Chrome Forensic Artifacts

Google Chrome stores an extraordinarily detailed record of user activity across multiple SQLite databases, LevelDB stores, and JSON files within the user profile directory. From browsing history and download records to cached credentials encrypted with DPAPI, Chrome artifacts provide a comprehensive reconstruction of web-based activity — and several of these artifacts persist even after the user clears their browsing data or uses Incognito mode.

What Are Chrome Forensic Artifacts?

Google Chrome maintains its user data in a structured profile directory containing multiple purpose-specific databases and data stores. Each database serves a distinct function — the History database records URLs visited and files downloaded, the Cookies database stores session tokens and authentication data, the Login Data database retains encrypted credentials, and the Web Data database preserves autofill entries and saved payment information. These are standard SQLite databases that can be opened with any SQLite-compatible tool.

Beyond SQLite, Chrome uses LevelDB stores for its Local Storage and Session Storage APIs (key-value data used by web applications), JSON files for Bookmarks and Preferences, and a proprietary disk_cache format for its HTTP cache. Together, these artifacts create a rich, multi-dimensional record of the user’s interaction with the web: what they browsed, what they searched for, what they downloaded, what credentials they stored, what forms they filled out, and what web applications they used.

Chrome uses a custom timestamp format: microseconds since January 1, 1601 UTC — the same epoch as Windows FILETIME, but expressed in microseconds rather than 100-nanosecond intervals. This means Chrome timestamps are Windows FILETIME values divided by 10. Most forensic parsing tools handle this conversion automatically, but analysts working with raw SQLite queries must account for it.

Location & Format

Profile Directory Paths

If the user has multiple Chrome profiles, additional directories named Profile 1, Profile 2, etc. exist alongside Default. Each profile maintains its own independent set of databases.

Key Databases and Files

Chrome Timestamp Format

What It Reveals

Chrome artifacts answer a broad range of investigative questions spanning browsing behavior, credential exposure, data exfiltration, and social engineering attacks:

• What websites did the user visit and when? — The urls and visits tables in the History database provide a timestamped, visit-by-visit record with URL, page title, visit duration, and transition type (typed, link, redirect, form submission).
• What did the user search for? — The keyword_search_terms table links search queries to specific URL visits, recording the exact search terms entered in Chrome’s omnibox or on search engine sites.
• What files were downloaded, and where were they saved? — The downloads table records the source URL, the full local file path (target_path), file size (received_bytes, total_bytes), download start and end timestamps, and MIME type.
• What credentials are stored in the browser? — The logins table in Login Data contains origin_url, username_value, and password_value (DPAPI-encrypted on Windows). Decryption requires the user’s Windows login context or the DPAPI master key.
• Did the user access a phishing site? — History entries showing visits to credential-harvesting domains (often with URLs mimicking legitimate login portals) provide direct evidence of phishing site access.
• Did the user upload files to cloud storage? — The downloads table also records uploads initiated through browser file dialogs. URLs containing cloud storage domains (drive.google.com, dropbox.com, mega.nz) with upload-related paths indicate data exfiltration via the browser.
• What web applications were used? — Local Storage and Session Storage LevelDB entries reveal web application state, including OAuth tokens, session identifiers, and cached API responses that can reconstruct application usage.
• Which browser extensions are installed? — The Preferences JSON file and the Extensions subdirectory list all installed extensions, including potentially malicious ones used for credential theft or data exfiltration.

Forensic Use Cases

1. Browsing Timeline Reconstruction

An employee is suspected of conducting personal business during working hours. The History database’s visits table provides a complete timestamped browsing timeline with millisecond precision. Each visit record includes the transition type (typed URL, clicked link, form submission, redirect), enabling the investigator to reconstruct not just what was visited but how the user navigated there — distinguishing between deliberate access (typed) and passive navigation (redirect).

2. Credential Theft Investigation

After a business email compromise, investigators need to determine how the attacker obtained credentials. The Chrome History database shows the victim visited a phishing page at login.m1crosoft-verify.com/auth that visually mimicked the legitimate Microsoft login portal. The visits table shows a transition type of “link” (the user clicked a link in an email), and the keyword_search_terms table shows no related searches, confirming the user was directed to the page rather than finding it independently.

3. Cloud Storage Upload Detection

In data exfiltration investigations, Chrome History may show repeated visits to mega.nz, drive.google.com/upload, or send.firefox.com. The downloads table may show the user downloaded the MEGA desktop client or rclone. Local Storage LevelDB entries for mega.nz may contain cached file metadata and transfer state, proving that specific files were uploaded even after the History is cleared.

4. Session Hijacking and Cookie Theft

After an AiTM (Adversary-in-the-Middle) phishing attack, the attacker intercepts session cookies. The Chrome Cookies database preserves the last_access_utc timestamp for each cookie, allowing the investigator to determine when the session token was last used from the victim’s machine versus when it was replayed from the attacker’s infrastructure. A gap between the victim’s last legitimate cookie access and subsequent usage from a different IP (visible in server logs) confirms session hijacking.

5. Drive-by Download Investigation

The downloads table records every file Chrome downloaded, including those initiated automatically by malicious JavaScript. The tab_url field identifies which page triggered the download, the tab_referrer_url shows how the user reached that page, and the danger_type field indicates whether Chrome flagged the download as suspicious. This reconstructs the full kill chain from initial browsing to malware delivery.

