Chrome Browser

Overview

Google Chrome is the most widely used web browser globally, making it a high-priority target in forensic investigations. Chrome stores browsing artifacts in a combination of SQLite databases, JSON files, LevelDB key-value stores, and proprietary SNSS binary session files.

Chrome on macOS supports multiple simultaneous profiles, each with its own complete set of artifact databases. This multi-profile architecture is common in enterprise and shared environments and must be accounted for during collection.

Chrome uses the Chromium open-source engine, meaning that other Chromium-based browsers (Microsoft Edge, Brave, Opera, Vivaldi) share similar artifact structures and storage formats, though they use different base directories.

Supported Variants

macfor collects artifacts from three Chrome-related variants on macOS:

| Variant | Base Path | Application |
|---|---|---|
| Google Chrome | ~/Library/Application Support/Google/Chrome/ | /Applications/Google Chrome.app |
| Google Chrome Canary | ~/Library/Application Support/Google/Chrome Canary/ | /Applications/Google Chrome Canary.app |
| Chromium | ~/Library/Application Support/Chromium/ | /Applications/Chromium.app |

Profile Structure

Chrome supports multiple user profiles within a single installation. Profile metadata is stored in the Local State JSON file at the root of the Chrome data directory.

| Profile Type | Directory Name |
|---|---|
| Default | Default/ |
| Additional profiles | Profile 1/, Profile 2/, etc. |
| Guest | Guest Profile/ |
| System | System Profile/ |

The Local State file contains a profile.info_cache object mapping directory names to profile metadata, including the display name, Google account email, and avatar index.

Artifact Summary

Each profile directory contains the following artifacts:

| Artifact | File | Format | Forensic Value |
|---|---|---|---|
| History | History | SQLite | Browsing activity, visits, downloads, search terms |
| Bookmarks | Bookmarks | JSON | Sites of interest, organisational patterns |
| Cookies | Cookies | SQLite | Authentication tokens, tracking data (encrypted) |
| Saved Passwords | Login Data | SQLite | Credential metadata (encrypted passwords) |
| Autofill | Web Data | SQLite | Form data, addresses, credit card metadata |
| Extensions | Extensions/ | Directory/JSON | Installed modifications, potential malware |
| Local Storage | Local Storage/leveldb/ | LevelDB | Web application data, authentication tokens |
| Sessions | Current Session, Last Session | SNSS binary | Open tabs, window state, navigation history |
| Preferences | Preferences | JSON | User settings, search engine, startup config |

Timestamps

All Chrome timestamps use the WebKit/Chrome format: microseconds since 1601-01-01 00:00:00 UTC.

To convert to Unix epoch:

unix_microseconds = webkit_timestamp - 11644473600000000

A value of 0 indicates an unset or missing timestamp.

Encryption

Chrome on macOS encrypts sensitive values (cookie values, saved passwords, credit card numbers) using the macOS Keychain. The encryption key is stored under:

  • Keychain Service: Chrome Safe Storage
  • Keychain Account: Chrome

The encryption uses AES-128-CBC with PBKDF2 key derivation (1003 iterations, SHA1). macfor collects encrypted values without decryption -- analysts can decrypt using separate tools with proper authorisation.

Collection Order

macfor collects Chrome artifacts in a defined order to ensure consistency:

  1. History (including downloads and search terms)
  2. Bookmarks
  3. Cookies
  4. Login Data
  5. Web Data (autofill)
  6. Extensions
  7. Local Storage
  8. Sessions
  9. Preferences

Version Compatibility

macfor supports Chrome versions 80 and above on macOS 10.12 (Sierra) and later. The collector uses dynamic column detection to handle schema differences across Chrome versions, falling back to sensible defaults when columns are absent in older databases.
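
The dynamic column detection described above, combined with the WebKit timestamp conversion from the Timestamps section, shown as an added example that is not macfor's own code. The in-memory `urls` table is a constructed, reduced stand-in for a profile's History database, and the choice of `typed_count` as the absent column is for illustration only, not a record of a real Chrome schema change.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Columns to read from `urls`, each with the default used when it is absent.
WANTED = {"url": "", "title": "", "visit_count": 0, "typed_count": 0,
          "last_visit_time": 0}

def webkit_to_utc(ts):
    """WebKit microseconds since 1601-01-01 UTC -> aware datetime (0/NULL -> None)."""
    if not ts:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=ts)

def table_columns(conn, table):
    """Column names actually present; `table` is a fixed name, never user input."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}

def read_urls(conn):
    """Select only the columns that exist, then fill defaults for the rest."""
    present = table_columns(conn, "urls")
    cols = [c for c in WANTED if c in present]
    records = []
    for values in conn.execute(f"SELECT {', '.join(cols)} FROM urls ORDER BY id"):
        rec = {**WANTED, **dict(zip(cols, values))}
        rec["last_visit_time"] = webkit_to_utc(rec["last_visit_time"])
        records.append(rec)
    return records

def sample_db(with_typed_count):
    """Constructed in-memory stand-in for a profile's History database."""
    conn = sqlite3.connect(":memory:")
    extra = ", typed_count INTEGER" if with_typed_count else ""
    conn.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
                 f"visit_count INTEGER, last_visit_time INTEGER{extra})")
    rows = [("https://example.com/", "Example", 3, 13350000000000000),
            ("https://example.org/", "Never visited", 0, 0)]
    for row in rows:
        cells = row + ((1,) if with_typed_count else ())
        conn.execute(f"INSERT INTO urls VALUES (NULL, {', '.join('?' * len(cells))})", cells)
    return conn

if __name__ == "__main__":
    for flag in (True, False):
        for rec in read_urls(sample_db(flag)):
            print(flag, rec)
```

Against a real profile, run this on a working copy of the History file opened read-only, for example `sqlite3.connect("file:History?mode=ro", uri=True)`.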

Tool Support

| Tool | Support |
|---|---|
| macfor | Full collection of all artifact types across all profiles |
| Hindsight | Browser history analysis (open source) |
| DB Browser for SQLite | Manual database inspection |
| ChromeCacheView (NirSoft) | Cache file examination |
| AXIOM | Commercial forensic suite with Chrome support |
