Difference between pages "Google Chrome" and "Chaosreader"

From ForensicsWiki

= Chaosreader =

{{Infobox_Software |
  name = Chaosreader |
  maintainer = Brendan Gregg |
  os = {{Linux}}, {{Windows}}, {{Solaris}} |
  genre = Network forensics |
  license = {{GPL}} |
  website = [http://chaosreader.sourceforge.net/ chaosreader.sourceforge.net] |
}}

== Overview ==

'''Chaosreader''' is a free (GPL-licensed) tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. It is a type of "any-snarf" program: it fetches telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails and so on from the captured data in network traffic logs. An HTML index file is created that links to all the session details, including real-time replay programs for telnet, rlogin, IRC, X11 and VNC sessions, and reports such as image reports and HTTP GET/POST content reports. Chaosreader can also run in standalone mode, where it invokes tcpdump or snoop (if they are available) to create the log files and then processes them.

== External Links ==

* [http://www.brendangregg.com/chaosreader.html Chaosreader author's website]
* [https://github.com/brendangregg/Chaosreader Git repository]

[[Category:Network Forensics]]

= Google Chrome =

Google Chrome is a [[Web Browser|web browser]] developed by Google Inc.

== Configuration ==

The Google Chrome configuration can be found in the '''Preferences''' file, a JSON text file in the profile directory.

On Linux
<pre>
/home/$USER/.config/google-chrome/Default/Preferences
</pre>

On Mac OS X
<pre>
/Users/$USER/Library/Application Support/Google/Chrome/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Preferences
</pre>

Or for '''Chrome SxS''' (Chrome side-by-side, the Canary channel, which installs next to the regular Chrome)

<pre>
C:\Users\%USERNAME%\AppData\Local\Google\Chrome SxS\User Data\Default\Preferences
</pre>

Or for '''Chromium'''

On Linux
<pre>
/home/$USER/.config/chromium/Default/Preferences
</pre>

On Mac OS X
<pre>
/Users/$USER/Library/Application Support/Chromium/Default/Preferences
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\Default\Preferences
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\Default\Preferences
</pre>

=== Plugins ===

Information about plugins can be found under the "plugins" section of the Preferences file.

=== DNS Prefetching ===

Chrome resolves DNS names ahead of time for sites related to the current page, e.g. the targets of the links on the page. This behavior is controlled by the setting "Predict network actions to improve page load performance", which is enabled by default. Keep this in mind when reading DNS logs: a prefetched name shows up as a query from the host without the user ever having visited that site.

If enabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": true,
</pre>

If disabled the Preferences file contains:
<pre>
  "dns_prefetching": {
      "enabled": false,
</pre>

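As an added example (not code from the original page or from Chrome itself), the following Python reads a Preferences file and reports the two settings discussed above, treating a missing "dns_prefetching" section as the default (enabled). The sample Preferences text is constructed, and the "plugins_list" layout inside the "plugins" section is an assumption that should be checked against the Preferences file of the Chrome version being examined.

```python
import json

# Constructed sample of a Preferences file fragment (not a real capture). The
# "plugins_list" layout is an assumption for illustration; verify it against the
# Preferences file of the Chrome version under examination.
SAMPLE_PREFERENCES = """{
  "dns_prefetching": {
    "enabled": false
  },
  "plugins": {
    "plugins_list": [
      {"name": "Shockwave Flash", "path": "/usr/lib/flashplugin/libflashplayer.so", "enabled": true},
      {"name": "Java", "path": "/usr/lib/jvm/libnpjp2.so", "enabled": false}
    ]
  }
}"""


def load_preferences(text):
    """Parse the JSON text of a Preferences file."""
    return json.loads(text)


def dns_prefetching_enabled(prefs):
    """True if DNS prefetching is on. The setting is on by default, so a missing
    "dns_prefetching" section (or a missing "enabled" key) means enabled."""
    section = prefs.get("dns_prefetching")
    if not isinstance(section, dict):
        return True
    return bool(section.get("enabled", True))


def plugin_summary(prefs):
    """Return (name, path, enabled) for each plugin entry, or [] when absent.
    An entry without an "enabled" key is reported as enabled (assumption)."""
    plugins = prefs.get("plugins", {})
    entries = plugins.get("plugins_list", []) if isinstance(plugins, dict) else []
    return [(e.get("name", ""), e.get("path", ""), bool(e.get("enabled", True)))
            for e in entries if isinstance(e, dict)]


def summarize(text):
    """Forensic summary of the settings this page discusses."""
    prefs = load_preferences(text)
    return {"dns_prefetching": dns_prefetching_enabled(prefs),
            "plugins": plugin_summary(prefs)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_PREFERENCES).items():
        print(key, value)
```

Run it against a real file with `summarize(open(path, encoding="utf-8").read())`, where `path` is one of the Preferences locations listed above.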
== Start-up DNS queries ==

When Chrome starts it queries several non-existent hostnames, each consisting of 10 random characters, e.g.
<pre>
ttrgoiknff.mydomain.com
bxjhgftsyu.mydomain.com
yokjbjiagd.mydomain.com
</pre>

This is used to determine if your ISP is hijacking NXDOMAIN results [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en]. In DNS logs these queries indicate a Chrome start-up, not user activity.

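The start-up probes are easy to spot in DNS logs. The following Python, an added example and not part of the original page, applies a heuristic over a constructed sample of DNS query records: it groups probe-shaped names (one label of 10 lowercase letters, the length given above, under a domain suffix) per client, reports runs of three or more within a two-second window as a Chrome start-up, and flags the run when the answers were not NXDOMAIN, which is the condition Chrome itself is testing for. The record format, window and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample DNS log: (unix_time, client_ip, query_name, rcode). Not a real capture.
SAMPLE_DNS_LOG = [
    (1400000000.00, "10.0.0.5", "ttrgoiknff.mydomain.com", "NXDOMAIN"),
    (1400000000.05, "10.0.0.5", "bxjhgftsyu.mydomain.com", "NXDOMAIN"),
    (1400000000.09, "10.0.0.5", "yokjbjiagd.mydomain.com", "NXDOMAIN"),
    (1400000001.00, "10.0.0.5", "www.google.com", "NOERROR"),
    (1400000030.00, "10.0.0.7", "mail.mydomain.com", "NOERROR"),
    (1400000042.00, "10.0.0.7", "qwzplmvbnt.mydomain.com", "NOERROR"),  # answered: hijacked?
    (1400000042.10, "10.0.0.7", "hjkdfsgrea.mydomain.com", "NOERROR"),
    (1400000042.20, "10.0.0.7", "zxcvbnmlkj.mydomain.com", "NOERROR"),
    (1400000100.00, "10.0.0.9", "abcdefghij.mydomain.com", "NXDOMAIN"),  # lone name, no run
]


def is_probe_name(qname, label_len=10):
    """A probe name is one random-looking label of label_len lowercase letters
    followed by a domain suffix (10 is the label length reported on this page)."""
    labels = qname.lower().rstrip(".").split(".")
    return len(labels) >= 2 and re.fullmatch(r"[a-z]{%d}" % label_len, labels[0]) is not None


def find_startup_probes(records, window=2.0, min_count=3, label_len=10):
    """Return one finding per run of >= min_count probe-like queries from the
    same client within `window` seconds. hijack_suspected is set when any probe
    got an answer other than NXDOMAIN: the names should not exist, so a positive
    answer is exactly what Chrome uses to detect NXDOMAIN hijacking."""
    by_client = defaultdict(list)
    for ts, client, qname, rcode in sorted(records):
        if is_probe_name(qname, label_len):
            by_client[client].append((ts, qname, rcode))
    findings = []
    for client, probes in by_client.items():
        i = 0
        while i < len(probes):
            j = i
            while j + 1 < len(probes) and probes[j + 1][0] - probes[i][0] <= window:
                j += 1
            run = probes[i:j + 1]
            if len(run) >= min_count:
                findings.append({
                    "client": client,
                    "start": run[0][0],
                    "names": [q for _, q, _ in run],
                    "hijack_suspected": any(r != "NXDOMAIN" for _, _, r in run),
                })
            i = j + 1
    return findings


if __name__ == "__main__":
    for finding in find_startup_probes(SAMPLE_DNS_LOG):
        print(finding)
```

The heuristic will also match any other 10-letter label, so treat a single probe-shaped name as noise and only the clustered runs as a start-up indicator.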
== Disk Cache ==

Google Chrome uses multiple caches, from [http://src.chromium.org/viewvc/chrome/trunk/src/net/base/cache_type.h?view=markup]:
<pre>
// The types of caches that can be created.
enum CacheType {
    DISK_CACHE,  // Disk is used as the backing storage.
    MEMORY_CACHE,  // Data is stored only in memory.
    MEDIA_CACHE,  // Optimized to handle media files.
    APP_CACHE,  // Backing store for an AppCache.
    SHADER_CACHE, // Backing store for the GL shader cache.
    PNACL_CACHE, // Backing store the PNaCl translation cache
};
</pre>

<b>Note that $PROFILE (or %PROFILE%) in the paths below is the profile dependent subdirectory, which is normally Default but can also be Profile 1, Profile 2, etc.</b>

The Google Chrome disk cache can be found in:

On Linux, depending on the version, under either ~/.cache or ~/.config.

Disk cache (DISK_CACHE):
<pre>
/home/$USER/.cache/chromium/$PROFILE/Cache/
/home/$USER/.cache/google-chrome/$PROFILE/Cache/
/home/$USER/.config/chromium/$PROFILE/Cache/
/home/$USER/.config/google-chrome/$PROFILE/Cache/
</pre>

Media cache (MEDIA_CACHE):
<pre>
/home/$USER/.cache/chromium/$PROFILE/Media Cache/
/home/$USER/.cache/google-chrome/$PROFILE/Media Cache/
/home/$USER/.config/chromium/$PROFILE/Media Cache/
/home/$USER/.config/google-chrome/$PROFILE/Media Cache/
</pre>

Application cache (APP_CACHE):
<pre>
/home/$USER/.config/chromium/$PROFILE/Application Cache/Cache/
/home/$USER/.config/google-chrome/$PROFILE/Application Cache/Cache/
</pre>

GL shader cache (SHADER_CACHE):
<pre>
/home/$USER/.config/chromium/$PROFILE/GPUCache/
/home/$USER/.config/google-chrome/$PROFILE/GPUCache/
</pre>

PNaCl translation cache (PNACL_CACHE), which is not profile specific:
<pre>
/home/$USER/.cache/chromium/PnaclTranslationCache/
/home/$USER/.cache/google-chrome/PnaclTranslationCache/
</pre>

On Mac OS X

Disk cache (DISK_CACHE):
<pre>
/Users/$USER/Library/Caches/Chromium/$PROFILE/Cache
/Users/$USER/Library/Caches/Google/Chrome/$PROFILE/Cache
</pre>

Media cache (MEDIA_CACHE):
<pre>
/Users/$USER/Library/Caches/Chromium/$PROFILE/Media Cache
/Users/$USER/Library/Caches/Google/Chrome/$PROFILE/Media Cache
</pre>

Application cache (APP_CACHE):
<pre>
/Users/$USER/Library/Application Support/Chromium/$PROFILE/Application Cache/Cache/
/Users/$USER/Library/Application Support/Google/Chrome/$PROFILE/Application Cache/Cache/
</pre>

GL shader cache (SHADER_CACHE):
<pre>
/Users/$USER/Library/Application Support/Chromium/$PROFILE/GPUCache/
/Users/$USER/Library/Application Support/Google/Chrome/$PROFILE/GPUCache/
</pre>

PNaCl translation cache (PNACL_CACHE), which is not profile specific:
<pre>
/Users/$USER/Library/Caches/Chromium/PnaclTranslationCache/
/Users/$USER/Library/Caches/Google/Chrome/PnaclTranslationCache/
</pre>

On Windows XP

<b>TODO confirm the following paths</b>
<pre>
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Chromium\User Data\%PROFILE%\Cache\
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Google\Chrome\User Data\%PROFILE%\Cache\
</pre>

On Windows Vista and later

Disk cache (DISK_CACHE):
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Cache\
</pre>

Application cache (APP_CACHE):
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Application Cache\Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Application Cache\Cache\
</pre>

Media cache (MEDIA_CACHE):
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\Media Cache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\Media Cache\
</pre>

GL shader cache (SHADER_CACHE):
<pre>
C:\Users\%USERNAME%\AppData\Local\Chromium\User Data\%PROFILE%\GPUCache\
C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\%PROFILE%\GPUCache\
</pre>

A Chrome cache directory contains files with the following names:
* index; the cache index
* data_#, where # is a decimal digit; the block files, which hold the entry metadata and small entries
* f_######, where # is a hexadecimal digit; separate files for entries too large to be stored in the block files

For more info see the Chrome developers site [http://www.chromium.org/developers/design-documents/network-stack/disk-cache].

== History ==

Chrome stores the history of visited sites in a file named '''History'''. This file uses the [[SQLite database format]].

The '''History''' file can be found in the same location as the '''Preferences''' file.

There is also an '''Archived History''' file that holds older data than the '''History''' file.
Note that the '''Archived History''' only contains visits.

=== Timestamps ===

The '''History''' file uses different timestamp formats.

==== visits.visit_time ====

The '''visits.visit_time''' is (the number of) microseconds since January 1, 1601 UTC.

Some Python code to do the conversion into human readable format:
<pre>
import datetime
# timestamp is the integer value of visits.visit_time
date_string = datetime.datetime( 1601, 1, 1 ) + datetime.timedelta( microseconds=timestamp )
</pre>

Note that this timestamp is not the same as a Windows FILETIME, which is (the number of) 100-nanosecond intervals since January 1, 1601 UTC; a FILETIME divided by 10 gives the Chrome value.

==== downloads.start_time ====

In Chrome versions before 26 the '''downloads.start_time''' is (the number of) seconds since January 1, 1970 UTC.

Some Python code to do the conversion into human readable format:
<pre>
import datetime
# timestamp is the integer value of downloads.start_time (Chrome before version 26)
date_string = datetime.datetime( 1970, 1, 1 ) + datetime.timedelta( seconds=timestamp )
</pre>

=== Example queries ===

Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime((visits.visit_time / 1000000) - 11644473600, 'unixepoch'), urls.url, urls.title
FROM urls, visits WHERE urls.id = visits.url;
</pre>

Note that the visit_time conversion loses precision: the integer division by 1000000 discards the sub-second part.

To get an overview of the downloaded files (Chrome versions before 26):
<pre>
SELECT datetime(downloads.start_time, 'unixepoch'), downloads.url, downloads.full_path, downloads.received_bytes, downloads.total_bytes
FROM downloads;
</pre>

The way download information is stored changed in Chrome 26: '''downloads.start_time''' is now in microseconds since January 1, 1601 UTC like '''visits.visit_time''', the local path is in '''downloads.target_path''' and the URL chain (the requested URL and any redirects) is in the separate '''downloads_url_chains''' table:
<pre>
SELECT datetime((downloads.start_time / 1000000) - 11644473600, 'unixepoch'), downloads.target_path, downloads_url_chains.url, downloads.received_bytes, downloads.total_bytes
FROM downloads, downloads_url_chains WHERE downloads.id = downloads_url_chains.id;
</pre>

== Cookies ==

Chrome stores the cookies in a file named '''Cookies'''. This file uses the [[SQLite database format]] and can be found in the same location as the '''Preferences''' file.

=== Extension Cookies ===

Chrome stores the cookies used by extensions in a file named '''Extension Cookies'''. This file uses the [[SQLite database format]] with the same '''cookies''' table as the '''Cookies''' file, so the following query works on both. The timestamps are in microseconds since January 1, 1601 UTC, like '''visits.visit_time''':

<pre>
SELECT datetime((cookies.creation_utc / 1000000) - 11644473600, 'unixepoch'), cookies.host_key, cookies.name, cookies.value, cookies.path,
datetime((cookies.expires_utc / 1000000) - 11644473600, 'unixepoch'), cookies.secure, cookies.httponly,
datetime((cookies.last_access_utc / 1000000) - 11644473600, 'unixepoch'),
cookies.has_expires, cookies.persistent, cookies.priority
FROM cookies;
</pre>

Note that newer versions of Chrome store the cookie value encrypted in an '''encrypted_value''' column (protected with OS key storage such as DPAPI on Windows) and leave '''value''' empty, so the query above then shows no plaintext values.

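The queries in the History and Cookies sections above can be driven from Python with the standard sqlite3 module, keeping the full microsecond precision that the SQLite datetime() idiom drops and choosing the downloads query by the schema that is actually present in the file. The following is an added example, not code from the original page or from Chrome; it builds a constructed in-memory stand-in for the History and Cookies databases with only the columns the queries use (the real files have many more), so it runs without a real profile. Point it at a copy of a real History or Cookies file with `sqlite3.connect(path)` instead of `build_sample_db()`.

```python
import datetime
import sqlite3

UTC = datetime.timezone.utc
WEBKIT_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=UTC)
UNIX_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=UTC)


def webkit_to_datetime(timestamp):
    """Chrome/WebKit timestamp: microseconds since 1601-01-01 UTC. Unlike the
    SQLite datetime(x/1000000 - 11644473600, 'unixepoch') idiom, the
    microsecond part is kept."""
    return WEBKIT_EPOCH + datetime.timedelta(microseconds=int(timestamp))


def unix_to_datetime(timestamp):
    """Pre-Chrome-26 downloads.start_time: seconds since 1970-01-01 UTC."""
    return UNIX_EPOCH + datetime.timedelta(seconds=int(timestamp))


def visited_sites(conn):
    rows = conn.execute(
        "SELECT visits.visit_time, urls.url, urls.title FROM urls "
        "JOIN visits ON urls.id = visits.url ORDER BY visits.visit_time")
    return [(webkit_to_datetime(t), url, title) for t, url, title in rows]


def downloaded_files(conn):
    """Pick the query by the schema present: Chrome 26+ moved the URLs into
    downloads_url_chains, replaced full_path with target_path and switched
    start_time from Unix seconds to WebKit microseconds."""
    tables = {name for (name,) in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")}
    if "downloads_url_chains" in tables:
        rows = conn.execute(
            "SELECT d.start_time, d.target_path, c.url, d.received_bytes, d.total_bytes "
            "FROM downloads d JOIN downloads_url_chains c ON d.id = c.id")
        return [(webkit_to_datetime(t), p, u, r, n) for t, p, u, r, n in rows]
    rows = conn.execute(
        "SELECT start_time, full_path, url, received_bytes, total_bytes FROM downloads")
    return [(unix_to_datetime(t), p, u, r, n) for t, p, u, r, n in rows]


def cookie_records(conn):
    """Same timestamp rule for the Cookies and Extension Cookies databases."""
    rows = conn.execute(
        "SELECT creation_utc, host_key, name, value, expires_utc, last_access_utc, "
        "secure, httponly FROM cookies")
    return [(webkit_to_datetime(c), host, name, value, webkit_to_datetime(e),
             webkit_to_datetime(a), bool(s), bool(h))
            for c, host, name, value, e, a, s, h in rows]


def build_sample_db(legacy_downloads=False):
    """Constructed in-memory stand-in for History + Cookies with only the columns
    the queries above use. 13045112000123456 is 2014-05-21 02:13:20.123456 UTC
    (1400638400.123456 in Unix time); the expiry is one day later."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        CREATE TABLE cookies (creation_utc INTEGER, host_key TEXT, name TEXT, value TEXT,
            path TEXT, expires_utc INTEGER, secure INTEGER, httponly INTEGER,
            last_access_utc INTEGER, has_expires INTEGER, persistent INTEGER, priority INTEGER);
        INSERT INTO urls VALUES (1, 'http://example.com/', 'Example Domain');
        INSERT INTO visits VALUES (1, 1, 13045112000123456);
        INSERT INTO cookies VALUES (13045112000123456, '.example.com', 'sid', 'abc123', '/',
            13045198400000000, 1, 1, 13045112000123456, 1, 1, 1);
    """)
    if legacy_downloads:
        conn.executescript("""
            CREATE TABLE downloads (id INTEGER PRIMARY KEY, full_path TEXT, url TEXT,
                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
            INSERT INTO downloads VALUES (1, '/home/user/Downloads/a.zip',
                'http://example.com/a.zip', 1400638400, 1024, 1024);
        """)
    else:
        conn.executescript("""
            CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                start_time INTEGER, received_bytes INTEGER, total_bytes INTEGER);
            CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
            INSERT INTO downloads VALUES (1, '/home/user/Downloads/a.zip', 13045112000123456, 1024, 1024);
            INSERT INTO downloads_url_chains VALUES (1, 0, 'http://example.com/a.zip');
        """)
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for row in visited_sites(db) + downloaded_files(db) + cookie_records(db):
        print(row)
```

Always work on a copy of the database files: Chrome keeps them open and may hold a journal, and a live file can change under the query.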
== See Also ==

* [[SQLite database format]]

== External Links ==

* [http://en.wikipedia.org/wiki/Google_Chrome Wikipedia article on Google Chrome]
* [http://www.chromium.org/user-experience/user-data-directory The Chromium Projects - User Data Directory]
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Chrome Disk Cache]
* [http://www.google.com/support/forum/p/Chrome/thread?tid=3511015c72a7b314&hl=en Chrome support forum article on the random 10 character hostnames queried on startup]
* [http://www.useragentstring.com/pages/Chrome/ Chrome User Agent strings]
* [http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/ Google Chrome Forensics] by [[Kristinn Guðjónsson]], January 21, 2010
* [http://linuxsleuthing.blogspot.ch/2013/02/cashing-in-on-google-chrome-cache.html?m=1 Cashing in on the Google Chrome Cache], [[John Lehr]], February 24, 2013
* [http://www.obsidianforensics.com/blog/history-index-files-removed-from-chrome/ History Index files removed from Chrome v30], by Ryan Benson, October 2, 2013
* [https://hindsight-internet-history.googlecode.com/files/Evolution_of_Chrome_Databases.png Evolution of Chrome Databases], by Ryan Benson, November 12, 2013

== Tools ==

=== Open Source ===

* [https://code.google.com/p/hindsight-internet-history/ hindsight-internet-history]

[[Category:Applications]]
[[Category:Web Browsers]]

Latest revision as of 08:19, 17 June 2014