Extracting Google Chrome Using Android Agent

Hey there everyone. It’s Ryan from your Oxygen Forensics training team, and today what we’re going to discuss is using our Android agent to collect Google Chrome data as a third party app on our Android devices. This is going to be best accomplished using our manual Android agent. So to get there, let’s go through a few steps to make sure that we have the right process and the right agent installed on the device so we can affect this extraction appropriately.

So first I’m going to go into my device extractor for my Oxygen Forensic Detective home screen. Once our extractor loads, I’m going to select “my methods”, filter down to Android devices. I’m going to come here to my Android agent. Once in here I’ll validate that the device I want to use this manual Android agent on is supported and to be able to get to the point of using my OTG to put my Android agent on the device, I’m going to select this option down here, this first yellow/orange screen, and it’s asking if you need to extract the data unavailable in an auto extraction mode, meaning down here with our via USB or wifi, “please do it manually via the Android agent”. So if you click this link, it’s going to open up a Windows Explorer and this is where you can copy this APK out and paste it to your OTG device. So that’s what I’m going to do.

I’m going to select this, copy, and then I’m going to move over to my OTG device and paste it here at the root of this device. Once complete, I can close out of this and now I don’t really need my extractor anymore because everything is going to be done manually on the device itself. So let’s go ahead and have a look.

I’m going to make sure I unplug and disconnect my OTG and then I’m going to plug it into my target device. And just like using the manual agent before, I’m going to navigate to my files on this Samsung device. So it’s going to be in its own folder under “my files”. I’m going to go to my USB storage, the plugged in USB that I have, and I’m going to find that APK that I copied to this device. When I select it, I’m going to choose my installer agent and I’m going to choose to install.

Okay, now the agent has finished installing and now I’m just going to select “open”, and now I’m going to grant it its available access to the device so it can collect the appropriate amounts of data. So I’m going to select “allow” for each one of these prompts. And now with the home screen of our Android agent, we’re going to have a couple different options here. We have “extract to internal/external storage”, “take screenshots and record the screen”, “extract third party applications data” (which is the option we’re going to choose today), and then “extract data over wifi”. So first I’m going to go in and select my “extract third party application data”.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Now we have to prepare the device for us to be able to collect this particular amount of data. And as you can see here on the screen, it’s going to give us the options to be able to make these selections. So if there is no check mark within these boxes, we cannot continue with the extraction of third party data. So first I need to choose where I want the data collected to be stored, which I want it to go back to my OTG device. So I’m going to select “change folder” and press “select” again, and then my location selector. Here in the file system of the device, I’m going to navigate back to my plugged in USB, my OTG, and I have an extractions folder here that I’ll use to store that data. Now we have our output folder selected.

When I go “next”, it’s going to bring me back to that preparing stage and I need to ensure that accessibility settings are turned on or enabled. So I’ll go to those settings and it’s going to launch me right into the devices accessibility settings. If I scroll all the way down and find my Android agent, I want to make sure I turn this on. It’s going to give me a warning about what permissions this is going to allow the agent to have. I’m going to select, “okay”, and then I’m going to get back into my Android agent.

Now we have two blue check marks, which means we can go ahead and successfully continue and start selecting the data we want when it comes to our third party applications.

Now we see here it says “select applications to acquire”. If they are bright and highlighted, that means that application and its data is available on the selected device or the targeted device. If it’s grayed out or more pale than the rest, then we’re going to see it like here, Telegram Web. That means I don’t have that application on this phone and there is no data associated with it. So, for this video in this demonstration, we’re going to take a look at our Google Chrome data. So I’m going to select Chrome, and it’s going to let us know some things before the extraction: “do not interact with the device screen till the extraction is complete. Please ignore all incoming notifications and actions that occur on the screen.”

So it doesn’t want us to touch the screen whatsoever because as we’ll see, the screen is going to automatically go through and pull all of that Google Chrome data as it switches between the individual screens. Make sure the device is in airplane mode. Of course, if you have to connect it to a charger, you can do so, and that would be by putting the OTG device, SD card or micro SD card directly into the phone instead of using the charging port. Or if the phone is wireless charging cable, you could place it on a wireless charger just the same. Once we make sure that we’ve taken note of this before extraction steps, we’re going to go into our continue.

