Difference between pages "Google Chrome" and "Windows SuperFetch Format"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(MEMO file)
 
Line 1: Line 1:
Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.
+
{{expand}}
  
== Configuration ==
+
== MEMO file ==
The Google Chrome configuration can be found in the '''Preferences''' file.
+
Th MEMO file consists of:
 +
* file header
 +
* compressed blocks
  
On Linux
+
=== File header ===
<pre>
+
The file header is 84 bytes of size and consists of:
/home/$USER/.config/google-chrome/Default/Preferences
+
{| class="wikitable"
</pre>
+
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
On MacOS-X
+
=== Compressed blocks ===
<pre>
+
The file header is followed by compressed blocks:
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
+
{| class="wikitable"
</pre>
+
|-
 
+
! Offset
On Windows XP
+
! Size
<pre>
+
! Value
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
+
! Description
</pre>
+
|-
 
+
| 0
On Windows Vista and later
+
| 4
<pre>
+
|
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
+
| Compressed data size
</pre>
+
|-
 
+
| 4
Or for '''Chromium'''
+
| ...
 
+
|
On Linux
+
| Compressed data
<pre>
+
|-
/home/$USER/.config/chromium/Default/Preferences
+
|}
</pre>
+
 
+
On MacOS-X
+
<pre>
+
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
+
</pre>
+
 
+
On Windows XP
+
<pre>
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
+
</pre>
+
 
+
On Windows Vista and later
+
<pre>
+
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
+
</pre>
+
 
+
=== Plugins ===
+
 
+
Information about plugins can be found under the "plugins section" of the Preferences file.
+
 
+
=== DNS Prefetching ===
+
 
+
DNS is prefetched for related sites, e.g. links on the page.
+
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.
+
 
+
If enabled the Preferences file contains:
+
<pre>
+
  "dns_prefetching": {
+
      "enabled": true,
+
</pre>
+
 
+
If disabled the Preferences file contains:
+
<pre>
+
  "dns_prefetching": {
+
      "enabled": false,
+
</pre>
+
 
+
== Start-up DNS queries ==
+
 
+
When Chrome starts it queries for several non-existing hostnames that consists of a 10 random characters, E.g.
+
<pre>
+
ttrgoiknff.mydomain.com
+
bxjhgftsyu.mydomain.com
+
yokjbjiagd.mydomain.com
+
</pre>
+
 
+
This is used to determine if your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].
+
 
+
== Disk Cache ==
+
The Google Chrome disk cache can be found in:
+
 
+
On Linux
+
<pre>
+
/home/$USER/.config/google-chrome/Default/Application Cache/Cache/
+
</pre>
+
 
+
On MacOS-X
+
<pre>
+
/Users/$USER/Caches/Google/Chrome/Default/Cache/
+
</pre>
+
 
+
On Windows XP
+
<pre>
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
+
</pre>
+
 
+
On Windows Vista and later
+
<pre>
+
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\
+
</pre>
+
 
+
The Chrome Cache contains different files with the following file names:
+
* index
+
* data_#; where # contains a decimal digit.
+
* f_######; where # contains a hexadecimal digit.
+
 
+
For more info see Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].
+
 
+
== History ==
+
Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].
+
 
+
The '''History''' file can be found in same location as the '''Preferences''' file.
+
 
+
There is also '''Archived History''' that predates information in the '''History''' file.
+
Note that the '''Archived History''' only contains visits.
+
 
+
=== Timestamps ===
+
The '''History''' file uses the different timestamps.
+
 
+
==== visits.visit_time ====
+
 
+
The '''visits.visit_time''' is in (the number of) microseconds since January 1, 1601 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1601, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
 
+
Note that this timestamp is not the same as a Windows filetime which is (the number of) 100 nanoseconds since January 1, 1601 UTC
+
 
+
==== downloads.start_time ====
+
 
+
The '''downloads.start_time''' is in (the number of) seconds since January 1, 1970 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( seconds=timestamp )
+
</pre>
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the visited sites:
+
<pre>
+
SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
+
</pre>
+
 
+
Note that the visit_time conversion looses precision.
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT datetime(downloads.start_time, "unixepoch"), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
+
</pre>
+
 
+
How the information of the downloaded files is stored in the database can vary per version of Chrome as of version 26:
+
<pre>
+
SELECT datetime(((downloads.start_time/1000000)-11644473600), "unixepoch"), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes \
+
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
+
</pre>
+
  
 
== See Also ==
 
== See Also ==
 
+
* [[SuperFetch]]
* [[SQLite database format]]
+
  
 
== External Links ==
 
== External Links ==
* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
+
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
+
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
+
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article random 10 character hostnames on startup]
+
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
+
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]], January 21, 2010
+
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
+
* [http://www.obsidianforensics.com/blog/history-index-files-removed-from-chrome/ History Index files removed from Chrome v30], by Ryan Benson, October 2, 2013
+
  
[[Category:Applications]]
+
[[Category:File Formats]]
[[Category:Web Browsers]]
+

Revision as of 12:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Contents

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links