Awesome Forensic Artifacts - Chrome
Updated: Oct 20, 2022
Google Chrome has become ubiquitous among computer users, and so it has become both a focus for adversaries and a valuable resource for DFIR folks. Knowing what information Chrome logs, and what is embedded within its configuration files, can prove to be a critical asset for troubleshooting, forensics, SOC user-profiling use cases, etc. For a defender, understanding the web browser state can mean identifying risky users and preventing a potential security incident. On the other hand, an attacker could use the browser state information to craft a spear phishing campaign, or a lure with an offer that's too good to be true, based on the target's psychological profile.
Here are some of the data points or "use cases" for Chrome that have helped me in the past during routine threat hunting, user risk profiling and sometimes during a post-breach Incident Response situation.
1. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\History
It's an SQLite file that holds information such as the browsing history (URLs visited), visit count, keywords searched, last visit time, visit duration, downloads performed, etc. Use a tool like SQLite Viewer to view the contents of this file, and make sure to select the specific table from the database file using the dropdown available. The urls table carries the URL id; match that id against the visits table to resolve which URL each visit belongs to.
Note that last_visit_time is not in a standard human-readable format: it is a WebKit timestamp. Use something similar to EpochConverter to convert it to your time zone. Other information, such as the dwell time (visit duration), can also be found here.
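As an added example (not part of the original article), here is the History join and the WebKit timestamp conversion done in Python against a constructed in-memory database that mimics the subset of Chrome's urls and visits tables the text refers to. The column names follow Chrome's History schema (visits.url is the foreign key to urls.id, times are microseconds since 1601-01-01 UTC, visit_duration is in microseconds); point load_history at a real copy of the History file to run it on live data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps count microseconds since 1601-01-01 00:00:00 UTC,
# not since the Unix epoch, which is why EpochConverter needs the WebKit mode.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_OFFSET_US = 11_644_473_600 * 1_000_000  # seconds between 1601 and 1970


def webkit_to_datetime(us):
    """Convert a WebKit timestamp to an aware UTC datetime (None if unset)."""
    if not us:          # Chrome writes 0 when the time is unknown
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def webkit_to_unix(us):
    """Same value as Unix seconds, handy for SIEM/EDR time-window matching."""
    return (us - UNIX_OFFSET_US) / 1_000_000


def load_history(conn):
    """Resolve every visit to its URL and convert the raw fields for reading."""
    rows = conn.execute(
        """SELECT urls.url, urls.title, urls.visit_count,
                  visits.visit_time, visits.visit_duration
           FROM visits JOIN urls ON visits.url = urls.id
           ORDER BY visits.visit_time"""
    ).fetchall()
    return [{"url": u, "title": t, "visit_count": c,
             "visit_time": webkit_to_datetime(vt).isoformat(),
             "dwell_seconds": vd / 1_000_000}   # 0 means Chrome did not record it
            for u, t, c, vt, vd in rows]


def build_sample_history():
    """Constructed sample (not real user data) with Chrome's column names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER,
                            visit_time INTEGER, visit_duration INTEGER);""")
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/", "Example", 2, 13310001200000000),
        (2, "https://intranet.example/login", "Login", 1, 13310000600000000)])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, 13310000000000000, 45_000_000),   # 45 s dwell time
        (2, 2, 13310000600000000, 0),            # duration not recorded
        (3, 1, 13310001200000000, 5_000_000)])
    return conn


if __name__ == "__main__":
    for row in load_history(build_sample_history()):
        print(row)
```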
2. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Preferences
The Preferences file is a text (JSON) file that is dynamically accessed and written by the Chrome browser process threads. You can open the file using any text editor, but I prefer tools like codebeautify or jsonParser as they are easier on the eyes. I personally save all these tools in HTML format and keep them in my repository so I can use them on my VMs without needing an internet connection.
Malicious Chrome extensions, and code injections into legitimate extensions, have become popular recently, and you might see suspicious traffic originating from the Chrome browser every time a user opens Chrome for the first time each day. You'll need to collect the extension IDs and verify whether they are legitimate on the Google Chrome Web Store.
Collecting Extension IDs
You can collect extension IDs by the following methods:
Through the Chrome Preferences file of that user's machine (see image above).
This method of extension ID collection is preferred, as the most common resource we (security analysts) have is an EDR (Endpoint Detection and Response) tool rather than remote access to, or the GUI of, the Chrome browser.
Browse to the path C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<IDs>; the folder names are the extension IDs.
Enter chrome://extensions/ in the browser address bar (if you have physical or remote access to the machine) to display all the extensions in the Google Chrome UI, along with whether each is enabled or disabled.
This method is useful for first responders like a service desk analyst or Desktop Services teams performing initial checks. Be aware that some extensions can be hidden and will not be displayed using this method.
Resolving Chrome extension IDs
The easiest way to resolve the IDs collected using the above techniques is to have a Chrome tab open with the below URL, replace <paste-ID-here> with an ID, and repeat the same process for each ID.
The expected behaviour for a benign extension is that the URL takes you to the landing page of that extension. You might also come across questionable extensions like youtube-video-downloader or flash-update, which are categorised as PUAs and could interfere with or disrupt the user's browsing experience with ads, etc. It's up to the analyst to determine which ones to flag and which ones are benign based on the organisation's security or usage policies.
If the URL returns a 404 page for a specific ID, do further research into it. Usually, the extension has been taken down by Google due to security or privacy breaches, or it is no longer on the Chrome Web Store because the author pulled it. Either reason is a red flag, as the code will no longer be vetted by Google and can have exploitable vulnerabilities and/or malicious intent.
Note that some extensions are now built into Chrome and are no longer available in the store. I recommend doing your due diligence before flagging a specific extension ID as malicious, as the OSINT available on lists of suspicious Chrome extensions is outdated and unreliable. Maintain your own list of extension IDs and their respective extension names, and build a script to perform the initial 404 checks and exclude IDs already on your list if this is a hunt you suspect you will be doing a lot.
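The script the paragraph above recommends, as an added example that is not part of the original article: it pulls extension IDs and names out of a Preferences file, skips IDs already on your own allowlist, and checks the Web Store for a 404. Assumptions: the entries live under extensions.settings keyed by ID with the name in manifest.name and state 1 meaning enabled (a constructed sample fragment is embedded), and the store detail page is https://chromewebstore.google.com/detail/<id>; the HTTP lookup is injectable so the triage logic can be run offline.

```python
import json
import re
import urllib.error
import urllib.request

EXT_ID = re.compile(r"^[a-p]{32}$")  # Web Store IDs: 32 chars drawn from a-p
WEBSTORE = "https://chromewebstore.google.com/detail/{}"  # assumed detail URL


def extensions_from_preferences(text):
    """Return {id: {name, enabled, from_webstore}} from a Preferences JSON string."""
    settings = json.loads(text).get("extensions", {}).get("settings", {})
    found = {}
    for ext_id, entry in settings.items():
        if not EXT_ID.match(ext_id):
            continue  # not a store-style ID; leave it for manual review
        found[ext_id] = {
            "name": entry.get("manifest", {}).get("name", "<no manifest name>"),
            "enabled": entry.get("state") == 1,          # assumed: 1 = enabled
            "from_webstore": bool(entry.get("from_webstore")),
        }
    return found


def webstore_status(ext_id, opener=urllib.request.urlopen):
    """HTTP status of the store page; 404 means pulled, removed or never listed."""
    try:
        with opener(WEBSTORE.format(ext_id), timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def triage(prefs_text, known_good, status=webstore_status):
    """Flag IDs missing from your own allowlist whose store page returns 404."""
    report = []
    for ext_id, info in extensions_from_preferences(prefs_text).items():
        if ext_id in known_good:
            continue  # already named in your maintained ID/name list
        code = status(ext_id)
        report.append({"id": ext_id, "name": info["name"], "enabled": info["enabled"],
                       "store_status": code, "flag": code == 404})
    return report


# Constructed sample fragment; a real Preferences file is far larger.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "abcdefghijklmnopabcdefghijklmnop": {"manifest": {"name": "Corp SSO Helper"},
                                         "state": 1, "from_webstore": True},
    "ponmlkjihgfedcbaponmlkjihgfedcba": {"manifest": {"name": "flash-update"},
                                         "state": 1, "from_webstore": False},
    "not-a-store-id": {"manifest": {"name": "unpacked dev build"}, "state": 0},
}}})
```

Run triage(SAMPLE_PREFS, {"abcdefghijklmnopabcdefghijklmnop"}) with network access to see the live result; replace SAMPLE_PREFS with the contents of a collected Preferences file for a real hunt.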
3. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\favicon
Favicons are used in toolbar apps, browser tabs, the bookmarks dropdown, browser history, the search bar, and search bar recommendations. While it is rare for users to clear these cached image files, the favicon file can be used for recon, as its entries far outnumber those in any other history or sites-visited file. While this is a long route, the favicons table holds unique entries and can be used to profile users or attribute traffic originating from Chrome user interactions.
4. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Web Data
Web Data holds some of the most sensitive information about the user. An attacker with access to this file would hold most of the personally identifiable information (PII) of the target, such as autofill_addresses, credit_cards and other vital details. Remember Chrome popping up an autofill dialog box for your user name, credit card number, SSN or addresses? Well, all those details are fetched from this file, and they are in plain text for anyone to read.
5. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data
As the name suggests, this file holds all the credentials for websites that you have allowed Chrome to save. While the password column is encrypted, they are not hard to decode 😊
While there is other interesting information that can be extracted from Chrome configs and cached files, I hope this article gives you the idea. There are numerous use cases that can be built from these artifacts, an EDR-like solution and a SIEM to match targeted flags.
If you enjoyed this content, please do leave a like ❤️ and use the comments field to share your thoughts, any relevant information that can help other readers or your findings!