Difference between pages "Google Chrome" and "Afentis forensics"

From ForensicsWiki
Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.

== Configuration ==
The Google Chrome configuration can be found in the '''Preferences''' file.

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
</pre>

Or for '''Chromium'''

On Linux
<pre>
/home/$USER/.config/chromium/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
</pre>

=== Plugins ===

Information about plugins can be found under the "plugins section" of the Preferences file.

=== DNS Prefetching ===

DNS is prefetched for related sites, e.g. links on the page.
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.

If enabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": true,
</pre>

If disabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": false,
</pre>

== Start-up DNS queries ==

When Chrome starts it queries several non-existent hostnames consisting of 10 random characters, e.g.
<pre>
ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com
</pre>

This is used to determine if your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].

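As an added example (not part of the wiki page), the following Python flags bursts of such probes in a constructed DNS query log, so an analyst can tell Chrome's start-up lookups apart from other random-looking hostnames and can spot the case where the probes were answered instead of returning NXDOMAIN. The log line format, the 60-second window and the three-probe threshold are assumptions, not values taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample log, one query per line: "<epoch seconds> <client> <qname> <rcode>"
SAMPLE_LOG = """\
1400000000 10.0.0.5 ttrgoiknff.mydomain.com NXDOMAIN
1400000000 10.0.0.5 bxjhgftsyu.mydomain.com NXDOMAIN
1400000001 10.0.0.5 yokjbjiagd.mydomain.com NXDOMAIN
1400000002 10.0.0.5 www.example.com NOERROR
1400000100 10.0.0.9 qwertyuiop.mydomain.com NOERROR
1400000100 10.0.0.9 asdfghjklz.mydomain.com NOERROR
1400000101 10.0.0.9 zxcvbnmqwe.mydomain.com NOERROR
1400000300 10.0.0.7 ttrgoiknff.mydomain.com NXDOMAIN
"""

PROBE_LABEL = re.compile(r"^[a-z]{10}$")  # first label: exactly 10 lowercase letters
WINDOW_SECONDS = 60   # assumption: the probes are sent back to back at start-up
MIN_PROBES = 3        # assumption: Chrome sends three probes

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        rows.append((int(ts), client, qname.lower(), rcode))
    return rows

def find_startup_probes(rows, window=WINDOW_SECONDS, min_probes=MIN_PROBES):
    """One finding per (client, suffix) that sent min_probes queries for
    10-random-letter hostnames inside `window` seconds; the verdict says whether
    they got NXDOMAIN or were answered (the hijacking condition the probes detect)."""
    groups = defaultdict(list)
    for ts, client, qname, rcode in rows:
        label, _, suffix = qname.partition(".")
        if suffix and PROBE_LABEL.match(label):
            groups[(client, suffix)].append((ts, rcode))
    findings = []
    for (client, suffix), events in groups.items():
        events.sort()
        for i in range(len(events) - min_probes + 1):
            burst = events[i:i + min_probes]
            if burst[-1][0] - burst[0][0] <= window:
                rcodes = {rcode for _, rcode in burst}
                verdict = ("expected NXDOMAIN" if rcodes == {"NXDOMAIN"}
                           else "probes answered (possible NXDOMAIN hijacking)")
                findings.append((client, suffix, verdict))
                break  # report each client/suffix pair once
    return sorted(findings)
```

A single probe-looking query from 10.0.0.7 is left alone, since only a burst of three matches the start-up pattern.
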
== Disk Cache ==
Google Chrome uses multiple caches, from [http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cache_type.h?view=markup]:
<pre>
// The types of caches that can be created.
enum CacheType {
    DISK_CACHE,  // Disk is used as the backing storage.
    MEMORY_CACHE,  // Data is stored only in memory.
    MEDIA_CACHE,  // Optimized to handle media files.
    APP_CACHE,  // Backing store for an AppCache.
    SHADER_CACHE, // Backing store for the GL shader cache.
    PNACL_CACHE, // Backing store the PNaCl translation cache
};
</pre>

The Google Chrome disk cache can be found in:

On Linux

<pre>
/home/$USER/.cache/chromium/Default/Cache/
/home/$USER/.cache/google-chrome/Default/Cache/
/home/$USER/.config/chromium/Default/Cache/
/home/$USER/.config/google-chrome/Default/Cache/
</pre>

<pre>
/home/$USER/.cache/chromium/Default/Media Cache/
/home/$USER/.cache/google-chrome/Default/Media Cache/
/home/$USER/.config/chromium/Default/Media Cache/
/home/$USER/.config/google-chrome/Default/Media Cache/
</pre>

<pre>
/home/$USER/.config/chromium/Default/Application Cache/Cache/
/home/$USER/.config/google-chrome/Default/Application Cache/Cache/
</pre>

<pre>
/home/$USER/.config/chromium/Default/GPUCache/
/home/$USER/.config/google-chrome/Default/GPUCache/
</pre>

<pre>
/home/$USER/.cache/chromium/PnaclTranslationCache/
/home/$USER/.cache/google-chrome/PnaclTranslationCache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Caches/Chromium/Default/Cache/
/Users/$USER/Caches/Google/Chrome/Default/Cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Cache\
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chromium\Default\Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\
</pre>

The Chrome Cache contains files with the following file names:
* index
* data_#; where # is a decimal digit.
* f_######; where each # is a hexadecimal digit.

For more info see the Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].

== History ==
Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].

The '''History''' file can be found in the same location as the '''Preferences''' file.

There is also '''Archived History''' that predates the information in the '''History''' file.
Note that the '''Archived History''' only contains visits.

=== Timestamps ===
The '''History''' file uses different timestamps.

==== visits.visit_time ====

The '''visits.visit_time''' is in (the number of) microseconds since January 1, 1601 UTC

Some Python code to do the conversion into human readable format:
<pre>
import datetime
# timestamp holds the raw visits.visit_time value
date_string = (datetime.datetime(1601, 1, 1)
               + datetime.timedelta(microseconds=timestamp))
</pre>

Note that this timestamp is not the same as a Windows FILETIME, which is (the number of) 100-nanosecond intervals since January 1, 1601 UTC.

==== downloads.start_time ====

The '''downloads.start_time''' is in (the number of) seconds since January 1, 1970 UTC

Some Python code to do the conversion into human readable format:
<pre>
import datetime
# timestamp holds the raw downloads.start_time value
date_string = (datetime.datetime(1970, 1, 1)
               + datetime.timedelta(seconds=timestamp))
</pre>

=== Example queries ===
Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
</pre>

Note that the visit_time conversion loses precision: the integer division by 1000000 discards the sub-second part.

To get an overview of the downloaded files:
<pre>
SELECT datetime(downloads.start_time, "unixepoch"), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
</pre>

How the information about downloaded files is stored in the database varies between versions of Chrome; as of version 26 use:
<pre>
SELECT datetime(((downloads.start_time/1000000)-11644473600), "unixepoch"), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
</pre>

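As an added example (not code from the wiki page), the following Python builds a constructed in-memory stand-in for the History database, runs the visited-sites query above through sqlite3 and compares it with a Python conversion that keeps the microseconds the SQL `datetime()` expression drops; it also shows the Windows FILETIME distinction noted under visits.visit_time. The two-table schema is a minimal assumption, and the same 1601-epoch conversion applies to the version-26 download timestamps and to the cookie timestamps queried further down the page.

```python
import datetime
import sqlite3

# Both Chrome's visit_time and Windows FILETIME count from this epoch.
CHROME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

def chrome_time_to_datetime(timestamp):
    """visits.visit_time (microseconds since 1601-01-01 UTC) -> aware datetime,
    keeping the sub-second part that the SQL conversion discards."""
    return CHROME_EPOCH + datetime.timedelta(microseconds=timestamp)

def filetime_to_datetime(filetime):
    """Windows FILETIME: same epoch but 100-nanosecond units, so divide by 10."""
    return CHROME_EPOCH + datetime.timedelta(microseconds=filetime // 10)

def build_sample_history():
    """Constructed in-memory stand-in for a Chrome History database; only the
    columns the wiki query touches are created (assumed minimal schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    db.execute("INSERT INTO urls VALUES (1, 'http://example.com/', 'Example')")
    # constructed value: 2014-01-02 03:00:21.987654 UTC
    db.execute("INSERT INTO visits VALUES (1, 1, 13033105221987654)")
    return db

def visits_via_sqlite(db):
    """The wiki's query (string literal single-quoted here): whole seconds only."""
    return db.execute(
        "SELECT datetime(((visits.visit_time/1000000)-11644473600), 'unixepoch'), "
        "urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url").fetchall()

def visits_full_precision(db):
    """Same join, but convert in Python to keep the microseconds."""
    rows = db.execute("SELECT visits.visit_time, urls.url, urls.title "
                      "FROM urls, visits WHERE urls.id = visits.url").fetchall()
    return [(chrome_time_to_datetime(t).isoformat(), url, title) for t, url, title in rows]
```
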
== Cookies ==
Chrome stores the cookies in a file named '''Cookies'''. This file uses the [[SQLite database format]].

=== Extension Cookies ===
Chrome stores the cookies used by extensions in a file named '''Extension Cookies'''. This file uses the [[SQLite database format]].

<pre>
SELECT datetime(((cookies.creation_utc/1000000)-11644473600), "unixepoch"), cookies.host_key, cookies.name, cookies.value, cookies.path,
datetime(((cookies.expires_utc/1000000)-11644473600), "unixepoch"), cookies.secure, cookies.httponly, datetime(((cookies.last_access_utc/1000000)-11644473600), "unixepoch"),
cookies.has_expires, cookies.persistent, cookies.priority FROM cookies;
</pre>

== See Also ==

* [[SQLite database format]]

== External Links ==
* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article on random 10 character hostnames on startup]
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]], January 21, 2010
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
* [http://www.obsidianforensics.com/blog/history-index-files-removed-from-chrome/ History Index files removed from Chrome v30], by Ryan Benson, October 2, 2013
* [https://hindsight-internet-history.googlecode.com/files/Evolution_of_Chrome_Databases.png Evolution of Chrome Databases], by Ryan Benson, November 12, 2013

== Tools ==
=== Open Source ===
* [https://code.google.com/p/hindsight-internet-history/ hindsight-internet-history]

[[Category:Applications]]
[[Category:Web Browsers]]

Revision as of 12:36, 26 May 2014

== Afentis Forensics ==

Scientific support and investigation practice with expert witnesses providing DNA analysis, fingerprint evaluations, firearm evidence, mobile telephone examinations and Cell Site Analysis (CSA) - from crime scene to court.

Produce a number of eDiscovery and digital evidence software tools, including:

[http://www.facebookforensics.com/ Facebook Forensic Toolkit]

[http://www.linkedinforensics.com/ LinkedIn Forensic Toolkit]

[http://www.youtubeforensics.com/ YouTube Forensic Toolkit]

[http://www.tumblrforensics.com/ Tumblr Forensic Toolkit]

== External Link ==

[http://www.afentis.com/ Official Website]