Chromebook forensic...
 
Notifications
Clear all

Chromebook forensics

13 Posts
10 Users
0 Likes
1,913 Views
(@chrism)
Posts: 97
Trusted Member
Topic starter
 

Hi all,

Just wondering if anyone has done some research on a Chromebook? The only one you can get in the UK at the moment is the Samsung Series 5 I believe, but do correct me if I'm wrong.

Would be good to get hold of one of these and see how easy it is to access the small SSD that is inside them, and if any data is stored locally.

Has anyone looked at one of these?

Chris.

 
Posted : 22/11/2011 3:22 pm
(@twjolson)
Posts: 417
Honorable Member
 

I had a Samsung XE500C21 Chromebook come across my desk.

Researching online is showing pretty much nothing. If anyone has information or experiences, I would be greatful.

 
Posted : 12/03/2013 11:16 pm
(@scotchbroth)
Posts: 10
Active Member
 

I have a similar problem right now.

First Chromebook that has gotten to us happens to be a series 3 Samsung Chromebook. According to ifixit step 8 here http//www.ifixit.com/Teardown/Samsung+Chromebook+11.6+Teardown/12225 it is on a chip that is soldered on the board. Does this require a chip-off shop?

My understanding is that you can boot to a Linux enviro. and image the chip to an exteral HDD if you can put the chromebook into development mode. However if you put the chromebook into development mode it will wipe the drive, which obviously isn't an option.

Anyone have any suggestions?

 
Posted : 05/06/2014 2:08 am
(@chris55728)
Posts: 49
Eminent Member
 

I had one of these recently and also discovered the rather large problem regarding development mode!

The only way I could do it was to rig up a camera and film the screen whilst I navigated my way around it. Not the best solution in the world I know but the only one that I could realistically use.

In an ideal world chip-off would be the solution but time/money will play a part in whether that's an option.

Cheers,

Chris

 
Posted : 05/06/2014 1:10 pm
(@unicron)
Posts: 36
Eminent Member
 

Even if you could get the contents of the SSD, I don't believe it would help you much.

According to this article (Protecting Cached User Data) it is mandatory for all user data to be encrypted when a Chomebook device is in its power off state…

 
Posted : 05/06/2014 3:58 pm
MagnetForensics
(@magnetforensics)
Posts: 40
Eminent Member
 

The bottom line with Chromebooks/Chrome OS is that you'll need the login email/password to get anything of value. The user data is on a separate partition that is encrypted so chipoffs won't help, and even if you can get an image created (via developer mode), the user data on that image will still be encrypted.

Your best bet is to take screenshots (see this page for an easy way to save screenshots to JPG files and then you can copy them to a USB drive http//www.omgchrome.com/take-screenshot-chromebook-chromeos/ ) or if you're lucky enough to get a Chromebook that's already in Developer Mode, get to a shell (Ctrl-Alt-T, then type 'shell') and copy out the Chrome/user files to a USB drive.

Hope that helps,
Jad

 
Posted : 05/06/2014 7:00 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

I understand installing applications to a running machine is generally not preferred due to the changes that might/will occur, but Chromebooks seem to be falling into a similar category as smartphones in terms of encryption of user data.

I am curious if Chromebooks might eventually be accessible in the way that some forensic programs capture Android devices by installing a local application on removable media.

I only work in civil litigation, so generally speaking the user name and password are always made available when possible.

Also, I am wondering if a software package could be developed that, once installed to an SD card on a Chromebook, for example, could create and write an .ISO file or VMWare .VMK file to removable media of the entire Chromebook device contents.

I would assume the resulting .ISO file or .VMK would still have the same encryption in place on stored user data, but then one could run the .ISO or .VMK file on another machine for examination.

 
Posted : 05/06/2014 7:32 pm
(@athulin)
Posts: 1156
Noble Member
 

Would be good to get hold of one of these and see how easy it is to access the small SSD that is inside them, and if any data is stored locally.

There are a number of net articles on how to run Chrome OS in a virtual machine. If that works as advertised, you should be able to get an idea of what actually is stored on that SSD, and particularly if anything of interest can be found. If there's nothing there of interest, accessing it may not be an important problem.

 
Posted : 06/06/2014 8:57 pm
 Mobo
(@mobo)
Posts: 15
Active Member
 

I'm trying to recover data from a Chromebook. As part of the case I have a second [Windows] laptop from which I have recovered a Gmail account and password. I tried it on the Chromebook and I have got beyond the 'splash screen'.

There are only a few emails in the Gmail account and nothing on the drive, which wasn't what i was expecting.

I fear now that I have effectively got into the Chromebook with a valid Gmail account, but not necessarily the one that was used for the 'wrong doings'!! I assume then, that I could logon to any Chromebook with my own personal Gmail account?

My train of thought though, whilst I cannot see the user data I was after [assuming I am in the wrong account], then I am thinking I could take an 'image' of the SSD?? If so, with what?

Whilst I accept that any relevant user data is encrypted, I'm hoping there maybe some cached data that could be examined!

Any ideas appreciated! 😯

 
Posted : 20/02/2015 11:16 pm
(@twjolson)
Posts: 417
Honorable Member
 

I am not a lawyer, and I don't know what your search warrant says, but

Did you search the Chromebook, or did you search Google's servers? Where you in a Faraday bag/box/tent? Was it in offline mode?

This is an unknown area of the law currently (or at least last time I checked). What you found, if anything, is open to attack by the opposing counsel - including possibly getting the evidence thrown out as fruit of the poisonous tree.

Conservatively, the only 'search' of a Chromebook you can do would be the information contained on the login screen. Beyond that, you can't really be sure that you are searching the Chromebook or Google's servers.

 
Posted : 21/02/2015 3:19 am
Page 1 / 2
Share: