Google Chrome was the Internet browsing application used by approximately 62% of people in 2018 and is available for desktop and mobile operating systems.
The popularity of Google Chrome means that it is frequently encountered by a computer forensic expert within computer examinations.
Whether on a computer or a mobile phone, Google Chrome automatically stores history within Sqlite databases and Internet cache files, including any web pages and images encountered separately either individually or within data cache files.
Google Chrome also stores session data and login information that can all be of interest or a source of evidence to a digital forensic investigator.
The Examination of Google Chrome
Google Chrome History
The Google Chrome history records are stored within the path \Users\user1\AppData\Local\Google\Chrome\User Data.
The Google Chrome records contain several entries including URLs (the website addresses visited, the frequency of visits and the time/date of visit), Visits (contains records for the same website each time a page is visited, however, not the URL itself), visit source (identifies whether the website ‘visit’ was browsed by the computer, synchronised from another source or imported).
Google Chrome Internet Cache Files
Internet browsing applications automatically store content from a website when it is browsed, including images and the web pages themselves. This is to ensure that the same files are not downloaded each time a web page is visited, particularly if it is visited frequently.
Google Chrome automatically stores these files in data and f_ files within the cache directory. The data files contain the images and pages depending upon their size. If the cached file is small then it will be placed, amongst others, within the data files, however, larger files are stored separately within f_ files.
Google Chrome Syncronised Data
Google Chrome can be used across different devices and multiple platforms and, due to this, it can be synchronised between those devices so that any browsing activity can be found on all devices owned by the user.
This synchronised data can be examined to provide an overview of activity, including bookmarks and browsing history conducted by the user on all other devices configured with the same Google account.
Google Chrome Cookies are created when encountered on web pages during Internet browsing. They can be created to remember user login information or to track movement through a website and can contain information for a computer or mobile phone forensic expert.
A cookie is generated by the site visited by Google Chrome, however, that cookie can be from that site itself or a third party cookie stored on the site but from another.
Therefore, the presence of a cookie file does not necessarily indicate that the browser had accessed that particular site. Additional evidence, such as Internet history should be used to support any observations and findings.
Private Browsing Mode
Google Chrome does not store any information to the hard drive if the user utilises the private browsing mode.
Therefore, any Internet browsing conducted using this mode would only be found within other system generated files such as pagefile or hiberfil or from RAM, if it is possible to examine the system in a live environment.
Google Chrome Forensic Artefacts
Google Chrome Top Sites consists of a display of the most frequently visited web pages within the homepage. These can be selected by the user to visit any of those sites.
Google Chrome Login activity including the user name and password of websites, however, these are frequently encrypted and, therefore can only be identified through ‘live’ examination.
Google Chrome Last Session/Tabs – Google Chrome will store the previous sessions and tabs here – so if Google Chrome was closed, the user can reopen the last session and tabs as it was stored.
Google Chrome Favicons are small icons that are generated when a bookmark is made and the URL is saved. These can also be automatically generated within the address bar when a website is visited.
Google Chrome Bookmarks are pages that have been selected to be stored either by the user or by the software itself so that accessed websites can be revisited easily.
Google Chrome Autofill profiles contain information previously input by the user within a webpage. This can include a user name login or form fill information such as name and address during a purchase.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0330 123 4448 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.