Difference between pages "Palm" and "Google Chrome"

From ForensicsWiki

Palm

Overview

A Palm is commonly referred to as a small-scale (hand-held) computer that runs Palm's PalmOS software.

The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:

  • The reference hardware design
  • The device operating system, called the Palm OS software
  • The HotSync conduit data synchronization technology
  • The platform component tools, including an application programming interface (API) that enables developers to write applications
  • The software interface capabilities to support hardware add-ons

(http://www.palm.com/us/company/pr/2000/092000.html, 2000)

History

Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan. The original purpose of the company was to create handwriting recognition software (Graffiti) for other devices. The initial idea for the devices came from Hawkins' habit of carrying a block of wood in his pocket.

The initial Palm device, released in 1996, was called the Pilot. Because Pilot Pen Corporation brought a trademark infringement case, the second-generation device released in 1997 was named the PalmPilot.

The Palm was not the original PDA device released, but it benefited from the failure of Apple's Newton.

The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks. As later versions were released, more features were added. Here is a list of various Palm OS releases:

  • Version 3.1, 3.3, 3.5: added support for color, multiple expansion ports, new processors, etc.
  • Version 4.0: added a standard interface for external file system access.
  • Version 5.0: first version to support Acorn RISC Machine (ARM) devices. Later versions, which included OS 5.2, featured Graffiti 2. It began the separation of the Palm OS business (PalmSource) from the hardware business (palmOne).
  • Version 6.x (Cobalt): developed as the successor to Palm OS 5; at the time of writing no devices had been released using Palm OS 6.

Features

  • Address Book: keeps track of the user's contacts. Synchronized via HotSync Manager.
  • Calculator: basic four-function calculator.
  • Datebook: tracks appointments, birthdays and other important dates during the year. Synchronized via HotSync Manager.
  • Expenses: keeps track of your spending habits.
  • HotSync: application that runs on a desktop or portable PC or Mac so that calendars and contacts can easily be synchronized with the Palm device.
  • Memo Pad: write short notes.
  • Note Pad: scribble notes in your own handwriting.
  • To Do List: create a check list of items to accomplish. Synchronized via HotSync Manager.
  • Palm Photos: photo manager that allows sharing of photos between multiple Palm devices.

Palm Pilot

The original creators of the Palm Pilot were Jeff Hawkins, Donna Dubinsky, and Ed Colligan. The idea for the Palm Pilot came from a block of wood with writing on it that Jeff Hawkins carried around.

  Model                     Processor                    Memory   Palm OS
  Palm Pilot 1000           Motorola 68328 (Dragonball)  128 KB   1.0
  Palm Pilot 5000           Dragonball                   512 KB   1.0
  Palm Pilot Personal       Dragonball                   512 KB   2.0
  Palm Pilot Professional   Dragonball                   1 MB     2.0

3Com Audrey

The 3Com Audrey was created as a kitchen computer in 2000-2001. It was mainly used to access the Internet. 3Com withdrew it within a year and the Audrey was no more. One notable aspect of the Audrey is how readily people can hack it: they have turned it into anything from a web server to a chat client. It runs QNX with Palm OS extensions, which is what makes it so easy to modify.

It runs on the Intel-compatible Cyrix MediaGX processor. It uses Palm's HotSync technology to update the address book and date book with up to two Palms simultaneously. It uses a USB Ethernet controller to connect to the Internet. It also has built-in stereo speakers to play digital and streaming music. Data is entered either with the clear stylus or with the pull-out wireless keyboard; Graffiti is not used.

It was discontinued on March 21, 2001. However, an active Audrey enthusiast community remains today.

Fossil

This is a digital watch with Palm OS version 4.1 installed. It was sold under two brands: Abacus and Fossil.

  Operating System   Memory   LCD Dimensions             Other Notable Features
  Palm OS 4.1        8 MB     160 x 160 with backlight   Touch screen; 3-way rocker and back button; USB for Windows and Macintosh; infrared port; 3-hour lifespan between charges

Garmin

Kyocera

Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. After the acquisition, Kyocera and Palm Inc. reached an agreement to license the Palm OS platform, which is the foundation for Kyocera's suite of smartphones.

QualComm

In September 1998, QUALCOMM introduced the pdQ smartphone, the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM's CDMA handset business was later bought by Kyocera in February 2000.

Samsung

Sony Clié

Symbol

TapWave

TRG

Handspring Visor

The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after disputes with the parent company 3Com. As a result, the trio founded Handspring in 1998. The first product, released in 1999, was the Handspring Visor, a clone of the original PalmPilot with minor additions that ran a licensed Palm OS. Among its most prominent features were USB support and an expansion slot for memory cards, neither of which was yet common at the time.

The Visor line includes:

  • Visor and Visor Deluxe
  • Visor Prism
  • Visor Platinum
  • Visor Edge
  • Visor Neo
  • Visor Pro

Treo

Palm manufactures a variety of devices, including the LifeDrive, the Treo 650 and 700w, the Palm Z22 and TX, and the Tungsten E2. Each of these devices is marketed at a different segment of the market. For example, the LifeDrive contains a 4 GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s; it also includes integrated Wi-Fi and Bluetooth. The Treo 650 and 700w are the company's smartphones: the Treo 650 runs Palm OS, while the 700w runs Windows Mobile. The Z22, TX and Tungsten E2 are primarily designed as personal organizers.

Forensics

Forensics for Palm devices is a nascent field. There are several tools available for the image acquisition and analysis of Palm devices.

EnCase

EnCase, published by Guidance Software, is a complete digital forensics software package that handles all steps of the investigative process, from acquisition to report creation. The software includes built-in capabilities for MD5 hashing, data carving, deleted file recovery and many other functions.

Although traditionally relegated to the realm of desktop computer forensics investigations, EnCase does support the acquisition and analysis of a limited number of Palm devices.

Paraben

Paraben has a software application specifically designed for PDA forensics, PDA Seizure. This comprehensive tool allows PDA data to be acquired, viewed and reported on, all within a Windows environment. The software comes equipped with quite a few key features, including the ability to encrypt saved case files, BlackBerry OS support, built-in recovery of Palm passwords, enhanced viewing of file data, and complete physical and logical acquisition of Palm PDA devices. It has a few drawbacks, in that some of the material acquired from the PDAs is hard to interpret for a person who is not computer savvy. On the other hand, it has features such as a search function: enter a search term and PDA Seizure brings up all files that contain it, which lets the investigator look for case-specific information easily and quickly.

References

  • http://www.answers.com/topic/palm-os
  • http://www.palm.com/us/
  • http://www.encase.com
  • http://www.paraben.com
  • http://en.wikipedia.org/wiki/Palm_(PDA)
  • http://www.etech4sale.com/products/partinfo-id-116929.html
  • http://www.noodlebug.demon.co.uk/goingmob/orpilot.htm

Google Chrome

Revision as of 00:51, 20 April 2013

Google Chrome is a web browser developed by Google Inc.

Configuration

The Google Chrome configuration can be found in the Preferences file.

On Linux

/home/$USER/.config/google-chrome/Default/Preferences

On MacOS-X

/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

On Windows Vista and later

C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences

Or for Chromium

On Linux

/home/$USER/.config/chromium/Default/Preferences

On MacOS-X

/Users/$USER/Library/Application Support/Chromium/Default/Preferences

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences

On Windows Vista and later

C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences

Plugins

Information about plugins can be found under the "plugins" section of the Preferences file.

DNS Prefetching

Chrome resolves DNS names ahead of time for related sites, e.g. the links on the current page. This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.

If enabled the Preferences file contains:

   "dns_prefetching": {
      "enabled": true,

If disabled the Preferences file contains:

   "dns_prefetching": {
      "enabled": false,

Start-up DNS queries

When Chrome starts it queries several non-existent hostnames, each consisting of 10 random characters, e.g.

ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com

Chrome uses the answers to determine whether your ISP is hijacking NXDOMAIN results [1].
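These start-up probes matter to anyone reading DNS logs: three NXDOMAIN lookups for random ten-letter labels from one client within a second or two are exactly what a domain-generation algorithm also produces, so they are a recurring false positive, and if the same probes resolve instead of failing, the resolver is rewriting NXDOMAIN, which is the condition Chrome is testing for. The script below is an added example written for this page, not Chrome's own logic or a tool the page describes. The log format (timestamp, client, name, rcode, optional answer), the sample lines, and the heuristic constants (three probes, ten lowercase letters, a ten-second window) are assumptions derived from the hostnames shown above; adjust them to your resolver's log format and the Chrome version in use.

```python
"""Pick Chrome's start-up NXDOMAIN probes out of a DNS query log (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured traffic). Fields: timestamp client qname rcode [answer]
SAMPLE_LOG = """\
2013-04-20T00:51:02 10.0.0.5 ttrgoiknff.mydomain.com NXDOMAIN
2013-04-20T00:51:02 10.0.0.5 bxjhgftsyu.mydomain.com NXDOMAIN
2013-04-20T00:51:03 10.0.0.5 yokjbjiagd.mydomain.com NXDOMAIN
2013-04-20T00:51:04 10.0.0.5 www.google.com NOERROR 74.125.0.1
2013-04-20T08:12:30 10.0.0.7 hqzmxpwvtl.mydomain.com NOERROR 198.51.100.7
2013-04-20T08:12:30 10.0.0.7 bjdfglpoqa.mydomain.com NOERROR 198.51.100.7
2013-04-20T08:12:31 10.0.0.7 zxqrwptmkl.mydomain.com NOERROR 198.51.100.7
2013-04-20T00:53:10 10.0.0.9 kqzmxpwvtl.example.net NXDOMAIN
2013-04-20T00:58:41 10.0.0.9 wjdfglpoqa.example.net NXDOMAIN
2013-04-20T01:02:07 10.0.0.9 pmtrwqzxkl.example.net NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S+))?$")
# Heuristic constants (assumptions based on the page's example): three probes of ten
# lowercase letters each, sent together when the browser starts.
RANDOM_LABEL_RE = re.compile(r"^[a-z]{10}$")
PROBE_COUNT = 3
PROBE_WINDOW = timedelta(seconds=10)


def parse_log(text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode, answer = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "rcode": rcode, "answer": answer})
    return records


def split_random_label(qname):
    """Return (label, parent) when the first label looks like a Chrome probe, else None."""
    label, _, parent = qname.partition(".")
    if parent and RANDOM_LABEL_RE.match(label):
        return label, parent
    return None


def find_chrome_probes(records):
    """One finding per burst of PROBE_COUNT random-label queries from one client under one parent."""
    groups = defaultdict(list)
    for r in records:
        parts = split_random_label(r["qname"])
        if parts:
            groups[(r["client"], parts[1])].append(r)
    findings = []
    for (client, parent), rs in groups.items():
        rs.sort(key=lambda r: r["ts"])
        i = 0
        while i + PROBE_COUNT <= len(rs):
            burst = rs[i:i + PROBE_COUNT]
            if burst[-1]["ts"] - burst[0]["ts"] > PROBE_WINDOW:
                i += 1          # too spread out to be one start-up; slide the window
                continue
            answers = sorted({r["answer"] for r in burst if r["rcode"] != "NXDOMAIN" and r["answer"]})
            findings.append({"client": client, "parent": parent, "start": burst[0]["ts"],
                             "qnames": [r["qname"] for r in burst],
                             # Probes that resolve mean the resolver is rewriting NXDOMAIN.
                             "hijacked": bool(answers), "answers": answers})
            i += PROBE_COUNT
    return findings


def unexplained_random_queries(records, findings):
    """Random-label queries not covered by a start-up burst: candidates for DGA follow-up."""
    explained = {(f["client"], q) for f in findings for q in f["qnames"]}
    return sorted({(r["client"], r["qname"]) for r in records
                   if split_random_label(r["qname"]) and (r["client"], r["qname"]) not in explained})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    found = find_chrome_probes(recs)
    for f in found:
        print(f["client"], f["parent"], "hijacked" if f["hijacked"] else "clean", f["answers"])
    print("unexplained:", unexplained_random_queries(recs, found))
```

On the sample data the first client's burst is reported as a clean Chrome start-up, the second client's burst is reported as hijacked because all three probes resolved to the same address, and the third client's three random names, spread over nine minutes, are left unexplained and deserve a second look rather than being written off as browser noise.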

Disk Cache

The Google Chrome disk cache can be found in:

On Linux

/home/$USER/.config/google-chrome/Default/Application Cache/Cache/

On MacOS-X

/Users/$USER/Library/Caches/Google/Chrome/Default/Cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\

On Windows Vista and later

C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\

The Chrome cache directory contains files with the following names:

  • index
  • data_#, where # is a decimal digit.
  • f_######, where each # is a hexadecimal digit.

For more info see Chrome developers site [2].

History

Chrome stores the history of visited sites in a file named History. This file uses the SQLite database format.

The History file can be found in the same location as the Preferences file.

There is also an Archived History file, which holds data that predates the information in the History file. Note that Archived History only contains visits.

Timestamps

The History file uses different timestamp formats in different columns.

visits.visit_time

visits.visit_time is the number of microseconds since January 1, 1601 UTC.

Some Python code to do the conversion into a human-readable format:

import datetime

# timestamp holds the integer value read from visits.visit_time
date_string = (datetime.datetime(1601, 1, 1)
               + datetime.timedelta(microseconds=timestamp))

Note that this timestamp is not the same as a Windows FILETIME, which counts 100-nanosecond intervals since January 1, 1601 UTC; the epoch is shared but the unit differs by a factor of ten.

downloads.start_time

In older versions of Chrome, downloads.start_time is the number of seconds since January 1, 1970 UTC. Newer versions store it in the same microseconds-since-1601 format as visits.visit_time (see the example queries).

Some Python code to do the conversion into a human-readable format:

import datetime

# timestamp holds the integer value read from downloads.start_time (older format)
date_string = (datetime.datetime(1970, 1, 1)
               + datetime.timedelta(seconds=timestamp))

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT datetime(((visits.visit_time/1000000)-11644473600), 'unixepoch'), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;

Note that this visit_time conversion loses precision: the integer division by 1000000 truncates the timestamp to whole seconds.

To get an overview of the downloaded files:

SELECT datetime(downloads.start_time, 'unixepoch'), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;

How the information on downloaded files is stored in the database varies by Chrome version; a newer variant of the previous query is:

SELECT datetime(((downloads.start_time/1000000)-11644473600), 'unixepoch'), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
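The timestamp sections and the queries above fit together in one script: detect which downloads layout a given History file uses, run the matching query, and do the epoch conversion in Python so that the microseconds the SQL datetime() call discards are kept. The code below is an added example for this page, not Chrome's code and not a tool the page describes. It builds a constructed in-memory History database containing only the columns named on this page; the extra downloads_url_chains.chain_index column (0 for the originally requested URL, the highest index for the final URL of a redirect chain) is an assumption about Chrome's schema that you should verify against your own copy of the file. The functions also show the FILETIME caveat: feeding a visit_time into a FILETIME decoder lands in the 17th century.

```python
"""Query a Chrome History database and decode its timestamps (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
EPOCH_DIFF_S = 11644473600  # seconds from 1601-01-01 to 1970-01-01, as used in the page's queries


def webkit_to_datetime(us):
    """visits.visit_time (and newer downloads.start_time): microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt):
    """Inverse of webkit_to_datetime, using integer arithmetic so no float rounding creeps in."""
    d = dt - WEBKIT_EPOCH
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def unix_to_datetime(s):
    """Older downloads.start_time: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + timedelta(seconds=s)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns intervals since 1601-01-01 UTC. Same epoch, unit is 10x smaller."""
    return WEBKIT_EPOCH + timedelta(microseconds=ft // 10)


def build_sample_history(new_schema):
    """Constructed in-memory History database (sample rows, not data from a real profile)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    con.execute("INSERT INTO urls VALUES (1, 'http://www.forensicswiki.org/', 'ForensicsWiki')")
    visit = datetime(2013, 4, 20, 0, 51, 2, 345678, tzinfo=timezone.utc)
    con.execute("INSERT INTO visits VALUES (1, 1, ?)", (datetime_to_webkit(visit),))
    download_at = visit + timedelta(minutes=1)
    if new_schema:
        con.executescript("""
            CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                                    received_bytes INTEGER, total_bytes INTEGER);
            CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
        """)
        con.execute("INSERT INTO downloads VALUES (1, '/home/user/Downloads/tool.zip', ?, 4096, 4096)",
                    (datetime_to_webkit(download_at),))
        con.execute("INSERT INTO downloads_url_chains VALUES (1, 0, 'http://example.com/go')")
        con.execute("INSERT INTO downloads_url_chains VALUES (1, 1, 'http://cdn.example.com/tool.zip')")
    else:
        con.executescript("""
            CREATE TABLE downloads (id INTEGER PRIMARY KEY, full_path TEXT, url TEXT, start_time INTEGER,
                                    received_bytes INTEGER, total_bytes INTEGER);
        """)
        con.execute("INSERT INTO downloads VALUES (1, '/home/user/Downloads/tool.zip', "
                    "'http://cdn.example.com/tool.zip', ?, 4096, 4096)", (int(download_at.timestamp()),))
    con.commit()
    return con


def history_schema(con):
    """'new' when the redirect-chain table of later Chrome versions exists, otherwise 'old'."""
    names = {r[0] for r in con.execute("SELECT name FROM sqlite_master WHERE type = 'table'")}
    return "new" if "downloads_url_chains" in names else "old"


def visited_sites(con):
    """The page's first query, with the epoch conversion done in Python to keep microseconds."""
    rows = con.execute("SELECT visits.visit_time, urls.url, urls.title FROM urls "
                       "JOIN visits ON urls.id = visits.url ORDER BY visits.visit_time")
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def downloaded_files(con):
    """Pick the download query that matches the schema; report the final URL of a redirect chain."""
    if history_schema(con) == "new":
        rows = con.execute(
            "SELECT d.start_time, d.target_path, c.url, d.received_bytes, d.total_bytes "
            "FROM downloads d JOIN downloads_url_chains c ON d.id = c.id "
            "WHERE c.chain_index = (SELECT MAX(chain_index) FROM downloads_url_chains WHERE id = d.id)")
        return [(webkit_to_datetime(t), path, url, rb, tb) for t, path, url, rb, tb in rows]
    rows = con.execute("SELECT start_time, full_path, url, received_bytes, total_bytes FROM downloads")
    return [(unix_to_datetime(t), path, url, rb, tb) for t, path, url, rb, tb in rows]


def sql_visit_time_seconds(con):
    """The page's SQL conversion: integer division leaves whole seconds only."""
    return con.execute("SELECT datetime((visit_time / 1000000) - 11644473600, 'unixepoch') "
                       "FROM visits").fetchone()[0]


if __name__ == "__main__":
    for new in (False, True):
        con = build_sample_history(new)
        print(history_schema(con), visited_sites(con), downloaded_files(con), sql_visit_time_seconds(con))
```

Point the same functions at a copied History file with sqlite3.connect() instead of build_sample_history(); copy the file first, because Chrome keeps it open and a live database may carry a journal the analysis should not alter.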

See Also

  • SQLite database format

External Links

  • Wikipedia article on Google Chrome: http://en.wikipedia.org/wiki/Google_Chrome
  • The Chromium Projects - User Data Directory: http://www.chromium.org/user-experience/user-data-directory
  • Chrome Disk Cache: http://www.chromium.org/developers/design-documents/network-stack/disk-cache
  • Chrome support forum article on random 10-character hostnames on startup: http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en
  • Google Chrome Forensics, by Kristinn Guðjónsson: http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/
  • Chrome User Agent strings: http://www.useragentstring.com/pages/Chrome/
  • Cashing in on the Google Chrome Cache, John Lehr, February 24, 2013: http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1