As part of the 2014 Volatility Plugin Contest, I created 6 plugins for locating Chrome browser history related artifacts: chromehistory, chromevisits, chromesearchterms, chromedownloads, chromedownloadchains and chromecookies.
They are all in the chromehistory.py module found in my volatility-plugins repo on GitHub. They also depend on the sqlite_help.py module in the same location, which provides some useful functions for manipulating data in SQLite databases. Firefox and Chrome both store history and browsing data in SQLite databases. Every SQLite record starts with a header that lists the type and size of each field, so for a given table a known number of fields with known types can be expected in known positions; searching memory for that pattern is what allows us to locate records of a given table.
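The record-header matching just described, as an added example (my code, not chromehistory.py or sqlite_help.py): it decodes an SQLite record header into serial types, checks whether the header fits the column pattern of Chrome's urls table, and scans a constructed buffer for such records. The sample record and helper names are constructed for this illustration; the column list is the urls schema reflected in the chromehistory output below.

```python
import struct

def read_varint(buf, pos):
    """Decode an SQLite varint (big-endian, 7 bits per byte, up to 9 bytes)
    starting at buf[pos]; return (value, position after the varint)."""
    value = 0
    for i in range(8):
        b = buf[pos + i]
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, pos + i + 1
    # A ninth byte contributes all eight of its bits.
    return (value << 8) | buf[pos + 8], pos + 9

def serial_type_info(st):
    """Map a record-header serial type to (storage class, payload size)."""
    if st == 0:
        return "NULL", 0
    if 1 <= st <= 4:
        return "INT", st
    if st == 5:
        return "INT", 6
    if st == 6:
        return "INT", 8
    if st == 7:
        return "FLOAT", 8
    if st in (8, 9):                  # the constants 0 and 1, no payload
        return "INT", 0
    if st >= 12 and st % 2 == 0:
        return "BLOB", (st - 12) // 2
    if st >= 13:
        return "TEXT", (st - 13) // 2
    raise ValueError("reserved serial type %d" % st)

def parse_header(buf, pos=0):
    """Read the record header at buf[pos]: a varint giving the header length
    (itself included), followed by one serial-type varint per column."""
    header_len, p = read_varint(buf, pos)
    header_end = pos + header_len
    serial_types = []
    while p < header_end:
        st, p = read_varint(buf, p)
        serial_types.append(st)
    return serial_types, header_end

def decode_value(st, raw):
    cls, _ = serial_type_info(st)
    if cls == "NULL":
        return None
    if st in (8, 9):
        return st - 8
    if cls == "INT":
        return int.from_bytes(raw, "big", signed=True)
    if cls == "FLOAT":
        return struct.unpack(">d", raw)[0]
    if cls == "TEXT":
        return raw.decode("utf-8", "replace")
    return bytes(raw)

def parse_record(buf, pos=0):
    """Return (column values, offset just past the record body)."""
    serial_types, body = parse_header(buf, pos)
    values = []
    for st in serial_types:
        size = serial_type_info(st)[1]
        values.append(decode_value(st, buf[body:body + size]))
        body += size
    return values, body

# Storage classes expected for Chrome's urls table (id, url, title,
# visit_count, typed_count, last_visit_time, hidden, favicon_id).  id is the
# rowid alias, which SQLite stores as NULL inside the record itself.
URLS_COLUMNS = ("NULL", "TEXT", "TEXT", "INT", "INT", "INT", "INT", "INT")

def looks_like_urls_record(buf, pos):
    """True if the record header at buf[pos] has the urls column pattern."""
    try:
        serial_types, _ = parse_header(buf, pos)
        return len(serial_types) == len(URLS_COLUMNS) and all(
            serial_type_info(st)[0] == want
            for st, want in zip(serial_types, URLS_COLUMNS))
    except (IndexError, ValueError):   # ran off the buffer / reserved type
        return False

def scan_for_urls_records(buf):
    """Offsets in buf at which a urls-shaped record header starts."""
    return [pos for pos in range(len(buf)) if looks_like_urls_record(buf, pos)]

def sample_urls_record():
    """Constructed record: url http://www.cnn.com/, title "CNN", 1 visit,
    1 typed, last_visit_time 2014-08-30 19:55:33.514058 as WebKit microseconds."""
    url, title = b"http://www.cnn.com/", b"CNN"
    header = bytes([9, 0, 13 + 2 * len(url), 13 + 2 * len(title), 9, 9, 6, 8, 8])
    return header + url + title + (13053902133514058).to_bytes(8, "big")
```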
A sample memory image is available at voltest.zip, and the corresponding History and Cookies files from that image are at chrome_history and chrome_cookies, respectively, for comparison with the plugin output. I’ve tested the plugins on Chrome 30 and Chrome 37. There are some slight differences between the schemas in these two versions; the plugins handle them, and presumably the versions in between as well.
Like the core Volatility iehistory module, this module adds the same kind of functionality for Chrome browsing history. It can print output in the default table format or in CSV or bodyfile format, which is useful for combining with other plugins to create a timeline. According to W3Schools, Firefox and Chrome together made up about 85% of the browser share as of July 2014, so this and my other contest plugin (firefoxhistory) help round out Volatility’s browser coverage.
Usage and output for the plugins are below.
chromehistory
The chromehistory plugin extracts records from the Chrome urls table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below; it contains all 15 records that are in the chrome_history database linked above, showing the plugin was able to locate every one of them. The output contains, among other fields, the URL, page title, number of visits, and the last visit time. The URL may occasionally be truncated in the table view, but the full URL is displayed in CSV format. The last visit timestamp is the time used in the bodyfile output.
The plugin also supports a -N (NULLTIME) option, which omits any records found with a “null timestamp”. There are none in the output below, but the plugin sometimes finds partial records where some data has been overwritten or is incomplete. These often have an invalid timestamp, which is displayed as the epoch time, 1601/01/01. If such entries are a problem, -N omits them from the output.
The urls table only records the last visit to a specific URL along with a count of the number of visits. To see every visit to a URL, use the chromevisits plugin below.
$ vol.py --plugins=plugins/ -f voltest.dmp chromehistory
Volatility Foundation Volatility Framework 2.4
Index  URL  Title  Visits  Typed  Last Visit Time  Hidden  Favicon ID
15  https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity    1  0  2014-08-31 13:09:30.069591  0  0
8  https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8  Google  2  0  2014-08-30 19:58:20.439710  0  0
13  http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64  Thanks for downloading Ubuntu Desktop | Ubuntu  1  0  2014-08-30 19:56:08.004058  0  0
14  http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64  Thanks for downloading Ubuntu Desktop | Ubuntu  1  0  2014-08-30 19:56:08.004058  0  0
12  http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64  Contribute to Ubuntu | Ubuntu | Ubuntu  1  0  2014-08-30 19:56:04.495058  0  0
11  http://www.ubuntu.com/download/desktop  Download Ubuntu Desktop | Download | Ubuntu  1  0  2014-08-30 19:56:01.778058  0  0
9  https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download    1  0  2014-08-30 19:55:46.171058  0  0
5  http://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  2  2014-08-31 13:09:50.603591  0  0
7  http://www.cnn.com/  CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News  1  1  2014-08-30 19:55:33.514058  0  0
6  https://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  0  2014-08-31 13:09:50.603591  0  0
10  http://www.ubuntu.com/download  Get Ubuntu | Download | Ubuntu  1  0  2014-08-30 19:55:54.285058  0  0
4  http://www.foxnews.com/  Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos  1  1  2014-08-18 01:55:04.057529  0  0
1  http://tools.google.com/chrome/intl/en/welcome.html  Getting Started  1  0  2014-08-18 01:53:54.354616  0  0
3  https://www.google.com/  Google  1  1  2014-08-18 01:54:43.940616  0  0
2  https://www.google.com/intl/en/chrome/browser/welcome.html  Getting Started  1  0  2014-08-18 01:53:54.354616  0  0
chromevisits
The chromevisits plugin extracts records from the Chrome visits table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below; it contains all 18 records that are in the chrome_history database linked above, showing the plugin was able to locate every one of them.
The visits table doesn’t contain the actual URLs that were visited; those are stored in the urls table, so a SQL JOIN on the URL ID is needed to combine the two. By default the plugin calls the chromehistory plugin internally, then searches for visits records and combines the data before printing. If only the data from the visits table is wanted, the -Q (QUICK) option can be given. This runs much faster, but shows a limited amount of information.
The visits table contains the URL ID, the visit time, and the “transition” field, which encodes how the navigation happened. Details of the transition field values can be found at the following links:
- https://github.com/jedesah/Chromium/blob/master/content/public/common/page_transition_types.h
- https://developer.chrome.com/extensions/history
In the full output there are two visit-time columns. The first (Visit Time) comes from the visits table and is the time of that particular visit; the second (Last Visit Time) comes from the urls table, so it is the most recent visit to that URL even when it appears on the row of an earlier visit. The URL field in the full output may occasionally be truncated, but the full URL is displayed in CSV format. The visit timestamp is the time used in the bodyfile output.
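The two conversions the visits and downloads output depend on, as an added example (my code, not the plugins’ own): Chrome’s microseconds-since-1601 timestamps rendered as table text and as bodyfile Unix seconds (a zeroed timestamp giving the 1601-01-01 value and the negative epoch discussed above), and the transition bit field expanded into the ‘TYPED;CHAIN_END;SERVER_REDIRECT;’ form the plugin prints. The bit values are those in page_transition_types.h linked above; the bodyfile layout follows the chromedownloads sample further down; function names are my own.

```python
import datetime

# Seconds between the WebKit/Chrome epoch (1601-01-01) and the Unix epoch.
EPOCH_DELTA = 11644473600

def webkit_to_unix(us):
    """Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
    A bodyfile wants whole seconds since 1970, so a zeroed (null) Chrome
    timestamp comes out as -11644473600, exactly as in the post's sample."""
    return us // 1000000 - EPOCH_DELTA

def webkit_to_text(us):
    """Render a Chrome timestamp the way the plugin tables do."""
    dt = datetime.datetime(1601, 1, 1) + datetime.timedelta(microseconds=us)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")

def is_null_time(us):
    """Partial records that -N (NULLTIME) filters out carry a zero here."""
    return us == 0

# Transition encoding from Chromium's page_transition_types.h: the low 8 bits
# are the core type, the high bits are qualifier flags.  Type 6 is printed as
# START_PAGE here to match the plugin output (newer headers call it
# AUTO_TOPLEVEL).
CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "START_PAGE",
              7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
PRE_CHAIN = [(0x01000000, "FORWARD_BACK"), (0x02000000, "FROM_ADDRESS_BAR"),
             (0x04000000, "HOME_PAGE"), (0x08000000, "FROM_API")]
CHAIN_START, CHAIN_END = 0x10000000, 0x20000000
REDIRECTS = [(0x40000000, "CLIENT_REDIRECT"), (0x80000000, "SERVER_REDIRECT")]

def transition_to_text(t):
    """Expand a visits.transition value into the plugin's 'A;B;C;' form."""
    t &= 0xFFFFFFFF                  # value may have been read as a signed 32-bit int
    parts = [CORE_TYPES.get(t & 0xFF, "UNKNOWN_%d" % (t & 0xFF))]
    parts += [name for bit, name in PRE_CHAIN if t & bit]
    start, end = bool(t & CHAIN_START), bool(t & CHAIN_END)
    if start and end:
        parts.append("CHAIN_START_END")   # single-page chain, as in the sample
    elif start:
        parts.append("CHAIN_START")
    elif end:
        parts.append("CHAIN_END")
    parts += [name for bit, name in REDIRECTS if t & bit]
    return ";".join(parts) + ";"

def downloads_bodyfile_line(target_path, total_bytes, referer, start_us, end_us):
    """One bodyfile row laid out like the chromedownloads --output=body sample:
    end time as atime/mtime/ctime, start time as crtime.  The sample prints no
    closing parenthesis after 'bytes', and neither does this."""
    name = "%s -> %s" % (referer, target_path) if referer else "-> %s" % target_path
    end, start = webkit_to_unix(end_us), webkit_to_unix(start_us)
    return "0|[CHROMEDOWNLOADS] %s (%d bytes|0|---------------|0|0|0|%d|%d|%d|%d" % (
        name, total_bytes, end, end, end, start)
```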
visits – QUICK
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits -Q
Volatility Foundation Volatility Framework 2.4
Visit ID  URL ID  Visit Time  From Visit  Transition  Segment ID  Is Indexed  Visit Duration
18  6  2014-08-31 13:09:50.603591  17  TYPED;CHAIN_END;SERVER_REDIRECT;  0  n/a  2994192297
17  5  2014-08-31 13:09:50.603591  0  TYPED;CHAIN_START;  3  n/a  0
14  14  2014-08-30 19:56:08.004058  13  LINK;CHAIN_END;SERVER_REDIRECT;  0  n/a  62001879533
15  8  2014-08-30 19:58:20.439710  0  GENERATED;FROM_ADDRESS_BAR;CHAIN_START;  0  n/a  0
12  12  2014-08-30 19:56:04.495058  11  FORM_SUBMIT;CHAIN_START_END;  0  n/a  3509000
11  11  2014-08-30 19:56:01.778058  10  LINK;CHAIN_START_END;  0  n/a  2717000
10  10  2014-08-30 19:55:54.285058  0  LINK;CHAIN_START_END;  0  n/a  7493000
13  13  2014-08-30 19:56:08.004058  12  LINK;CHAIN_START;  0  n/a  0
7  7  2014-08-30 19:55:33.514058  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  4  n/a  12962000
9  9  2014-08-30 19:55:46.171058  8  LINK;CHAIN_END;CLIENT_REDIRECT;  0  n/a  0
8  8  2014-08-30 19:55:41.021058  0  GENERATED;FROM_ADDRESS_BAR;CHAIN_START;  0  n/a  0
16  15  2014-08-31 13:09:30.069591  15  LINK;CHAIN_END;CLIENT_REDIRECT;  0  n/a  0
4  4  2014-08-18 01:55:04.057529  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  2  n/a  13520000
2  2  2014-08-18 01:53:54.354616  1  START_PAGE;CHAIN_END;SERVER_REDIRECT;  0  n/a  83221913
5  5  2014-08-30 19:55:26.138058  0  TYPED;CHAIN_START;  3  n/a  0
3  3  2014-08-18 01:54:43.940616  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  1  n/a  0
6  6  2014-08-30 19:55:26.138058  5  TYPED;CHAIN_END;SERVER_REDIRECT;  0  n/a  0
1  1  2014-08-18 01:53:54.354616  0  START_PAGE;CHAIN_START;  0  n/a  0
visits – FULL
$ vol.py --plugins=plugins/ -f voltest.dmp chromevisits
Volatility Foundation Volatility Framework 2.4
Visit ID  URL ID  Visit Time  From Visit  Transition  Segment ID  Is Indexed  Visit Duration  URL  Title  Visits  Typed  Last Visit Time  Hidden  Favicon ID
18  6  2014-08-31 13:09:50.603591  17  TYPED;CHAIN_END;SERVER_REDIRECT;  0  n/a  2994192297  https://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  0  2014-08-31 13:09:50.603591  0  0
17  5  2014-08-31 13:09:50.603591  0  TYPED;CHAIN_START;  3  n/a  0  http://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  2  2014-08-31 13:09:50.603591  0  0
14  14  2014-08-30 19:56:08.004058  13  LINK;CHAIN_END;SERVER_REDIRECT;  0  n/a  62001879533  http://www.ubuntu.com/download/desktop/...=US&version=14.04.1&architecture=amd64  Thanks for downloading Ubuntu Desktop | Ubuntu  1  0  2014-08-30 19:56:08.004058  0  0
15  8  2014-08-30 19:58:20.439710  0  GENERATED;FROM_ADDRESS_BAR;CHAIN_START;  0  n/a  0  https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8  Google  2  0  2014-08-30 19:58:20.439710  0  0
12  12  2014-08-30 19:56:04.495058  11  FORM_SUBMIT;CHAIN_START_END;  0  n/a  3509000  http://www.ubuntu.com/download/desktop/...te/?version=14.04.1&architecture=amd64  Contribute to Ubuntu | Ubuntu | Ubuntu  1  0  2014-08-30 19:56:04.495058  0  0
11  11  2014-08-30 19:56:01.778058  10  LINK;CHAIN_START_END;  0  n/a  2717000  http://www.ubuntu.com/download/desktop  Download Ubuntu Desktop | Download | Ubuntu  1  0  2014-08-30 19:56:01.778058  0  0
10  10  2014-08-30 19:55:54.285058  0  LINK;CHAIN_START_END;  0  n/a  7493000  http://www.ubuntu.com/download  Get Ubuntu | Download | Ubuntu  1  0  2014-08-30 19:55:54.285058  0  0
13  13  2014-08-30 19:56:08.004058  12  LINK;CHAIN_START;  0  n/a  0  http://www.ubuntu.com/download/desktop/...ou/?version=14.04.1&architecture=amd64  Thanks for downloading Ubuntu Desktop | Ubuntu  1  0  2014-08-30 19:56:08.004058  0  0
7  7  2014-08-30 19:55:33.514058  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  4  n/a  12962000  http://www.cnn.com/  CNN.com - Breaking News, U.S., World, Weather, Entertainment & Video News  1  1  2014-08-30 19:55:33.514058  0  0
9  9  2014-08-30 19:55:46.171058  8  LINK;CHAIN_END;CLIENT_REDIRECT;  0  n/a  0  https://www.google.com/webhp?sourceid=c...=1&espv=2&ie=UTF-8#q=ubuntu%20download    1  0  2014-08-30 19:55:46.171058  0  0
8  8  2014-08-30 19:55:41.021058  0  GENERATED;FROM_ADDRESS_BAR;CHAIN_START;  0  n/a  0  https://www.google.com/webhp?sourceid=chrome-instant&ion=1&espv=2&ie=UTF-8  Google  2  0  2014-08-30 19:58:20.439710  0  0
16  15  2014-08-31 13:09:30.069591  15  LINK;CHAIN_END;CLIENT_REDIRECT;  0  n/a  0  https://www.google.com/webhp?sourceid=c...pv=2&ie=UTF-8#q=What%20is%20Volatliity    1  0  2014-08-31 13:09:30.069591  0  0
4  4  2014-08-18 01:55:04.057529  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  2  n/a  13520000  http://www.foxnews.com/  Fox News - Breaking News Updates | Latest News Headlines | Photos & News Videos  1  1  2014-08-18 01:55:04.057529  0  0
2  2  2014-08-18 01:53:54.354616  1  START_PAGE;CHAIN_END;SERVER_REDIRECT;  0  n/a  83221913  https://www.google.com/intl/en/chrome/browser/welcome.html  Getting Started  1  0  2014-08-18 01:53:54.354616  0  0
5  5  2014-08-30 19:55:26.138058  0  TYPED;CHAIN_START;  3  n/a  0  http://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  2  2014-08-31 13:09:50.603591  0  0
3  3  2014-08-18 01:54:43.940616  0  TYPED;FROM_ADDRESS_BAR;CHAIN_START_END;  1  n/a  0  https://www.google.com/  Google  1  1  2014-08-18 01:54:43.940616  0  0
6  6  2014-08-30 19:55:26.138058  5  TYPED;CHAIN_END;SERVER_REDIRECT;  0  n/a  0  https://www.facebook.com/  Welcome to Facebook - Log In, Sign Up or Learn More  2  0  2014-08-31 13:09:50.603591  0  0
1  1  2014-08-18 01:53:54.354616  0  START_PAGE;CHAIN_START;  0  n/a  0  http://tools.google.com/chrome/intl/en/welcome.html  Getting Started  1  0  2014-08-18 01:53:54.354616  0  0
chromesearchterms
The chromesearchterms plugin extracts records from the Chrome keyword_search_terms table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp, so the bodyfile format is not supported. The full output from the sample image is copied below; it contains both records that are in the chrome_history database linked above, showing the plugin was able to locate both of them. The output contains the search term and its lowercase representation, along with the URL ID of the row in the urls table (chromehistory plugin) that corresponds to the search, so the full search URL can be referenced.
$ vol.py --plugins=plugins/ -f voltest.dmp chromesearchterms
Volatility Foundation Volatility Framework 2.4
Row ID  Keyword ID  URL ID  Lowercase  Entered Text
2  2  15  what is volatliity  What is Volatliity
1  2  9  ubuntu download  ubuntu download
chromedownloads
The chromedownloads plugin extracts records from the Chrome downloads table in the History SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Since the output of this plugin is rather small in my example, I’m also including the CSV and bodyfile outputs as an example of what most of these plugins provide. The full output from the sample image is copied below; it contains both records that are in the chrome_history database linked above, showing the plugin was able to locate both of them. The output contains the path where the file is being saved, the received and total bytes, and usually the referrer. It also includes the start and end times, which are used in the bodyfile. Later versions of Chrome (I think around 36) added the two MIME fields, which is why they’re empty in this sample.
Standard Text Output
$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloads
Volatility Foundation Volatility Framework 2.4
Row Id  Current Path  Target Path  Start Time  Received  Total Bytes  State  Danger  Interrupt  End Time  Opened  Referer  By Ext ID  By Ext Name  ETag  Last Modified  MIME Type  Original MIME Type
2  C:\Users\test\Downloads\npp.6.6.8.Installer.exe  C:\Users\test\Downloads\npp.6.6.8.Installer.exe  2014-08-31 13:13:32.123849  7920175  7920175  1  4  0  2014-08-31 13:19:06.350249  0        "594509918"  Sun, 27 Jul 2014 22:42:03 GMT
1    C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso  2014-08-30 19:56:11.491058  46641733  1028653056  4  0  20  1601-01-01 00:00:00  0  http://www.ubuntu.com/download/...ion=14.04.1&architecture=amd64      "38d2064-3d...fdb504980"  Tue, 22 Jul 2014 22:36:38 GMT
CSV Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=csv
Volatility Foundation Volatility Framework 2.4
"id","current_path","target_path","start_time","received_bytes","total_bytes","state","danger","interrupt","end_time","opened","referer","by_ext_id","by_ext_name","etag","last_modified","mime_type","original_mime_type"
"2","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","C:\Users\test\Downloads\npp.6.6.8.Installer.exe","2014-08-31 13:13:32.123849","7920175","7920175","1","4","0","2014-08-31 13:19:06.350249","0","","","","""594509918""","Sun, 27 Jul 2014 22:42:03 GMT","",""
"1","","C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso","2014-08-30 19:56:11.491058","46641733","1028653056","4","0","20","1601-01-01 00:00:00","0","http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64","","","""38d2064-3d500000-4fecfdb504980""","Tue, 22 Jul 2014 22:36:38 GMT","",""
Bodyfile Output
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp chromedownloads --output=body
Volatility Foundation Volatility Framework 2.4
0|[CHROMEDOWNLOADS] -> C:\Users\test\Downloads\npp.6.6.8.Installer.exe (7920175 bytes|0|---------------|0|0|0|1409491146|1409491146|1409491146|1409490812
0|[CHROMEDOWNLOADS] http://www.ubuntu.com/download/desktop/thank-you?country=US&version=14.04.1&architecture=amd64 -> C:\Users\test\Downloads\ubuntu-14.04.1-desktop-amd64.iso (1028653056 bytes|0|---------------|0|0|0|-11644473600|-11644473600|-11644473600|1409428571
chromedownloadchains
The chromedownloadchains plugin extracts records from the Chrome downloads_url_chains table in the History SQLite database file. It supports --output=csv to print in CSV format. There is no timestamp, so the bodyfile format is not supported. The full output from the sample image is copied below; it contains both records that are in the chrome_history database linked above, showing the plugin was able to locate both of them. In this example there is only one URL in each download chain; when a download redirects through multiple URLs, they all show up, and the “Chain ID/Chain Index” combination is unique for each one.
$ vol.py --plugins=plugins/ -f voltest.dmp chromedownloadchains
Volatility Foundation Volatility Framework 2.4
Row ID  Chain ID  Chain Index  URL
2  2  0  http://download.tuxfamily.org/notepadplus/6.6.8/npp.6.6.8.Installer.exe
1  1  0  http://ubuntu-releases.cs.umn.edu/14.04.1/ubuntu-14.04.1-desktop-amd64.iso
chromecookies
The chromecookies plugin extracts records from the Chrome cookies table in the Cookies SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Only a snippet of the full output from the sample image is copied below, since there are hundreds of cookies even from visiting just a few sites. The chrome_cookies file linked above was taken from the same machine as the memory image and can be used for comparison, but the plugin will find all the cookies from the SQLite database that are present in the memory image. The output contains the host key, the cookie name, the path, and the value and encrypted value. Chrome started encrypting cookie values early in 2014; older cookies will still show the unencrypted value.
Currently the plugin can decrypt cookies from a Mac or Linux system. The -K option specifies the password, which is only needed for Mac cookies. The password can be obtained by running the following on the source Mac system to extract it from the Keychain:
security find-generic-password -w -s "Chrome Safe Storage"
On Linux the password has the fixed value ‘peanuts’, which is coded into the plugin. This post contains details on decrypting the cookie values and was used in writing this part of the plugin. This post has details on decrypting Windows cookies, but that is not supported in the plugin yet. The plugin also supports the -O option to specify the OS (mac, linux, windows) rather than relying on the profile, which is helpful when running the plugin directly against a Cookies SQLite file.
In addition, the output contains the creation time, last access time, and the expiration time of the cookies, which are all used in the body file output.
Cookies – Basic example
$ vol.py --plugins=plugins/ -f voltest.dmp chromecookies | more
Volatility Foundation Volatility Framework 2.4
Creation Time  Host Key  Name  Value  Path  Expires Time  Secure  HttpOnly  Last Access Time  Expires  Persistent  Priority  Encrypted Value
2014-08-30 19:55:42.098058  www.cnn.com  octowebstatid    /  2015-08-30 19:55:42  0  0  2014-08-30 19:55:42.098058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...332d8a688f51cb124c5b0817e6d59ab56696ab
2014-08-30 19:56:08.455058  .ubuntu.com  __utma    /  2016-08-29 19:56:08  0  0  2014-08-30 19:56:08.455058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...bc7b27ed42f4e8654421f90ca261d0b823216d
2014-08-18 01:53:54.812617  .youtube.com  VISITOR...1_LIVE    /  2015-04-18 13:46:54.812617  0  0  2014-08-18 01:53:54.812617  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...56ee53d9b5ec43a08e3ef526906e239a1be5d7
2014-08-18 01:53:54.893616  .google.com  __utma    /intl/en/chrome/browser/  2016-08-17 01:53:54  0  0  2014-08-18 01:54:56.400529  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...dca0f3ff3125021c58eabd5a5c5aa1e39ff31a
2014-08-30 19:55:34.066058  .www.ugdturner.com  ug1    /  2019-08-29 19:55:34.066058  0  0  2014-08-30 19:55:34.066058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...770a74f1e311837ea538744ea7d181c4f1f2de
2014-08-30 19:55:34.067058  www.cnn.com  ug    /  2015-08-30 19:55:34  0  0  2014-08-30 19:55:34.067058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...a27d86d1efe9652678fb31931f4f5e192bc96f
2014-08-30 19:55:34.067059  www.cnn.com  ugs    /  2014-08-31 21:55:34  0  0  2014-08-30 19:55:34.067059  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...1b89901d7f7c1774f49cd9b47229e19043f883
2014-08-30 19:55:46.475058  www.cnn.com  _chartbeat4    /  2014-08-30 20:55:46  0  0  2014-08-30 19:55:46.475058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...885d99442117495160258487a86d42df33973a
2014-08-30 19:55:39.137058  .doubleclick.net  _drt_    /  2014-08-31 07:55:39.137058  0  1  2014-08-30 19:55:39.137058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...0fc907219965b89c8b1f1250f51af443dc2e05
2014-08-30 19:55:39.406058  .krxd.net  ServedBy    /  2015-02-27 09:15:39.406058  0  0  2014-08-30 19:55:39.406058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...da32d1ec7ff79594caf486a5f45dd23d78c954
2014-08-30 19:55:39.406059  .krxd.net  _kuid_    /  2015-02-26 19:55:39.406059  0  0  2014-08-30 19:55:39.406059  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...7c79dac49bed8bcc64b2d4c59cf082427263c8
2014-08-30 19:56:08.455059  .ubuntu.com  __utmb    /  2014-08-30 20:26:08  0  0  2014-08-30 19:56:08.455059  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...4b6aaeec96ec8a1c3733ee8f4a3ffa124fcdf2
2014-08-30 19:55:36.159058  .cnn.com  s_vi    /  2016-08-29 19:55:36.159058  0  0  2014-08-30 19:55:36.159058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...e051356b6a9a21ea3db611c21cccdc47ce9830
2014-08-30 19:55:36.797058  .outbrain.com  _lvs2    /  2015-09-26 19:55:36  0  0  2014-08-30 19:55:36.797058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...9d0008d0566aadc64154f3b946207d1115148a
2014-08-30 19:55:36.915058  .rubiconproject.com  ruid    /  2014-11-28 19:55:36.915058  0  0  2014-08-30 19:55:36.915058  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...34ec6d9be5d8722099eac8e10c39190fbd5c7c
2014-08-18 01:55:10.572529  .tapad.com  TapAd_TS    /  2014-10-17 01:55:09  0  0  2014-08-18 01:55:10.572529  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...fbb5944c4fb120fc1fdf2e3acbb5f8ab630c91
2014-08-18 01:55:10.565530  .bizographics.com  BizoData    /  2015-02-16 13:55:10.565530  0  0  2014-08-18 01:55:10.565530  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...ddb450d13d95198dd5ff18d05eb31d89e60705
2014-08-18 01:55:10.708529  .demdex.net  DPM    /  2016-08-17 01:55:09  0  0  2014-08-18 01:55:10.708529  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...169b9472b70057cfc1f0845a12d94cf484b914
2014-08-18 01:55:10.678530  .acxiom-online.com  ACXID    /  2015-08-18 01:55:10.678530  0  0  2014-08-18 01:55:10.678530  1  1  1  01000000d08c9ddf0115d1118c7a00c04fc297e...ffd2e26b6112093ba13ef1cec3ab8c7d0788bf
Cookies – No Decryption
Sample execution against another memory image, without decrypting the cookies:
$ vol.py --profile=MacMavericks_10_9_4_AMDx64 -f mem.macho chromecookies
Volatility Foundation Volatility Framework 2.4
Creation Time  Host Key  Name  Value  Path  Expires Time  Secure  HttpOnly  Last Access Time  Expires  Persistent  Priority  Encrypted Value
2014-09-04 21:36:14.605479  .sleuthkit.org  _sm_au_c    /  Never Expires  0  0  2014-09-04 21:36:14.605479  0  0  1  7631308406dafc56e672450c48985a03152bba6342cd223910827a8db5b6cbf6f5f6ae
2014-09-04 21:36:15.262039  .cs.uno.edu  _sm_au_c    /  Never Expires  0  0  2014-09-04 21:42:22.576744  0  0  1  763130460b6ba9333f9cc802ae02f2594b48f8fbc97d1413fa9a4a39b2d9d52561fdbe
2014-09-04 21:36:15.263101  .threat-analytics.com  _sm_au_c    /  Never Expires  0  0  2014-09-06 20:50:33.270622  0  0  1  763130e10cac14e080087a30697432e03fd9e90058a8fca19477aa2abe29669433dece
2014-09-04 21:36:18.805114  .dfinews.com  _sm_au_c    /  Never Expires  0  0  2014-09-05 22:56:26.547288  0  0  1  76313069b9fc355151345fb7772978a63f0b7ee60db4254b786b2a87f0ddc70de2002e
Very nice plugin. Thanks for the hardwork and great tool.
Thanks! Let me know if you have any problems, since I’ve only tested against my own data.
Hey man,
I am doing a little bit android forensics and just tried out your plugins for Android. They work flawlessly!
Awesome work !! Thank you very much. You definitely deserved 1st place at the contest :D
Hi,
I am also working on Android forensics as a project in one of my courses, I have downloaded this plugin but it is not working. It creates some errors like:
Invalid Lime header signature
or
Incompatible profile selected, etc.
Would you please give me some information about how I can make it work on my emulator?
Do other plugins work against that image? You shouldn’t even need to specify a profile for the Chrome plugins, so I don’t think your problem is specific to this plugin. What’s the full command you’re running?
I can run other plugins on my Android image file perfectly; I just have a problem with your plugin. I have tested 4 different dumps but the problem still exists:
1. for chromecookies my output is nothing (I am sure that Chrome stores some cookies and also I can read them inside of memory by checking the file location)
2. for “chromehistory”, “chromesearchterms” and “chromedownloads”
“ERROR : volatility.debug : This command does not support the profile LinuxGolfish-2_6_29ARM”
Also this is my command:
“python ../../vol.py --profile=LinuxGolfish-2_6_29ARM -f ~/lime-forensics/lime10.dmp chromecookies”
I have got the dump with Lime and also my profile is OK.
What happens if you don’t specify the profile at all?
If you run the command without a profile: (nothing for all plugins except chromecookies)
$python ../../vol.py -f ~/lime-forensics/lime8.dmp chromehistory
Volatility Foundation Volatility Framework 2.5
Index URL Hidden Favicon ID
—– — —— ——– —
but for chromecookies: (lots of errors)
$ python ../../vol.py -f ~/lime-forensics/lime8.dmp chromecookies
Volatility Foundation Volatility Framework 2.5
No suitable address space mapping found
Tried to open image as:
MachOAddressSpace: mac: need base
LimeAddressSpace: lime: need base
WindowsHiberFileSpace32: No base Address Space
WindowsCrashDumpSpace64BitMap: No base Address Space
WindowsCrashDumpSpace64: No base Address Space
HPAKAddressSpace: No base Address Space
VirtualBoxCoreDumpElf64: No base Address Space
VMWareMetaAddressSpace: No base Address Space
VMWareAddressSpace: No base Address Space
QemuCoreDumpElf: No base Address Space
WindowsCrashDumpSpace32: No base Address Space
AMD64PagedMemory: No base Address Space
IA32PagedMemoryPae: No base Address Space
IA32PagedMemory: No base Address Space
OSXPmemELF: No base Address Space
MachOAddressSpace: MachO Header signature invalid
MachOAddressSpace: MachO Header signature invalid
LimeAddressSpace: Invalid Lime header signature
WindowsHiberFileSpace32: No xpress signature found
WindowsCrashDumpSpace64BitMap: Header signature invalid
WindowsCrashDumpSpace64: Header signature invalid
HPAKAddressSpace: Invalid magic found
VirtualBoxCoreDumpElf64: ELF Header signature invalid
VMWareMetaAddressSpace: VMware metadata file is not available
VMWareAddressSpace: Invalid VMware signature: 0x6f747475
QemuCoreDumpElf: ELF Header signature invalid
WindowsCrashDumpSpace32: Header signature invalid
AMD64PagedMemory: Incompatible profile WinXPSP2x86 selected
IA32PagedMemoryPae: No valid DTB found
IA32PagedMemory: No valid DTB found
OSXPmemELF: ELF Header signature invalid
FileAddressSpace: Must be first Address Space
ArmAddressSpace: No valid DTB found
The “nothing” output for all except cookies where it’s just showing the header columns means it’s working and not finding any matches.
For the chromecookies plugin, that one does check for a profile so it knows the format for decrypting cookies. You should be able to get around the check by adding “-O linux” to the end of your command.
The -O linux option shows this output:
$ python ../../vol.py -f ~/lime-forensics/lime12.dmp chromecookies -O linux
Volatility Foundation Volatility Framework 2.5
Creation Time Host Key Name Value Path Expires Time Secure HttpOnly Last Access Time Expires Persistent Priority Encrypted Value
————————–
Have you ever tested your plugin on an Android memory dump?
Hi man. My University project is Android forensics but I can’t get Android memory dump from Android emulator. Can you help me please?
Dear Sir, when I try to use “chromehistory” I get:
ERROR: __main__ you must specify something to do
The command is:
python Scripts\vol.py -d –plugins=plug\ -f C:\!Volat\WIE_SATA_SSD.001 chromehistory
A command like
python Scripts\vol.py -f C:\!Volat\WIE_SATA_SSD.001 imageinfo
seems to work. Where am I wrong?
Kind regards
Bernhard Kontig
Try putting the plugins argument first, so something like
python Scripts\vol.py --plugins=plug\ … then the rest. Also, make sure you use two dashes with plugins.
Hey,
I tried the firefoxhistory and the chromehistory plugins.
Nice work :)
My mission with firefoxhistory succeeded, but with chrome it fails.
“*** Failed to import volatility.plugins.chromehistory (ImportError: No module named Protocol.KDF)”
I’ll try both Plugins with Python 2.7 in Windows CMD.
Greetings
You need the Crypto module installed:
https://stackoverflow.com/questions/30738083/importerror-no-module-named-crypto
Try this:
pip install pycrypto
Hi, I tried to run these plugins on the latest versions of Chrome/Firefox, but it seems not to work at all. Does it only work on versions between 30 and 37, as you stated?
Thanks for help in advance.
It definitely looks like there have been some changes to the SQLite schemas, but just testing against Chrome, I do get results from some of the plugins. These worked for me on Chrome v55: chromesearchterms, chromedownloadchains. The others I’ll have to take a look at and see what changed. Thanks for letting me know.
Hi All,
I am getting the error below
Volatility Foundation Volatility Framework 2.6
*** Failed to import volatility.plugins.chromehistory (ImportError: No module n$
*** Failed to import volatility.plugins.malware.zeusscan (ImportError: No modul$
*** Failed to import volatility.plugins.malware.trustrecords (ImportError: No m$
*** Failed to import volatility.plugins.malware.sqlite_help (ImportError: No mo$
*** Failed to import volatility.plugins.malware.prefetch (ImportError: No modul$
*** Failed to import volatility.plugins.malware.apihooksdeep (ImportError: No m$
*** Failed to import volatility.plugins.malware.chromehistory (ImportError: No $
*** Failed to import volatility.plugins.malware.uninstallinfo (ImportError: No $
*** Failed to import volatility.plugins.malware.poisonivy (ImportError: No modu$
*** Failed to import volatility.plugins.malware.idxparser (ImportError: No modu$
*** Failed to import volatility.plugins.malware.firefoxhistory (ImportError: No$
*** Failed to import volatility.plugins.malware.malfinddeep (ImportError: No mo$
*** Failed to import volatility.plugins.malware.ssdeepscan (ImportError: No mod$
*** Failed to import volatility.plugins.malware.psempire (ImportError: No modul$
ERROR : volatility.debug : You must specify something to do (try -h)
Can you paste the full command you ran?
Hi,
The chromehistory plugin doesn’t work at all. I tried all possibilities to get it running but nothing succeeded. I followed your steps like pointing to the plugins directory first; I even tried to use the version of Volatility that you used but failed again. I hope you provide us with more details on whether the plugin still works with new versions of Chrome or not.
The command that was used:
vol.py --plugins=/home/*****/Desktop/volatility-plugins-master/ -f file_patched.dmp --profile=Win7SP1x86_23418 chromehistory
The output:
ERROR : volatility.debug : You must specify something to do (try -h)
Thank you.
Hi,
Thanks for amazing plugins.
Can you tell me how to use your plugins to get user password from memory dump file?
Thanks!