Difference between pages "Google Chrome" and "ALT Linux Rescue"

From ForensicsWiki

Latest edit summaries of the two compared pages: "Google Chrome": Disk Cache; "ALT Linux Rescue" (minor edit): Intro: 20140430: Forensic mode (UEFI).
Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.

== Configuration ==
The Google Chrome configuration can be found in the '''Preferences''' file.

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
</pre>

Or for '''Chromium'''

On Linux
<pre>
/home/$USER/.config/chromium/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
</pre>

=== Plugins ===
Information about plugins can be found under the "plugins" section of the Preferences file.

=== DNS Prefetching ===
DNS is prefetched for related sites, e.g. links on the page.
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.

If enabled, the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": true,
</pre>

If disabled, the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": false,
</pre>

== Start-up DNS queries ==
When Chrome starts it queries several non-existent hostnames consisting of 10 random characters, e.g.
<pre>
ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com
</pre>

This is used to determine if your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].
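The start-up probes described above are easy to mistake for DGA traffic in a resolver log, and the condition Chrome is testing for (probe names that resolve instead of returning NXDOMAIN) is also worth surfacing to a defender. The following Python is an added example, not code from the original page or from Chrome: it parses constructed resolver log lines, groups probe-looking names per client, and reports bursts together with whether every probe got NOERROR. The log line format, the assumption that the random label is exactly 10 lowercase letters (as in the page's examples), and the burst thresholds are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver query log. The line format (ISO time, client IP,
# query name, response code) is an assumption of this example, not the format
# of any particular resolver.
SAMPLE_LOG = """\
2014-04-30T02:49:01 10.0.0.5 ttrgoiknff.mydomain.com NXDOMAIN
2014-04-30T02:49:01 10.0.0.5 bxjhgftsyu.mydomain.com NXDOMAIN
2014-04-30T02:49:02 10.0.0.5 yokjbjiagd.mydomain.com NXDOMAIN
2014-04-30T02:49:03 10.0.0.5 www.google.com NOERROR
2014-04-30T02:50:10 10.0.0.7 qwertyuiop.mydomain.com NOERROR
2014-04-30T02:50:10 10.0.0.7 asdfghjklz.mydomain.com NOERROR
2014-04-30T02:50:11 10.0.0.7 zxcvbnmasd.mydomain.com NOERROR
2014-04-30T02:55:00 10.0.0.9 abcdefghij.mydomain.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumption: the random label Chrome generates is exactly 10 lowercase letters,
# matching the three examples on the page.
PROBE_LABEL_RE = re.compile(r"^[a-z]{10}$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    time_text, client, qname, rcode = match.groups()
    return {
        "time": datetime.fromisoformat(time_text),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "rcode": rcode.upper(),
    }


def is_probe_name(qname):
    """True when the first DNS label looks like one of Chrome's start-up probes."""
    first_label = qname.split(".", 1)[0]
    return PROBE_LABEL_RE.match(first_label) is not None


def find_probe_bursts(log_text, window_seconds=10, min_queries=3):
    """Group probe-looking queries per client and report each client that issued
    at least min_queries of them within window_seconds. The report also says
    whether every probe in the burst was answered NOERROR, which is what a
    resolver that rewrites NXDOMAIN would produce."""
    per_client = defaultdict(list)
    for raw in log_text.splitlines():
        record = parse_line(raw)
        if record and is_probe_name(record["qname"]):
            per_client[record["client"]].append(record)

    bursts = {}
    for client, records in per_client.items():
        records.sort(key=lambda r: r["time"])  # stable: keeps log order on ties
        for start in range(len(records) - min_queries + 1):
            window = records[start:start + min_queries]
            span = (window[-1]["time"] - window[0]["time"]).total_seconds()
            if span <= window_seconds:
                bursts[client] = {
                    "names": [r["qname"] for r in window],
                    "hijack_suspected": all(r["rcode"] == "NOERROR" for r in window),
                }
                break
    return bursts


if __name__ == "__main__":
    for client, info in find_probe_bursts(SAMPLE_LOG).items():
        verdict = ("NXDOMAIN rewriting suspected" if info["hijack_suspected"]
                   else "probes answered NXDOMAIN as expected")
        print(client, info["names"], verdict)
```

On the sample, 10.0.0.5 shows a normal start-up burst, 10.0.0.7 shows the same burst answered with NOERROR (the hijacking case), and the single query from 10.0.0.9 is not reported because one probe-looking name is not enough evidence of anything.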
 
== Disk Cache ==
Google Chrome uses multiple caches, from [http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cache_type.h?view=markup]:
<pre>
// The types of caches that can be created.
enum CacheType {
    DISK_CACHE,  // Disk is used as the backing storage.
    MEMORY_CACHE,  // Data is stored only in memory.
    MEDIA_CACHE,  // Optimized to handle media files.
    APP_CACHE,  // Backing store for an AppCache.
    SHADER_CACHE, // Backing store for the GL shader cache.
    PNACL_CACHE, // Backing store the PNaCl translation cache
};
</pre>

The Google Chrome disk cache can be found in:

On Linux
<pre>
/home/$USER/.cache/google-chrome/Default/Cache/
</pre>

<pre>
/home/$USER/.cache/google-chrome/Default/Media Cache/
</pre>

<pre>
/home/$USER/.cache/google-chrome/PnaclTranslationCache/
</pre>

<pre>
/home/$USER/.config/google-chrome/Default/Application Cache/Cache/
</pre>

<pre>
/home/$USER/.config/google-chrome/Default/Cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Caches/Google/Chrome/Default/Cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\
</pre>

The Chrome Cache contains different files with the following file names:
* index
* data_#; where # is a decimal digit.
* f_######; where # is a hexadecimal digit.

For more info see the Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].
== History ==
+
Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].
+
 
+
The '''History''' file can be found in same location as the '''Preferences''' file.
+
 
+
There is also '''Archived History''' that predates information in the '''History''' file.
+
Note that the '''Archived History''' only contains visits.
+
 
+
=== Timestamps ===
+
The '''History''' file uses the different timestamps.
+
 
+
==== visits.visit_time ====
+
 
+
The '''visits.visit_time''' is in (the number of) microseconds since January 1, 1601 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1601, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
 
+
Note that this timestamp is not the same as a Windows filetime which is (the number of) 100 nanoseconds since January 1, 1601 UTC
+
 
+
==== downloads.start_time ====
+
 
+
The '''downloads.start_time''' is in (the number of) seconds since January 1, 1970 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( seconds=timestamp )
+
</pre>
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the visited sites:
+
<pre>
+
SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
+
</pre>
+
 
+
Note that the visit_time conversion looses precision.
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT datetime(downloads.start_time, "unixepoch"), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
+
</pre>
+
 
+
How the information of the downloaded files is stored in the database can vary per version of Chrome as of version 26:
+
<pre>
+
SELECT datetime(((downloads.start_time/1000000)-11644473600), "unixepoch"), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes \
+
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
+
</pre>
+
 
+
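The conversions and queries above, worked through as an added example (not code from the original page or from Chrome): it builds a throwaway in-memory History database with the post-version-26 layout (visits.visit_time and downloads.start_time as microseconds since 1601, the download URL in downloads_url_chains), fills it with constructed rows, and runs the SQL conversion next to the Python one so the precision loss of the integer division is visible. The table definitions are reduced to the columns the queries touch, the sample rows, URLs and paths are constructed, and the FILETIME helper is there only to show the 100-nanosecond unit difference the page mentions.

```python
import datetime
import sqlite3

# Epochs used by the timestamp formats found in Chrome's History database.
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1)   # visits.visit_time (microseconds)
UNIX_EPOCH = datetime.datetime(1970, 1, 1)     # pre-26 downloads.start_time (seconds)
EPOCH_DIFF_SECONDS = 11644473600               # seconds from 1601-01-01 to 1970-01-01


def webkit_to_datetime(timestamp):
    """visits.visit_time: microseconds since 1601-01-01 UTC, full precision kept."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=timestamp)


def unix_to_datetime(timestamp):
    """Pre-26 downloads.start_time: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + datetime.timedelta(seconds=timestamp)


def filetime_to_datetime(filetime):
    """Windows FILETIME: 100-nanosecond units since 1601-01-01 UTC. Same epoch as
    visit_time, different unit, so the two must not be fed to the same converter."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def build_sample_history():
    """In-memory History database with the subset of the post-26 schema that the
    overview queries touch, populated with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, received_bytes INTEGER,
                                total_bytes INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
    """)
    # Constructed sample: one visit at 2014-04-30 02:49:00.123456 UTC and one
    # download starting at 2014-04-30 02:50:00 UTC, both as WebKit microseconds.
    conn.execute("INSERT INTO urls VALUES (1, 'http://example.invalid/', 'Example')")
    conn.execute("INSERT INTO visits VALUES (1, 1, 13043299740123456)")
    conn.execute("INSERT INTO downloads VALUES (1, '/home/user/Downloads/report.pdf', "
                 "13043299800000000, 4096, 4096)")
    conn.execute("INSERT INTO downloads_url_chains VALUES "
                 "(1, 0, 'http://example.invalid/report.pdf')")
    conn.commit()
    return conn


def visits_overview(conn):
    """Pair the SQL-side conversion (whole seconds only) with the Python-side one
    (microseconds kept) so the precision loss is visible side by side."""
    rows = conn.execute("""
        SELECT datetime(((visits.visit_time/1000000)-11644473600), 'unixepoch'),
               visits.visit_time, urls.url, urls.title
        FROM urls, visits WHERE urls.id = visits.url
    """).fetchall()
    return [(sql_time, webkit_to_datetime(raw), url, title)
            for sql_time, raw, url, title in rows]


def downloads_overview(conn):
    """Post-26 layout: start_time in WebKit microseconds, URL in downloads_url_chains."""
    return conn.execute("""
        SELECT datetime(((downloads.start_time/1000000)-11644473600), 'unixepoch'),
               downloads.target_path, downloads_url_chains.url,
               downloads.received_bytes, downloads.total_bytes
        FROM downloads, downloads_url_chains
        WHERE downloads.id = downloads_url_chains.id
    """).fetchall()


if __name__ == "__main__":
    db = build_sample_history()
    for row in visits_overview(db):
        print("visit   ", row)
    for row in downloads_overview(db):
        print("download", row)
```

For the sample visit the SQL side yields "2014-04-30 02:49:00" while the Python side keeps ".123456"; when sub-second ordering of visits matters, convert the raw integer in the analysis tool rather than in the query.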
== See Also ==
+
 
+
* [[SQLite database format]]
+
  
 
== External Links ==
 
== External Links ==
* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
+
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
+
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
+
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article random 10 character hostnames on startup]
+
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
+
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]], January 21, 2010
+
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
+
* [http://www.obsidianforensics.com/blog/history-index-files-removed-from-chrome/ History Index files removed from Chrome v30], by Ryan Benson, October 2, 2013
+
* [https://hindsight-internet-history.googlecode.com/files/Evolution_of_Chrome_Databases.png Evolution of Chrome Databases], by Ryan Benson, November 12, 2013
+
 
+
== Tools ==
+
=== Open Source ===
+
* [https://code.google.com/p/hindsight-internet-history/ hindsight-internet-history]
+
 
+
[[Category:Applications]]
+
[[Category:Web Browsers]]
+

Revision as of 02:49, 30 April 2014

{{Infobox_Software |
  name = ALT Linux Rescue |
  maintainer = Michael Shigorin |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://en.altlinux.org/Rescue en.altlinux.org/rescue] |
}}

'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]] with some forensic capabilities.

== Intro ==
This weekly-updated image is intended to be a text-only toolchest for analysis and recovery.

It will not try to use swaps or autodetect/mount filesystems unless requested explicitly.

Forensic mode is available via a separate boot target for BIOS users and a rescue boot option (via F2) for UEFI users. This will skip activating MDRAID/LVM too.

A build profile suitable for the ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.

== Tools included ==
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]] and [[wipefreespace]], to name a few, are available.

X11-based software is being considered for an extended version.

== Platforms ==
i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot can be left enabled in most cases.

== Deliverables ==
Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R by chance).

== Forensic issues ==
Hardening against rootfs spoofing has been implemented as of 20140423 (the stage2 squashfs SHA256 check was contributed by Maxim Suhanov); previous images are vulnerable to an ISO9660 filesystem on a device containing a squashfs file with the predefined name and specially crafted contents.

MDRAID/LVM2/swap activation might occur with images before 20140416 or when booted via the default "Rescue" target; booting into "Forensic mode" skips that (for both early userspace and the final environment as of 20140416) and switches the <tt>mount-system</tt> script to use the <tt>ro,loop,noexec</tt> mount options (as of 20140423).

Physical device write blocking hasn't been considered so far.
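The rootfs spoofing hardening described above comes down to one rule: do not trust a stage2 image because it has the expected file name, trust it only if it hashes to the digest recorded when the medium was built, and then mount it read-only. The Python below is an added illustration of that check, not the project's initramfs code: it streams a file through SHA-256, compares it in constant time against the expected digest, and shows a genuine image and a same-named crafted one on another path getting opposite verdicts. The file name `stage2.squashfs`, the digest source and the directory layout are assumptions of this example; the mount argv mirrors the `ro,loop,noexec` options the page names and is returned, not executed.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large squashfs images need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_stage2(squashfs_path, expected_sha256):
    """Accept the image only if its digest equals the one recorded at build time.
    A file with the expected name but different contents (the spoofing case)
    fails this check regardless of which device it was found on."""
    actual = sha256_of_file(squashfs_path)
    return hmac.compare_digest(actual, expected_sha256.lower())


def forensic_mount_argv(image_path, mountpoint):
    """argv for mounting a verified image the way the page describes Forensic mode
    doing it: read-only, via loop, noexec. Returned for inspection, not run."""
    return ["mount", "-o", "ro,loop,noexec", image_path, mountpoint]


def demo():
    """Constructed scenario: the genuine image and a same-named crafted file on a
    different path. Returns (genuine_accepted, spoof_accepted). The file name
    'stage2.squashfs' is hypothetical; the page does not give the real name."""
    with tempfile.TemporaryDirectory() as workdir:
        genuine = os.path.join(workdir, "boot-medium", "stage2.squashfs")
        spoofed = os.path.join(workdir, "other-device", "stage2.squashfs")
        for path, contents in ((genuine, b"genuine squashfs image bytes"),
                               (spoofed, b"crafted squashfs image bytes")):
            os.makedirs(os.path.dirname(path))
            with open(path, "wb") as handle:
                handle.write(contents)
        # In a real image this digest is recorded on the trusted medium at build
        # time; here it is taken from the genuine file to keep the demo offline.
        expected = sha256_of_file(genuine)
        return verify_stage2(genuine, expected), verify_stage2(spoofed, expected)


if __name__ == "__main__":
    genuine_ok, spoof_ok = demo()
    print("genuine image accepted:", genuine_ok)
    print("spoofed image accepted:", spoof_ok)
    if genuine_ok:
        argv = forensic_mount_argv("/path/to/stage2.squashfs", "/mnt/stage2")
        print("would run:", " ".join(argv))
```

The digest must live somewhere the attacker-controlled device cannot alter (the boot medium itself or the kernel command line), otherwise a crafted image can ship its own matching hash; that placement, not the hashing, is what the 20140423 hardening depends on.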

== Credits ==
* [[User:.FUF]] for the [[Forensic Live CD issues]] page, sound advice and the early userspace patch

== External Links ==
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus