Blog >> Google Chrome

Investigating Google Chrome Web Browser

27/09/2021 Monday

Chrome is an open-source web browser developed by Google. Chrome Web browser is known for its fast performance, security, and privacy. The web browser is available for desktop (Windows, macOS, Linux, OpenBSD, FreeBSD and Fuchsia) and mobile devices (Android and iOS).

Digital Forensics Value of Google Chrome Artifacts

Web browsers’ data can be critical to a digital investigation since they serve as a user's window and access point to the web and the rest of the world. Web browsers have become part of our daily lives, thus, they can reveal a significant amount of information about a user’s internet activities, synced devices, and accounts. As it stores data of every website visited, every search conducted, every image viewed, and so much more.

Location of Google Chrome Artifacts

Chrome web browser creates individual folders (profiles) for each user at the following location: C:\Users\%username%\AppData\Local\Google\Chrome\User Data\%profilename%.default

Structure of Google Chrome Artifacts

The majority of Chrome web browser artifacts are maintained within SQLite database files, each contains multiple tables with information regarding the users’ actions on the software. Such as Chrome autofill, history, and logins; however, some of the artifacts are stored within JSON files such as Chrome bookmarks.

Analyzing Google Chrome Artifacts with ArtiFast Windows

This section will discuss how to use Artifast Windows to extract Chrome browser artifacts from Windows machines and what kind of digital forensic insights can be gained from the artifacts.

After you have created your case and added evidence for the investigation at the Artifact Parser Selection Phase, you can select Chrome web browser artifacts:

ArtiFast can analyze Chrome autofill, bookmarks, cache, cookies, current session, current tabs, downloads, favicons, history, last session, last tabs, logins, search terms, shortcuts, top sites, and visits. For demonstration purposes, all artifacts have been chosen but you have the option to parse artifacts individually as well.

Once ArtiFast parser plugins complete processing artifacts for analysis, they can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Chrome artifacts in ArtiFast software.

Chrome Autofill Artifact

The artifact contains all of the values that the user has saved to fill in fields at a later date and time. The details you can view include:

• Creation Date/Time - The Date/Time when the autofill was created.
• Last Used Date/Time - The Date/Time when the autofill was used.
• Field Name - The name of the field to fill in.
• Field Value - The value typed by the user.
• Count - Indicates the number of times the input was used.

Chrome Bookmarks Artifact

Chrome bookmarks are the shortcuts to the favorite and bookmarked webpages. The details you can view include:

• Added Date/Time - Date/Time when the bookmark was added.
• Modified Date/Time - Date/Time when the bookmark was modified.
• URL - URL of the bookmarked webpage.
• Bookmark ID - Bookmark ID.
• Type - Type of the bookmark.
• Bookmark Title - Title of the bookmark.
• Description - Bookmark description.
• Thumbnail - Bookmark thumbnail.
• Last Desktop Visit Date/Time - Last desktop visit date Date/Time.

Chrome Cache Artifact

This artifact contains the cached entries in the Chrome web browser. Chrome cache information includes:

• Creation Date/Time - The Date/Time when the cached entry was created.
• Cache Entry Last Used Date/Time - The Date/Time when the cached entry was last used.
• Cache Entry Last Modified Date/Time - The Date/Time when the cached entry was last modified.
• Reuse Count - The number of times the use used the cache file.
• State - The state of the cache file.
• Key - The cache entry key.
• Content Size - The size of the cache file.
• Content Type - The type of cache file.
• File Name - Represents the cache file name.
• Payload - Indicates the cache storage location.
• Is Dirty - Indicates whether is dirty or not.
• Refetch Count - Indicates the number of times the cached entry was refetched.
• Long Key Data - Cache long key data.
• HTTP content - HTTP header contents.

Chrome Cookies Artifact

The artifact contains information about all of the cookies saved to the browser such as:

• Creation Date/Time - The Date/Time when the cookie was created.
• Expiration Date/Time - The Date/Time when the extension cookie will expire if it was set to expire.
• Last Access Date/Time - The Date/Time when the cookie was last accessed.
• Host - The host domain of the cookie.
• Name - The name of the cookie.
• Value - The value of the cookie.
• Path - The path to the cookie.
• Is Secure - Indicates whether the connection is secure or not.
• Is HTTP Only - Indicates whether the browser supports HTTP Only or not.

Chrome Current Session Artifact

This artifact stores the browser's current available active session information from Chrome web browser. The details you can view include:

• Date/Time Visited - The Date/Time when the webpage is visited.
• Tab URL - The URL of the webpage.
• Tab Title - The title of the webpage.
• Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
• Original Request URL - Indicates whether a redirect took a place.
• Tab ID - Webpage tab ID.
• Tab Index - Webpage tab index.
• Transition Type - Describes the cause of the navigation to the desired URL.
• Transition Qualifier - Describes how the browser navigated to the desired URL.
• Has Post Data - Indicates whether the webpage has POST data.

