Difference between pages "Google Chrome" and "Windows Job File Format"

From ForensicsWiki

Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.

== Configuration ==
The Google Chrome configuration can be found in the '''Preferences''' file.

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
</pre>

Or for '''Chrome SxS''' (Chrome side-by-side)
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\User Data\Default\Preferences
</pre>

Or for '''Chromium'''

On Linux
<pre>
/home/$USER/.config/chromium/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
</pre>

=== Plugins ===

Information about plugins can be found in the "plugins" section of the Preferences file.

=== DNS Prefetching ===

DNS is prefetched for related sites, e.g. links on the page.
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.

If enabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": true,
</pre>

If disabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": false,
</pre>
 
== Start-up DNS queries ==

When Chrome starts it queries several non-existent hostnames that consist of 10 random characters, e.g.
<pre>
ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com
</pre>

Chrome uses these queries to determine whether the ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].

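As an added example that is not part of the original page, the Python script below shows how to recognise this start-up behaviour in a DNS log, so that a burst of NXDOMAIN answers for random 10-letter names from one client is attributed to Chrome instead of being flagged as domain-generation-algorithm traffic. The log format, the client addresses and the log lines are constructed for this example, and the assumption that the random characters are lowercase letters (the page only shows such examples) is the author's, not the page's.

```python
"""Added example (not from the ForensicsWiki page): spotting Chrome's
start-up NXDOMAIN probes in a DNS log. Log format and lines are constructed."""
import re
from collections import defaultdict

# Constructed sample log, one answer per line: "<epoch seconds> <client> <qname> <rcode>".
SAMPLE_LOG = """\
1404557520.10 10.0.0.5 ttrgoiknff.mydomain.com NXDOMAIN
1404557520.12 10.0.0.5 bxjhgftsyu.mydomain.com NXDOMAIN
1404557520.15 10.0.0.5 yokjbjiagd.mydomain.com NXDOMAIN
1404557521.00 10.0.0.5 www.google.com NOERROR
1404557600.00 10.0.0.7 qwertyuiop.mydomain.com NXDOMAIN
1404557700.00 10.0.0.9 abcdefghijklmnop.evil-example.net NXDOMAIN
1404557700.50 10.0.0.9 zyxwvutsrqponm.evil-example.net NXDOMAIN
1404557701.00 10.0.0.9 mlkjihgfedcbaz.evil-example.net NXDOMAIN
"""

# The probe names on the page are 10 lowercase letters followed by the host's DNS
# suffix; only the first label is checked. Lowercase-only is an assumption.
_PROBE_LABEL = re.compile(r"^[a-z]{10}$")


def parse_log(text):
    """Turn the constructed log into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((float(ts), client, qname.lower().rstrip("."), rcode))
    return records


def find_chrome_probes(records, window=5.0, minimum=3):
    """Return [(client, first_timestamp, [qnames])] for every client that got at
    least `minimum` NXDOMAIN answers for 10-letter first labels within `window`
    seconds; Chrome issues three such queries when it starts."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        first_label = qname.split(".", 1)[0]
        if rcode == "NXDOMAIN" and _PROBE_LABEL.match(first_label):
            per_client[client].append((ts, qname))
    hits = []
    for client, events in per_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window per client
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= minimum:
                hits.append((client, events[start][0], [q for _, q in events[start:end + 1]]))
                break                           # one report per client is enough
    return hits


def is_chrome_probe_client(records, client):
    """True when `client` shows the Chrome start-up probe pattern."""
    return any(c == client for c, _, _ in find_chrome_probes(records))


if __name__ == "__main__":
    for client, ts, names in find_chrome_probes(parse_log(SAMPLE_LOG)):
        print(client, ts, names)
```

The suffix (mydomain.com above) is appended by the resolver configuration of the host, so on a host without a DNS search suffix the same probes appear as bare 10-letter names; that is why only the first label is matched. The three names in the sample above are the ones quoted on the page; the other lines are made up to show what is not reported.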
== Disk Cache ==
Google Chrome uses multiple caches, from [http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cache_type.h?view=markup]:
<pre>
// The types of caches that can be created.
enum CacheType {
    DISK_CACHE,  // Disk is used as the backing storage.
    MEMORY_CACHE,  // Data is stored only in memory.
    MEDIA_CACHE,  // Optimized to handle media files.
    APP_CACHE,  // Backing store for an AppCache.
    SHADER_CACHE, // Backing store for the GL shader cache.
    PNACL_CACHE, // Backing store the PNaCl translation cache
};
</pre>

<b>Note that $PROFILE (or %PROFILE%) in the paths below is the profile-dependent subdirectory, which is normally Default but can also be Profile 1, Profile 2, etc.</b>

The Google Chrome disk cache can be found in:

On Linux

<pre>
/home/$USER/.cache/chromium/$PROFILE/Cache/
/home/$USER/.cache/google-chrome/$PROFILE/Cache/
/home/$USER/.config/chromium/$PROFILE/Cache/
/home/$USER/.config/google-chrome/$PROFILE/Cache/
</pre>

<pre>
/home/$USER/.cache/chromium/$PROFILE/Media Cache/
/home/$USER/.cache/google-chrome/$PROFILE/Media Cache/
/home/$USER/.config/chromium/$PROFILE/Media Cache/
/home/$USER/.config/google-chrome/$PROFILE/Media Cache/
</pre>

<pre>
/home/$USER/.config/chromium/$PROFILE/Application Cache/Cache/
/home/$USER/.config/google-chrome/$PROFILE/Application Cache/Cache/
</pre>

<pre>
/home/$USER/.config/chromium/$PROFILE/GPUCache/
/home/$USER/.config/google-chrome/$PROFILE/GPUCache/
</pre>

<pre>
/home/$USER/.cache/chromium/PnaclTranslationCache/
/home/$USER/.cache/google-chrome/PnaclTranslationCache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Caches/Chromium/$PROFILE/Cache
/Users/$USER/Library/Caches/Google/Chrome/$PROFILE/Cache
</pre>

<b>TODO confirm the following paths</b>
<pre>
/Users/$USER/Caches/Chromium/$PROFILE/Cache/
/Users/$USER/Caches/Google/Chrome/$PROFILE/Cache/
</pre>

<pre>
/Users/$USER/Library/Caches/Chromium/$PROFILE/Media Cache
/Users/$USER/Library/Caches/Google/Chrome/$PROFILE/Media Cache
</pre>

<pre>
/Users/$USER/Library/Application Support/Chromium/$PROFILE/Application Cache/Cache/
/Users/$USER/Library/Application Support/Google/Chrome/$PROFILE/Application Cache/Cache/
</pre>

<pre>
/Users/$USER/Library/Application Support/Chromium/$PROFILE/GPUCache/
/Users/$USER/Library/Application Support/Google/Chrome/$PROFILE/GPUCache/
</pre>

<pre>
/Users/$USER/Library/Caches/Chromium/PnaclTranslationCache/
/Users/$USER/Library/Caches/Google/Chrome/PnaclTranslationCache/
</pre>

On Windows XP

<b>TODO confirm the following paths</b>
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Cache\
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
</pre>

On Windows Vista and later (Chromium lives under AppData\Local\Chromium, the same tree as its Preferences file above)
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Cache\
</pre>

<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Application Cache\Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Application Cache\Cache\
</pre>

<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Media Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Media Cache\
</pre>

<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\GPUCache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\GPUCache\
</pre>

The Chrome cache directory contains files with the following names:
* index
* data_#, where # is a decimal digit (the block files)
* f_######, where each # is a hexadecimal digit (separate files for entries too large for the block files)

For more info see [[Chrome Disk Cache Format]].

== History ==
Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].

The '''History''' file can be found in the same location as the '''Preferences''' file.

There is also an '''Archived History''' file that holds visit records older than those in the '''History''' file.
Note that '''Archived History''' only contains visits.

=== Timestamps ===
The '''History''' file uses different timestamp formats.

==== visits.visit_time ====

The '''visits.visit_time''' is (the number of) microseconds since January 1, 1601 UTC.

Some Python code to do the conversion into human readable format:
<pre>
import datetime

# timestamp holds the value of visits.visit_time
date_time = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=timestamp)
</pre>

Note that this timestamp is not the same as a Windows FILETIME, which is (the number of) 100-nanosecond intervals since January 1, 1601 UTC; a FILETIME divided by 10 gives this format.

==== downloads.start_time ====

The '''downloads.start_time''' is (the number of) seconds since January 1, 1970 UTC. As of Chrome version 26 it uses the same microseconds-since-1601 encoding as '''visits.visit_time''' (see the example queries below).

Some Python code to do the conversion of the older format into human readable format:
<pre>
import datetime

# timestamp holds the value of downloads.start_time (seconds since 1970)
date_time = datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=timestamp)
</pre>

=== Example queries ===
Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime(((visits.visit_time/1000000)-11644473600), "unixepoch"), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
</pre>

Note that the integer division in the visit_time conversion drops the sub-second part; 11644473600 is the number of seconds between the 1601 and 1970 epochs.

To get an overview of the downloaded files:
<pre>
SELECT datetime(downloads.start_time, "unixepoch"), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
</pre>

The layout of the download information varies between versions of Chrome. As of version 26, '''downloads.start_time''' is in microseconds since 1601, the local path is in '''downloads.target_path''' and the URLs of the download (including redirects) are in the separate '''downloads_url_chains''' table:
<pre>
SELECT datetime(((downloads.start_time/1000000)-11644473600), "unixepoch"), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
</pre>

== Cookies ==
Chrome stores the cookies in a file named '''Cookies'''. This file uses the [[SQLite database format]].

=== Extension Cookies ===
Chrome stores the cookies used by extensions in a file named '''Extension Cookies'''. This file uses the [[SQLite database format]].

The following query lists the cookies; '''creation_utc''', '''expires_utc''' and '''last_access_utc''' use the same microseconds-since-1601 encoding as '''visits.visit_time''':
<pre>
SELECT datetime(((cookies.creation_utc/1000000)-11644473600), "unixepoch"), cookies.host_key, cookies.name, cookies.value, cookies.path,
datetime(((cookies.expires_utc/1000000)-11644473600), "unixepoch"), cookies.secure, cookies.httponly, datetime(((cookies.last_access_utc/1000000)-11644473600), "unixepoch"),
cookies.has_expires, cookies.persistent, cookies.priority FROM cookies;
</pre>
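As an added example that is not part of the original page, the Python below applies the conversions from the Timestamps section to the History queries and to the Cookies query above, keeping the sub-second part that the SQL datetime() conversion drops, and it selects the download query that matches the database layout by checking for the downloads_url_chains table. The History and Cookies databases it reads are constructed in memory with only the columns the page's queries use; the visited site, the download paths and URLs and the cookie values are made up.

```python
"""Added example (not from the ForensicsWiki page): reading Chrome's History
and Cookies SQLite files with full-precision timestamp conversion. The sample
databases are constructed in memory and contain only the columns used."""
import datetime
import sqlite3

# visits.visit_time, the cookie *_utc columns and (Chrome 26+) downloads.start_time
# are microseconds since 1601-01-01 UTC; older downloads.start_time is Unix seconds.
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1)
UNIX_EPOCH = datetime.datetime(1970, 1, 1)


def webkit_to_datetime(microseconds):
    """Keeps the sub-second part that datetime((t/1000000)-11644473600) drops.
    0 means 'not set' (for example expires_utc of a session cookie)."""
    if not microseconds:
        return None
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=microseconds)


def datetime_to_webkit(dt):
    """Inverse conversion, e.g. for time-range WHERE clauses; integer arithmetic
    avoids the float rounding of total_seconds() * 1e6 at this magnitude."""
    delta = dt - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds


def unix_to_datetime(seconds):
    return UNIX_EPOCH + datetime.timedelta(seconds=seconds)


def has_table(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


def visits(conn):
    """(visit time, url, title) for every visit, oldest first."""
    rows = conn.execute("SELECT visits.visit_time, urls.url, urls.title FROM urls "
                        "JOIN visits ON urls.id = visits.url ORDER BY visits.visit_time")
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def downloads(conn):
    """(start time, local path, url, received bytes, total bytes); the schema is
    detected from the downloads_url_chains table that exists as of Chrome 26."""
    if has_table(conn, "downloads_url_chains"):
        rows = conn.execute("SELECT d.start_time, d.target_path, c.url, d.received_bytes, d.total_bytes "
                            "FROM downloads d JOIN downloads_url_chains c ON d.id = c.id "
                            "ORDER BY d.id, c.chain_index")
        return [(webkit_to_datetime(t), path, url, rcv, tot) for t, path, url, rcv, tot in rows]
    rows = conn.execute("SELECT start_time, full_path, url, received_bytes, total_bytes FROM downloads")
    return [(unix_to_datetime(t), path, url, rcv, tot) for t, path, url, rcv, tot in rows]


def cookies(conn):
    """One dict per cookie with the three timestamps converted."""
    rows = conn.execute("SELECT creation_utc, host_key, name, value, path, expires_utc, secure, "
                        "httponly, last_access_utc FROM cookies")
    return [{"created": webkit_to_datetime(c), "host": h, "name": n, "value": v, "path": p,
             "expires": webkit_to_datetime(e), "secure": bool(s), "httponly": bool(ho),
             "last_access": webkit_to_datetime(la)} for c, h, n, v, p, e, s, ho, la in rows]


def build_sample_history(new_layout=True):
    """Constructed History database: one made-up visit and one made-up download,
    in the Chrome 26+ layout or (new_layout=False) the older one."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);"
                       "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);")
    conn.execute("INSERT INTO urls VALUES (1, 'http://www.forensicswiki.org/', 'ForensicsWiki')")
    conn.execute("INSERT INTO visits VALUES (1, 1, ?)",
                 (datetime_to_webkit(datetime.datetime(2014, 7, 5, 10, 52, 0, 123456)),))
    start = datetime.datetime(2014, 7, 5, 11, 0)
    if new_layout:
        conn.executescript("CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, "
                           "start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);"
                           "CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);")
        conn.execute("INSERT INTO downloads VALUES (1, 'C:\\Users\\alice\\Downloads\\tool.exe', ?, 1024, 1024)",
                     (datetime_to_webkit(start),))
        conn.execute("INSERT INTO downloads_url_chains VALUES (1, 0, 'http://short.example/x')")
        conn.execute("INSERT INTO downloads_url_chains VALUES (1, 1, 'http://files.example/tool.exe')")
    else:
        conn.executescript("CREATE TABLE downloads (id INTEGER PRIMARY KEY, full_path TEXT, url TEXT, "
                           "start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);")
        conn.execute("INSERT INTO downloads VALUES (1, '/home/alice/tool.sh', 'http://files.example/tool.sh', ?, 512, 512)",
                     (int((start - UNIX_EPOCH).total_seconds()),))
    return conn


def build_sample_cookies():
    """Constructed Cookies database with one made-up session cookie (expires_utc = 0)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, name TEXT, value TEXT, "
                       "path TEXT, expires_utc INTEGER, secure INTEGER, httponly INTEGER, last_access_utc INTEGER);")
    created = datetime_to_webkit(datetime.datetime(2014, 7, 5, 10, 52))
    conn.execute("INSERT INTO cookies VALUES (?, '.example.com', 'session', 'abc123', '/', 0, 1, 1, ?)",
                 (created, created))
    return conn
```

Against a real profile, replace the builders with sqlite3.connect() on a copy of the History or Cookies file (Chrome holds a lock on the live files), and keep in mind that the real schema has many more columns than the constructed one; the queries only name the columns that the page's SQL uses.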
  
 
== See Also ==

* [[SQLite database format]]

== External Links ==
* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum thread on the random 10-character hostnames queried at start-up]
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]], January 21, 2010
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
* [http://www.obsidianforensics.com/blog/history-index-files-removed-from-chrome/ History Index files removed from Chrome v30], by Ryan Benson, October 2, 2013
* [https://hindsight-internet-history.googlecode.com/files/Evolution_of_Chrome_Databases.png Evolution of Chrome Databases], by Ryan Benson, November 12, 2013

== Tools ==
=== Open Source ===
* [https://code.google.com/p/hindsight-internet-history/ hindsight-internet-history]

[[Category:Applications]]
[[Category:Web Browsers]]

Windows Job File Format

Revision as of 10:52, 5 July 2014

{{expand}}

== Overview ==
On [[Windows]] a .JOB file stores the configuration of a Task Scheduler task. A .JOB file consists of two main sections: a fixed-length section followed by a variable-length section. Integer values are stored little-endian.

=== fixed-length section ===

The fixed-length section is 68 bytes in size and consists of:
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0 || 2 || || Product version
|-
| 2 || 2 || || File version
|-
| 4 || 16 || || Job UUID (or GUID)
|-
| 20 || 2 || || Application name size offset <br> Offset of the Application Name string (its 2-byte size field) in the variable-length section, relative from the start of the file.
|-
| 22 || 2 || || Trigger offset <br> Offset of the Triggers in the variable-length section, relative from the start of the file.
|-
| 24 || 2 || || Error Retry Count
|-
| 26 || 2 || || Error Retry Interval <br> In minutes
|-
| 28 || 2 || || Idle Deadline <br> In minutes
|-
| 30 || 2 || || Idle Wait <br> In minutes
|-
| 32 || 4 || || Priority
|-
| 36 || 4 || || Maximum Run Time <br> In milliseconds
|-
| 40 || 4 || || Exit Code
|-
| 44 || 4 || || Status
|-
| 48 || 4 || || Flags
|-
| 52 || 16 || || Last run time <br> Consists of a SYSTEMTIME; all fields are zero if the task has never run
|}

==== SYSTEMTIME ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0 || 2 || || Year
|-
| 2 || 2 || || Month
|-
| 4 || 2 || || Weekday
|-
| 6 || 2 || || Day
|-
| 8 || 2 || || Hour
|-
| 10 || 2 || || Minute
|-
| 12 || 2 || || Second
|-
| 14 || 2 || || Millisecond
|}

==== Priority ====
{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00800000 || REALTIME_PRIORITY_CLASS || The task can run at the highest possible priority. The threads of a real-time priority class process preempt the threads of all other processes, including operating system processes performing important tasks.
|-
| 0x01000000 || HIGH_PRIORITY_CLASS || The task performs time-critical tasks that must be executed immediately for it to run correctly. The threads of a high-priority class process preempt the threads of normal or idle priority class processes.
|-
| 0x02000000 || IDLE_PRIORITY_CLASS || The task can run in a process whose threads run only when the machine is idle, and are preempted by the threads of any process running in a higher priority class.
|-
| 0x04000000 || NORMAL_PRIORITY_CLASS || The task has no special scheduling requirements.
|}

==== Status ====
{| class="wikitable"
|-
! Value
! Identifier
! Description
|-
| 0x00041300 || SCHED_S_TASK_READY || Task is not running but is scheduled to run at some time in the future.
|-
| 0x00041301 || SCHED_S_TASK_RUNNING || Task is currently running.
|-
| 0x00041305 || SCHED_S_TASK_NOT_SCHEDULED || The task is not running and has no valid triggers.
|}

==== Flags ====
See: [http://msdn.microsoft.com/en-us/library/cc248283.aspx Flags]

=== variable-length section ===

The variable-length section follows the fixed-length section and contains the following values, in this order:

* Running Instance Count
* Application Name; Unicode string
* Parameters; Unicode string
* Working Directory; Unicode string
* Author; Unicode string
* Comment; Unicode string
* User Data; Unicode string
* Reserved Data
* Triggers
* Job Signature

==== Unicode string ====
{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| 0 || 2 || || Number of characters <br> Includes the end-of-string character; the value is 0 if the string is empty, in which case no characters follow.
|-
| 2 || 2 × number of characters || || String <br> UTF-16 little-endian with end-of-string character
|}
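As an added example that is not part of the original page, the Python parser below reads the fixed-length section, the SYSTEMTIME, the Priority and Status values and the Unicode strings as described above, and checks that the two offsets in the header point where the variable-length data actually starts (a cheap way to tell a damaged or carved file from an intact one). The page does not give the layout of User Data, Reserved Data, Triggers or the Job Signature; the parser takes the 2-byte size prefix of the first two and the 2-byte count of 48-byte trigger records from the MS-TSCH specification the page links to, and keeps those bytes raw. The sample .JOB file is built by the script itself; its command line, author and GUID are made up, and treating the last run time as local machine time is an assumption the page does not state.

```python
"""Added example (not from the ForensicsWiki page): parser for the .JOB
fixed-length section, SYSTEMTIME and the Unicode strings of the variable-
length section. User Data / Reserved Data / trigger sizes follow MS-TSCH."""
import datetime
import struct
import uuid

# Fixed-length section, 68 bytes, little-endian, field order as in the table above.
_HEADER = struct.Struct("<HH16sHHHHHHIIIII8H")
assert _HEADER.size == 68

# Priority and Status values from the tables above.
PRIORITY = {0x00800000: "REALTIME_PRIORITY_CLASS", 0x01000000: "HIGH_PRIORITY_CLASS",
            0x02000000: "IDLE_PRIORITY_CLASS", 0x04000000: "NORMAL_PRIORITY_CLASS"}
STATUS = {0x00041300: "SCHED_S_TASK_READY", 0x00041301: "SCHED_S_TASK_RUNNING",
          0x00041305: "SCHED_S_TASK_NOT_SCHEDULED"}
TRIGGER_SIZE = 48  # MS-TSCH; the trigger layout is not on the page, so triggers stay raw


class JobFormatError(ValueError):
    """The data is truncated or does not fit the .JOB layout."""


def _u16(data, pos):
    if pos + 2 > len(data):
        raise JobFormatError("truncated at offset %d" % pos)
    return struct.unpack_from("<H", data, pos)[0]


def _systemtime(fields):
    """Year, month, weekday, day, hour, minute, second, millisecond. All zero
    means the task never ran. Assumed to be local machine time (not stated on the page)."""
    year, month, _weekday, day, hour, minute, second, ms = fields
    if year == 0:
        return None
    return datetime.datetime(year, month, day, hour, minute, second, ms * 1000)


def _read_string(data, pos):
    """Unicode string: character count including the terminating NUL (0 when
    empty), then that many UTF-16LE characters."""
    count = _u16(data, pos)
    pos += 2
    raw = data[pos:pos + 2 * count]
    if len(raw) != 2 * count:
        raise JobFormatError("truncated string at offset %d" % pos)
    return raw.decode("utf-16-le").rstrip("\x00"), pos + 2 * count


def _read_blob(data, pos):
    """User Data / Reserved Data: 2-byte byte count, then the bytes (MS-TSCH)."""
    size = _u16(data, pos)
    pos += 2
    if pos + size > len(data):
        raise JobFormatError("truncated data block at offset %d" % pos)
    return data[pos:pos + size], pos + size


def parse_job(data):
    """Parse a .JOB file image into a dict; raises JobFormatError on bad input."""
    if len(data) < _HEADER.size:
        raise JobFormatError("shorter than the 68-byte fixed-length section")
    f = _HEADER.unpack_from(data, 0)
    job = {"product_version": f[0], "file_version": f[1],
           "uuid": str(uuid.UUID(bytes_le=f[2])),  # stored in Windows GUID byte order
           "app_name_offset": f[3], "trigger_offset": f[4],
           "error_retry_count": f[5], "error_retry_interval_min": f[6],
           "idle_deadline_min": f[7], "idle_wait_min": f[8],
           "priority": PRIORITY.get(f[9], "0x%08x" % f[9]),
           "max_run_time_ms": f[10], "exit_code": f[11],
           "status": STATUS.get(f[12], "0x%08x" % f[12]), "flags": f[13],
           "last_run_time": _systemtime(f[14:22])}
    pos = _HEADER.size
    job["running_instance_count"] = _u16(data, pos)
    pos += 2
    if job["app_name_offset"] != pos:  # header must point at the Application Name size field
        raise JobFormatError("application name offset %d, expected %d" % (job["app_name_offset"], pos))
    for key in ("application_name", "parameters", "working_directory", "author", "comment"):
        job[key], pos = _read_string(data, pos)
    job["user_data"], pos = _read_blob(data, pos)
    job["reserved_data"], pos = _read_blob(data, pos)
    if job["trigger_offset"] != pos:
        raise JobFormatError("trigger offset %d, expected %d" % (job["trigger_offset"], pos))
    count = _u16(data, pos)
    pos += 2
    if pos + count * TRIGGER_SIZE > len(data):
        raise JobFormatError("truncated trigger list")
    job["triggers"] = [data[pos + i * TRIGGER_SIZE:pos + (i + 1) * TRIGGER_SIZE] for i in range(count)]
    job["job_signature"] = data[pos + count * TRIGGER_SIZE:]  # optional, empty when absent
    return job


def _encode_string(text):
    """Inverse of _read_string, used only to build the constructed sample."""
    if not text:
        return struct.pack("<H", 0)
    raw = (text + "\x00").encode("utf-16-le")
    return struct.pack("<H", len(raw) // 2) + raw


def build_sample_job():
    """Constructed sample (not a real artifact): cmd.exe /c whoami at normal
    priority, one opaque trigger, last run 2014-07-05 10:52:00."""
    body = struct.pack("<H", 0)  # running instance count
    for text in ("C:\\Windows\\System32\\cmd.exe", "/c whoami", "C:\\Windows", "Administrator", ""):
        body += _encode_string(text)
    body += struct.pack("<H", 0)             # user data: empty
    body += struct.pack("<H", 8) + bytes(8)  # reserved data
    trigger_offset = _HEADER.size + len(body)
    body += struct.pack("<H", 1) + bytes(TRIGGER_SIZE)
    header = _HEADER.pack(0x0601, 1, uuid.UUID("12345678-1234-5678-1234-567812345678").bytes_le,
                          _HEADER.size + 2, trigger_offset, 3, 10, 0, 0,
                          0x04000000, 259200000, 0, 0x00041300, 0,
                          2014, 7, 6, 5, 10, 52, 0, 0)
    return header + body
```

For a file from a system image, call parse_job(open(path, "rb").read()); the Application Name, Parameters and Working Directory are the fields worth comparing against the expected scheduled tasks of the host, and the raw triggers can be decoded with the MS-TSCH trigger layout once it is needed.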

== See Also ==

* [[Windows]]

== External Links ==
* [http://msdn.microsoft.com/en-us/library/cc248285.aspx .JOB File Format], by [[Microsoft]]

[[Category:File Formats]]