In 2008 Google released most of Chrome’s source code as a project called Chromium under a BSD license. Chromium is essentially the same browser as Chrome, but lacks built-in automatic updates and Google branding [Chromium Developer Website].
Assuming the computer is running Windows XP, the Chrome default path to user data is:
C:\Documents and Settings\<User Name>\Local Settings\Application Data\Google\Chrome\User Data
For Windows Vista and Windows 7, the default path is:
C:\Users\<User Name>\AppData\Local\Google\Chrome\User Data
Chrome uses SQLite databases similar to Firefox but with notable differences explained below. All databases are stored in the directory Default, with history and web data being the most important databases stored here. Chrome does not add extensions to its files; but fortunately SQLite databases have a file header of “SQLite format 3” making them easy to recognise.
Chrome is not consistent with which datetime format it uses, some tables use standard Unix Epoch time (microseconds since 1st January 1970) whilst in others it uses its own variation of Windows Filetime (100 nanosecond intervals since 1st January, 1601 UTC divided by 10).
Similar to places.sqlite in Firefox, history contains a table of unique URLS visited called urls, and a table for each unique visit called visits. Also like Firefox, it is possible to trace a user’s exact path on the internet as Chrome also stores the referring URL and the visit type, which Chrome names transition. Tables below show the fields in urls and visits respectively.
|id||The table’s primary key. This is used in a lot of other tables to reference this table.|
|url||Stores a unique visited URL.|
|title||Stores the URLs page title.|
|visit_count||Stores the total visit count for this URL.|
|typed_count||Stores the number of times the URL was typed manually.|
|last_visit_time||Stores the last time the URL was visited. This is stored in Google’s own variation of time.|
|hidden||Indicates if the URL will be displayed by the autocomplete function. A value of 1 will keep it hidden and 0 will display it.|
|favicon_id||A foreign key to the favicon table which stores the favicon for each URL.|
|id||The table’s primary key.|
|url||Stores a foreign key to the urls table.|
|visit_time||Stores the time the URL was visited in Google’s own variation of time.|
|from_visit||Stores the id from where the URL came from originally. If the URL does not have a referring URL this value is 0.|
|transition||Shows how the URL has been accessed. Unlike Firefox which just gives a number to represent the type of transition, Chrome has some additional information such as whether or not this was a client or server redirect and if this is a beginning or end of a navigation chain. The transition is a long number, so to extract just the transition type number the variable CORE_MASK (0xFF) has to be used to AND with the transition value.|
There are 11 page transition types, such as 0 – user followed a link, 1 – user typed in the URL and 6 – this is the user’s homepage/startpage.
|segment_id||Stores the segment id. It is not clear what ‘segments’ are. There are tables called segments and segment_usage also in history, and they appear to store the domain names of accessed URLs along with a total visit count.|
To see how these tables relate, see my earlier blog post on how Firefox stores web history.
web data stores logins and autofill data. The table logins stores usernames and passwords for URLs the user has asked to save data for. Only the password is stored encrypted. The table autofill stores values the user has used in forms. This is joined to autofill_dates which stores the last used date for the data. There are also tables called autofill_profiles and credit_cards which contain the user’s details and credit card information so they can be automatically added to web forms.
HISTORY INDEX FILES
In the same folder are files named History-Index-YYYY-MM which stores the text-based contents of any website visited. This is used when the user searches through web history with key words. Chrome will search over the history index files to find any webpages that match. Over time these files can grow very large, to tens of Gigabytes. This has been issued as a bug in the browser, but can be of importance to a forensic investigator who can also do key word searches to get an idea of the contents of the pages the user was visiting.