Brainfoldb4u's Blog

Google Chrome Forensic

Posted by brainfoldb4u on January 22, 2010

This post is actually posted in the SANS Computer Forensic Lab by Kristinn under Browser Forensics, Computer Forensics. This is pretty useful information about Google Chrome so I am linking it in here.

Google Chrome stores the browser history in a SQLite database, not unlike Firefox.  Yet the structure of the database file is quite different.

Chrome stores its files in the following locations:

  • Linux: /home/$USER/.config/google-chrome/
  • Linux: /home/$USER/.config/chromium/
  • Windows Vista (and Win 7): C:\Users\[USERNAME]\AppData\Local\Google\Chrome
  • Windows XP: C:\Documents and Settings\[USERNAME]\Local Settings\Application Data\Google\Chrome

There are two different versions of Google Chrome for Linux: the official packages distributed by Google, which store their data in the google-chrome directory, and the Linux distributions' version, Chromium, which uses the chromium directory.

The database file that contains the browsing history is stored under the Default folder as “History” and can be examined using any SQLite browser (such as sqlite3). The available tables are:

  • downloads
  • presentation
  • urls
  • keyword_search_terms
  • segment_usage
  • visits
  • meta
  • segments

The most relevant tables for browsing history are the “urls” table, which contains all the visited URLs; the “visits” table, which contains, among other information, the type of visit and the timestamps; and finally the “downloads” table, which contains a list of downloaded files.

If we examine the urls table for instance by using sqlite3 we can see:

sqlite> .schema urls
CREATE INDEX urls_favicon_id_INDEX ON urls (favicon_id);
CREATE INDEX urls_url_index ON urls (url);

And the visits table

sqlite> .schema visits
CREATE INDEX visits_from_index ON visits (from_visit);
CREATE INDEX visits_time_index ON visits (visit_time);
CREATE INDEX visits_url_index ON visits (url);

So we can construct a SQL statement to get some information about the user's browsing habits. The visits table references the urls table through its url column, which holds the id of the matching urls row:

SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, urls.last_visit_time, urls.hidden, visits.visit_time, visits.from_visit, visits.transition
FROM urls, visits
WHERE urls.id = visits.url

This SQL statement extracts all the URLs the user visited alongside the visit count, type and timestamps.

If we examine the timestamp information from the visits table we can see that it is not in Epoch format. The timestamp in the visits table is the number of microseconds since midnight UTC on 1 January 1601, which others have noticed as well, such as firefoxforensics.

If we take a look at the schema of the downloads table (.schema downloads) we see

start_time INTEGER NOT NULL,received_bytes INTEGER NOT NULL,total_bytes INTEGER NOT NULL,state

If we examine the timestamp there (start_time) we can see that, unlike visit_time, it is stored in Epoch format.

There is one more interesting thing to mention in the “visits” table: the column “transition”. This value describes how the URL was loaded in the browser. For full documentation see the source code of page_transition_types; in short, the core parameters are the following:

  • LINK. User got to the page by clicking a link.
  • TYPED. User typed the URL in the URL bar.
  • AUTO_BOOKMARK. User got to this page through a suggestion in the UI, for example, through the destinations page.
  • AUTO_SUBFRAME. Any content that is automatically loaded in a non-toplevel frame. User might not realize this is a separate frame so he might not know he browsed there.
  • MANUAL_SUBFRAME. For subframe navigations that are explicitly requested by the user and generate new navigation entries in the back/forward list.
  • GENERATED. User got to this page by typing in the URL bar and selecting an entry that did not look like a URL.
  • START_PAGE. The user’s start page or home page or URL passed along the command line (Chrome started with this URL from the command line)
  • FORM_SUBMIT. The user filled out values in a form and submitted it.
  • RELOAD.  The user reloaded the page, whether by hitting reload, enter in the URL bar or by restoring a session.
  • KEYWORD. The url was generated from a replaceable keyword other than the default search provider
  • KEYWORD_GENERATED. Corresponds to a visit generated for a keyword.

The transition variable contains more information than just the core parameters. It also stores so-called qualifiers, such as whether this was a client or server redirect and whether this is the beginning or the end of a navigation chain.

When reading the transition from the database and extracting just the core parameter, the value found in the database has to be ANDed with the constant CORE_MASK; the remaining high bits are the qualifiers.
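Putting the join and the decoding together, as an added example that is not from the original post or from log2timeline: a Python script that runs the corrected urls/visits query over a constructed in-memory stand-in for a History file, converts visit_time from microseconds since 1601 to UTC, and masks transition with CORE_MASK to separate the core type from the qualifier bits. The numeric values for the core types and qualifiers are assumed to match Chromium's page_transition_types.h for the build being examined.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core transition values and qualifier bits as defined in Chromium's
# page_transition_types.h (assumed to match the Chrome build under analysis).
CORE_TYPES = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
              4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "START_PAGE", 7: "FORM_SUBMIT",
              8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
CORE_MASK = 0xFF
QUALIFIERS = {0x10000000: "CHAIN_START", 0x20000000: "CHAIN_END",
              0x40000000: "CLIENT_REDIRECT", 0x80000000: "SERVER_REDIRECT"}
# visits.visit_time is microseconds since 1601-01-01 UTC, not the Unix epoch.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(us):
    """Convert a Chrome/WebKit microsecond timestamp to an aware UTC datetime."""
    return CHROME_EPOCH + timedelta(microseconds=us)

def decode_transition(value):
    """Split a raw transition into its core type and the list of qualifier flags set."""
    core = CORE_TYPES.get(value & CORE_MASK, "UNKNOWN")
    quals = [name for bit, name in QUALIFIERS.items() if value & bit]
    return core, quals

def visits_report(db):
    """Join urls and visits (visits.url references urls.id) and decode each row."""
    rows = db.execute(
        "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, "
        "visits.visit_time, visits.from_visit, visits.transition "
        "FROM urls, visits WHERE urls.id = visits.url ORDER BY visits.visit_time").fetchall()
    return [{"url": u, "title": t, "visit_count": vc, "typed_count": tc,
             "time": chrome_time(vt), "from_visit": fv, "transition": decode_transition(tr)}
            for u, t, vc, tc, vt, fv, tr in rows]

def build_sample_db():
    """Constructed in-memory stand-in for a History file (only the columns queried above)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
                          typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        INSERT INTO urls VALUES(1, 'http://example.test/', 'Example', 1, 1, 12905518429000000, 0);
        INSERT INTO urls VALUES(2, 'http://example.test/landing', 'Landing', 1, 0, 12905518589000000, 0);
        -- constructed visits: TYPED with CHAIN_START|CHAIN_END, then a LINK via a server redirect
        INSERT INTO visits VALUES(1, 1, 12905518429000000, 0, 805306369);
        INSERT INTO visits VALUES(2, 2, 12905518589000000, 1, 2415919104);""")
    return db

if __name__ == "__main__":
    for v in visits_report(build_sample_db()):
        print(v["time"].strftime("%Y-%m-%d %H:%M:%S"), v["transition"], v["url"])
```

The first constructed visit_time decodes to 2009-12-17 10:13:49 UTC, the same instant as the Unix timestamp 1261044829 shown in the log2timeline output below.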


I’ve created an input module to log2timeline to make things a little bit easier by automating this.  At this time the input module is only available in the nightly builds, but it will be released in version 0.41 of the framework.

An example usage of the script is the following:

log2timeline -f chrome -z local History
0|[Chrome] User: kristinng URL visited: (Get started with Google Chrome) [count: 1] Host: type: [START_PAGE - The start page of the browser] (URL not typed directly)|0|0|0|0|0|1261044829|1261044829|1261044829|1261044829

0|[Chrome] User: kristinng URL visited: (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: type: [TYPED - User typed the URL in the URL bar] (directly typed)|0|0|0|0|0|1261044989|1261044989|1261044989|1261044989..
The script reads the user name from the directory path in which the History file was found, then reads the database structure from the History file and prints out the information in a human-readable form (this output is in mactime format). To convert the information found here to CSV using mactime:

log2timeline -f chrome -z local History > bodyfile
mactime -b bodyfile -d > body.csv

And the same lines in the CSV file are then:
Thu Dec 17 2009 10:13:49,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: (Get started with Google Chrome) [count: 1] Host: type: [START_PAGE - The start page of the browser] (URL not typed directly)
Thu Dec 17 2009 10:16:29,0,macb,0,0,0,0,[Chrome] User: kristinng URL visited: (SANS Internet Storm Center; Cooperative Network Security Community - Internet Security) [count: 1] Host: type: [TYPED - User typed the URL in the URL bar] (directly typed)
Original information is published in this link

Posted in Auditing, Browser Security, Hacking

Online power point presentation tool: Preezo

Posted by brainfoldb4u on January 22, 2010

Were you ever in a situation where you had no Microsoft PowerPoint installed and were restricted from downloading any additional software or plugins, but still wanted to prepare some PowerPoint slides? Here is an easy solution called “Preezo”; all you need is an active internet connection and a reasonably popular web browser.

Web app Preezo is a stripped-down version of PowerPoint right inside your web browser. Create, edit, collaborate on and permalink slideshows at Preezo, which isn’t as featureful as PowerPoint proper but has all the essential tools you need to create a full-on presentation minus desktop software. Preezo is an Ajax-based online presentation creator that replaces the Microsoft PowerPoint application and lets you share presentations over the web without any software or plug-in to install. If you like to spice up your slide shows with a little movement, check out their Slide Transitions feature. Not only can you make your slides wipe, push and fade, but you can also set your slides to advance automatically after a specified amount of time. They have diagramming features as well that can help you create rectangles, ellipses, triangles, lines and more.

They have a large collection of transition effects. For example, Box In, Box Out, Cover Down, Cover Left, Cover Right, Cover Up, Cover Left-Down, Cover Left-Up, Cover Right-Down, Cover Right-Up, Cut, Cut Through Black, Fade Smoothly, Fade Through Black, Push Down, Push Left, Push Right, Push Up, Push Left-Down, Push Left-Up, Push Right-Down, Push Right-Up, Random, Split Horizontal In, Split Horizontal Out, Split Vertical In, Split Vertical Out, Uncover Down, Uncover Left, Uncover Right, Uncover Up, Uncover Left-Down, Uncover Left-Up, Uncover Right-Down, Uncover Right-Up, Wipe Down, Wipe Left, Wipe Right, Wipe Up, Wipe Left-Down, Wipe Left-Up, Wipe Right-Down, Wipe Right-Up.

Key Features

– You can create professional quality presentations using an ultra-fast Ajax user interface.

– Access your presentations from any computer with an Internet connection and a modern browser. And there’s no need for dedicated hosting to use Preezo.

– Reuse images or the content of entire slides from easy to use galleries.

– Save time and reduce headache by collaborating on a centralized web document.

– Distribute presentations to clients and colleagues without having to email huge PowerPoint files.

Posted in Free but useful tools, Information Security, Open Source