August 31, 2014

Volatility Plugin – Chrome History

Categories: Forensics, Volatility


As part of the 2014 Volatility Plugin Contest, I created six plugins for locating Chrome browser history related artifacts:

chromehistory - urls table (History)
chromevisits - visits table (History)
chromesearchterms - keyword_search_terms table (History)
chromedownloads - downloads table (History)
chromedownloadchains - downloads_url_chains table (History)
chromecookies - cookies table (Cookies)

They are all in the chromehistory.py module in my volatility-plugins repo on GitHub. They also depend on the sqlite_help.py module in the same location, which provides helper functions for decoding data in SQLite databases. Firefox and Chrome both store history and browsing data in SQLite databases. Every SQLite record starts with a header listing a serial type for each column, which fixes the kind and size of each field that follows, so for a table with a known column layout certain values can be expected at certain positions. That is the pattern the plugins search memory for, which lets them locate records of a given table without needing an intact database file.
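As an added illustration of that record-matching idea (example code written for this page, not the sqlite_help.py or chromehistory.py code from the repo), the Python below decodes SQLite varints and record headers and then scans a buffer for table B-tree leaf cells whose serial-type header fits the column layout of Chrome's urls table. The cell and record layout and the serial-type table come from the SQLite file format; the urls column list is Chrome's; the two rows are copied from the chromehistory output further down, with their timestamps re-encoded as WebKit microseconds, and the buffer they are embedded in is constructed. The matching predicate is my own simplification, not the signature the plugin uses.

```python
import struct

def read_varint(buf, pos):  # big-endian, 7 bits per byte, high bit = continue, 9th byte is full
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    return (value << 8) | buf[pos + 8], pos + 9
def write_varint(n):  # values below 2**56 are enough for the samples here
    out, n = [n & 0x7F], n >> 7
    while n:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(reversed(out))

# Record serial types: 0 NULL; 1-6 big-endian ints of 1,2,3,4,6,8 bytes; 7 float; 8 and 9 the
# constants 0 and 1; even >= 12 BLOB of (t-12)/2 bytes; odd >= 13 TEXT of (t-13)/2 bytes.
def serial_size(t):
    if t in (0, 8, 9): return 0
    if t <= 4: return t
    if t == 5: return 6
    if t in (6, 7): return 8
    if t >= 12: return (t - 12) // 2
    raise ValueError("reserved serial type %d" % t)
def decode_value(t, data):
    if t == 0: return None
    if t <= 6: return int.from_bytes(data, "big", signed=True)
    if t == 7: return struct.unpack(">d", data)[0]
    if t in (8, 9): return t - 8
    return data if t % 2 == 0 else data.decode("utf-8")

def parse_record(buf, pos):  # -> (serial types, values, end offset)
    hdr_len, p = read_varint(buf, pos)
    end, types = pos + hdr_len, []
    while p < end:
        t, p = read_varint(buf, p)
        types.append(t)
    values = []
    for t in types:
        n = serial_size(t)
        if p + n > len(buf): raise ValueError("record runs past end of buffer")
        values.append(decode_value(t, buf[p:p + n]))
        p += n
    return types, values, p

INT_TYPES = {1: 1, 2: 2, 3: 3, 4: 4, 6: 5, 8: 6}     # byte width -> serial type
def encode_record(values):  # inverse of parse_record, used only to build the sample
    types, body = [], b""
    for v in values:
        if v is None:
            types.append(0)
        elif isinstance(v, int) and v in (0, 1):
            types.append(8 + v)
        elif isinstance(v, int):
            n = next(n for n in INT_TYPES if -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)))
            types.append(INT_TYPES[n])
            body += v.to_bytes(n, "big", signed=True)
        else:
            enc = v.encode("utf-8")
            types.append(13 + 2 * len(enc))
            body += enc
    hdr = b"".join(write_varint(t) for t in types)
    return write_varint(len(hdr) + 1) + hdr + body    # the header length counts itself

def encode_cell(rowid, values):  # table b-tree leaf cell: payload length, rowid, record
    rec = encode_record(values)
    return write_varint(len(rec)) + write_varint(rowid) + rec

# urls(id, url, title, visit_count, typed_count, last_visit_time, hidden, favicon_id): id is an
# INTEGER PRIMARY KEY, stored as NULL in the record (its value is the cell rowid), and
# last_visit_time is a 64-bit WebKit timestamp, so serial type 6 is always in position 5.
def looks_like_urls_record(types):
    text = lambda t: t >= 13 and t % 2 == 1
    small_int = lambda t: 1 <= t <= 6 or t in (8, 9)
    return (len(types) == 8 and types[0] == 0 and text(types[1]) and text(types[2])
            and small_int(types[3]) and small_int(types[4]) and types[5] == 6
            and small_int(types[6]) and small_int(types[7]))

def carve_urls_cells(buf):  # try every offset as a cell start, keep the ones that fit
    hits = []
    for pos in range(len(buf)):
        try:
            payload_len, p = read_varint(buf, pos)
            rowid, p = read_varint(buf, p)
            types, values, end = parse_record(buf, p)
        except (IndexError, ValueError, struct.error):
            continue
        if end - p == payload_len and looks_like_urls_record(types):
            hits.append((pos, rowid, values))
    return hits

# Constructed buffer: two urls rows copied from the sample output, wrapped in filler bytes.
ROWS = [(11, [None, "http://www.ubuntu.com/download/desktop",
              "Download Ubuntu Desktop | Download | Ubuntu", 1, 0, 13053902161778058, 0, 0]),
        (7, [None, "http://www.cnn.com/",
             "CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News",
             1, 1, 13053902133514058, 0, 0])]
FILLER = b"\xde\xad\xbe\xef" * 3
SAMPLE_BUFFER = FILLER + FILLER.join(encode_cell(r, v) for r, v in ROWS) + FILLER
```

A hit requires the cell's payload-length varint to agree exactly with the parsed record, which is what keeps the filler bytes from matching. A carver working on a real memory image has to be looser than this, since cell headers are often overwritten while the record body survives, and pays for that with false positives that need filtering on the decoded fields (an impossible timestamp, a URL that is not text).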

A sample memory image is available at voltest.zip, and the corresponding History and Cookies files from the same machine are at chrome_history and chrome_cookies, respectively, for comparison with the plugin output. I have tested the plugins on Chrome 30 and Chrome 37. The schemas differ slightly between those versions; the plugins handle both, and presumably the versions in between.

The core Volatility iehistory plugin recovers Internet Explorer history; this module adds the same capability for Chrome. It can print in the default table format, as CSV, or as a bodyfile, which is useful for combining with other plugins to build a timeline. According to W3Schools, Firefox and Chrome accounted for about 85% of browser share as of July 2014, so this plugin and my other contest plugin help round out Volatility's browser coverage.

Usage and output for the plugins is below.

chromehistory

The chromehistory plugin extracts records from the Chrome urls table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below, with all 15 records that are in the chrome_history database linked above, showing that the plugin located them all. The output contains, among other fields, the URL, the page title, the number of visits, and the last visit time. The URL may be truncated in the table output, but the full URL is shown in CSV format. The last visit time is the timestamp used in the bodyfile output.

The plugin also supports a -N option (NULLTIME), which omits any record with a "null timestamp". There are none in the output below, but the plugin sometimes finds partial records where some data has been overwritten or is incomplete. These often carry an invalid timestamp, which displays as 1601-01-01, the start of the epoch Chrome uses (it stores times as microseconds since 1601-01-01 UTC, so a zero value decodes to that date). If these entries get in the way, -N drops them from the output.

The urls table records only the most recent visit to each URL, together with a count of visits. To see every individual visit, use the chromevisits plugin below.

$ vol.py --plugins=plugins/ -f voltest.dmp chromehistory
Volatility Foundation Volatility Framework 2.4
Index  URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
    15 https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity                                                                                       1     0 2014-08-31 13:09:30.069591      0          0
     8 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
    13 http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
    14 http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
    12 http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64 Contribute to Ubuntu | Ubuntu | Ubuntu                                                1     0 2014-08-30 19:56:04.495058      0          0
    11 http://www.ubuntu.com/download/desktop                                           Download Ubuntu Desktop | Download | Ubuntu                                           1     0 2014-08-30 19:56:01.778058      0          0
     9 https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download                                                                                       1     0 2014-08-30 19:55:46.171058      0          0
     5 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
     7 http://www.cnn.com/                                                              CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News             1     1 2014-08-30 19:55:33.514058      0          0
     6 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
    10 http://www.ubuntu.com/download                                                   Get Ubuntu | Download | Ubuntu                                                        1     0 2014-08-30 19:55:54.285058      0          0
     4 http://www.foxnews.com/                                                          Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos       1     1 2014-08-18 01:55:04.057529      0          0
     1 http://tools.google.com/chrome/intl/en/welcome.html                              Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0
     3 https://www.google.com/                                                          Google                                                                                1     1 2014-08-18 01:54:43.940616      0          0
     2 https://www.google.com/intl/en/chrome/browser/welcome.html                       Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0

chromevisits

The chromevisits plugin extracts records from the Chrome visits table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below, with all 18 records that are in the chrome_history database linked above, showing that the plugin located them all.

The visits table doesn't contain the URLs that were visited; those live in the urls table, so a SQL JOIN is needed to combine the two. By default the plugin calls the chromehistory plugin internally, then searches for visits records and combines the data before printing. If only the data from the visits table is wanted, the -Q (QUICK) option skips that step; it runs much faster but shows only the visits columns.

The visits table contains the URL id, the visit time, the visit that led to this one (From Visit) and the "transition" field. The transition value encodes how the visit came about: the low byte is the core type (LINK, TYPED, GENERATED, FORM_SUBMIT and so on) and the high bits are qualifier flags such as FROM_ADDRESS_BAR, CHAIN_START, CHAIN_END, CLIENT_REDIRECT and SERVER_REDIRECT. The values are defined in Chromium's page_transition_types.h; the plugin prints the decoded names separated by semicolons, as in the output below.

In the full output there are two time columns. Visit Time comes from the visits table and is the time of that particular visit; Last Visit Time comes from the urls table and is therefore the most recent visit to that URL, even on the row for an earlier visit (compare visits 8 and 15 for URL 8 below). The URL field in the full output may be truncated, but the full URL is shown in CSV format. The Visit Time is the timestamp used in the bodyfile output.
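To make the transition encoding and the join concrete, here is an added example (my code, not the plugin's) that loads four visits and their urls rows from the sample output into an in-memory SQLite database, runs the JOIN the plugin performs internally, decodes the transition values with the core-type and qualifier constants from Chromium's page_transition_types.h, and walks From Visit links backwards to rebuild each navigation path. The table definitions are trimmed to the columns used. The transition integers are built from the flag constants, since the sample output shows only the decoded names; the names are Chromium's, so a visit with both chain bits set prints as CHAIN_START;CHAIN_END; where the plugin prints CHAIN_START_END, and type 6 prints as AUTO_TOPLEVEL where the plugin uses its older name START_PAGE.

```python
import sqlite3
from datetime import datetime, timedelta

# Core types (low byte) and qualifier flags (high bits) from Chromium's
# page_transition_types.h; type 6 was called START_PAGE in older trees.
CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
        4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL", 7: "FORM_SUBMIT",
        8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = [(0x01000000, "FORWARD_BACK"), (0x02000000, "FROM_ADDRESS_BAR"),
              (0x04000000, "HOME_PAGE"), (0x08000000, "FROM_API"),
              (0x10000000, "CHAIN_START"), (0x20000000, "CHAIN_END"),
              (0x40000000, "CLIENT_REDIRECT"), (0x80000000, "SERVER_REDIRECT")]
FLAG = {name: bit for bit, name in QUALIFIERS}

def decode_transition(value):
    value &= 0xFFFFFFFF   # a value with bit 31 set may have been stored as a negative int
    core = CORE.get(value & 0xFF, "UNKNOWN_%d" % (value & 0xFF))
    return core, [name for bit, name in QUALIFIERS if value & bit]

def format_transition(value):
    core, quals = decode_transition(value)
    return ";".join([core] + quals) + ";"

def webkit_to_str(us):   # Chrome times are microseconds since 1601-01-01 UTC
    return str(datetime(1601, 1, 1) + timedelta(microseconds=us))

# Constructed sample: rows from the output above, transition values built from the flags.
URLS = [(5, "http://www.facebook.com/", 13053964190603591),
        (6, "https://www.facebook.com/", 13053964190603591),
        (10, "http://www.ubuntu.com/download", 13053902154285058),
        (11, "http://www.ubuntu.com/download/desktop", 13053902161778058)]
VISITS = [(17, 5, 13053964190603591, 0, 1 | FLAG["CHAIN_START"]),
          (18, 6, 13053964190603591, 17, 1 | FLAG["CHAIN_END"] | FLAG["SERVER_REDIRECT"]),
          (10, 10, 13053902154285058, 0, FLAG["CHAIN_START"] | FLAG["CHAIN_END"]),
          (11, 11, 13053902161778058, 10, FLAG["CHAIN_START"] | FLAG["CHAIN_END"])]

def load_sample():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, "
               "last_visit_time INTEGER NOT NULL)")
    db.execute("CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER NOT NULL, "
               "visit_time INTEGER NOT NULL, from_visit INTEGER, "
               "transition INTEGER DEFAULT 0 NOT NULL)")
    db.executemany("INSERT INTO urls VALUES (?,?,?)", URLS)
    db.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", VISITS)
    return db

def visits_with_urls(db):
    """One row per visit with its URL: the join the plugin does in memory in FULL mode."""
    return db.execute("SELECT v.id, v.from_visit, v.transition, v.visit_time, u.url, "
                      "u.last_visit_time FROM visits v JOIN urls u ON u.id = v.url "
                      "ORDER BY v.visit_time, v.id").fetchall()

def navigation_paths(db):
    """Follow from_visit back from every visit nothing else points to; the transition
    on each hop says whether it was a redirect or a fresh click (CHAIN_START)."""
    rows = {r[0]: r for r in visits_with_urls(db)}
    referenced = {r[1] for r in rows.values()}
    paths = []
    for vid in sorted(rows):
        if vid in referenced:
            continue
        hops = []
        while vid in rows:
            r = rows[vid]
            hops.append((webkit_to_str(r[3]), format_transition(r[2]), r[4]))
            vid = r[1]   # from_visit; 0 ends the path
        paths.append(hops[::-1])
    return paths
```

For the sample this yields two paths: the two Ubuntu pages, each a fresh link click (CHAIN_START and CHAIN_END on the same hop), and the typed http://www.facebook.com/ followed by its SERVER_REDIRECT hop to https://www.facebook.com/, which is why the https row carries TYPED without FROM_ADDRESS_BAR.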

visits – QUICK
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits -Q
Volatility Foundation Volatility Framework 2.4
Visit ID URL ID Visit Time                 From Visit Transition                                                   Segment ID Is Indexed Visit Duration
-------- ------ -------------------------- ---------- ------------------------------------------------------------ ---------- ---------- --------------
      18      6 2014-08-31 13:09:50.603591         17 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a            2994192297
      17      5 2014-08-31 13:09:50.603591          0 TYPED;CHAIN_START;                                                    3 n/a                     0
      14     14 2014-08-30 19:56:08.004058         13 LINK;CHAIN_END;SERVER_REDIRECT;                                       0 n/a           62001879533
      15      8 2014-08-30 19:58:20.439710          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0
      12     12 2014-08-30 19:56:04.495058         11 FORM_SUBMIT;CHAIN_START_END;                                          0 n/a               3509000
      11     11 2014-08-30 19:56:01.778058         10 LINK;CHAIN_START_END;                                                 0 n/a               2717000
      10     10 2014-08-30 19:55:54.285058          0 LINK;CHAIN_START_END;                                                 0 n/a               7493000
      13     13 2014-08-30 19:56:08.004058         12 LINK;CHAIN_START;                                                     0 n/a                     0
       7      7 2014-08-30 19:55:33.514058          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               4 n/a              12962000
       9      9 2014-08-30 19:55:46.171058          8 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0
       8      8 2014-08-30 19:55:41.021058          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0
      16     15 2014-08-31 13:09:30.069591         15 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0
       4      4 2014-08-18 01:55:04.057529          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               2 n/a              13520000
       2      2 2014-08-18 01:53:54.354616          1 START_PAGE;CHAIN_END;SERVER_REDIRECT;                                 0 n/a              83221913
       5      5 2014-08-30 19:55:26.138058          0 TYPED;CHAIN_START;                                                    3 n/a                     0
       3      3 2014-08-18 01:54:43.940616          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               1 n/a                     0
       6      6 2014-08-30 19:55:26.138058          5 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a                     0
       1      1 2014-08-18 01:53:54.354616          0 START_PAGE;CHAIN_START;                                               0 n/a                     0
visits – FULL
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits
Volatility Foundation Volatility Framework 2.4
Visit ID URL ID Visit Time                 From Visit Transition                                                   Segment ID Is Indexed Visit Duration URL                                                                              Title                                                                            Visits Typed Last Visit Time            Hidden Favicon ID
-------- ------ -------------------------- ---------- ------------------------------------------------------------ ---------- ---------- -------------- -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- ------ ----- -------------------------- ------ ----------
      18      6 2014-08-31 13:09:50.603591         17 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a            2994192297 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
      17      5 2014-08-31 13:09:50.603591          0 TYPED;CHAIN_START;                                                    3 n/a                     0 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
      14     14 2014-08-30 19:56:08.004058         13 LINK;CHAIN_END;SERVER_REDIRECT;                                       0 n/a           62001879533 http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
      15      8 2014-08-30 19:58:20.439710          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
      12     12 2014-08-30 19:56:04.495058         11 FORM_SUBMIT;CHAIN_START_END;                                          0 n/a               3509000 http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64 Contribute to Ubuntu | Ubuntu | Ubuntu                                                1     0 2014-08-30 19:56:04.495058      0          0
      11     11 2014-08-30 19:56:01.778058         10 LINK;CHAIN_START_END;                                                 0 n/a               2717000 http://www.ubuntu.com/download/desktop                                           Download Ubuntu Desktop | Download | Ubuntu                                           1     0 2014-08-30 19:56:01.778058      0          0
      10     10 2014-08-30 19:55:54.285058          0 LINK;CHAIN_START_END;                                                 0 n/a               7493000 http://www.ubuntu.com/download                                                   Get Ubuntu | Download | Ubuntu                                                        1     0 2014-08-30 19:55:54.285058      0          0
      13     13 2014-08-30 19:56:08.004058         12 LINK;CHAIN_START;                                                     0 n/a                     0 http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64 Thanks for downloading Ubuntu Desktop | Ubuntu                                        1     0 2014-08-30 19:56:08.004058      0          0
       7      7 2014-08-30 19:55:33.514058          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               4 n/a              12962000 http://www.cnn.com/                                                              CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News             1     1 2014-08-30 19:55:33.514058      0          0
       9      9 2014-08-30 19:55:46.171058          8 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0 https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download                                                                                       1     0 2014-08-30 19:55:46.171058      0          0
       8      8 2014-08-30 19:55:41.021058          0 GENERATED;FROM_ADDRESS_BAR;CHAIN_START;                               0 n/a                     0 https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8       Google                                                                                2     0 2014-08-30 19:58:20.439710      0          0
      16     15 2014-08-31 13:09:30.069591         15 LINK;CHAIN_END;CLIENT_REDIRECT;                                       0 n/a                     0 https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity                                                                                       1     0 2014-08-31 13:09:30.069591      0          0
       4      4 2014-08-18 01:55:04.057529          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               2 n/a              13520000 http://www.foxnews.com/                                                          Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos       1     1 2014-08-18 01:55:04.057529      0          0
       2      2 2014-08-18 01:53:54.354616          1 START_PAGE;CHAIN_END;SERVER_REDIRECT;                                 0 n/a              83221913 https://www.google.com/intl/en/chrome/browser/welcome.html                       Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0
       5      5 2014-08-30 19:55:26.138058          0 TYPED;CHAIN_START;                                                    3 n/a                     0 http://www.facebook.com/                                                         Welcome to Facebook - Log In, Sign Up or Learn More                                   2     2 2014-08-31 13:09:50.603591      0          0
       3      3 2014-08-18 01:54:43.940616          0 TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;                               1 n/a                     0 https://www.google.com/                                                          Google                                                                                1     1 2014-08-18 01:54:43.940616      0          0
       6      6 2014-08-30 19:55:26.138058          5 TYPED;CHAIN_END;SERVER_REDIRECT;                                      0 n/a                     0 https://www.facebook.com/                                                        Welcome to Facebook - Log In, Sign Up or Learn More                                   2     0 2014-08-31 13:09:50.603591      0          0
       1      1 2014-08-18 01:53:54.354616          0 START_PAGE;CHAIN_START;                                               0 n/a                     0 http://tools.google.com/chrome/intl/en/welcome.html                              Getting Started                                                                       1     0 2014-08-18 01:53:54.354616      0          0

chromesearchterms

The chromesearchterms plugin extracts records from the Chrome keyword_search_terms table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp in this table, so the bodyfile format is not supported. The full output from the sample image is copied below, with the 2 records that are in the chrome_history database linked above, showing that the plugin located both. The output contains the search term as entered and its lowercase form, along with the URL ID of the matching row in the urls table (the chromehistory output), so the full search URL can be looked up.

$ vol.py --plugins=plugins/ -f voltest.dmp chromesearchterms
Volatility Foundation Volatility Framework 2.4
Row ID Keyword ID URL ID Lowercase                                                        Entered Text
------ ---------- ------ ---------------------------------------------------------------- ----------------------------------------------------------------
     2          2     15 what is volatliity                                               What is Volatliity
     1          2      9 ubuntu download                                                  ubuntu download

chromedownloads

The chromedownloads plugin extracts records from the Chrome downloads table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Since the output of this plugin is small in my examples, I'm including the CSV and bodyfile outputs as an example of what most of these plugins provide. The full output from the sample image is copied below, with the 2 records that are in the chrome_history database linked above, showing that the plugin located both. The output contains the path where the file is being saved, the received and total bytes, and usually the referrer. It also includes the start and end times, which are used in the bodyfile. Note that the second download has a state of 4 (interrupted), received bytes well below the total, and an end time of 1601-01-01, meaning it was never set; the bodyfile shows that as -11644473600. Later versions of Chrome (I think around 36) added the two MIME fields, which is why they're empty in this sample.

Standard Text Output
$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloads
Volatility Foundation Volatility Framework 2.4
Row Id Current Path                                                                     Target Path                                                                      Start Time                 Received     Total Bytes  State Danger Interrupt End Time                   Opened Referer                                                          By Ext ID By Ext Name ETag                     Last Modified                  MIME Type                        Original MIME Type
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------- ------------ ------------ ----- ------ --------- -------------------------- ------ ---------------------------------------------------------------- --------- ----------- ------------------------ ------------------------------ -------------------------------- --------------------------------
     2 C:\Users\test\Downloads\npp.6.6.8.Installer.exe                                  C:\Users\test\Downloads\npp.6.6.8.Installer.exe                                  2014-08-31 13:13:32.123849      7920175      7920175     1      4         0 2014-08-31 13:19:06.350249      0                                                                                        "594509918"              Sun, 27 Jul 2014 22:42:03 GMT
     1                                                                                  C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso                         2014-08-30 19:56:11.491058     46641733   1028653056     4      0        20 1601-01-01 00:00:00             0 http://www.ubuntu.com/download/...ion=14.04.1&architecture=amd64                       "38d2064-3d...fdb504980" Tue, 22 Jul 2014 22:36:38 GMT
CSV Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=csv
Volatility Foundation Volatility Framework 2.4
"id","current_path","target_path","start_time","received_bytes","total_bytes","state","danger","interrupt","end_time","opened","referer","by_ext_id","by_ext_name","etag","last_modified","mime_type","original_mime_type"
"2","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","2014-08-31 13:13:32.123849","7920175","7920175","1","4","0","2014-08-31 13:19:06.350249","0","","","","""594509918""","Sun, 27 Jul 2014 22:42:03 GMT","",""
"1","","C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso","2014-08-30 19:56:11.491058","46641733","1028653056","4","0","20","1601-01-01 00:00:00","0","http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64","","","""38d2064-3d500000-4fecfdb504980""","Tue, 22 Jul 2014 22:36:38 GMT","",""
Bodyfile Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=body
Volatility Foundation Volatility Framework 2.4
0|[CHROMEDOWNLOADS]  -> C:\Users\test\Downloads\npp.6.6.8.Installer.exe (7920175 bytes|0|---------------|0|0|0|1409491146|1409491146|1409491146|1409490812
0|[CHROMEDOWNLOADS] http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64 -> C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso (1028653056 bytes|0|---------------|0|0|0|-11644473600|-11644473600|-11644473600|1409428571
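The timestamp arithmetic behind those bodyfile lines, as an added example (not the plugin's code): Chrome stores times as microseconds since 1601-01-01 UTC, and mactime wants Unix seconds, so the conversion subtracts 11644473600 seconds; an unset end time of 0 therefore comes out as -11644473600, exactly as in the second line above. The function builds a bodyfile line in the same spirit as the plugin's (end time in atime/mtime/ctime, start time in crtime) but with my own name format and the total size in the size field, and it takes an optional replacement for the 1601 sentinel. The two rows are the sample downloads above with their times re-encoded as WebKit microseconds; the state names are the values Chrome's download_database.cc stores in that column.

```python
WEBKIT_EPOCH_OFFSET = 11644473600   # seconds from 1601-01-01 to 1970-01-01

def webkit_to_unix(us):
    """Chrome/WebKit microseconds since 1601-01-01 UTC to whole Unix seconds.
    An unset time of 0 comes out as -11644473600, as in the second line above."""
    return us // 1000000 - WEBKIT_EPOCH_OFFSET

# Values Chrome's download_database.cc stores in the state column (3 is unused).
STATE = {0: "IN_PROGRESS", 1: "COMPLETE", 2: "CANCELLED", 4: "INTERRUPTED"}

def download_bodyfile_line(row, unset_time=None):
    """TSK 3.x bodyfile: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime.
    As in the plugin, the end time fills atime/mtime/ctime and the start time crtime;
    unset_time, if given, replaces the 1601 sentinel for downloads that never finished."""
    end = webkit_to_unix(row["end_time"])
    if row["end_time"] == 0 and unset_time is not None:
        end = unset_time
    start = webkit_to_unix(row["start_time"])
    name = "[CHROMEDOWNLOADS] %s -> %s (%d of %d bytes, %s)" % (
        row["referrer"], row["target_path"], row["received_bytes"], row["total_bytes"],
        STATE.get(row["state"], "STATE_%d" % row["state"]))
    return "0|%s|0|---------------|0|0|%d|%d|%d|%d|%d" % (
        name, row["total_bytes"], end, end, end, start)

# The two sample rows above, with their times re-encoded as WebKit microseconds.
SAMPLE_ROWS = [
    {"id": 2, "target_path": r"C:\Users\test\Downloads\npp.6.6.8.Installer.exe",
     "start_time": 13053964412123849, "end_time": 13053964746350249,
     "received_bytes": 7920175, "total_bytes": 7920175, "state": 1, "referrer": ""},
    {"id": 1, "target_path": r"C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso",
     "start_time": 13053902171491058, "end_time": 0,
     "received_bytes": 46641733, "total_bytes": 1028653056, "state": 4,
     "referrer": "http://www.ubuntu.com/download/desktop/thank-you"
                 "?country=US&version=14.04.1&architecture=amd64"},
]

def sample_bodyfile(unset_time=None):
    return [download_bodyfile_line(r, unset_time) for r in SAMPLE_ROWS]
```

Leaving the sentinel in place puts the unfinished download in 1601 when the timeline is sorted, which is easy to spot but easy to lose off the top of a long mactime listing; passing unset_time=0 (or the start time) keeps it near the events it belongs with.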

chromedownloadchains

The chromedownloadchains plugin extracts records from the Chrome downloads_url_chains table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp in this table, so the bodyfile format is not supported. The full output from the sample image is copied below, with the 2 records that are in the chrome_history database linked above, showing that the plugin located both. The Chain ID is the download's id in the downloads table, so each chain can be matched to a row of the chromedownloads output. In this example there is only one URL in each chain; when a download went through redirects, every URL in the chain is recorded and the Chain ID/Chain Index combination is unique for each one.

$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloadchains
Volatility Foundation Volatility Framework 2.4
Row ID Chain ID    Chain Index URL
------ ----------- ----------- ------------------------------------------------------------------------------------------------------------------------
     2           2           0 http://download.tuxfamily.org/notepadplus/6.6.8/npp.6.6.8.Installer.exe
     1           1           0 http://ubuntu-releases.cs.umn.edu/14.04.1/ubuntu-14.04.1-desktop-amd64.iso

chromecookies

The chromecookies plugin extracts records from the Chrome cookies table in the Cookies SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. A snippet of the full output from the sample image is copied below, since there are hundreds of cookies even from visiting a few sites. The chrome_cookies file linked above was taken from the same machine as the memory image and can be used for comparison; the plugin will find every cookie record from that SQLite database that it can locate in memory. The output contains the host key, the cookie name, the path, and the value and encrypted value. Chrome started encrypting cookie values early in 2014; older cookies still show the plaintext value. The sample image is a Windows system, so its Encrypted Value column holds DPAPI blobs (recognisable by the 01000000d08c9ddf... header), which the plugin does not decrypt.

Currently the plugin can decrypt cookies from a Mac or Linux system. The -K option specifies the password, which is only needed for Mac cookies; it is stored in the Keychain as the "Chrome Safe Storage" item and can be extracted on the source Mac with:

security find-generic-password -w -s "Chrome Safe Storage"

On Linux the password is the fixed string 'peanuts', which is coded into the plugin. This post contains details on decrypting the cookie values and was used in writing this part of the plugin. This post has details on decrypting Windows cookies, which are protected with DPAPI and so need key material from the user's profile, but that is not supported in the plugin yet. The plugin also supports the -O option to specify the OS (mac, linux or windows) rather than relying on the profile, which is helpful when running the plugin directly against a Cookies SQLite file.
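As an added example of the decryption step (my code, not the plugin's and not the code from the linked posts), the Python below implements the scheme Chrome's os_crypt uses on Linux and Mac: the key is PBKDF2-HMAC-SHA1 over the password with the salt "saltysalt" (1 iteration on Linux, 1003 on Mac, 16-byte key), the value is AES-128-CBC encrypted with an IV of 16 spaces and PKCS#7 padding, and the stored encrypted_value is that ciphertext behind a "v10" prefix. AES itself is written out in pure Python so the example runs with the standard library only; the sample cookie is constructed here by encrypting a made-up value under the Linux key, and any Mac password used with it is made up as well.

```python
import hashlib

# Chrome os_crypt on Linux/Mac: key = PBKDF2-HMAC-SHA1(password, "saltysalt", 1 iteration
# on Linux / 1003 on Mac, 16 bytes); AES-128-CBC, IV of 16 spaces, PKCS#7; "v10" prefix.
SALT, IV, PREFIX = b"saltysalt", b" " * 16, b"v10"
ITERATIONS, LINUX_PASSWORD = {"linux": 1, "mac": 1003}, b"peanuts"

# --- compact AES-128 in pure Python, so the example needs no extra packages ---
def _xtime(a):
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1
def _gmul(a, b):
    r = 0
    while b:
        r, a, b = r ^ (a if b & 1 else 0), _xtime(a), b >> 1
    return r
def _build_sbox():
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for _ in range(4):
            inv = ((inv << 1) | (inv >> 7)) & 0xFF
            s ^= inv
        sbox.append(s ^ 0x63)
    return sbox
SBOX = _build_sbox()
INV_SBOX = [SBOX.index(i) for i in range(256)]
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def expand_key(key):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]
def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]
def _shift(s, d):   # ShiftRows (d=1) or its inverse (d=-1); state is column-major
    return [s[r + 4 * ((c + d * r) % 4)] for c in range(4) for r in range(4)]
def _mix(s, m):     # MixColumns with matrix m
    return [_gmul(m[r][0], s[4 * c]) ^ _gmul(m[r][1], s[4 * c + 1]) ^
            _gmul(m[r][2], s[4 * c + 2]) ^ _gmul(m[r][3], s[4 * c + 3])
            for c in range(4) for r in range(4)]

def encrypt_block(block, rk):
    s = _xor(block, rk[0])
    for rnd in range(1, 11):
        s = _shift([SBOX[b] for b in s], 1)
        s = _xor(_mix(s, MIX) if rnd < 10 else s, rk[rnd])
    return bytes(s)
def decrypt_block(block, rk):
    s = _xor(block, rk[10])
    for rnd in range(9, -1, -1):
        s = _xor([INV_SBOX[b] for b in _shift(s, -1)], rk[rnd])
        s = _mix(s, INV_MIX) if rnd else s
    return bytes(s)

def aes128_cbc_encrypt(key, iv, data):
    rk, pad = expand_key(key), 16 - len(data) % 16
    data, out, prev = data + bytes([pad]) * pad, b"", iv
    for i in range(0, len(data), 16):
        prev = encrypt_block(_xor(data[i:i + 16], prev), rk)
        out += prev
    return out
def aes128_cbc_decrypt(key, iv, data):
    rk, out, prev = expand_key(key), b"", iv
    for i in range(0, len(data), 16):
        out += bytes(_xor(decrypt_block(data[i:i + 16], rk), prev))
        prev = data[i:i + 16]
    pad = out[-1]
    if not 1 <= pad <= 16 or out[-pad:] != bytes([pad]) * pad:
        raise ValueError("bad PKCS#7 padding: wrong password or corrupt ciphertext")
    return out[:-pad]

# --- the cookie layer ---
def derive_key(os_name, password=None):
    if os_name == "linux":
        password = LINUX_PASSWORD          # fixed, as the post says
    elif os_name != "mac" or password is None:
        raise ValueError("os_name must be 'linux', or 'mac' with the Keychain password")
    return hashlib.pbkdf2_hmac("sha1", password, SALT, ITERATIONS[os_name], 16)
def decrypt_cookie(encrypted_value, os_name, password=None):
    if not encrypted_value.startswith(PREFIX):
        raise ValueError("not a v10 value (Windows DPAPI blobs are not handled here)")
    ct = encrypted_value[len(PREFIX):]
    if not ct or len(ct) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return aes128_cbc_decrypt(derive_key(os_name, password), IV, ct)
def encrypt_cookie(value, os_name, password=None):   # what Chrome would store for value
    return PREFIX + aes128_cbc_encrypt(derive_key(os_name, password), IV, value)

SAMPLE_LINUX = encrypt_cookie(b"session=abc123", "linux")   # constructed sample blob
```

Because the IV is constant, two cookies with the same value encrypt to the same blob, so identical encrypted_value bytes in the plugin output mean identical cookie values even before decryption. A padding error on decryption almost always means the wrong password or the wrong -O, not a corrupt record.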

In addition, the output contains the creation time, last access time and expiration time of each cookie, all of which are used in the bodyfile output.

Cookies – Basic example
$ vol.py --plugins=plugins/ -f voltest.dmp chromecookies | more
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-08-30 19:55:42.098058 www.cnn.com                      octowebstatid                                                                                     /                        2015-08-30 19:55:42             0        0 2014-08-30 19:55:42.098058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...332d8a688f51cb124c5b0817e6d59ab56696ab
2014-08-30 19:56:08.455058 .ubuntu.com                      __utma                                                                                            /                        2016-08-29 19:56:08             0        0 2014-08-30 19:56:08.455058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...bc7b27ed42f4e8654421f90ca261d0b823216d
2014-08-18 01:53:54.812617 .youtube.com                     VISITOR...1_LIVE                                                                                  /                        2015-04-18 13:46:54.812617      0        0 2014-08-18 01:53:54.812617       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...56ee53d9b5ec43a08e3ef526906e239a1be5d7
2014-08-18 01:53:54.893616 .google.com                      __utma                                                                                            /intl/en/chrome/browser/ 2016-08-17 01:53:54             0        0 2014-08-18 01:54:56.400529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...dca0f3ff3125021c58eabd5a5c5aa1e39ff31a
2014-08-30 19:55:34.066058 .www.ugdturner.com               ug1                                                                                               /                        2019-08-29 19:55:34.066058      0        0 2014-08-30 19:55:34.066058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...770a74f1e311837ea538744ea7d181c4f1f2de
2014-08-30 19:55:34.067058 www.cnn.com                      ug                                                                                                /                        2015-08-30 19:55:34             0        0 2014-08-30 19:55:34.067058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...a27d86d1efe9652678fb31931f4f5e192bc96f
2014-08-30 19:55:34.067059 www.cnn.com                      ugs                                                                                               /                        2014-08-31 21:55:34             0        0 2014-08-30 19:55:34.067059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...1b89901d7f7c1774f49cd9b47229e19043f883
2014-08-30 19:55:46.475058 www.cnn.com                      _chartbeat4                                                                                       /                        2014-08-30 20:55:46             0        0 2014-08-30 19:55:46.475058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...885d99442117495160258487a86d42df33973a
2014-08-30 19:55:39.137058 .doubleclick.net                 _drt_                                                                                             /                        2014-08-31 07:55:39.137058      0        1 2014-08-30 19:55:39.137058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...0fc907219965b89c8b1f1250f51af443dc2e05
2014-08-30 19:55:39.406058 .krxd.net                        ServedBy                                                                                          /                        2015-02-27 09:15:39.406058      0        0 2014-08-30 19:55:39.406058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...da32d1ec7ff79594caf486a5f45dd23d78c954
2014-08-30 19:55:39.406059 .krxd.net                        _kuid_                                                                                            /                        2015-02-26 19:55:39.406059      0        0 2014-08-30 19:55:39.406059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...7c79dac49bed8bcc64b2d4c59cf082427263c8
2014-08-30 19:56:08.455059 .ubuntu.com                      __utmb                                                                                            /                        2014-08-30 20:26:08             0        0 2014-08-30 19:56:08.455059       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...4b6aaeec96ec8a1c3733ee8f4a3ffa124fcdf2
2014-08-30 19:55:36.159058 .cnn.com                         s_vi                                                                                              /                        2016-08-29 19:55:36.159058      0        0 2014-08-30 19:55:36.159058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...e051356b6a9a21ea3db611c21cccdc47ce9830
2014-08-30 19:55:36.797058 .outbrain.com                    _lvs2                                                                                             /                        2015-09-26 19:55:36             0        0 2014-08-30 19:55:36.797058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...9d0008d0566aadc64154f3b946207d1115148a
2014-08-30 19:55:36.915058 .rubiconproject.com              ruid                                                                                              /                        2014-11-28 19:55:36.915058      0        0 2014-08-30 19:55:36.915058       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...34ec6d9be5d8722099eac8e10c39190fbd5c7c
2014-08-18 01:55:10.572529 .tapad.com                       TapAd_TS                                                                                          /                        2014-10-17 01:55:09             0        0 2014-08-18 01:55:10.572529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...fbb5944c4fb120fc1fdf2e3acbb5f8ab630c91
2014-08-18 01:55:10.565530 .bizographics.com                BizoData                                                                                          /                        2015-02-16 13:55:10.565530      0        0 2014-08-18 01:55:10.565530       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...ddb450d13d95198dd5ff18d05eb31d89e60705
2014-08-18 01:55:10.708529 .demdex.net                      DPM                                                                                               /                        2016-08-17 01:55:09             0        0 2014-08-18 01:55:10.708529       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...169b9472b70057cfc1f0845a12d94cf484b914
2014-08-18 01:55:10.678530 .acxiom-online.com               ACXID                                                                                             /                        2015-08-18 01:55:10.678530      0        0 2014-08-18 01:55:10.678530       1          1          1 01000000d08c9ddf0115d1118c7a00c04fc297e...ffd2e26b6112093ba13ef1cec3ab8c7d0788bf
Cookies – No Decryption

Sample execution against another memory image, without decrypting the cookies.

$ vol.py --profile=MacMavericks_10_9_4_AMDx64 -f mem.macho chromecookies
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-09-04 21:36:14.605479 .sleuthkit.org                   _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-04 21:36:14.605479       0          0          1 7631308406dafc56e672450c48985a03152bba6342cd223910827a8db5b6cbf6f5f6ae
2014-09-04 21:36:15.262039 .cs.uno.edu                      _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-04 21:42:22.576744       0          0          1 763130460b6ba9333f9cc802ae02f2594b48f8fbc97d1413fa9a4a39b2d9d52561fdbe
2014-09-04 21:36:15.263101 .threat-analytics.com            _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-06 20:50:33.270622       0          0          1 763130e10cac14e080087a30697432e03fd9e90058a8fca19477aa2abe29669433dece
2014-09-04 21:36:18.805114 .dfinews.com                     _sm_au_c                                                                                          /                        Never Expires                   0        0 2014-09-05 22:56:26.547288       0          0          1 76313069b9fc355151345fb7772978a63f0b7ee60db4254b786b2a87f0ddc70de2002e
Cookies – Decrypted

Supplying the decryption password on the same sample above successfully decrypts the cookie values. They all start with iMV in the output below.

$ vol.py --profile=MacMavericks_10_9_4_AMDx64 -f mem.macho chromecookies -K "rq2uadV+VvAD+IBiBeJ75a=="
Volatility Foundation Volatility Framework 2.4
Creation Time              Host Key                         Name             Value                                                                            Path                     Expires Time               Secure HttpOnly Last Access Time           Expires Persistent Priority   Encrypted Value
-------------------------- -------------------------------- ---------------- -------------------------------------------------------------------------------- ------------------------ -------------------------- ------ -------- -------------------------- ------- ---------- ---------- --------------------------------------------------------------------------------
2014-09-04 21:36:14.605479 .sleuthkit.org                   _sm_au_c         iMVarAHaqBbHSFFQ0e                                                               /                        Never Expires                   0        0 2014-09-04 21:36:14.605479       0          0          1 7631308406dafc56e672450c48985a03152bba6342cd623910827a8db5b6cbf6f5f6ae
2014-09-04 21:36:15.262039 .cs.uno.edu                      _sm_au_c         iMVarAaaqBBarF5a0b                                                               /                        Never Expires                   0        0 2014-09-04 21:42:22.576744       0          0          1 763130460b6ba9333f9cc802ae02f2594b48f8fbc97d141efa9a4a39b2d9d52561fdbe
2014-09-04 21:36:15.263101 .threat-analytics.com            _sm_au_c         iMVaraH2qBZdJFrQ15                                                               /                        Never Expires                   0        0 2014-09-06 20:50:33.270622       0          0          1 763130e10cac14e080087a30697432e03fd9e90058a8fca19877aa2abe29669433dece
2014-09-04 21:36:18.805114 .dfinews.com                     _sm_au_c         iMVaraH2qB0ZVF0Q0c                                                               /                        Never Expires                   0        0 2014-09-05 22:56:26.547288       0          0          1 76313069b9fc355151345fb7772978a63f0b7ee60db42a4b786b2a87f0ddc70de2002e
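Two details of the tables above are easy to misread when checking plugin output by hand: the timestamp columns are Chrome's microseconds-since-1601 counters (with 0 rendered as "Never Expires"), and the Encrypted Value column begins with a header that identifies which OS key protects it (the Windows rows start with a DPAPI blob header, the Mac rows with "v10"). The helpers below are an added example, not code from the chromehistory.py plugin or sqlite_help.py; they convert Chrome timestamps both ways and classify an encrypted_value blob from its leading bytes without decrypting anything. The sample rows in main() are constructed from values visible in the tables above.

```python
"""Reading chromecookies-style output: Chrome timestamp conversion and a
first look at the Encrypted Value column. Added example, not plugin code."""
from datetime import datetime, timedelta, timezone

# Chrome (WebKit) timestamps count microseconds since 1601-01-01 00:00 UTC.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Seconds between the Chrome epoch and the Unix epoch (1970-01-01).
CHROME_TO_UNIX_OFFSET = 11644473600

# Windows DPAPI blob header: version 1 followed by the provider GUID
# df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian field order. This is
# the "01000000d08c9ddf0115d1118c7a00c04fc297eb" prefix in the Windows rows.
DPAPI_BLOB_PREFIX = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")


def chrome_time_to_datetime(ts):
    """Convert a Chrome microsecond timestamp to an aware UTC datetime.
    0 means 'not set', e.g. expires_utc on a session cookie."""
    if ts == 0:
        return None
    return CHROME_EPOCH + timedelta(microseconds=ts)


def datetime_to_chrome_time(dt):
    """Inverse conversion (aware datetime -> microseconds since 1601),
    handy for building time-window queries against a carved History DB."""
    delta = dt - CHROME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds


def format_chrome_time(ts):
    """Render a timestamp the way the plugin's table does."""
    dt = chrome_time_to_datetime(ts)
    if dt is None:
        return "Never Expires"
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


def classify_encrypted_value(blob):
    """Name the protection scheme of an encrypted_value blob from its leading
    bytes only. This tells the examiner which key material (DPAPI master key,
    macOS Keychain 'Chrome Safe Storage' password, Linux keyring) the -K
    option would have to come from; it performs no decryption."""
    if not blob:
        return "none"      # cookie stored in the clear in the Value column
    if blob.startswith(DPAPI_BLOB_PREFIX):
        return "dpapi"     # Windows CryptProtectData blob
    if blob.startswith(b"v10"):
        return "v10"       # macOS Keychain-derived key, or Linux default key
    if blob.startswith(b"v11"):
        return "v11"       # Linux with a keyring/KWallet-managed password
    return "unknown"


def describe_cookie(host_key, name, expires_utc, encrypted_hex):
    """Summarise one cookie row as the plugin would present it."""
    blob = bytes.fromhex(encrypted_hex)
    return {
        "host_key": host_key,
        "name": name,
        "expires": format_chrome_time(expires_utc),
        "scheme": classify_encrypted_value(blob),
    }


def main():
    # Constructed rows: timestamps and prefixes taken from the tables above.
    samples = [
        ("www.cnn.com", "ug", 13053902134066058,
         "01000000d08c9ddf0115d1118c7a00c04fc297eb" + "00" * 16),
        (".sleuthkit.org", "_sm_au_c", 0, "7631308406dafc56e672450c48985a03"),
    ]
    for row in samples:
        print(describe_cookie(*row))


if __name__ == "__main__":
    main()
```

The conversion functions are also what you need when comparing plugin output with the raw SQLite file: Chrome's `creation_utc`, `last_access_utc` and `expires_utc` columns hold the integer form, so a row can be matched to the table output by running the integer through format_chrome_time.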


16 Responses to Volatility Plugin – Chrome History

  1. dimis

    Hey man,

    I am doing a little bit of Android forensics and just tried out your plugins for Android. They work flawlessly!

    Awesome work!! Thank you very much. You definitely deserved 1st place at the contest :D

    • Mehr

      Hi,
      I am also working on Android forensics as a project in one of my courses, I have downloaded this plugin but it is not working. It creates some errors like:
      Invalid Lime header signature
      or
      Incompatible profile selected, etc.
      Would you please give me some information about how I can make it work on my emulator?

      • superponible Post author

        Do other plugins work against that image? You shouldn’t even need to specify a profile for the Chrome plugins, so I don’t think your problem is specific to this plugin. What’s the full command you’re running?

        • mehr

          I can run other plugins on my Android image file perfectly; I just have a problem with your plugin. I have tested 4 different dumps but the problem still exists:
          1. for chromecookies my output is nothing (I am sure that Chrome stores some cookies, and I can also read them inside memory by checking the file location)
          2. for “chromehistory”, “chromesearchterms” and “chromedownloads”
          “ERROR : volatility.debug : This command does not support the profile LinuxGolfish-2_6_29ARM”

          Also, this is my command:
          “python ../../vol.py –profile=LinuxGolfish-2_6_29ARM -f ~/lime-forensics/lime10.dmp chromecookies”
          I got the dump with Lime and my profile is OK.

          • mehr

            If you run the command without a profile (nothing for all plugins except chromecookies):
            $python ../../vol.py -f ~/lime-forensics/lime8.dmp chromehistory
            Volatility Foundation Volatility Framework 2.5
            Index URL Hidden Favicon ID
            —– — —— ——– —

            but for chromecookies (lots of errors):
            $ python ../../vol.py -f ~/lime-forensics/lime8.dmp chromecookies
            Volatility Foundation Volatility Framework 2.5
            No suitable address space mapping found
            Tried to open image as:
            MachOAddressSpace: mac: need base
            LimeAddressSpace: lime: need base
            WindowsHiberFileSpace32: No base Address Space
            WindowsCrashDumpSpace64BitMap: No base Address Space
            WindowsCrashDumpSpace64: No base Address Space
            HPAKAddressSpace: No base Address Space
            VirtualBoxCoreDumpElf64: No base Address Space
            VMWareMetaAddressSpace: No base Address Space
            VMWareAddressSpace: No base Address Space
            QemuCoreDumpElf: No base Address Space
            WindowsCrashDumpSpace32: No base Address Space
            AMD64PagedMemory: No base Address Space
            IA32PagedMemoryPae: No base Address Space
            IA32PagedMemory: No base Address Space
            OSXPmemELF: No base Address Space
            MachOAddressSpace: MachO Header signature invalid
            MachOAddressSpace: MachO Header signature invalid
            LimeAddressSpace: Invalid Lime header signature
            WindowsHiberFileSpace32: No xpress signature found
            WindowsCrashDumpSpace64BitMap: Header signature invalid
            WindowsCrashDumpSpace64: Header signature invalid
            HPAKAddressSpace: Invalid magic found
            VirtualBoxCoreDumpElf64: ELF Header signature invalid
            VMWareMetaAddressSpace: VMware metadata file is not available
            VMWareAddressSpace: Invalid VMware signature: 0x6f747475
            QemuCoreDumpElf: ELF Header signature invalid
            WindowsCrashDumpSpace32: Header signature invalid
            AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
            IA32PagedMemoryPae: No valid DTB found
            IA32PagedMemory: No valid DTB found
            OSXPmemELF: ELF Header signature invalid
            FileAddressSpace: Must be first Address Space
            ArmAddressSpace: No valid DTB found

          • superponible Post author

            The “nothing” output for all except cookies where it’s just showing the header columns means it’s working and not finding any matches.

            For the chromecookies plugin, that one does check for a profile so it knows the format for decrypting cookies. You should be able to get around the check by adding “-O linux” to the end of your command.

          • mehr

            The -O linux option shows this output:

            $ python ../../vol.py -f ~/lime-forensics/lime12.dmp chromecookies -O linux
            Volatility Foundation Volatility Framework 2.5
            Creation Time Host Key Name Value Path Expires Time Secure HttpOnly Last Access Time Expires Persistent Priority Encrypted Value
            ————————–

            Have you ever tested your plugin on an Android memory dump?

  2. Bernhard Kotnig

    Dear Sir, when I try to use “chromehistory” I get:
    ERROR: __main__ you must specify something to do
    The command is:
    python Scripts\vol.py -d –plugins=plug\ -f C:\!Volat\WIE_SATA_SSD.001 chromehistory

    A command like
    python Scripts\vol.py -f C:\!Volat\WIE_SATA_SSD.001 imageinfo
    seems to work. Where am I wrong?
    Kind regards
    Bernhard Kontig

    • superponible Post author

      Try putting the plugins argument first, so something like

      python Scripts\vol.py –plugins=plug\ … then the rest. Also, make sure you use two dashes with plugins.

  3. Philipp Crouch

    Hey,

    I tried the firefoxhistory and the chromehistory plugins.
    Nice work :)
    My mission with firefoxhistory succeeded, but with Chrome it fails.

    “*** Failed to import volatility.plugins.chromehistory (ImportError: No module named Protocol.KDF)”

    I tried both plugins with Python 2.7 in Windows CMD.

    Greetings

  4. Kamil

    Hi, I tried to run these plugins on the latest versions of Chrome/Firefox, but they don't seem to work at all. Do they work only on versions between 30 and 37, as you stated?
    Thanks in advance for your help.

    • superponible Post author

      It definitely looks like there have been some changes to the SQLite schemas, but just testing against Chrome, I do get results from some of the plugins. These worked for me on Chrome v55: chromesearchterms, chromedownloadchains. The others I’ll have to take a look at and see what changed. Thanks for letting me know.
