I posted on Autopsy Help but so far no answer. I thought maybe that was the wrong category. I am posting here in case this will get some traction. Thank you all in advance.
I recently started having trouble ingesting Chrome history files. These used to get pulled in by the Recent Activity module and would show up under Web History.
The files themselves can be read by Autopsy, but do not ingest. I can browse to them and view them using the built-in viewer.
I’m running Windows 10 and using Autopsy version 4.19.3 (the latest as of this writing).
Not sure what I’m doing wrong or if this is something that needs to be fixed in Autopsy.
Are your history files in the “Chrome/User Data/Default” folder?
Hello @apriestman yes, that’s correct.
If you go to the following location C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default and look at the file named History, you can see if there is data in the file. I do not remember if the application viewer will pop up for this or not for SQLite. Look to see if there is data in the table.
Thank you and I appreciate the response.
The table does contain data and Autopsy can parse/read it. And, from Autopsy, it can be extracted and imported into an SQLite browser and queried/read, or each table can be exported from Autopsy as CSV.
However, the data used to get pulled in by the Recents module and put into “Web History” in Autopsy. This no longer occurs.
I guess the next step would be to include the Autopsy.log file for the recent activity ingest run.
I just ran an image with Chrome history on Autopsy 4.19.2 and 4.19.3 and got the same Web History results each time, so I don’t believe the feature is broken.
Thank you all. I am sorry but it just came to me that this was run on an OSX (not Windows) image. I’m not sure if this changes anything or not. I’ll provide the logs in short order.
@apriestman @Mark_McKinnon Very sorry for the misleading statements earlier in the thread. Here is the log file run on an OSX image using Autopsy version 4.19.3. (Recents module run only.) The Chrome history file is located in
/Users/User1/Library/Application Support/Google/Chrome/Default/ on this machine. The file contains history data, as explained earlier. The Recents module output Safari history only.
Thank you again.
Ok, so I think that explains it. We look for history files in the “Chrome/User Data/Default” folder which doesn’t appear to match the format on OSX. If you want to try to process the history file, this should work:
- Browse to it in Autopsy, right-click and select “Extract File(s)” to save it to disk. Copy any other associated database files as well (.wal, etc) since I think they also get read.
- Make a new folder somewhere on your system. Create a subfolder named “Chrome”, then “User Data”, then “Default” to simulate the expected hierarchy. Put your extracted History file(s) in the Default folder.
- Add a new logical file data source to your case and add the new folder created in the last step (This would be “HistoryTest” in the screenshot). Run the Recent Activity module. It should try to process the History file.
Well, that is a good work around and does the trick. Thank you very much!
Is adding functionality to read OSX Chrome files something that might be considered?
Hello @apriestman @Mark_McKinnon ,
Something new came upon this same topic (thanks again for the previous assistance provided).
It seems that sometimes “Chrome/User Data/Default” doesn’t contain all of the history, etc. data. For instance, I recently found there is a “Profile X” folder, in this case “Chrome/User Data/Profile 1”; it contains all the same folders/files/artifacts that “Default” contains. This data did not get picked up by the Recents ingest module.
I figure I could just rename “Profile 1” to “Default.” But if there is data both in “Default” and in “Profile 1,” it seems this could get messy (in this specific case, there is data in “Default” and in “Profile 1”).
Thanks for your time and assistance.
Yes, the code will not work for this. Profiles were not taken into consideration. I will make a fix to Autopsy and my macOS RA Module to fix this and get back with you shortly with the fix.
Thank you @Mark_McKinnon. Very appreciated!
And just to ensure I was being clear, I am experiencing the above Profiles issue on Windows. I haven’t run into this on macOS…yet. Not sure if this is even an issue.
Yes, that is where I am fixing it first, on Autopsy. I will next fix it on my macOS RA NBM plugin, as I see that you can also have profiles on macOS. I will check to see if this functionality is also on Linux.
Thanks for clarifying, Mark. Sounds great. In the meantime I renamed “Profile 1” to “Default” and imported it into the project as a separate data source. A bit messy, but it works.
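The staging workaround from earlier in the thread (extract the History file, rebuild the “Chrome/User Data/Default” hierarchy, add it as a logical-file data source) and the per-profile problem just described, put together as an added Python example. This is not Autopsy project code and not anything posted by the participants. It assumes one staging folder per profile (so “Default” and “Profile 1” stay separate instead of one being renamed over the other), it works only on copies of the evidence files, and it builds its own minimal sample History database with a constructed `urls` table; every path, folder name and function name in it is the example's own.

```python
# Added example (not Autopsy code): stage each Chrome profile's History database
# into the Chrome/User Data/Default layout that Recent Activity looks for.
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome/WebKit timestamps are microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# SQLite sidecars that may hold un-checkpointed rows; copy them with History.
SIDECARS = ("History-journal", "History-wal", "History-shm")


def webkit_to_datetime(us: int) -> datetime:
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def datetime_to_webkit(dt: datetime) -> int:
    d = dt - WEBKIT_EPOCH  # integer maths: float seconds lose precision here
    return (d.days * 86400 + d.seconds) * 1_000_000 + d.microseconds


def find_profiles(chrome_dir: Path) -> list:
    """Folders holding a History file: 'Default', 'Profile 1', 'System Profile', ..."""
    return sorted(p for p in chrome_dir.iterdir()
                  if p.is_dir() and (p / "History").is_file())


def copy_history(profile: Path, dest: Path) -> None:
    dest.mkdir(parents=True, exist_ok=True)
    for name in ("History",) + SIDECARS:
        if (profile / name).is_file():
            shutil.copy2(profile / name, dest / name)


def history_summary(profile: Path) -> dict:
    """Row count and newest visit in 'urls', read from a scratch copy so the
    evidence file (and its WAL) is never opened read-write."""
    with tempfile.TemporaryDirectory() as tmp:
        copy_history(profile, Path(tmp))
        con = sqlite3.connect(Path(tmp) / "History")
        try:
            rows, newest = con.execute(
                "SELECT COUNT(*), MAX(last_visit_time) FROM urls").fetchone()
        finally:
            con.close()
    return {"rows": rows,
            "newest": None if newest is None else webkit_to_datetime(newest)}


def stage_profiles(chrome_dir: Path, staging_root: Path) -> dict:
    """Build <staging_root>/<profile>/Chrome/User Data/Default/History for every
    non-empty profile; add each <staging_root>/<profile> folder to the case as
    its own logical-file data source (one folder per profile is this example's
    convention, assumed rather than taken from Autopsy)."""
    staged = {}
    for profile in find_profiles(chrome_dir):
        if history_summary(profile)["rows"] == 0:
            continue  # nothing for the module to report
        target = staging_root / profile.name
        copy_history(profile, target / "Chrome" / "User Data" / "Default")
        staged[profile.name] = target
    return staged


def make_sample_history(path: Path, rows) -> None:
    """Constructed sample: a 'urls' table shaped like Chrome's (real History
    files carry many more tables and columns)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                "title LONGVARCHAR, visit_count INTEGER DEFAULT 0, typed_count "
                "INTEGER DEFAULT 0, last_visit_time INTEGER NOT NULL, "
                "hidden INTEGER DEFAULT 0)")
    con.executemany("INSERT INTO urls (url, title, visit_count, last_visit_time) "
                    "VALUES (?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def build_sample_chrome_dir(root: Path) -> Path:
    """Constructed macOS-style tree: two populated profiles, one empty profile
    and one folder that is not a profile at all."""
    chrome = root / "Library" / "Application Support" / "Google" / "Chrome"
    t0 = datetime_to_webkit(datetime(2022, 3, 1, 12, 0, tzinfo=timezone.utc))
    for name in ("Default", "Profile 1", "Profile 2", "Crashpad"):
        (chrome / name).mkdir(parents=True)
    make_sample_history(chrome / "Default" / "History",
                        [("https://example.com/", "Example", 3, t0)])
    make_sample_history(chrome / "Profile 1" / "History",
                        [("https://example.org/a", "A", 1, t0 + 60_000_000),
                         ("https://example.org/b", "B", 2, t0 + 120_000_000)])
    make_sample_history(chrome / "Profile 2" / "History", [])  # empty: skipped
    return chrome


def run_demo() -> dict:
    """Summarise every profile, stage the non-empty ones, re-check the copies."""
    with tempfile.TemporaryDirectory() as tmp:
        chrome = build_sample_chrome_dir(Path(tmp) / "home")
        summaries = {p.name: history_summary(p) for p in find_profiles(chrome)}
        staged = stage_profiles(chrome, Path(tmp) / "staging")
        staged_rows = {n: history_summary(f / "Chrome" / "User Data" / "Default")["rows"]
                       for n, f in staged.items()}
    return {"summaries": summaries, "staged": sorted(staged), "staged_rows": staged_rows}


if __name__ == "__main__":
    for name, info in run_demo()["summaries"].items():
        print(name, info)
```

Point `stage_profiles()` at the extracted Chrome folder (on macOS the `.../Library/Application Support/Google/Chrome` folder, on Windows `.../User Data`) and add each folder it returns to the case as its own logical-file data source, then run Recent Activity on each. Copying the `-wal`/`-journal` sidecars matters because rows not yet checkpointed into the main file exist only there, and reading the summary from a scratch copy keeps SQLite from ever writing to the extracted evidence file.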
PR #7625 has been submitted with the fixes for the Chrome Profiles. I also checked, and Linux has the same functionality as well.
Not to be a pest, and whenever you get around to the Macos RA NBM, I suppose you’ll DM it to me or do I get it from Github?
I will just reply here and put a version of the NBM out in my repo so you can grab it from there.
Hi! Same for me, no info from a Chrome folder on a W10 image… The database is located here:
\Users\XXXXXX\AppData\Local\Google\Chrome\User Data\System Profile\History
I did it with DB Browser, but RA is a real help!
Is it possible to get some results from the favicons? In a brief we had, we had nice results while the history was empty.
In my office, they have noticed that RA gets no info from Brave and Opera. Parsing those two could be very nice.
Thanks for all the good job!!!