Chrome Current Tabs Artifact

This artifact stores the multiple open tabs in the current available active session information from Chrome web browser. The details you can view include:

• Date/Time Visited - The Date/Time when the webpage is visited.
• Tab URL - The URL of the webpage.
• Tab Title - The title of the webpage.
• Transition Type - Describes the cause of the navigation to the desired URL.
• Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
• Original Requested URL - Indicates whether a redirect took a place.
• Tab Id - The webpage tab id.
• Tab Index - The webpage tab index.
• Transition Qualifier - Describes how the browser navigated to the desired URL.
• Has Post Data - Indicates whether the webpage has POST data.

Chrome Downloads Artifact

The artifact contains information about the downloaded files from Chrome web browser. The details you can view include:

• Download Start Date/Time - Date/Time when the item started downloading.
• Download Ended Date/Time - Date/Time when the download ended.
• File Name - The name of the downloaded file.
• Path - The absolute path on the device to the downloaded file.
• Received Bytes - The bytes that were downloaded.
• Total Bytes - The file size of the download.
• State - It indicates the state of the downloaded item (Download Complete, Download in Progress/Paused, Download Failed and Download Interrupted/Cancelled).
• Download Source - The URL of the file that was downloaded.
• URL Chain - The File download URL chain.

Chrome Favicons Artifact

The artifact stores all the small icons associated with a particular webpage that the user has favorited. The details you can view include:

• Last Update Date/Time - The icon last update Date/Time.
• Page URL - The page URL.
• Icon URL - The Icon file URL.

Chrome History Artifact

The artifact contains the history data, which makes up most of the browsing information about a user. The details you can view include:

• Last Visit Date/Time - The Date/Time when the webpage was last visited.
• URL - The URL of the visited webpage.
• Title - The title of the visited webpage.
• Visit Count - The number of times that the user has visited the webpage.
• Typed Count - The number of times that the user has manually typed the web webpage URL.
• Is Hidden - Indicates whether the webpage is hidden.

Chrome Last Session Artifact

This artifact stores the browser’s previous session information from Chrome web browser. The details you can view include:

• Date/Time Visited - The Date/Time when the webpage was last visited.
• Tab URL - The URL of the webpage.
• Tab Title - The title of the webpage.
• Transition Type - Describes the cause of the navigation to the desired URL.
• Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
• Original Requested URL - Indicates whether a redirect took a place.
• Tab ID - The webpage tab ID.
• Tab Index - The webpage tab index.
• Transition Qualifier - Describes how the browser navigated to the desired URL.
• Has Post Data - Indicates whether the webpage has POST data.

Chrome Last Tabs Artifact

This artifact stores the multiple open tabs in the browser's last session from Chrome web browser. The details you can view include:

• Date/Time Visited - The Date/Time when the webpage was last visited.
• Tab URL - The URL of the webpage.
• Tab Title - The title of the webpage.
• Transition Type - Describes the cause of the navigation to the desired URL.
• Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
• Original Requested URL - Indicates whether a redirect took a place.
• Tab Id - The webpage tab Id.
• Tab Index - The webpage tab index.
• Transition Qualifier - Describes how the browser navigated to the desired URL.
• Has Post Data - Indicates whether the webpage has POST data.

Chrome Logins Artifact

This artifact stores a user’s login information. The details you can view include:

• Creation Date/Time - The Date/Time when the data was stored.
• Action URL - Login URL of the website.
• Username Element - Username HTML element.
• Username - The username value.
• Black Listed - Indicates that the password is not saved for this item.
• Origin URL - Base URL of the webpage.
• Password Element - Name of the password field in the webpage.
• Password - Password entered.
• Signon Realm URL - Sign on realm URL.
• Times Used - Number of times the desired credentials were used.

Chrome Search Terms Artifact

This artifact stores the user entered search terms. The details you can view include:

• Last Visit Date/Time - Date/Time when the webpage was last visited.
• Search URL - URL that was invoked because of the search.
• Term - keyword that was searched.
• Page Title - Title of the invoked webpage.
• Visit Count - The number of times that the user accessed the URL.

Chrome Shortcuts Artifact

This artifact contains the shortcuts from Chrome web browser. The details you can view include:

• Last Access Date/Time - Last access time of the shortcut.
• URL - URL of the shortcut.
• Search Term - Search term as interpreted by the browser.
• Original Search Query - Original search query entered by the user.
• Web Page Title - Title of the webpage.
• Transition - Describes the cause of the navigation to the desired URL.
• Hits - Hits of the shortcut.
• Type - Type of shortcut.

Chrome Top Sites Artifact

This artifact stores information about a user’s most frequently visited webpages. The details you can view include:

• Last Update Date/Time - The top sites last update date and time.
• URL - URL to the webpage.
• Title - Title of the webpage.
• URL Rank - Indicates the order of the most visited webpage.
• At Top - At top.
• Redirects - Displays the redirection URL which contains the frequently used file path and parameters.

Chrome Visits Artifact

This artifact contains more information about each time a URL is visited. The details you can view include:

• Visit Date/Time - Date/Time when the webpage was visited.
• Visit URL - Visit URL.
• Visit Title - Visit title.
• Visit Duration - Visit duration in milliseconds.
• Transition - Describes the cause of the navigation to the desired URL.
• Source URL - Source URL.
• Source Title - Source title.
• Segment Name - Segment name.