Google Chrome Forensics: Analyzing History and cache
- Mar 3

Introduction
Since its release in 2008, Google Chrome has become one of the most widely used web browsers, thanks to its user-friendly interface, seamless integration with Google services, and efficient web rendering capabilities.
From a forensic standpoint, Chrome's artifacts are well-organized and primarily stored within the user’s profile directory, making them a valuable resource for digital investigators.
-------------------------------------------------------------------------------------------------------------
Chrome User Data Storage Locations
Windows XP:
%UserProfile%\Local Settings\Application Data\Google\Chrome\User Data
Windows 7 and Later:
%UserProfile%\AppData\Local\Google\Chrome\User Data
Most artifacts are stored in SQLite databases or JSON files. While these formats are widely documented, the stored data often requires additional processing for analysis. For example, timestamps and page transition data may not be human-readable at first glance.
-------------------------------------------------------------------------------------------------------------
Analyzing Chrome Browser History
Browser history is an essential artifact in forensic investigations, providing insight into a user’s online activity. Chrome maintains an extensive history of visited websites, with a default retention period of up to 90 days.
Key information extracted from browser history includes:
URLs of visited websites
Page titles and referring sites
Frequency of visits
Timestamps for each visit
User profile associated with the visits
-------------------------------------------------------------------------------------------------------------
Chrome History Database
The History database, stored within User Data\<Profile>, is the primary source for browsing activity. Chrome stores its history in SQLite format, and forensic analysts can extract valuable insights by querying specific tables.
Key SQLite Tables in the History Database:
Table Name | Data Stored |
downloads, downloads_url_chains | Download history, including URLs and file names |
keyword_search_terms | Typed search queries (used for autocomplete) |
segments, segment_usage | Frequently visited sites (for the Most Visited page) |
visit_source | Source of URL information (local, synced, imported) |
urls, visits | Comprehensive browser history, including timestamps and referrer data |
Additional History Artifacts
Top Sites Database: Stores thumbnails and metadata for frequently visited pages.
Archived History: Previously stored older browsing history beyond 90 days (removed in Chrome v37).
History Index YYYY-MM: Used to index page content for searches (removed in Chrome v30).

-------------------------------------------------------------------------------------------------------------
Key Tables in Chrome’s History Database
The primary tables of interest are:
urls – Stores the URL, page title, and the last visit time.

visits – Keeps a detailed log of each visit to a website.

To get a complete picture of a user’s browsing activity, you need to cross-reference both tables.


What Can We Learn from Chrome’s History?
Total Visits: Each time a site is visited, a new entry is made in the visits table.
Last Visit Time: Stored in the urls table, showing the most recent visit.
Visit Count: Tracks how often a particular site was visited.
Typed URLs: URLs that were physically typed or pasted into the address bar get a special typed_count value, indicating intentional user activity.
Visit Duration: Unlike most browsers, Chrome records how long a site was open in the visit_duration field. This data is stored in microseconds, and the tab doesn’t even have to be in focus for the duration to increase.
Hidden URLs: The hidden field in the urls table doesn’t mean the visit was hidden from the user. Instead, it controls whether the URL appears in auto-complete suggestions (0 = visible, 1 = hidden).
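The cross-reference described above, as an added example that is not part of the original article: it joins visits to urls, resolves the referrer through from_visit, and converts Chrome's timestamps (microseconds since 1601-01-01 UTC) and visit_duration into readable values. The rows are constructed sample data using a subset of the real columns, and the function names are illustrative.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome timestamps count microseconds since 1601-01-01 UTC; 0 = not set."""
    return WEBKIT_EPOCH + timedelta(microseconds=us) if us else None

def build_sample_history():
    """Constructed sample data using a subset of the real urls/visits columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER,
            last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
            visit_time INTEGER, from_visit INTEGER, transition INTEGER,
            visit_duration INTEGER);
        INSERT INTO urls VALUES
          (1,'https://example.com/','Example',2,1,13385520600000000,0),
          (2,'https://example.com/docs','Docs',1,0,13385520045000000,0);
        INSERT INTO visits VALUES
          (1,1,13385520000000000,0,805306369,45000000),
          (2,2,13385520045000000,1,805306368,120000000),
          (3,1,13385520600000000,0,805306376,0);
    """)
    return db

def timeline(db):
    """One row per visit: visits joined to urls, referrer via from_visit."""
    rows = db.execute("""
        SELECT v.id, u.url, u.typed_count, v.visit_time, v.visit_duration,
               v.transition & 255, ref.url
        FROM visits v
        JOIN urls u ON u.id = v.url
        LEFT JOIN visits pv ON pv.id = v.from_visit
        LEFT JOIN urls ref ON ref.id = pv.url
        ORDER BY v.visit_time""").fetchall()
    return [{"visit_id": vid, "url": url, "typed_count": typed,
             "visited_utc": webkit_to_utc(t), "open_seconds": dur / 1_000_000,
             "core_transition": core, "referrer": ref}
            for vid, url, typed, t, dur, core, ref in rows]

if __name__ == "__main__":
    # On a case, query a working copy opened read-only, e.g.
    # sqlite3.connect("file:History?mode=ro", uri=True)
    for row in timeline(build_sample_history()):
        print(row)
```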
-------------------------------------------------------------------------------------------------------------
Understanding Page Transition Types
Every visit entry in Chrome has a transition field, which indicates how the user accessed a website. These values are stored as 32-bit numbers and can look cryptic without decoding. The core types include:

Transition Type | Meaning |
0 | Link click |
1 | Typed URL |
2 | Auto bookmark |
3 | Auto subframe (embedded content) |
4 | Manual subframe |
5 | Omnibox suggestion |
6 | Start page visit |
7 | Form submission |
8 | Page reload |
9 | Keyword search |
10 | Generated keyword search |
These transition types help investigators determine how a website was accessed. For example, a typed transition (1) suggests direct user interaction, whereas a link transition (0) indicates the user clicked a hyperlink.
Check out the article related to Transitions and qualifiers
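Decoding the 32-bit transition value, as an added example that is not part of the original article: the low byte is the core type from the table above and the upper bits are qualifier flags. The qualifier bit values come from Chromium's page_transition_types.h rather than from this page, and the sample values are constructed.

```python
CORE_MASK = 0xFF  # low byte holds the core type; upper bits are qualifiers

# Core types as listed in the table above.
CORE_TYPES = {
    0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe",
    4: "manual_subframe", 5: "omnibox_suggestion", 6: "start_page",
    7: "form_submit", 8: "reload", 9: "keyword", 10: "keyword_generated",
}

# Qualifier bits as defined in Chromium's page_transition_types.h
# (not listed on this page).
QUALIFIERS = {
    0x00800000: "blocked",
    0x01000000: "forward_back",
    0x02000000: "from_address_bar",
    0x04000000: "home_page",
    0x08000000: "from_api",
    0x10000000: "chain_start",
    0x20000000: "chain_end",
    0x40000000: "client_redirect",
    0x80000000: "server_redirect",
}

def decode_transition(raw):
    """Split a visits.transition value into core type and qualifier flags."""
    value = raw & 0xFFFFFFFF  # values with the top bit set may read back negative
    core = value & CORE_MASK
    flags = [name for bit, name in QUALIFIERS.items() if value & bit]
    return {
        "core": CORE_TYPES.get(core, f"unknown({core})"),
        "qualifiers": flags,
        "redirect": any(f.endswith("_redirect") for f in flags),
    }

if __name__ == "__main__":
    # Constructed sample values, not taken from a real History file.
    for raw in (805306369, 33554433, -1610612736, 805306379):
        print(raw, decode_transition(raw))
```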
-------------------------------------------------------------------------------------------------------------
What is an Internet Cache?
The internet cache is a feature designed to speed up web browsing. When you visit a website, your browser downloads and saves parts of the webpage (such as images, scripts, and HTML files) on your device. This way, if you revisit the same site, your browser can load the saved content instead of downloading it again, making things much faster. This is why when you press the back button, the previous page loads instantly—it’s coming from the cache.
Why is Cache Important in Forensics?
From a forensic standpoint, the cache is a goldmine of information about a user's online activity. It stores actual webpage content, meaning investigators can reconstruct what a user saw and interacted with on a website. While browsing history only logs visited URLs, the cache holds more valuable data like images, HTML files, and even downloaded attachments (e.g., in Outlook Web Access).
How is Chrome's Cache Structured?
Chrome stores cached files inside a user’s profile directory. Before version 97, the cache files were stored in the Cache folder. From version 97 onwards, they were moved deeper into Cache\Cache_Data.
The cache consists of at least five key files:
Index file (index): Keeps track of cached entries.
Data files (data_0 to data_3): Store the actual cached content and metadata.
Block files: Organize cached data into fixed-size blocks for efficient storage.
Separate files (f_xx format): Used for storing larger files (above 16 KB).

What Information Can Be Extracted from Chrome Cache?
Each cached item comes with metadata that gives useful insights, such as:
Metadata Field | Description |
Filename | The name of the file downloaded from the website. |
URL | The web address where the cached file came from. |
Content Type | Type of file (e.g., HTML, JPG, JavaScript). |
File Size | Size of the cached file. |
Last Accessed Time | The last time the cached content was used. |
Server Time | The first time the cached content was saved. |
Response Header | Stores HTTP headers, which help Chrome retrieve cached data efficiently. |
Timestamp Analysis in Chrome Cache
Chrome cache files contain four important timestamps stored in UTC:
Last Accessed – The last time the user viewed the cached content.
Server Time – When the content was first saved to disk.
Server Last Modified – When the content was last updated on the website.
Expire Time – When the cached content is expected to be removed (set by the website).
Additionally, large files stored separately (f_##### files) have filesystem-specific timestamps, including Created, Modified, Accessed, and MFT Change times (for NTFS systems).
Tools for Analyzing Chrome Cache
Manually extracting cache data can be challenging since it’s stored in a structured format. However, tools like NirSoft ChromeCacheView simplify the process by displaying cache details in an easy-to-read table.
I request that you whitelist the tool in your antivirus, because it will get quarantined every time you try to run it.

View cached file metadata.
Extract and save cached files for analysis.
Limitations of Cache Analysis
The cache is dynamic—older files get removed as new ones are stored.
Websites can prevent caching for security reasons (e.g., Gmail doesn’t cache sensitive content).
Cache files corrupt easily, causing loss of data.
Chrome rebuilds the cache if essential files are missing.

Conclusion
Chrome is one of the most data-rich browsers for forensic investigations. Its history database, visit logs, and metadata provide a detailed timeline of a user’s web activity, and Chrome’s cache is also a very valuable forensic artifact that helps investigators piece together a user’s browsing activity. By analyzing cache contents and timestamps, forensic experts can understand what sites were visited, what files were downloaded, and even reconstruct webpages. However, cache data is volatile, so timely acquisition and analysis are crucial!
--------------------------------------------------------------------------------------------------------
Stay with me; we will continue with Google forensics in the next article.
------------------------------------------------Dean------------------------------------------------

