Jessica Hyde discusses her research on Google Chrome at DFRWS EU 2019.
Jessica: Hey, everyone. Good morning. So we’re going to be talking about forensics of Chromebooks, as Hans just mentioned. Just a little bit about me, I work as Director of Forensics at Magnet Forensics, and I also teach mobile device forensics at George Mason University. (That is a really old picture of me, like twenty years ago.) And I also did all this work with our CTO, Jad Saliba, so we did this research together.
So what are we going to be talking about today? We’re going to be talking a little about what [a] Chromebook operating system is, why we care about it, what issues we have in the analysis of Chromebook forensics, what we learned in this, what we can recover, a lot about how it compares to data you may be able to get via other methods, and what the differences are. And then we’ll wrap it up.
So, what is a Chromebook? For those people who aren’t familiar, Chromebooks are a computer that has an operating system of Google Chrome OS. Chromebooks actually are on prescribed hardware that Google approves. It’s been around since 2011. It’s a Linux-based operating system, and it’s designed to be used when connected to the internet.
They are very economical, which is one of their major selling points, ranging from $150 to $999. And there are two different operating systems that can exist in this ecosystem. So true Chromebooks have the Chrome operating system. This has to be on Google-approved hardware. There are many manufacturers who are approved, including Samsung, ASUS, LG, Google itself makes their own Chromebooks.
And it’s going to support three major types of applications: Chrome apps, themselves; then in 2016 they added the ability to run Android apps from the Google Play Store, and then in May of 2018, more recently, you can now run Linux desktop apps using a VM called Crostini. (I don’t know if I’m pronouncing that correctly.)
What is very interesting about Chromebooks is they’re going to automatically update because they’re so connected, so they will always be on the current version. And they can actually support a hard drive, which is something people don’t always realize.
So Chromium OS is different. This is the open source version. It was actually released back in 2009, two years before Chrome OS was available. And it’s the open source equivalent. There are some slight differences. You can go ahead and compile this from source code. It does not automatically update, and it does not have some of the same security features, and it can be modified. This can run on any hardware.
In terms of where data is stored, one of the reasons that people haven’t really looked into Chromebook forensics historically is it is assumed, as an internet-connected device, that almost all of the data has been stored in Google Drive. When you purchase a Chromebook, you actually get two years of free 100 gigabytes of data. However, there may be data still stored locally, and that was the purpose of this analysis.
So why do we care about what Chromebooks might store? In primary school or kindergarten through twelfth grade education in [the] US, these are prolific, which means that a lot of instances of cyberbullying, as well as grooming and luring against children happen to occur on these devices, and there are over 25 million students currently working on Chromebooks.
I definitely have received calls of active users, specifically in child exploitation cases, where they’ve seen a Chromebook up and running. And this is a problem because there aren’t traditional forensics techniques to use against these, or to understand what can be pulled.
And then what is a little less known is that Google does offer a Chrome Enterprise package. A lot of major corporations do use these for their front-end people, salespeople, et cetera, who do not need to do major processing, but really just need to run basic web applications and [be] part of the Google Suite, especially in organizations that are already using the Google Suite for their architecture, so there actually is an enterprise version.
Some interesting things about the Enterprise version is it does allow for Active Directory integration, printer management, single sign-on, and it’s marketed as being one of the key things for security because you don’t have to worry about updates because the updates are automatic.
And the other reason we care is, while PCs are on the decline, the only segment of the PC market that’s being seen to increase right now, actually, is the Chromebook market.
So, what are the issues we have to address? Well, imaging. That’s a problem. The operating system itself, what the artifacts are, and the fact that there’s a complete lack of research and methodologies to deal with these devices.
So when we look at that, what aren’t we going to cover? We’re not going to talk about imaging today. Step One of this project was really to identify if there was forensic value (and hint: there is, otherwise I wouldn’t be up here). [laughs]
Is there forensic value in actually looking at the data on Chromebooks, and when we go into acquisition, it becomes really interesting because there’s such a diversity of hardware. In many ways the way I think about it is, it would be like saying, “Hey, can you make an acquisition technique that works on all encrypted Androids,” right? That’s really the equivalent.
So, what are we going to talk about? We’re going to talk about operating system and data recovered, and we’re going to answer the question, is it really worth solving the encryption problem and the acquisition problem if everything’s in the cloud anyway? (Hint: it’s not.)
So [laughs], how did we get these images then? For the testing purposes, these were all done in a Chromium VM and then in developer mode. When you are in developer mode, you will have a shell. If the device is not in developer mode, you won’t have a shell.
So the win is, if the bad guy happens to be in developer mode, you can get a shell and you can get a full acquisition! You’re probably not going to run into that situation. “Well, hey Jess,” he says, “[this is] kind of like Android, can I just put it in dev mode and get an acquisition?” Yes, but you’re going to wipe all the user data. So don’t do that. Okay. [laughs]
On older devices there’s actually a switch, a physical switch, under the battery compartment; on newer devices you would follow these commands. But don’t do it! Because you’re going to wipe the device. Unless you’re setting it up to do test acquisitions.
So, Chromium OS, we know it’s Linux-based, and we know it doesn’t have the same security features, so let’s talk about what we’re actually going to find. When we get into the home directory, you’re going to see four directories.
Now the reason that I have four, and I’m going to show you all of the paths for every single piece of data in all four (I’m not going to read them or anything crazy like that), but the reason you have all four is because this was an acquisition of a live, up and running VM. If you’re doing a dead acquisition, you will not get all four. But that’s okay.
So we’re always going to see, in these instances, the chronos, the root, the user, and the .shadow path, and I will show you where everything is in all four.
So, first is browser history. There is – we expect everything to be Chrome, it is, so there’s going to be a SQLite database that lives in these four locations that’s going to have your browser history, this is what it looks like, don’t worry, I give you a closeup. So you’re going to get the address it went to, the common name for the location. You are also going to get your visit counts and your type counts, just like you’re used to seeing from Chrome.
The browser cache. This is interesting because of course the browser cache is found on the device and not available through the cloud. And so here’s what you’re going to pull from the browser cache. Of note, the browser cache does use a GUID. You also can pull your current tabs, your last tabs, and your current sessions, and your last sessions.
And I’m going to get right to Downloads because this is where we get interesting. So if you do a download in Chrome, this is what your Downloads directory will look like. You’ll see I do have a “dontlookhere” folder (it’s secret). I do have some other documents that were downloaded, and when you go ahead and look in here, you’re going to actually see your browser history.
So we’ve got an epoch time stamp, we’ve got our received bytes, our sent bytes, target path, and so we are able to go see what’s been downloaded. And you can actually tie this to the URL_chains table in the Chrome browser history, so you can do that coordination.
From there, you can actually navigate to the files, they’re going to be under the user directory, followed by the GUID and download, and you’ll see here I actually have all of my documents here. Now, I purposely have that “dontlookhere” thing highlighted. Just as before, you’re going to see them in all four locations. (That’s closeups.)
So that hidden folder. So we actually used an extension because you can add extensions to Chrome to go ahead and do features. So this is very, very common in the Chrome Store.
So we used Hide It Pro, for reasons, and – right? We’ve seen this on some people who were doing child exploitation, and this creates a folder so that when you download things, you can download things using this extension directly into a hidden folder.
So the question is, are these items still stored on device? So looking at that “dontlookhere” folder through the navigation pane because the password’s not there, you don’t see any of the files.
The “dontlookhere” directory is actually where we just saw it in the downloads, but if we go inside that file, we actually have a .ProgramData that actually has the filenames. The filenames are base64 encoded, and if you just base64-decode them, you’re going to actually get the names of the files.
What’s really great is if you look in those files, the password is lovingly appended right to the beginning of the file. [laughs] That was, like, awesome, wasn’t it? It’s one of the best places. That’s okay, they store it in other places, too.
So if you want, so extensions themselves, because we’re using Hide It Pro, you would actually want to find extensions themselves, they are stored and you’re going to want to do extensions, but when you see extensions, all of the names for the extensions are these GUIDs, so how do you determine what those GUIDs are on a Google Chromebook?
Well, you Google it. And the reason that you’re going to Google it is because the actual extension name in both the Play Store and in the Chrome Store is actually in the URL, so you will find it right there. And that is how you locate it, just like bundle IDs for Android and iOS apps, how you can go to the Play Store and look for them.
If you really want to see what’s in an extension and what the preferences are, if you go to the manifest.json file within each extension’s folder, you can get information about that extension including the preferences, which can let you know if that’s something that you want to further investigate.
The Sync App Settings has a lot of other information. For example, in Hide It, for Hide It Pro there was an LDB, by the way, there’s LevelDBs all over this, thank you Google, which I was not as familiar with until this. (Now I am, painfully.) [laughs] So Hide It Pro, there’s a folder in there that has an LDB, and it also had the password for the folder, which was nice and easy.
So what is stored offline? There is offline storage available under the Google Drive directory, and you can move things to your offline storage. So when you move something to your offline storage, you get to those folders via the Gcache\v1\files folder structure, and in there you’re going to see your folders.
Oh, look: all I’ve got to do to see them is export them, but the problem is, they’ve been renamed. But those find – with these GUIDs. See the GUIDs? They’ve been renamed. So the file’s exactly the same, but how do I match it up to its file name?
Well, in the Gcache\v1 metafolder, there’s another lovely LevelDB that allows you to go ahead and coordinate that. There is a free tool called FastoNoSQL, which is a PITA – a pain in the rear – to go ahead and look at LevelDBs.
That said, I was actually talking to Mark McKinnon about this, and he actually just created a quick little tool, which I didn’t put in the slide, so I apologize if you want a link to that, I’m happy to share that with you.
Shell usage! Of course, because this was already in dev mode. If you find it in dev mode, you may want to know what commands have been run in the shell, and you can find that in the .bash_history file.
Please do not get confused with the .crosh file. The .crosh file is a list of all commands available, not the actual history file. So you’re going to want to look at .bash_history instead, and that will give you a full listing of all of the lovely commands that have been run, in order.
One of the other things you can pull is the avatar associated with the file, which is going to be a PNG format, and it’s going to have the login name as the filename. So email@example.com was the account we were using to test, and the avatar associated – that picture would be located there. Just a regular PNG.
So. Where are we in terms of what’s the difference between the data that we can acquire from the device itself, versus if we were to look either at a cloud acquisition, or Takeouts acquisition? Because that is, is there value to continuing to pursue acquisition?
Well, there’s actually quite a few differences. So browser history is going to be the same.
• Browser cache: not available in Takeout or in the cloud. You’re going to need a Chromium acquisition.
• Browser current tabs, last tabs, and current sessions and last sessions is kind of weird, because it can be inferred from the history.
• Downloads are going to be available only on the device, not in your Takeout.
So downloads, browser history, the hidden folder, we could not see that in our Takeout, but we could get it on the device.
• The offline storage, we had to get from the device to show the history, that one’s kind of obvious.
• The avatar is weird, I have a question mark here. I was able to find the image. The naming is different and I can’t correlate it the same way, I’ve got to figure out how that’s correlated.
• Pictures: I have an asterisk here. I found the same images with the same content, but they – the naming had changed between the Takeout and the Chromium. I’m not sure why. And there were some additional pictures in each, the counts weren’t exact so they didn’t exactly match, so I would advocate for doing both and especially because task lists, we did not find on device, but we did find in the Takeout, so there are reasons to make sure to do both.
As I mentioned, the – or maybe I didn’t mention it – but the browser history is actually in the same format as it typically is for all Chromium-based browsers. So I spoke to Ryan Benson, gave him the paths, he could add it to Hindsight so if you do have an image, Hindsight, which is a free open source tool for parsing browser history, will go ahead and parse that.
So that brings us to what we do need to do next, which is now that we know that there is valuable information we can get off of Chromebooks that we can’t necessarily get if we just have the login via Takeout or a cloud acquisition, either/or, we really need to both develop a method to image Chromebooks, as well as a method to decrypt them.
So in summary, Chromebooks and Chromium OS are going to become more common and you may see them in your investigation. We need methods to acquire. We need to understand how that data is stored and what you can gain from looking at it, and that Google cloud acquisitions may be your friend when you can’t get into these devices in the interim.
I did do that in my fifteen! Any questions?
Host: Thank you, Jessica. Very interesting. Lots of further research. Anybody here that is already imaging Chromebooks? Might speed up the research?
Jessica: Oh, so one. Has anybody seen any Chromebooks, maybe you didn’t image them, but has anybody seen Chromebooks on cases?
Audience: Yep. Yes.
Jessica: Oh, wow, okay, so I thought at least twelve hands went up for seeing them in cases. That’s – and there’s lack of research, so I hope this was of value to you.
Jessica: Thank you.
Host: Thank you.
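The talk above describes two artefact-handling steps an examiner repeats on every Chromebook image: tying rows in the Chrome History database's downloads table to the URL chains table (and converting Chrome's timestamps), and base64-decoding the filenames that the Hide It Pro extension stores in its .ProgramData listing. The script below is an added example written for this page, not code from the speaker, Magnet Forensics or Google. It constructs a miniature History database in memory using a subset of the real Chrome schema (tables urls, downloads and downloads_url_chains; the column names are Chrome's, the rows are invented), assumes Chrome's WebKit-style timestamps (microseconds since 1601-01-01 UTC), and uses a constructed .ProgramData listing; the /home/user/<hash>/Downloads path is a placeholder, not a value from the talk.

```python
"""Chromebook browser-artefact helpers (illustrative, constructed data).

Assumptions: Chrome History schema subset; Chrome timestamps are
microseconds since 1601-01-01 UTC; Hide It Pro .ProgramData entries are
base64 filenames, possibly without padding.
"""
import base64
import binascii
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome/WebKit epoch: 1601-01-01 00:00:00 UTC, counted in microseconds.
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def chrome_time_to_utc(us):
    """Convert a Chrome timestamp (int microseconds) to an aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=us)


def utc_to_chrome_time(dt):
    """Inverse of chrome_time_to_utc; integer division keeps it exact."""
    return (dt - CHROME_EPOCH) // timedelta(microseconds=1)


def build_sample_history():
    """Constructed in-memory History database (schema subset of Chrome's)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, guid TEXT,
            current_path TEXT, target_path TEXT, start_time INTEGER,
            received_bytes INTEGER, total_bytes INTEGER, state INTEGER);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER,
            url TEXT, PRIMARY KEY (id, chain_index));
    """)
    t0 = utc_to_chrome_time(datetime(2019, 4, 23, 10, 15, tzinfo=timezone.utc))
    dl = "/home/user/PLACEHOLDER_HASH/Downloads/"  # placeholder, not from the talk
    db.executemany("INSERT INTO urls VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/files", "Example files", 3, 1, t0),
        (2, "https://cdn.example.com/report.pdf", "", 1, 0, t0 + 5_000_000),
    ])
    db.executemany("INSERT INTO downloads VALUES (?,?,?,?,?,?,?,?)", [
        (1, "guid-1", dl + "report.pdf", dl + "report.pdf",
         t0 + 5_000_000, 48213, 48213, 1),
        (2, "guid-2", dl + "dontlookhere/notes.txt", dl + "dontlookhere/notes.txt",
         t0 + 90_000_000, 1024, 4096, 4),  # partial download
    ])
    db.executemany("INSERT INTO downloads_url_chains VALUES (?,?,?)", [
        (1, 0, "https://example.com/files"),          # page the user clicked
        (1, 1, "https://cdn.example.com/report.pdf"), # final redirect target
        (2, 0, "https://example.org/notes.txt"),
    ])
    return db


def download_timeline(db):
    """Join downloads to their URL chain, convert times, flag incomplete ones."""
    rows = []
    for d_id, target, start, received, total in db.execute(
            "SELECT id, target_path, start_time, received_bytes, total_bytes "
            "FROM downloads ORDER BY start_time"):
        chain = [u for (u,) in db.execute(
            "SELECT url FROM downloads_url_chains WHERE id = ? ORDER BY chain_index",
            (d_id,))]
        rows.append({
            "id": d_id,
            "target_path": target,
            "started_utc": chrome_time_to_utc(start).isoformat(),
            "received_bytes": received,
            "total_bytes": total,
            "complete": received == total,
            "chain": chain,  # chain[0] = originating URL, chain[-1] = file URL
        })
    return rows


def downloads_in_folder(rows, folder_name):
    """IDs of downloads whose target path contains the given folder name."""
    return [r["id"] for r in rows if "/" + folder_name + "/" in r["target_path"]]


# Constructed .ProgramData-style listing: two base64 names, one junk entry.
SAMPLE_PROGRAMDATA = ["aG9saWRheS5qcGc", "c2VjcmV0LW5vdGVzLnR4dA==", "not-base64!!"]


def decode_hidden_names(entries):
    """Map each listing entry to its decoded filename, or None if not base64."""
    decoded = {}
    for name in entries:
        padded = name + "=" * (-len(name) % 4)  # restore stripped '=' padding
        try:
            decoded[name] = base64.b64decode(padded, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded[name] = None
    return decoded


if __name__ == "__main__":
    timeline = download_timeline(build_sample_history())
    for row in timeline:
        print(row["started_utc"], row["target_path"], " -> ".join(row["chain"]))
    print("in hidden folder:", downloads_in_folder(timeline, "dontlookhere"))
    print(decode_hidden_names(SAMPLE_PROGRAMDATA))
```

Run against a real image, the two constructed pieces would be replaced by the History database from one of the four home-directory paths the talk lists and the .ProgramData listing from the hidden folder; the timestamp conversion and the chain join are the parts that carry over unchanged.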