May contain geolocation details and user tracking information.


In Chrome, LocalStorage and SessionStorage data are saved in LevelDB databases, which can be found under the Local Storage and Session Storage folders:

%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
%UserProfile%\AppData\Local\Google\Chrome\User Data\Default\Session Storage

Logs are stored in idb format

----------------------------------------------------------------------------------------------------------


Local Storage vs IndexedDB – What’s the Difference?


Initially, Local Storage was designed to improve upon cookies. It allowed websites to store more data locally, but it was still limited in structure. Then came IndexedDB, a much more advanced storage system that changed the game.


  • Local Storage: A simple key-value store, mostly used for small data like user preferences or session states.

  • IndexedDB: A full-fledged database that supports a wide variety of data types, including text, integers, and even binary files.


IndexedDB allows websites to store much larger amounts of data. For example, Chrome can allocate up to 60% of a user’s disk space per domain! It also enables websites to function offline, making it a prime target for forensic analysis.

Where to Find IndexedDB Data in Chrome:

%UserProfile%\AppData\Local\Google\Chrome\User Data\<Profile>\IndexedDB

IndexedDB doesn’t maintain a single database. Instead, each website (or domain) gets its own LevelDB database. This makes forensic investigation complex.

----------------------------------------------------------------------------------------------------------


Why Is IndexedDB Hard to Analyze?

One major challenge with IndexedDB forensics is that no good free tools exist for easy analysis. Since every website has its own LevelDB database, you could be looking at thousands of small databases spread across gigabytes of data.


Another complication is that websites can store binary blobs (files) inside IndexedDB, including images, documents, or even databases. Some of these files are compressed using the Snappy algorithm, making it harder to retrieve meaningful information without proper decompression.
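Before parsing anything, it helps to inventory the per-origin stores so the large or recently written ones can be prioritised. The script below is an added example, not from the original article or any of the tools it names. It assumes the folder naming scheme_host_port.indexeddb.leveldb (with a matching .indexeddb.blob folder for binary blobs, and port 0 for the default port); the function names and the sample tree are constructed for illustration.

```python
import os
from datetime import datetime, timezone

SUFFIXES = (".indexeddb.leveldb", ".indexeddb.blob")

def parse_store(folder_name):
    """'https_example.com_0.indexeddb.leveldb' -> ('https://example.com', 'leveldb')."""
    for suffix in SUFFIXES:
        if folder_name.endswith(suffix):
            scheme, _, rest = folder_name[: -len(suffix)].partition("_")
            host, _, port = rest.rpartition("_")
            origin = f"{scheme}://{host}" + ("" if port == "0" else f":{port}")
            return origin, suffix.rsplit(".", 1)[1]
    return None  # not an IndexedDB store folder

def inventory(indexeddb_dir):
    """Summarise each per-origin store: file count, total bytes, newest mtime (UTC)."""
    report = {}
    for name in sorted(os.listdir(indexeddb_dir)):
        path = os.path.join(indexeddb_dir, name)
        store = parse_store(name) if os.path.isdir(path) else None
        if store is None:
            continue
        stats = [os.stat(os.path.join(root, f))
                 for root, _, files in os.walk(path) for f in files]
        newest = max((s.st_mtime for s in stats), default=None)
        report[store] = {
            "files": len(stats),
            "bytes": sum(s.st_size for s in stats),
            "newest": datetime.fromtimestamp(newest, timezone.utc) if newest else None,
        }
    return report

def build_sample(root):
    """Constructed stand-in for a copied <Profile>/IndexedDB folder."""
    for name, size in (("https_example.com_0.indexeddb.leveldb", 300),
                       ("https_example.com_0.indexeddb.blob", 5000),
                       ("http_localhost_8080.indexeddb.leveldb", 40)):
        os.makedirs(os.path.join(root, name))
        with open(os.path.join(root, name, "000003.log"), "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as root:  # run against a working copy on a case
        build_sample(root)
        for (origin, kind), info in inventory(root).items():
            print(origin, kind, info["files"], info["bytes"], info["newest"])
```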


----------------------------------------------------------------------------------------------------------


3. The "WebStorage" and "Storage Buckets" Mystery

Newer versions of Chrome have introduced a WebStorage folder, which contains additional IndexedDB and browser cache data.


Experts believe this is tied to a feature called Storage Buckets, where sites can assign priorities to stored data and delete them selectively. This means forensic analysts now need to check yet another location when searching for persistent browser artifacts.


----------------------------------------------------------------------------------------------------------



4. Chrome’s File System API – Another Hidden Storage Mechanism

In addition to Local Storage and IndexedDB, Chrome also implements the File System API, allowing sites to store larger files. This is particularly useful for:


  • Cloud-based services like Google Docs (for offline access)

  • File-sharing platforms like Mega.nz (for temporary storage)


Forensic analysis of the File System API starts with the Origins folder, which tracks which websites have stored files and where they are located.



This structure means websites can store user files without them being easily detectable, making forensic recovery more challenging but also valuable for investigations.


----------------------------------------------------------------------------------------------------------


5. How to Analyze Browser Storage?

Since IndexedDB and LevelDB data are tricky to parse, investigators rely on a few specialized tools:


  • Hindsight (by Ryan Benson): Parses Local Storage, Session Storage, and some LevelDB data.



  • Leveldb-py (by Mark McKinnon): Provides a GUI viewer for LevelDB databases.

  • Magnet AXIOM: A commercial forensic suite with limited LevelDB support.



----------------------------------------------------------------------------------------------------------


Chrome's Preferences File

Google Chrome stores a lot of user activity data, and one of the most valuable files for forensic analysis is the Preferences file. This file continuously updates as the browser runs, capturing settings, behaviors, and interactions. It is stored in JSON format, making it easy to read with a proper JSON viewer.


Where to Find the Preferences File

The Chrome Preferences file is located in the user’s profile directory:

  • Windows: C:\Users\<Username>\AppData\Local\Google\Chrome\User Data\Default\Preferences

  • Mac: /Users/<Username>/Library/Application Support/Google/Chrome/Default/Preferences

  • Linux: ~/.config/google-chrome/Default/Preferences


Since it’s a JSON file, tools like Notepad++ with the JSTool plugin can help visualize the data in a tree format for easier analysis. Alternatively, you can use an online JSON viewer.


-------------------------------------------------------------------------------------------------------------


Key Information Stored in the Preferences File

The Preferences file contains thousands of entries, some of which can reveal crucial forensic insights. Here are some of the most valuable data points:


1. Evidence of Deleted Data

  • clear_data – Tracks whether a user has cleared browsing data.

    • Values:

      • 0 = Last hour

      • 1 = Last 24 hours

      • 2 = Last 7 days

      • 3 = Last 4 weeks

      • 4 = All time

  • If this entry is missing, it means no data was cleared.


2. File Interaction

  • savefile – The last location where a file was saved.

  • selectfile – The last file opened from the browser.


3. Search and Prediction Data

  • search_prefetch – Stores cached search queries to improve future predictions. These can persist even after clearing search history.

  • zerosuggest – Tracks recent search terms across synced devices. This data is often encoded in Base64 and may include images.


4. Site-Specific Settings and Behavior

  • content_settings – This massive section records:

    • Sites visited

    • Parameters saved for those sites

    • Special permissions granted

  • per_host_zoom_levels – Tracks sites where the user adjusted the zoom level. This data is not removed when clearing history.

  • geolocation – Records which sites have permission to track the user’s location.

  • media_engagement – Captures interactions with audio and video content (e.g., how long a video played, if the sound was muted).

  • site_engagement – Measures user engagement with websites, including timestamps of the last meaningful interaction.

  • sound – Lists websites the user has permanently muted.

  • notifications – Stores data on websites that requested notification access, including whether the request was accepted or denied.

  • media_stream_camera & media_stream_mic – Tracks websites granted access to the webcam and microphone.

5. Google Account and Sync Information

  • account_info – Lists Google accounts signed into Chrome.

  • signin – Stores authentication data related to the Google account in use.

  • last_synced_time – Captures the last time data was synchronized to Google’s cloud services.



-------------------------------------------------------------------------------------------------------------

Why This Data Matters in Forensics

Investigators can extract a timeline of user activity from the Preferences file, even if history has been deleted. For example:


  • The per_host_zoom_levels entry shows engagement with specific websites, which can indicate intent.

  • clear_data reveals attempts to erase digital traces.

  • search_prefetch and zerosuggest help reconstruct search behavior.


-------------------------------------------------------------------------------------------------------------


How to Read WebKit Timestamps

Many timestamps in the Preferences file are stored in WebKit format, which represents the number of seconds since January 1, 1601 (instead of 1970 like UNIX time). Converting these timestamps helps establish precise activity timelines.


-------------------------------------------------------------------------------------------------------------


Mapping Zoom Levels to Actual Zoom Percentage

Users adjusting zoom levels is a sign of engagement with a website. Here’s how zoom levels translate:

zoom_level Value    Zoom Percentage
-1.57               75%
0.52                110%
1.22                125%
2.22                150%
3.06                175%
3.80                200%

If a user returns zoom to 100%, the entry disappears from the Preferences file, which can be useful in investigations.
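The timestamp conversion and the zoom table above can be applied to a Preferences file in one pass. This is an added example, not code from the original article: it goes beyond the six table rows by using the general relation zoom factor = 1.2 ** zoom_level, which reproduces every row, and it reads timestamps as microseconds counted from the 1601 epoch, which is how Chrome writes them (usually as decimal strings). The sample JSON, its nesting and the function names are constructed; the code searches for per_host_zoom_levels at any depth rather than assuming a fixed path.

```python
import json
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Convert a Chrome timestamp (microseconds since 1601-01-01 UTC) to a datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))

def zoom_percent(level):
    """Zoom factor is 1.2 ** zoom_level, so level 0 is 100%."""
    return round(100 * 1.2 ** float(level))

def find_key(node, key):
    """Yield every value stored under `key`, at any depth of the JSON tree."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_key(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_key(item, key)

def zoom_report(prefs):
    """Return (host, zoom %, last_modified UTC or None) for each zoomed host."""
    rows = []
    for section in find_key(prefs, "per_host_zoom_levels"):
        stack = [("", section)]
        while stack:
            host, entry = stack.pop()
            if isinstance(entry, dict) and "zoom_level" in entry:
                ts = entry.get("last_modified")
                rows.append((host, zoom_percent(entry["zoom_level"]),
                             webkit_to_utc(ts) if ts else None))
            elif isinstance(entry, dict):
                stack.extend(entry.items())
    return sorted(rows, key=lambda r: r[0])

# Constructed sample, not taken from a real profile.
SAMPLE = json.loads("""
{"partition": {"per_host_zoom_levels": {"x": {
  "docs.example": {"last_modified": "13348584000000000", "zoom_level": 1.22},
  "news.example": {"zoom_level": -1.57}}}}}
""")

if __name__ == "__main__":
    for row in zoom_report(SAMPLE):
        print(row)
```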


-------------------------------------------------------------------------------------------------------------


Conclusion

Browser storage has evolved beyond simple cookies into a complex web of databases, binary blobs, and hidden caches. Forensic analysis of modern web storage requires specialized tools and expertise, but it can uncover critical evidence in investigations. Whether it’s IndexedDB, File System API, or Storage Buckets, understanding where and how data is stored is key to unlocking valuable forensic insights.


The Chrome Preferences file is a goldmine for forensic investigations. Even when users attempt to erase their tracks, remnants of their activity often remain. Understanding this file's structure can help forensic analysts uncover critical evidence, reconstruct timelines, and prove user intent. If you’re conducting an investigation, make sure to extract and analyze this file—it could hold the missing piece of the puzzle!

-------------------------------------------------------------------------------------------------------------

Stay with me; we will continue with Google forensics in the next article.

-----------------------------------------------Dean------------------------------------------------------


 
 
 
