Google Chrome Forensics


pajkow
Senior Member
 

Google Chrome Forensics

Post Posted: Jan 03, 17 18:18

Hi,
First of all, Happy New Year Everyone!

I am doing some detailed research regarding Google Chrome and I wonder whether anyone has done any research regarding reconstructing history in terms of how the websites were accessed, to reconstruct any detailed action of the user, e.g. a website was typed, suggested by Google, opened from a link from a bookmark or simply was a pop-up.

Most of us should know how the history is stored so I am not going to bother with that, but in the SQL database it seems that the instances of how the websites were accessed are described in the visits table, in the transitions column. As far as I tested it, they are stored as decimal values, then they are converted into hex; next, by using some sort of masking, only the last byte I think is responsible for describing/flagging the transition type:

Dec 838860805, Hex = 32000005 is responsible for searched URL
Dec 805306368, Hex = 30000000 is responsible for link
Dec 838860801, Hex = 32000001 is responsible for typed website address.

So far I have not discovered where or whether at all Google records whether the website was opened in a new pane or page.

My questions are:

Has anyone done any research regarding this?

Two main articles I have found so far are:

kb.digital-detective.n...ransitions
developer.chrome.com/e...ns/history

I've based my findings on tests and those two articles, but having more info would be very useful.

There is no detailed documentation, tests etc… Anyone?
 
  

mcman
Senior Member
 

Re: Google Chrome Forensics

Post Posted: Jan 03, 17 20:44

Hey pajkow,

Another good place for this type of information is the "visit_source" table and the "source" column which will list how data might have been sync'ed from other devices or browsers. I believe the Chromium source lists the following 6 values for that column:
SOURCE_SYNCED = 0, // Synchronized from somewhere else.
SOURCE_BROWSED = 1, // User browsed.
SOURCE_EXTENSION = 2, // Added by an extension.
SOURCE_FIREFOX_IMPORTED = 3, //Firefox Import
SOURCE_IE_IMPORTED = 4, //IE Import
SOURCE_SAFARI_IMPORTED = 5 //Safari Import

cs.chromium.org/chromi...ry_types.h

I don't have anything around listing whether something was opened in a new window vs. tab, etc. beyond the simple transitions that you list above and in the sources you list. I'll use the redirects to help identify potential stuff that the user wasn't explicitly trying to access but that can vary since you can still be re-directed to the site you were trying to get to.

Hope that helps.

Jamie  
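The transition masking pajkow describes and the visit_source values mcman lists, combined in one added example (not code from either poster or from Chromium). The core-type and qualifier names follow Chromium's public page-transition definitions rather than anything on this page; the database is a constructed, simplified stand-in (a real `visits.url` is a numeric reference into `urls`), and the negative sample assumes a viewer that shows the 32-bit value as signed.

```python
import sqlite3

CORE_MASK = 0xFF  # low byte = core transition type, upper bits = qualifiers
CORE_TYPES = ["LINK", "TYPED", "AUTO_BOOKMARK", "AUTO_SUBFRAME",
              "MANUAL_SUBFRAME", "GENERATED", "AUTO_TOPLEVEL", "FORM_SUBMIT",
              "RELOAD", "KEYWORD", "KEYWORD_GENERATED"]
QUALIFIERS = {0x00800000: "BLOCKED", 0x01000000: "FORWARD_BACK",
              0x02000000: "FROM_ADDRESS_BAR", 0x04000000: "HOME_PAGE",
              0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
              0x80000000: "SERVER_REDIRECT"}
SOURCES = {0: "SOURCE_SYNCED", 1: "SOURCE_BROWSED", 2: "SOURCE_EXTENSION",
           3: "SOURCE_FIREFOX_IMPORTED", 4: "SOURCE_IE_IMPORTED",
           5: "SOURCE_SAFARI_IMPORTED"}  # values as listed in the post above

def decode_transition(value):
    """Split a visits.transition value into (core type, [qualifiers])."""
    v = value & 0xFFFFFFFF  # normalise values displayed as signed 32-bit
    core = v & CORE_MASK
    name = CORE_TYPES[core] if core < len(CORE_TYPES) else f"UNKNOWN_{core}"
    return name, [q for bit, q in QUALIFIERS.items() if v & bit]

def build_sample_db():
    """Constructed sample rows; the first three values are those in the thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url TEXT, transition INTEGER);
        CREATE TABLE visit_source (id INTEGER PRIMARY KEY, source INTEGER);
        INSERT INTO visits VALUES (1, 'https://example.test/search', 838860805),
                                  (2, 'https://example.test/linked', 805306368),
                                  (3, 'https://example.test/typed', 838860801),
                                  (4, 'https://example.test/redir', -1610612736);
        INSERT INTO visit_source VALUES (2, 0);
    """)
    return db

def report(db):
    """Join each visit to its visit_source row (if any) and decode both."""
    rows = db.execute("""SELECT v.id, v.url, v.transition, s.source
                         FROM visits v LEFT JOIN visit_source s ON s.id = v.id
                         ORDER BY v.id""")
    out = []
    for vid, url, transition, source in rows:
        core, quals = decode_transition(transition)
        src = ("no visit_source row" if source is None
               else SOURCES.get(source, f"UNKNOWN_{source}"))
        out.append((vid, url, core, quals, src))
    return out

if __name__ == "__main__":
    for row in report(build_sample_db()):
        print(row)
```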
 
  

pajkow
Senior Member
 

Re: Google Chrome Forensics

Post Posted: Jan 03, 17 21:45

mcman

Thanks for this. Those tests were performed on “clean” machines so there should not be any other sources, however thank you for your suggestion. Artefacts and sources such as from on-line profile(s) will be tested later on.
 
  

randomaccess
Senior Member
 

Re: Google Chrome Forensics

Post Posted: Jan 26, 17 08:11

- pajkow

So far I have not discovered where or whether at all Google records whether the website was opened in a new pane or page.


I've done a bit of research into this, but not extensively.

Regarding Google searches, yes you can tell when they've been opened in a new window/tab.
Generally you'll see something like this: google.com/url?....url=$url

This is fairly untested, but I noticed in the cache when I opened a new tab it would create the thumbnails for the most commonly accessed website that you can see sometimes.  
 
  

demir
Newbie
 

Re: Google Chrome Forensics

Post Posted: Apr 17, 18 05:15

- mcman
Hey pajkow,

Another good place for this type of information is the "visit_source" table and the "source" column which will list how data might have been sync'ed from other devices or browsers. I believe the Chromium source lists the following 6 values for that column:
SOURCE_SYNCED = 0, // Synchronized from somewhere else.
SOURCE_BROWSED = 1, // User browsed.
SOURCE_EXTENSION = 2, // Added by an extension.
SOURCE_FIREFOX_IMPORTED = 3, //Firefox Import
SOURCE_IE_IMPORTED = 4, //IE Import
SOURCE_SAFARI_IMPORTED = 5 //Safari Import

cs.chromium.org/chromi...ry_types.h

I don't have anything around listing whether something was opened in a new window vs. tab, etc. beyond the simple transitions that you list above and in the sources you list. I'll use the redirects to help identify potential stuff that the user wasn't explicitly trying to access but that can vary since you can still be re-directed to the site you were trying to get to.

Hope that helps.

Jamie



My question is about Chrome Sync Data,

On Chrome Sync Data, I saw sessions belonging to Facebook usernames. When I had a look at the source, the source was the device "AppData\Local\Google\Chrome\User Data\Default\Sync Data\SyncData.sqlite3" path.

So can I say that these Facebook sessions were logged in on that PC?

Best Regards.  
 