Acquisition Methods

Live System — Direct Copy (Chrome Closed)

:: Ensure Chrome is closed, then copy the profile directory
robocopy "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default" ^
         C:\Evidence\Chrome_Profile ^
         History Cookies "Login Data" "Web Data" Bookmarks Favicons "Top Sites" Preferences ^
         /S

:: Also collect WAL/journal files
robocopy "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default" ^
         C:\Evidence\Chrome_Profile ^
         History-journal Cookies-journal "Login Data-journal"

:: Collect Cache directory
robocopy "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data" ^
         C:\Evidence\Chrome_Profile\Cache /E

Live System — KAPE Collection

:: Using KAPE to collect all Chrome artifacts
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target Chrome

:: Using Velociraptor (remote collection)
:: Artifact: Windows.KapeFiles.Targets with target "Chrome"
:: Or: Generic.Forensic.SQLiteHunter for targeted database collection

Forensic Image — Direct Extraction

# Mount the forensic image (read-only)
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy Chrome profile for each user
cp -r "/mnt/evidence/Users/jdoe/AppData/Local/Google/Chrome/User Data/Default/" /analysis/chrome/

# Check for additional profiles
ls -la "/mnt/evidence/Users/jdoe/AppData/Local/Google/Chrome/User Data/" | grep "Profile"

Parsing Tools & Analysis

Parsing with Hindsight

# Install Hindsight
pip install pyhindsight

# Parse the Chrome profile directory
hindsight.py -i /analysis/chrome/Default/ \
              -o /analysis/chrome/hindsight_output \
              -f xlsx

# Output: Excel workbook with sheets for:
#   URLs, Downloads, Cookies, Autofill, Logins,
#   Bookmarks, Cache Records, Local Storage, Preferences

Direct SQLite Queries

-- Top visited URLs with visit count and timestamps
SELECT u.url, u.title, u.visit_count,
       datetime(u.last_visit_time/1000000-11644473600, 'unixepoch') AS last_visit,
       datetime(v.visit_time/1000000-11644473600, 'unixepoch') AS visit_time,
       v.transition
FROM urls u JOIN visits v ON u.id = v.url
ORDER BY v.visit_time DESC LIMIT 50;

-- Downloads with source URL and local file path
SELECT target_path, tab_url, total_bytes,
       datetime(start_time/1000000-11644473600, 'unixepoch') AS download_start,
       datetime(end_time/1000000-11644473600, 'unixepoch') AS download_end,
       mime_type, danger_type
FROM downloads
ORDER BY start_time DESC;

-- Search queries with timestamps
SELECT k.term, u.url,
       datetime(u.last_visit_time/1000000-11644473600, 'unixepoch') AS search_time
FROM keyword_search_terms k JOIN urls u ON k.url_id = u.id
ORDER BY u.last_visit_time DESC;

Analysis Script — Download Activity Summary

# Summarize download activity from Chrome History database

import sqlite3
import pandas as pd
from datetime import datetime, timedelta

conn = sqlite3.connect('/analysis/chrome/Default/History')

query = """
    SELECT target_path, tab_url, total_bytes,
           start_time, end_time, mime_type, danger_type
    FROM downloads
    WHERE total_bytes > 0
    ORDER BY start_time DESC
"""

df = pd.read_sql_query(query, conn)

# Convert Chrome timestamps to datetime
epoch = datetime(1601, 1, 1)
df['start_dt'] = df['start_time'].apply(
    lambda x: epoch + timedelta(microseconds=x) if x > 0 else None
)

# Flag suspicious downloads (executables, archives, scripts)
suspicious_types = ['.exe', '.msi', '.zip', '.7z', '.rar', '.ps1', '.bat', '.vbs']
df['suspicious'] = df['target_path'].str.lower().apply(
    lambda x: any(x.endswith(ext) for ext in suspicious_types) if isinstance(x, str) else False
)

print(df[df['suspicious']][['target_path', 'tab_url', 'total_bytes', 'start_dt']].to_string())

Retention & Persistence

Anti-Forensics Resilience

Chrome artifacts are more vulnerable to anti-forensics than system-level artifacts like SRUM or the Windows Event Logs. Chrome provides a built-in “Clear browsing data” function, and third-party tools can target the Chrome profile directory directly. However, several artifacts resist cleanup, and the act of clearing itself leaves forensic traces.

MITRE ATT&CK Detection Mapping

Chrome forensic artifacts provide evidentiary support for detecting the following MITRE ATT&CK techniques:

Related Artifacts & Cross-References

Corroborating Artifacts

References

1. Chromium Project, “User Data Directory” — https://chromium.googlesource.com
2. Ryan Benson, “Hindsight — Web Browser Forensics for Google Chrome/Chromium” — https://github.com/obsidianforensics/hindsight
3. NirSoft, “ChromeHistoryView / ChromeCacheView” — https://www.nirsoft.net/
4. SANS Institute, “FOR500 — Windows Forensic Analysis: Browser Artifacts” — https://www.sans.org/
5. 13Cubed, “Chrome Browser Forensics” — https://www.13cubed.com/blog
6. Chromium Source Code, “SQLite Schema Definitions” — https://source.chromium.org/
7. DB Browser for SQLite — https://sqlitebrowser.org/
8. ForensicArtifacts.com, “Chrome Artifact Definitions” — https://github.com/ForensicArtifacts/artifacts