Chromebook forensics


Post Posted: Tue Nov 22, 2011 10:22 am

Hi all,

Just wondering if anyone has done some research on a Chromebook? The only one you can get in the UK at the moment is the Samsung Series 5 I believe, but do correct me if I'm wrong.

Would be good to get hold of one of these and see how easy it is to access the small SSD that is inside them, and if any data is stored locally.

Has anyone looked at one of these?



Re: Chromebook forensics

Post Posted: Tue Mar 12, 2013 6:16 pm

I had a Samsung XE500C21 Chromebook come across my desk.

Researching online is showing pretty much nothing. If anyone has information or experiences, I would be grateful.


Re: Chromebook forensics

Post Posted: Wed Jun 04, 2014 8:08 pm

I have a similar problem right now.

First Chromebook that has gotten to us happens to be a series 3 Samsung Chromebook. According to ifixit step 8 here: www.ifixit.com/Teardow...down/12225 it is on a chip that is soldered on the board. Does this require a chip-off shop?

My understanding is that you can boot to a Linux enviro. and image the chip to an external HDD if you can put the Chromebook into development mode. However, if you put the Chromebook into development mode it will wipe the drive, which obviously isn't an option.

Anyone have any suggestions?  


Re: Chromebook forensics

Post Posted: Thu Jun 05, 2014 7:10 am

I had one of these recently and also discovered the rather large problem regarding development mode!

The only way I could do it was to rig up a camera and film the screen whilst I navigated my way around it. Not the best solution in the world I know but the only one that I could realistically use.

In an ideal world chip-off would be the solution but time/money will play a part in whether that's an option.




Re: Chromebook forensics

Post Posted: Thu Jun 05, 2014 9:58 am

Even if you could get the contents of the SSD, I don't believe it would help you much.

According to this article (Protecting Cached User Data) it is mandatory for all user data to be encrypted when a Chromebook device is in its power off state...


Re: Chromebook forensics

Post Posted: Thu Jun 05, 2014 1:00 pm

The bottom line with Chromebooks/Chrome OS is that you'll need the login email/password to get anything of value. The user data is on a separate partition that is encrypted so chipoffs won't help, and even if you can get an image created (via developer mode), the user data on that image will still be encrypted.

Your best bet is to take screenshots (see this page for an easy way to save screenshots to JPG files and then you can copy them to a USB drive: www.omgchrome.com/take...-chromeos/ ) or if you're lucky enough to get a Chromebook that's already in Developer Mode, get to a shell (Ctrl-Alt-T, then type 'shell') and copy out the Chrome/user files to a USB drive.

Hope that helps,


Chromebook forensics

Post Posted: Thu Jun 05, 2014 1:32 pm

I understand installing applications to a running machine is generally not preferred due to the changes that might/will occur, but Chromebooks seem to be falling into a similar category as smartphones in terms of encryption of user data.

I am curious if Chromebooks might eventually be accessible in the way that some forensic programs capture Android devices: by installing a local application on removable media.

I only work in civil litigation, so generally speaking the user name and password are always made available when possible.

Also, I am wondering if a software package could be developed that, once installed to an SD card on a Chromebook, for example, could create and write an .ISO file or VMWare .VMK file to removable media of the entire Chromebook device contents.

I would assume the resulting .ISO file or .VMK would still have the same encryption in place on stored user data, but then one could run the .ISO or .VMK file on another machine for examination.  
