Autopsy fails to parse Chrome Cache

Hello!

I have an image of a hard drive and I would like Autopsy to parse the Chrome cache. Unfortunately the parsing does not happen, this is what the log has to say about it:

INFO: ChromeCacheExtractor- Now reading Cache index file from path /Users/****/AppData/Local/Google/Chrome/User Data/Default/Cache/
2019-11-07 16:40:34.592 org.sleuthkit.autopsy.recentactivity.RAImageIngestModule process
SEVERE: Exception occurred in Chrome
java.lang.IllegalArgumentException
java.nio.Buffer.position(Buffer.java:244)
org.sleuthkit.autopsy.recentactivity.ChromeCacheExtractor$CacheData.extract(ChromeCacheExtractor.java:1007)
org.sleuthkit.autopsy.recentactivity.ChromeCacheExtractor$CacheEntry.getData(ChromeCacheExtractor.java:1361)
org.sleuthkit.autopsy.recentactivity.ChromeCacheExtractor.processCacheEntry(ChromeCacheExtractor.java:407)
org.sleuthkit.autopsy.recentactivity.ChromeCacheExtractor.processCacheIndexFile(ChromeCacheExtractor.java:345)
org.sleuthkit.autopsy.recentactivity.ChromeCacheExtractor.getCaches(ChromeCacheExtractor.java:270)
org.sleuthkit.autopsy.recentactivity.Chrome.process(Chrome.java:145)
org.sleuthkit.autopsy.recentactivity.RAImageIngestModule.process(RAImageIngestModule.java:127)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:206)
org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:113)
org.sleuthkit.autopsy.ingest.DataSourceIngestJob.process(DataSourceIngestJob.java:743)
org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:926)
java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
java.util.concurrent.FutureTask.run(FutureTask.java:266)
java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
java.lang.Thread.run(Thread.java:748)

I tried this on several machines - Debian 10.1 and Kali 2019.3, also reimaged the drive in a different format - tried both ewf and raw images, still not working. I added my local drive and Autopsy parsed Chrome cache with no issues. In the end I accomplished this task with Axiom but I am wondering, maybe somebody has a clue about what went wrong here? Let me know if more information is needed.

Cheers! :slight_smile:

edit: Maybe this issue occured because the Chrome cache that I am trying to parse was created by an outdated version of Google Chrome (62.0.3202.94) where as the Google Chrome cache that was parsed succesfully was generated by Chrome 77.something. Anyways it’s irrelevant now :slight_smile: