Difference between pages "Google Chrome" and "Windows XML Event Log (EVTX)"

From Forensics Wiki

= Windows XML Event Log (EVTX) =

{{expand}}

The Windows XML Event Log (EVTX) format was introduced in [[Windows|Windows Vista]] as a replacement for the [[Windows Event Log (EVT)]] format.

== Event Viewer ==

On Windows the event logs can be managed with "Event Viewer" (eventvwr.msc) or the "Windows Events Command Line Utility" (wevtutil.exe). Event Viewer can present EVTX files in a "general view" (or formatted view) and a "details view" (which has both a "friendly view" and an "XML view"). Note that the formatted view can hide significant event data that is stored in the event record; such data is only visible in the details view.

If you export an event log from Event Viewer, additional "display information" can be exported as well. This display information is stored in a corresponding file named:

<pre>
LocaleMetaData\%FILENAME%_%LCID%.MTA
</pre>

Where LCID is the "locale identifier" [http://msdn.microsoft.com/en-us/goglobal/bb964664.aspx].

== See Also ==

* [[Windows Event Log (EVT)]]
* [[Windows]]

== External Links ==

=== File Format ===

* [http://msdn.microsoft.com/en-us/library/cc231282(v=prot.10).aspx EventLog Remoting Protocol Version 6.0 Specification], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/cc231354.aspx Simple BinXml Example], by [[Microsoft]]
* [http://computer.forensikblog.de/mt/mt-search.cgi?IncludeBlogs=3&tag=Evtx&limit=20 int for(ensic){blog;} - results tagged Evtx], by [[Andreas Schuster]]
* [http://www.dfrws.org/2007/proceedings/p65-schuster_pres.pdf Introducing the Microsoft Vista Event Log File Format], by [[Andreas Schuster]] in 2007
* [http://computer.forensikblog.de/en/2010/10/linking-event-messages-and-resource-dlls.html Linking Event Messages and Resource DLLs], by [[Andreas Schuster]] in 2010
* [http://code.google.com/p/libevtx/downloads/detail?name=Windows%20XML%20Event%20Log%20%28EVTX%29.pdf Windows XML Event Log (EVTX) format], by the [[libevtx|libevtx project]]

=== Event Identifiers ===

* [http://eventid.net/ EventID.net]

=== Windows Vista/2008 ===

* [http://support.microsoft.com/kb/947226 Description of security events in Windows Vista and in Windows Server 2008]

=== Windows 7 ===

* [http://msdn.microsoft.com/en-us/magazine/ee412263.aspx Core OS Events in Windows 7, Part 1]
* [http://msdn.microsoft.com/en-us/magazine/ee358703.aspx Core Instrumentation Events in Windows 7, Part 2]

== Tools ==

* [http://computer.forensikblog.de/files/evtx/Parse-Evtx-current.zip Evtx Parser]
* [[libevtx]]
* [[log2timeline]]
* [http://technet.microsoft.com/en-us/library/cc749339.aspx wevtutil]
* [http://www.microsoft.com/en-us/download/details.aspx?id=24659 LogParser]
* [http://www.williballenthin.com/evtx/ python-evtx]

[[Category:File Formats]]

= Google Chrome =

Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.

== Configuration ==

The Google Chrome configuration can be found in the '''Preferences''' file.

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
</pre>

Or for '''Chromium'''

On Linux
<pre>
/home/$USER/.config/chromium/Default/Preferences
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
</pre>

=== Plugins ===

Information about plugins can be found in the "plugins" section of the Preferences file.

=== DNS Prefetching ===

DNS is prefetched for related sites, e.g. the links on the current page.
This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default.

If enabled, the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": true,
</pre>

If disabled, the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": false,
</pre>

== Start-up DNS queries ==

When Chrome starts it queries several non-existent hostnames that consist of 10 random characters, e.g.
<pre>
ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com
</pre>

This is used to determine whether your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en].
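As an added example (not code from the wiki page), a small Python detector that groups probe-shaped lookups per client in a resolver log, so an analyst can attribute a burst of three random 10-letter names to a Chrome start-up rather than to malware, and can see whether the probes were answered, which is what the hijacking check looks for. The log format, the 10-second grouping window and the sample lines are constructed for this example and are not from any real resolver.

```python
import re
from collections import defaultdict
from datetime import datetime

# A Chrome start-up probe name: one label of 10 random lowercase letters under the search domain.
PROBE_LABEL = re.compile(r"^[a-z]{10}$")

# Constructed resolver log (not real data): "<ISO time> <client> <query name> <response code>".
SAMPLE_LOG = """\
2013-04-22T11:28:30 10.0.0.5 ttrgoiknff.mydomain.com NXDOMAIN
2013-04-22T11:28:30 10.0.0.5 bxjhgftsyu.mydomain.com NXDOMAIN
2013-04-22T11:28:31 10.0.0.5 yokjbjiagd.mydomain.com NXDOMAIN
2013-04-22T11:28:35 10.0.0.5 www.example.com NOERROR
2013-04-22T11:40:02 10.0.0.9 qwertyuiop.mydomain.com NOERROR
2013-04-22T11:40:02 10.0.0.9 asdfghjklz.mydomain.com NOERROR
2013-04-22T11:40:03 10.0.0.9 zxcvbnmqwe.mydomain.com NOERROR
2013-04-22T12:00:00 10.0.0.7 abcdefghij.mydomain.com NXDOMAIN
"""

def parse_log(text):
    """Yield (timestamp, client, qname, rcode) from the constructed log format."""
    for line in text.splitlines():
        when, client, qname, rcode = line.split()
        yield datetime.strptime(when, "%Y-%m-%dT%H:%M:%S"), client, qname.lower(), rcode

def _burst(client, entries):
    # Probes answered with NOERROR mean the resolver returned addresses for names that
    # cannot exist, which is exactly the NXDOMAIN hijacking the probe is meant to reveal.
    return {"client": client, "start": entries[0][0].isoformat(),
            "names": [qname for _, qname, _ in entries],
            "hijacked": all(rcode == "NOERROR" for _, _, rcode in entries)}

def find_startup_probes(text, window_seconds=10, min_probes=3):
    """Return one record per client for each burst of >= min_probes probe-shaped lookups."""
    per_client = defaultdict(list)
    for when, client, qname, rcode in parse_log(text):
        label, _, suffix = qname.partition(".")
        if suffix and PROBE_LABEL.match(label):  # ignore ordinary names like www.example.com
            per_client[client].append((when, qname, rcode))
    bursts = []
    for client, entries in sorted(per_client.items()):
        entries = sorted(entries, key=lambda entry: entry[0])  # stable: log order kept within a second
        groups = [[entries[0]]]
        for entry in entries[1:]:
            if (entry[0] - groups[-1][0][0]).total_seconds() <= window_seconds:
                groups[-1].append(entry)
            else:
                groups.append([entry])
        bursts += [_burst(client, group) for group in groups if len(group) >= min_probes]
    return bursts
```

A single probe-shaped name (10.0.0.7 above) is below the threshold and is not reported, so the output only carries the three-name bursts that match Chrome's start-up behaviour.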
== Disk Cache ==

The Google Chrome disk cache can be found in:

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Application Cache/Cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Caches/Google/Chrome/Default/Cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Cache\
</pre>

The Chrome cache directory contains files with the following names:
* index
* data_#; where # is a decimal digit.
* f_######; where each # is a hexadecimal digit.

For more information see the Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].

== History ==

Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].

The '''History''' file can be found in the same location as the '''Preferences''' file.

There is also an '''Archived History''' file that holds information predating that in the '''History''' file.
Note that the '''Archived History''' only contains visits.

=== Timestamps ===

The '''History''' file uses different timestamp formats.

==== visits.visit_time ====

The '''visits.visit_time''' value is (the number of) microseconds since January 1, 1601 UTC.

Some Python code to do the conversion into a human readable format:
<pre>
import datetime

# timestamp: the raw visits.visit_time value, microseconds since January 1, 1601 UTC
date_time = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=timestamp)
</pre>

Note that this timestamp is not the same as a Windows filetime, which is (the number of) 100-nanosecond intervals since January 1, 1601 UTC.

==== downloads.start_time ====

The '''downloads.start_time''' value is (the number of) seconds since January 1, 1970 UTC.

Some Python code to do the conversion into a human readable format:
<pre>
import datetime

# timestamp: the raw downloads.start_time value, seconds since January 1, 1970 UTC
date_time = datetime.datetime(1970, 1, 1) + datetime.timedelta(seconds=timestamp)
</pre>

=== Example queries ===

Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime(((visits.visit_time/1000000)-11644473600), 'unixepoch'), urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url;
</pre>

Note that the visit_time conversion loses precision: the integer division by 1000000 discards the sub-second part.

To get an overview of the downloaded files:
<pre>
SELECT datetime(downloads.start_time, 'unixepoch'), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes FROM downloads;
</pre>

How the information about downloaded files is stored in the database varies per version of Chrome; as of version 26 the query becomes:
<pre>
SELECT datetime(((downloads.start_time/1000000)-11644473600), 'unixepoch'), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
</pre>
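As an added example (not code from the wiki page), the visit_time conversion above carried through against a constructed in-memory SQLite stand-in for the History file that has only the urls and visits columns the query uses: the wiki's SQL query is run as given, and a Python-side conversion shows the microseconds that the integer division in SQL discards. The sample row and its timestamp are constructed.

```python
import datetime
import sqlite3

# Chrome's visit_time epoch: 1601-01-01 UTC, which is 11644473600 seconds before the Unix epoch.
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1)

def webkit_to_datetime(timestamp):
    """visits.visit_time (microseconds since 1601-01-01 UTC) to a naive UTC datetime, microseconds kept."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=timestamp)

def datetime_to_webkit(moment):
    """Inverse conversion, useful for bounding a query to a time window of interest."""
    delta = moment - WEBKIT_EPOCH
    return (delta.days * 86400 + delta.seconds) * 1000000 + delta.microseconds

def build_sample_history():
    """Constructed in-memory stand-in for a History file (only the columns the wiki query uses)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    db.execute("INSERT INTO urls VALUES (1, 'http://example.com/', 'Example Domain')")
    # Constructed visit at 2013-04-22 11:28:30.654321 UTC, stored the way Chrome stores it.
    visit_time = datetime_to_webkit(datetime.datetime(2013, 4, 22, 11, 28, 30, 654321))
    db.execute("INSERT INTO visits VALUES (1, 1, ?)", (visit_time,))
    return db

def visits_via_sql(db):
    """The wiki's query: the integer division truncates the timestamp to whole seconds."""
    sql = ("SELECT datetime(((visits.visit_time/1000000)-11644473600), 'unixepoch'), urls.url, urls.title "
           "FROM urls, visits WHERE urls.id = visits.url")
    return db.execute(sql).fetchall()

def visits_via_python(db):
    """Same join, but the raw visit_time is converted in Python so the microseconds survive."""
    rows = db.execute("SELECT visits.visit_time, urls.url, urls.title FROM urls, visits WHERE urls.id = visits.url")
    return [(webkit_to_datetime(ts).isoformat(sep=" "), url, title) for ts, url, title in rows]

if __name__ == "__main__":
    history = build_sample_history()
    print(visits_via_sql(history))     # [('2013-04-22 11:28:30', 'http://example.com/', 'Example Domain')]
    print(visits_via_python(history))  # [('2013-04-22 11:28:30.654321', 'http://example.com/', 'Example Domain')]
```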
== See Also ==

* [[SQLite database format]]

== External Links ==

* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article on the random 10 character hostnames queried on startup]
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics], by [[Kristinn Guðjónsson]]
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], by [[John Lehr]], February 24, 2013

[[Category:Applications]]
[[Category:Web Browsers]]

Revision as of 11:28, 22 April 2013