And now it’s saying “Android agent will start capturing everything that’s displayed on your screen”. So as it’s being displayed, it’s pulling that data down. And we’ll get to see that here in just a second.

When I select start now, it’s not going to automatically start yet. We have to select the categories of data to extract. As we see here, we have logins and passwords, user info, history, credit cards, and that’s going to be stored credit cards, stored addresses, stored user information, things of that nature, downloads any open and active tabs that the individual has, or I could choose all data. So depending on the scope of your investigation may dictate the specific types of data you’d like to select here. So you could select one, more or all with that all data check.

So I’m going to go with that all data check. I have the option now with the sliding bar here to extract all history or depending on, again, that scope of investigation, I could limit the amount of history down to a specific timeline. So let’s say I want the last 35 days, and there’s another options here. For logins and passwords, you need to include a lock screen code because it helps bypass the encryption of Google Chrome in order to extract the accounts or logins and passwords information.

So, if you have the ability to do so, and the authorization to do so to establish a temporary swipe code on the device, it’s going to allow you to pull that login and password information, and we’re going to do just that. So I’m going to use this link here and go to my settings. And then I’m going to choose a pattern, and of course it’s going to be something simple that I can remember so that I can take it off whenever I’m done, annotating the whole time exactly what I’m doing. We can turn our logs on within the Android agent to ensure that whenever I am collecting all of my data within the agent itself, all of that will be logged during any interaction that I have with the device or with the agent on the device.

Now I’m going to choose “extract logins and passwords”, and now I’m ready to extract my Google Chrome data. So let’s do that. It’s going to say, “please be ready to unlock the device screen”. So some of these third party extractions, with our Google Chrome included, it’s going to ensure or require that you as the examiner or the investigator is present during this extraction. You can’t just set it and forget it. There may be some things that you need to affect on screen in order to ensure you get a full and complete collection.

And now Android agent is going to run in the background and collect this data automatically. And again, we’re waiting for it to get to that accounts and passwords section. So we have to input the swipe pattern that we created in order for it to effectively collect that passwords data. Once in, that’s all the interaction I need to do and I’m going to let the agent continue to collect automatically.

It is important to note that collecting some of this third party data may actually require an active internet connection in order for it to pull those live sessions within that third party application, whether it’s Google Chrome, Signal and so on. So depending on the type of third party application you’re trying to collect against, may absolutely dictate the type of internet access that may be required. So that’s also another consideration to have when collecting this third party data. As we know, connecting a device to the internet could potentially have some negative impacts on the data on the device as it may connect to a cloud storage service, and data may inherently change itself based off the backup settings of the device. So, just something to keep in mind when considering using a third party extraction.

As you see that our extraction here is complete, and there was an error that occurred with Google Chrome itself, so there may have been an update that occurred within the application itself that caused a bit of an instability during the collection process, but as we seen throughout the entire process, everything was collected up until the last point of tabs. At this point, if you notice that there was an error in collection, you know where it left off on, you can go back to our “extract other data” option and choose to take screenshots or record the screen for the Google Chrome tabs itself to see those available open tabs to ensure you get a complete collection.

Even though the third party application data process said that there was an error, all of the data it collected up to that point is still available for import into Detective, and that’s what we’re going to do now. It’s been packaged up into a JSON, and now it’s going to be available for us to pull it from the OTG directly into Detective. So what I’m going to do is unplug this OTG device from my target phone and plug it into my computer and then import this into Detective.

I’m going to find my extractions and I’m going to look for specifically when this extraction occurs based off, of course, its date modified. So I’m going to grab this and what we’re looking for here is my JSON or my JSON_DEVICE_INFO.json. This is going to be pulled directly into Detective.

So if I open up Detective and bring up my extraction, I can drag and drop this directly in to import it, or I could use my import option here on the home screen for our Android agent. So I’m just going to go ahead and drag and drop for ease of use, and now I can adjust any information here within my import wizard and then select “import”. When this import is complete, we’re going to be able to view that extraction and all of the data included from that Chrome third party application extraction with our Android agent.

Okay, our extraction has been imported successfully. Let’s go ahead and open it up, and now we have the option to view all the associated data, mainly here in our file section accounts and passwords, and even that Google Chrome application data here. And now we get to view everything that was collected by our Android agent, third party extraction.

Leave a Comment