Trouble Chrome History & Recent Activity

Hi,

I just added the system profile to the other profile fix. It is in the following PR: Add Chrome Profile Support to RA by markmckinnon · Pull Request #7625 · sleuthkit/autopsy · GitHub.

Both Brave and Opera should have results in them. If you have examples where that is not the case and can share them with me, I will see what the issue is.

For the favicons, are you thinking just the favicons table, or the icon mapping table, or both? And what about the favicon_bitmap table?

Kind regards.

Mark

In our case, CCleaner had deleted all but the favicons table. The favicons table just lists the favicons, but the icons_mapping table lists the visited sites in relation, and the favicons bitmaps table can give information on the last_update or the last_requested dates in relation. It may not be the best clue, but that means this element came to the machine because the user had probably visited a website.

I’ve run into similar scenarios before with favicon files. I would appreciate hearing of any discoveries that you make.

I have added the Favicons to the PR mentioned above, so it is just waiting to get approved and for Autopsy to create the next version; then it will be available to you.

I have to say that, at least on the system I used to test with, there were quite a few entries in the Favicons table. Great artifact and catch to add to Autopsy.

Thanks a million! Can’t wait for the next update!!! Hope to get this fast! Have a great day!!!

I am sorry but it just came to me that this was run on an OSX (not Windows) image. I’m not sure if this changes anything or not. I’ll provide the logs in short order...

You can try this plugin to see if it works for you. It is still in development so there may be issues with it. It should process an OSX for recent activity: Autopsy-NBM-Plugins/recentactivity-macos.v02b.nbm at main · markmckinnon/Autopsy-NBM-Plugins · GitHub

It’s been a while but I just ran into something with Chrome. Something of note in regards to Chrome artifacts. It seems that Chrome does some sort of snapshot, which it stores in Chrome\User Data\Snapshots. These contain Chrome artifacts such as History and others. It seems it might be useful if these too show up in the Recent Activity (i.e. maybe their own entry).

I will have to look into this. From what I have found on this, the copy of the history, etc… is taken when a major upgrade to Chrome happens, and by default (unless otherwise set) it can contain up to three copies of the artifacts. The way to figure this out, and to also see what happens to profiles as well, would be to install a version of Chrome after 84 but before 100 and then upgrade Chrome to see what happens. Does this sound correct to you? I would also think that the artifacts may have a lot of duplicates unless the user deletes his history. Thoughts about that?

Thanks Mark. Yes, I agree, there probably would be duplicates. The only reason it might be useful is if someone did delete their history. In that case it might be invaluable. I’m not totally tracking with how the recents module works under the hood, but I assume the artifact data is being stored in a database (sqlite?). If that’s the case, potentially the entries could be deduped using a unique primary key, i.e. the id in the chrome history visits table seems to be unique. Upon insert it would reject duplicate keys. Maybe not the most efficient or best idea, but it might work.

Yeah I guess it would require several upgrades and some “usage” on each before upgrade to see if/how this might work/test it.

Thanks a lot Mark.
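The insert-time dedup idea discussed above, as an added example that is not part of the thread and is not Autopsy code: visits from snapshot copies and the live History file are merged into one table whose primary key rejects duplicates. The databases, labels, URLs and timestamps are constructed, and the composite key (rather than `visits.id` alone) is an assumption made here so that an id reused after history is cleared does not hide a visit.

```python
import sqlite3

def make_history(visits):
    """Constructed stand-in for a Chrome History file (only the columns used here)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT UNIQUE);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
    """)
    for visit_id, url, visit_time in visits:
        db.execute("INSERT OR IGNORE INTO urls(url) VALUES (?)", (url,))
        url_id = db.execute("SELECT id FROM urls WHERE url = ?", (url,)).fetchone()[0]
        db.execute("INSERT INTO visits VALUES (?, ?, ?)", (visit_id, url_id, visit_time))
    return db

def merge_visits(sources):
    """Merge visits from (label, connection) pairs; duplicate keys are rejected on insert."""
    out = sqlite3.connect(":memory:")
    # Composite key instead of visits.id alone: guards against an id value
    # being reused after history is cleared (assumption, not verified here).
    out.execute("""CREATE TABLE merged(
        visit_id INTEGER, visit_time INTEGER, url TEXT, first_source TEXT,
        PRIMARY KEY (visit_id, visit_time, url))""")
    for label, db in sources:
        rows = db.execute(
            "SELECT v.id, v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url"
        ).fetchall()
        out.executemany("INSERT OR IGNORE INTO merged VALUES (?, ?, ?, ?)",
                        [(vid, t, url, label) for vid, t, url in rows])
    return out.execute("SELECT visit_id, visit_time, url, first_source FROM merged "
                       "ORDER BY visit_time, visit_id").fetchall()

# Constructed sample data: two snapshot copies and a live History whose
# earlier visits were deleted. visit_time is a made-up microsecond timestamp.
T = 13_300_000_000_000_000
SNAPSHOT_A = [(1, "https://a.example/", T + 1), (2, "https://b.example/", T + 2)]
SNAPSHOT_B = SNAPSHOT_A + [(3, "https://c.example/", T + 3)]
LIVE = [(1, "https://d.example/", T + 4), (2, "https://e.example/", T + 5)]

def demo():
    return merge_visits([("snapshot-A", make_history(SNAPSHOT_A)),
                         ("snapshot-B", make_history(SNAPSHOT_B)),
                         ("live", make_history(LIVE))])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The `first_source` column records which copy first supplied each visit, so entries that survive only in a snapshot stay distinguishable from those still present in the live file.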