Browser Analysis - Chrome

History

  • Database found in /Users/$user/Library/Application Support/Google/Chrome/Default/History
    • Contains SQLite tables with information such as downloads, metadata, URLs, etc.
  • Similar to the Safari database -> different table names and fields
    • Each row in the visits table carries a visit_time and a url column that holds the id of the matching row in the urls table; the two must be joined to build a timeline
    • Example sqlite3 query to resolve the url field of visits to the plain-text URL in the urls table (the arithmetic converts Chrome's microseconds-since-1601 timestamps to Unix time)
      • SELECT datetime((v.visit_time/1000000)-11644473600, 'unixepoch'), u.url FROM visits v INNER JOIN urls u ON u.id = v.url
  • While Chrome is running it holds the database locked; copy it (together with any History-journal file next to it) somewhere else, or quit Chrome, before opening it with sqlite3

Downloads

  • Located in the downloads table of the same History database
  • Details of what was downloaded include
    • If the file was opened by Chrome after being downloaded
      • 1 means the file was opened, 0 means not opened by clicking on the file after a completed download
        • Not updated if opened via Finder
    • danger_type -> integer from Chromium's DownloadDangerType enum; 0 means Chrome did not flag the file, anything else means it was flagged as dangerous or uncommon at download time
    • Total bytes
    • Timestamps
      • Stored in Chrome/WebKit time (microseconds since 1601-01-01 UTC), not Unix epoch; convert with the same /1000000 and -11644473600 arithmetic used for the history query
    • Referrer
      • May be empty depending on the download
        • Can also use the downloads_url_chains table (keyed by the download id, ordered by chain_index) to see the full redirect chain from the URL that was clicked to the final source of the bytes
  • Example sqlite3 query to grab timestamp, URL, file location, danger type, and opened value from the downloads table
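The two queries above (the history join and the downloads lookup) run end to end, as an added example that is not part of the original notes. It builds a constructed, cut-down History database in memory with the same table and column names Chrome uses, runs the page's history query, then pulls timestamp, URL, file location, danger_type, opened flag and redirect chain from the downloads table. The DANGER_TYPES mapping is taken from Chromium's download_danger_type.h and is deliberately partial; the sample rows, paths and URLs are constructed; open_history_copy shows the copy-before-opening step for a live profile and is not exercised on the sample data.

```python
import os
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores timestamps as microseconds since 1601-01-01 00:00:00 UTC (WebKit time).
# 11644473600 is the number of seconds between that epoch and the Unix epoch, which is
# why the sqlite3 queries divide by 1,000,000 and subtract it.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Values from Chromium's download_danger_type.h; only the lowest ones are listed, so check
# the enum for the Chrome version under examination before relying on other numbers.
DANGER_TYPES = {
    0: "NOT_DANGEROUS",
    1: "DANGEROUS_FILE",          # file type Chrome treats as dangerous (executables, disk images)
    2: "DANGEROUS_URL", 3: "DANGEROUS_CONTENT",
    4: "MAYBE_DANGEROUS_CONTENT", 5: "UNCOMMON_CONTENT",
    6: "USER_VALIDATED",          # flagged, but the user chose to keep it
    7: "DANGEROUS_HOST",
}

# Constructed subset of the real History schema: only the columns used below.
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
    total_bytes INTEGER, danger_type INTEGER, opened INTEGER, referrer TEXT, tab_url TEXT);
CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT,
    PRIMARY KEY (id, chain_index));
"""

# Constructed sample rows; timestamps chosen so the conversion is easy to verify by hand.
T_VISIT = 13348540800000000               # 2024-01-01 00:00:00 UTC
T_DOWNLOAD = T_VISIT + 3600 * 1_000_000   # one hour later
SAMPLE_ROWS = [
    ("INSERT INTO urls VALUES (?, ?, ?)", (1, "https://example.com/", "Example Domain")),
    ("INSERT INTO urls VALUES (?, ?, ?)", (2, "https://files.example.net/tool.dmg", "tool.dmg")),
    ("INSERT INTO visits VALUES (?, ?, ?)", (1, 1, T_VISIT)),
    ("INSERT INTO visits VALUES (?, ?, ?)", (2, 2, T_DOWNLOAD)),
    ("INSERT INTO downloads VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
     (1, "/Users/alice/Downloads/tool.dmg", T_DOWNLOAD, 1048576, 1, 1,
      "https://example.com/", "https://files.example.net/tool.dmg")),
    # Redirect chain: the URL that was clicked, then where the bytes actually came from.
    ("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", (1, 0, "https://files.example.net/tool.dmg")),
    ("INSERT INTO downloads_url_chains VALUES (?, ?, ?)", (1, 1, "https://cdn.example.net/v2/tool.dmg")),
]

# The page's history query: visits.url is the foreign key into urls.id.
HISTORY_QUERY = """
SELECT datetime((v.visit_time / 1000000) - 11644473600, 'unixepoch') AS visited_utc, u.url, u.title
FROM visits v INNER JOIN urls u ON u.id = v.url
ORDER BY v.visit_time
"""

# Timestamp, URL, file location, danger type and opened flag from the downloads table.
DOWNLOADS_QUERY = """
SELECT d.id, datetime((d.start_time / 1000000) - 11644473600, 'unixepoch') AS started_utc,
       d.tab_url, d.target_path, d.total_bytes, d.danger_type, d.opened, d.referrer
FROM downloads d ORDER BY d.start_time
"""
CHAIN_QUERY = "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index"


def chrome_time_to_utc(micros):
    """Convert a Chrome/WebKit microsecond timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=micros)


def load_sample_history():
    """In-memory SQLite connection populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for sql, params in SAMPLE_ROWS:
        conn.execute(sql, params)
    conn.commit()
    return conn


def open_history_copy(history_path):
    """Copy History (plus History-journal, if present) to a temp dir and open the copy
    read-only, since Chrome keeps the live database locked while it is running."""
    tmp = tempfile.mkdtemp(prefix="chrome-history-")
    for suffix in ("", "-journal"):
        if os.path.exists(history_path + suffix):
            shutil.copy2(history_path + suffix, os.path.join(tmp, "History" + suffix))
    return sqlite3.connect(f"file:{os.path.join(tmp, 'History')}?mode=ro", uri=True)


def history_timeline(conn):
    """(visited_utc, url, title) tuples in visit order."""
    return list(conn.execute(HISTORY_QUERY))


def downloads_report(conn):
    """One dict per download with danger_type decoded and the redirect chain attached."""
    report = []
    for dl_id, started, tab_url, path, size, danger, opened, referrer in conn.execute(DOWNLOADS_QUERY):
        report.append({
            "started_utc": started, "url": tab_url, "target_path": path, "total_bytes": size,
            "danger": DANGER_TYPES.get(danger, f"UNKNOWN({danger})"),
            "opened": bool(opened),        # 1 only if opened from Chrome's own download UI
            "referrer": referrer or None,  # often empty; the chain still shows the source
            "url_chain": [url for (url,) in conn.execute(CHAIN_QUERY, (dl_id,))],
        })
    return report
```

Against a real profile, replace load_sample_history() with open_history_copy("/Users/$user/Library/Application Support/Google/Chrome/Default/History") and feed the returned connection to history_timeline and downloads_report; the copy step is what avoids the lock Chrome holds on the live file. A download whose referrer is empty is still attributable through url_chain, and a non-zero danger value paired with opened = True is the combination worth triaging first.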

Other Chrome Files of Interest

  • /Users/$user/Library/Application Support/Google/Chrome/Default/Preferences
    • JSON file with information on plugins, extensions, sites allowed to use geolocation, popups, notifications, DNS prefetching, certificate exceptions, etc.
    • Great place to check if a setting is enabled or not
  • /Users/$user/Library/Application Support/Google/Chrome/Extensions
    • One directory per installed extension, named by its 32-character ID, holding a version subdirectory with the extension's manifest.json and code
    • Extension IDs are not random: Chromium derives them from a SHA-256 hash of the extension's public key (the hex digits remapped onto the letters a-p), so a Web Store extension has the same ID on every machine and can be looked up in the Web Store by ID; only unpacked/developer-loaded extensions get an ID derived from their install path instead
  • /Users/$user/Library/Application Support/Google/Chrome/Default/Cookies
    • Cookie values are encrypted (the encrypted_value column) with a key Chrome keeps in the macOS Keychain as "Chrome Safe Storage"
    • The host, name, path and timestamp columns are not encrypted
      • If the user cleared history but not cookies, the host_key values still show which sites were visited and when
  • /Users/$user/Library/Application Support/Google/Chrome/Default/Last Session
  • /Users/$user/Library/Application Support/Google/Chrome/Default/Last Tabs
    • Files record the tabs and navigation entries that were open when Chrome was last closed (SNSS format, not SQLite)
    • The strings command pulls the URLs and page titles out of them
    • Newer Chrome versions write this data as Session_<timestamp> and Tabs_<timestamp> files under Default/Sessions instead
  • /Users/$user/Library/Application Support/Google/Chrome/Default/Bookmarks
    • JSON file listing every bookmark with its URL, name and date_added timestamp (Chrome/WebKit microsecond format, stored as a string), nested under roots such as bookmark_bar and other
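The Bookmarks and Extensions artifacts above are JSON rather than SQLite, so they need a different parser. The following is an added example, not code from the original notes: it flattens a constructed Bookmarks file into a list of (folder, name, url, added_utc) rows with the date_added values converted from Chrome/WebKit time, and it derives an extension ID from the key field of a constructed manifest.json the way Chromium's crx_file id_util does (SHA-256 of the DER public key, first 16 bytes, hex mapped to a-p), so an extension directory name can be checked against the key inside it. The bookmark tree, manifest contents and key bytes are all constructed; the helper names are this example's own.

```python
import base64
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Chrome/WebKit timestamps are microseconds since 1601-01-01 UTC; Bookmarks stores them as strings.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(micros):
    """Convert a Chrome/WebKit microsecond timestamp (int or decimal string) to UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(micros))


# Constructed Bookmarks file in the shape Chrome writes: a "roots" dict of folders whose
# "children" are either nested folders or url entries.
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {"type": "folder", "name": "Bookmarks Bar", "children": [
            {"type": "folder", "name": "Work", "children": [
                {"type": "url", "name": "Example", "url": "https://example.com/",
                 "date_added": "13348540800000000"}]}]},
        "other": {"type": "folder", "name": "Other Bookmarks", "children": [
            {"type": "url", "name": "Tool", "url": "https://files.example.net/tool.dmg",
             "date_added": "13348544400000000"}]},
        "synced": {"type": "folder", "name": "Mobile Bookmarks", "children": []},
    },
    "version": 1,
})


def walk_bookmarks(text):
    """Flatten a Bookmarks JSON document into (folder_path, name, url, added_utc) tuples."""
    out = []

    def visit(node, path):
        if node.get("type") == "url":
            out.append((path, node["name"], node["url"],
                        chrome_time_to_utc(node["date_added"]).isoformat()))
        for child in node.get("children", []):
            visit(child, f"{path}/{child['name']}" if child.get("type") == "folder" else path)

    for root_name, root in json.loads(text)["roots"].items():
        visit(root, root_name)
    return out


def extension_id_from_public_key(der_bytes):
    """Chromium's ID scheme: SHA-256 of the DER-encoded public key, first 16 bytes as hex,
    each hex digit remapped 0-9a-f -> a-p. Same key, same ID, on every machine."""
    digest = hashlib.sha256(der_bytes).hexdigest()[:32]
    return "".join(chr(ord("a") + int(c, 16)) for c in digest)


def extension_id_from_manifest_key(key_b64):
    """The manifest's "key" field is the base64 DER public key."""
    return extension_id_from_public_key(base64.b64decode(key_b64))


# Constructed manifest.json as found under Extensions/<id>/<version>/; the key is not a real key.
SAMPLE_MANIFEST = json.dumps({
    "name": "Example Helper", "version": "1.2.3", "manifest_version": 3,
    "permissions": ["tabs", "webRequest"], "host_permissions": ["<all_urls>"],
    "key": base64.b64encode(b"constructed-not-a-real-der-key").decode(),
})


def summarize_manifest(text, directory_id=None):
    """Pull name, version and permissions; when the manifest carries a key, derive the ID
    from it and (if given) check it against the directory the extension was found in."""
    m = json.loads(text)
    summary = {"name": m.get("name"), "version": m.get("version"),
               "permissions": m.get("permissions", []) + m.get("host_permissions", [])}
    if "key" in m:
        summary["derived_id"] = extension_id_from_manifest_key(m["key"])
        summary["id_matches_dir"] = directory_id is None or summary["derived_id"] == directory_id
    return summary
```

A mismatch between derived_id and the directory name is worth a closer look, and the permissions list (host_permissions in particular) tells you what a suspicious extension could reach. The same chrome_time_to_utc conversion applies to other string timestamps in Preferences.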