By malwrr

Awesome Forensic Artifacts - Chrome

Updated: Nov 12



Google Chrome has become ubiquitous among computer users, and so it has become a focus for adversaries and a valuable resource for DFIR practitioners. Knowing what information Chrome logs and embeds in its configuration files can be a critical asset for troubleshooting, forensics, SOC user-profiling use cases and more. For a defender, understanding the web browser state can mean identifying risky users and preventing a potential security incident. On the other hand, an attacker could use the same browser state to craft a spear-phishing campaign, or a lure with an offer that's too good to be true, tailored to the target's psychological profile.

Here are some of the data points, or "use cases", for Chrome that have helped me in the past during routine threat hunting, user risk profiling and, occasionally, post-breach incident response.



1. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\History

It is an SQLite file holding information such as the browsing history (URLs visited), visit counts, keywords searched, last visit time, visit duration, downloads performed and so on. Use a tool like SQLite Viewer to view the contents of this file, and make sure to select the specific table from the database using the dropdown provided. Match the URL id from the urls table against the visits table to resolve each visit to the page it belongs to.

Note that last_visit_time is not in a standard human-readable format. Use something like EpochConverter to convert the WebKit timestamp to your time zone. Other information, such as the dwell time, can also be found here.
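As an added example (not code from the original post), the following Python resolves each visit to its URL through the urls.id / visits.url relationship and converts the WebKit timestamps, which count microseconds since 1 January 1601 UTC rather than the Unix epoch, into readable UTC datetimes. The in-memory database is a constructed sample that mirrors the real column names; to run it against a collected History file, pass sqlite3.connect("<path to a copy of History>") to load_visits instead.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) time: microseconds since 1601-01-01 00:00:00 UTC, not the Unix epoch.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(webkit_us):
    """Convert a Chrome timestamp to an aware UTC datetime; Chrome uses 0 for 'unknown'."""
    if not webkit_us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=webkit_us)


def load_visits(con):
    """Resolve each 'visits' row to its URL: visits.url holds the urls.id it refers to."""
    rows = con.execute(
        "SELECT u.url, u.title, u.visit_count, v.visit_time, v.visit_duration "
        "FROM visits AS v JOIN urls AS u ON v.url = u.id ORDER BY v.visit_time"
    ).fetchall()
    return [{
        "url": url, "title": title, "visit_count": visit_count,
        "visited_at": webkit_to_datetime(visit_time),
        "dwell_seconds": (visit_duration or 0) / 1_000_000,  # stored in microseconds
    } for url, title, visit_count, visit_time, visit_duration in rows]


def build_sample_history():
    """Constructed in-memory stand-in for the History file, using the real column names."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,"
        " typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER DEFAULT 0);"
        "CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,"
        " from_visit INTEGER, transition INTEGER, visit_duration INTEGER);"
    )
    con.executemany(
        "INSERT INTO urls (id, url, title, visit_count, typed_count, last_visit_time)"
        " VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "https://example.com/", "Example Domain", 1, 1, 13348540800000000),
         (2, "https://example.org/login", "Sign in", 1, 0, 13348544400000000)],
    )
    con.executemany(
        "INSERT INTO visits VALUES (?, ?, ?, ?, ?, ?)",
        [(1, 1, 13348540800000000, 0, 0, 90_000_000),  # 2024-01-01 00:00 UTC, 90 s dwell
         (2, 2, 13348544400000000, 1, 0, 0)],          # one hour later, no duration recorded
    )
    con.commit()
    return con
```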



2. C:\Users\<USER>\AppData\Local\Google\Chrome\User Data\Default\Preferences

The Preferences file is a JSON text file that is dynamically read and written by the Chrome browser process threads. You can open it in any text editor, but I prefer tools like codebeautify or jsonParser as they are easier on the eye. I personally save all these tools in HTML format in my repository so I can use them on my VMs without needing an internet connection.

Extensions

Malicious Chrome extensions, or code injected into legitimate extensions, have become popular recently, and you might see suspicious traffic originating from the Chrome browser each time a user opens Chrome for the first time that day. You will need to collect the extension IDs and verify on the Google Chrome Web Store that they are legitimate.


Collecting Extension IDs

You can collect extension IDs by the following methods:

  • Through the Chrome Preferences file of that user's machine (see image above).

This method of extension ID collection is preferred, as the most common resource we (security analysts) have is an EDR (Endpoint Detection and Response) tool rather than remote access or the GUI of the Chrome browser.

  • Browse to the path C:\Users\<USERNAME>\AppData\Local\Google\Chrome\User Data\Default\Extensions\<IDs>; the folder names are the extension IDs.

  • Enter chrome://extensions/ in the browser address bar (if you have physical or remote access to the machine) to display all the extensions in the Google Chrome UI, along with whether each one is enabled or disabled.

This method is useful for first responders such as service desk analysts or desktop services teams performing initial checks. Be aware that some extensions can be hidden and will not be displayed using this method.


Resolving Chrome extension IDs

The easiest way to resolve the IDs collected using the above techniques is to open a Chrome tab with the URL below, replace <paste-ID-here> with an ID, and repeat the process for each ID.

https://chrome.google.com/webstore/category/extensions/<paste-ID-here>

The expected behavior for a benign extension is that the URL takes you to that extension's landing page. You might also come across questionable extensions such as youtube-video-downloader or flash-update, which are categorised as PUAs and could interfere with or disrupt the user's browsing experience with ads and so on. It is up to the analyst to determine which ones to flag and which are benign, based on the organisation's security or usage policies.

If the URL returns a 404 page for a specific ID, research it further. Usually the extension has been taken down by Google due to security or privacy breaches, or it is no longer on the Chrome Web Store because the author pulled it. Either reason is a red flag: the code will no longer be vetted by Google and may contain exploitable vulnerabilities or malicious intent.


Note that some extensions are now built into Chrome and are no longer available in the store. Do your due diligence before flagging a specific extension ID as malicious; the OSINT available on lists of suspicious Chrome extensions is outdated and unreliable. If this is a hunt you expect to run often, maintain your own list of extension IDs and their respective names, and build a script that performs the initial 404 checks and excludes the IDs already on your list.
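As an added example that is not the author's own script, the following Python covers both steps above: collecting extension IDs from the Preferences file and running the initial Web Store 404 check against IDs not already on your list. It assumes the extensions.settings object of Chrome's profile format (on current Windows builds the same object also lives in the sibling Secure Preferences file); the sample Preferences excerpt and the 32-letter ID ending in "mnop" are constructed, the other IDs are taken from the list later in this article, and the store URL uses the /webstore/detail/<id> form that appears in that list.

```python
import json
import re
import urllib.error
import urllib.request

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters from a to p
STORE_DETAIL = "https://chrome.google.com/webstore/detail/{ext_id}"  # detail-page form

# Constructed excerpt of a Preferences file; the extensions.settings layout is
# assumed from Chrome's profile format and real files carry many more keys.
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi": {"state": 1, "from_webstore": True, "manifest": {"name": "Google Docs Offline"}},
    "efaidnbmnnnibpcajpcglclefindmkaj": {"state": 1, "from_webstore": True, "manifest": {"name": "Adobe Acrobat"}},
    "lgjdgmdbfhobkdbcjnpnlmhnplnidkkp": {"state": 1, "from_webstore": True, "manifest": {"name": "Autoskip for Youtube"}},
    "abcdefghijklmnopabcdefghijklmnop": {"state": 0, "from_webstore": False, "manifest": {"name": "Sideloaded sample"}},
}}})  # the last ID is a constructed placeholder, not a real extension


def extension_ids(prefs_text):
    """Collect extension IDs with manifest name, enabled flag and install source."""
    settings = json.loads(prefs_text).get("extensions", {}).get("settings", {})
    found = {}
    for ext_id, entry in settings.items():
        if not EXT_ID.match(ext_id):  # ignore any non-ID keys stored alongside
            continue
        found[ext_id] = {
            "name": entry.get("manifest", {}).get("name", ""),
            "enabled": entry.get("state") == 1,  # Chrome stores 1 = enabled, 0 = disabled
            "from_webstore": bool(entry.get("from_webstore")),
        }
    return found


def http_status(url):
    """HTTP status of the store page; 404 means the extension is no longer listed."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def triage(found, known_benign, fetch=http_status):
    """Skip allowlisted IDs; mark 404s and non-Web-Store installs for manual review."""
    report = []
    for ext_id, info in found.items():
        if ext_id in known_benign:
            continue
        status = fetch(STORE_DETAIL.format(ext_id=ext_id))
        verdict = "REVIEW" if status == 404 or not info["from_webstore"] else "OK"
        report.append((ext_id, info["name"], status, verdict))
    return report
```

The fetch parameter exists so the check can be exercised offline or routed through a proxy; triage(extension_ids(open(path).read()), your_allowlist) runs it for real against a collected Preferences file.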



3. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\favicon

Favicons are used in toolbar apps, browser tabs, the bookmarks dropdown, browser history, the search bar and search bar recommendations. Users rarely clear these cached image files, so the favicon file can be used for reconnaissance: it holds far more entries than any other history or site-visited file. While this is a longer route, the favicons table holds unique entries and can be used to profile users or attribute traffic originating from Chrome user interactions.



4. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Web Data

Web Data holds some of the most sensitive information about the user. An attacker with access to this file holds most of the target's personally identifiable information (PII), such as autofill_addresses, credit_cards and other vital details. Remember Chrome popping up an autofill dialog box for your user name, credit card number, SSN or address? All those details are fetched from this file, and it is in plain text for anyone to read.



5. C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default\Login Data

As the name suggests, this file holds the credentials for all the websites you have allowed Chrome to save. While the password column is encrypted, the values are not hard to decode 😊


While other interesting information can be extracted from Chrome configuration and cache files, I hope this article gives you the idea. Numerous use cases can be built from these artifacts, an EDR-like solution and a SIEM to match targeted flags.


A list of known benign / suspicious extension IDs mapped to their names:

***the list will be updated continuously***

hdokiejnpimakedhajhdlcegeplioahd - LastPass: Free Password Manager
ghbmnnjooekpmoecnnnilnnbdlolhkhi - Google Docs Offline
felcaaldnbdncclmgdcncolpebgiejap - Google Sheets
blpcfgokakmgnkcojhhkbfbldkacnbeo - Youtube
apdfllckaahabafndbhieahigkjlhalf - Google Drive
aohghmighlieiainnegkcijnfilokake - Google Docs
chhjbpecpncaggjpdakmflnfcopglcmi - Rakuten: Get Cash Back For Shopping
nakplnnackehceedgkgkokbgbmfghain - Fakespot Fake Amazon Reviews and eBay Sellers
oocalimimngaihdkbihfgmpkcpnmlaoa - Netflix Party is now Teleparty
efaidnbmnnnibpcajpcglclefindmkaj - Adobe Acrobat: PDF edit, convert, sign tools
nmmhkkegccagdldgiimedpiccmgmieda - Chrome PDF Viewer / Chrome Web Store Payments / Google Chrome Web Store [HIDDEN] // benign
aapocclcgogkmnckokdopfmhonfmgoek - Google Slides
pkedcjkdefgpdelpbcmbmeomcjbeemfm - Chromecast
pjkljhegncpnkpknbcohdijeoejaedia - Gmail
glnpjglilkicbckjpbgcfkogebgllemb - Okta Browser Plugin
ecnphlgnajanjnkcmbpancdjoidceilk - Kami for Google Chrome™
nkbihfbeogaeaoehlefnkodbefgpgknn - MetaMask
kbfnbcaeplbcioakkpcpgfkobkghlhen - Grammarly: Grammar Checker and Writing App / Grammarly for Chrome
hehijbfgiekmjfkfjpbkbammjbdenadd - IE Tab (Display web pages using IE within Chrome)
jlhmfgmfgeifomenelglieieghnjghma - Cisco Webex Extension
aeblfdkhhhdcdjpifhhbdiojplfjncoa - 1Password – Password Manager
gighmmpiobklfepjocnamgkkbiglidom - AdBlock — best ad blocker
fkepacicchenbjecpbpbclokcabebhah - iCloud Bookmarks
bfgjjammlemhdcocpejaompfoojnjjfn - PrinterLogic Extension v1.0.5.10
cfhdojbkjhnklbpkdaibdccddilifddb - Adblock Plus - free ad blocker
lmjegmlicamnimmfhcmpkclmigmmcbeh - Application Launcher For Drive (by Google)
bkdgflcldnnnapblkhphbgpggdiikppg - DuckDuckGo Privacy Essentials
nckgahadagoaajjgafhacjanaoiihapd - Google Hangouts
ndjpnladcallmjemlbaebfadecfhkepb - Office
fbjmgnganbipamiabcghalelihkicnnl - SqueakJS
cencaidajimabeobnfgcapbcidabdnfb - Perfect Maps And Directions
lpcaedmchfhocbbapmcbpinfpgnhiddi - Google Keep Chrome Extension
kgjfgplpablkjnlkjmjdecgdpfankdle - Zoom Scheduler
hgmloofddffdnphfgcellkdfbfbjeloo - Advanced REST client
mhkhmbddkmdggbhaaaodilponhnccicb - TubeBuddy
ahfgeienlihckogmohjhadlkjgocpleb - Web Store
neajdppkdcdipfabeoofebfddakdcjhd - Google Network Speech
nkeimhogjdpnpccoofpliimaahmaaome - Google hangouts
ejjicmeblgpmajnghnpcppodonldlgfn - Google Calendar (old extension)
coobgpohoikkiipiblmjeljniedjpjpf - Google Search
aapbdbdomjkkjkaonfhkkikfgjllcleb - Google Translate

Password Managers

fdjamakpfbbddfjaooikfcpapjohcfmg - Dashlane Password Manager
hdokiejnpimakedhajhdlcegeplioahd - LastPass Password Manager
lpdfbkehegfmedglgemnhbnpmfmioggj - ThinkVantage Password Manager

Other 3rd Party Extensions

efaidnbmnnnibpcajpcglclefindmkaj - Adobe Acrobat
jlhmfgmfgeifomenelglieieghnjghma - Cisco Webex
fceempjejlfaadkgdacpfhheknndlcjl - Cisco Webex App for Chrome
ceopoaldcnmhechacafgagdkklcogkgd - OnlineMapFinder
menkifleemblimdogmoihpfopnplikde - Line - Instant Messaging (https://chrome.google.com/webstore/detail/line/menkifleemblimdogmoihpfopnplikde?hl=en)
njabckikapfpffapmjgojcnbfjonfjfg - Cookies.txt by Genuinous (https://chrome.google.com/webstore/detail/cookiestxt/njabckikapfpffapmjgojcnbfjonfjfg)

Potential Unwanted Extensions

bmnlcjabgnpnenekpadlanbbkooimhnj - Honey - Shopping Extension / Honey: Automatic Coupons & Rewards
gihfmmedoddijgnhkgfgnkeohkpbipol - Yahoo Web
commhkacjheiacaopdonmodahaoadoln - Yahoo Partner
mgkjffcdjblaipglnmhanakilfbniihj - Earbits
jafmombbhklnagadfbfplohhgljimdjg - Convert to PDF now
aaaaigmelgfmkfjicbbgbkcbagedejhj - Ask Networks
aeaeigaepbpgiodmifdpnpdcbelfbmhg - Monster Math Flash Cards
boeajhmfdjldchidhphikilcgdacljfm - Facebook
dnflpnhpbffehddplcdlohealbgbbamk - PDFConverterHQ Toolbar

Unwanted Extensions & Hijackers

ldhkdaoikclkecocioipjifepiiceeai - PUP - Searchpdf.com
oehmgogbegigifcdjcalpcbcjbjfaiee - PUP - Spigot
bddikhbjcannknadmcmeikpeiabhfbgl - PUP - Mindspark SearchFromOnline
bhfhojbhbnajajgihpicejdalbjlpcep - PUP - WebExpEnhanced
dofoafnmdocgkdphpkdooahjkhpmakjd - PUP - Dragonboost?
bonccgihhlgaimmpbjfciihkgkoaplkb - PUP - Mindspark?
cnllofdfhghjaomdikdlhmkoknfhjdga - PUP - Mindspark?
klkbeieajgjehlcnoiflockodlbibaep - PUP - Search Encrypt
heiihkmbceipememjjpggkaenngfkkjp - PUP - Search Encrypt
fkgedicakildehepikeopegehmojomfk - PUP - Free Maps
okkolgldfknecfjnhhglfopimelbaceh - PUP - BrowserAir
kgfgkmglngfjihijajckoidgoglmajan - PUP - MapBeast by SaferBrowser
panlddknfikdcilhdheajcdlcjndnpcp - PUP - ZipFileTab Browser Hijacker
agijeemohccmknhbgdjokbeekmijlbee - PUP - search.hwatchtvnow.co
ahigpjeolkfgjdaeodlmaceggigbpeoh - PUP - FB Unfriend Finder
aaffhmecfaelkngcbnfdkcckmillnoki - PUP - Conduit?
bepbmhgboaologfdajaanbcjmnhjmhfn - PUP - bepbmhgboa
apgmlmclgkeaciocpcinelmgaenpobae - PUP - Searchpluspro
fhkmacopackahlbnpcfijgphgoimpggb - PUP - MapsFrontier

Very Risky Extensions // hijackers

lgjdgmdbfhobkdbcjnpnlmhnplnidkkp - Autoskip for Youtube
chmfnmjfghjpdamlofhlonnnnokkpbao - Soundboost
lklmhefoneonjalpjcnhaidnodopinib - Crystal Ad block
ciifcakemmcbbdpmljdohdmbodagmela - Brisk VPN
meljmedplehjlnnaempfdoecookjenph - Clipboard Helper
lipmdblppejomolopniipdjlpfjcojob - Maxi Refresher
lmcboojgmmaafdmgacncdpjnpnnhpmei - Quick Translation
icnekagcncdgpdnpoecofjinkplbnocm - Easyview Reader view
bahogceckgcanpcoabcdgmoidngedmfo - PDF toolbox
bkpdalonclochcahhipekbnedhklcdnp - Epsilon Ad blocker
magnkhldhhgdlhikeighmhlhonpmlolk - Craft Cursors
edadmcnnkkkgmofibeehgaffppadbnbi - Alfablocker ad blocker
ajneghihjbebmnljfhlpdmjjpifeaokc - Zoom Plus
nadenkhojomjfdcppbhhncbfakfjiabp - Base Image Downloader
pbdpfhmbdldfoioggnphkiocpidecmbp - Clickish fun cursors
hdgdghnfcappcodemanhafioghjhlbpb - Cursor-A custom cursor
fbjfihoienmhbjflbobnmimfijpngkpa - Amazing Dark Mode
kjeffohcijbnlkgoaibmdcfconakaajm - Maximum Color Changer for Youtube
djmpbcihmblfdlkcfncodakgopmpgpgh - Awesome Auto Refresh
obeokabcpoilgegepbhlcleanmpgkhcp - Venus Adblock
mcmdolplhpeopapnlpbjceoofpgmkahc - Adblock Dragon
dppnhoaonckcimpejpjodcdoenfjleme - Readl Reader mode
idgncaddojiejegdmkofblgplkgmeipk - Volume Frenzy
deebfeldnfhemlnidojiiidadkgnglpi - Image download center
gfbgiekofllpkpaoadjhbbfnljbcimoh - Font Customizer
pbebadpeajadcmaoofljnnfgofehnpeo - Easy Undo Closed Tabs
flmihfcdcgigpfcfjpdcniidbfnffdcf - Screence screen recorder
pinnfpbpjancnbidnnhpemakncopaega - OneCleaner
iicpikopjmmincpjkckdngpkmlcchold - Repeat button
bjlcpoknpgaoaollojjdnbdojdclidkh - Leap Video Downloader
okclicinnbnfkgchommiamjnkjcibfid - Tap Image Downloader
pcjmcnhpobkjnhajhhleejfmpeoahclc - Qspeed Video Speed Controller
hinhmojdkodmficpockledafoeodokmc - HyperVolume
gcnceeflimggoamelclcbhcdggcmnglm - Light picture-in-picture


If you enjoyed this content, please do leave a like ❤️ and use the comments field to share your thoughts, any relevant information that can help other readers or your findings!
