Chrome Autofill

Overview

Chrome stores autofill data in a SQLite database named Web Data within each profile directory. This database contains three main categories of data: individual form field entries (name/value pairs remembered from web forms), structured address profiles (full name, address, phone, email), and credit card metadata (with encrypted card numbers).

Autofill data is a rich source of personally identifiable information (PII). Form entries reveal data the user has typed into web forms, address profiles contain physical addresses and contact information, and credit card records confirm financial account ownership.

File Locations

| File | Path |
|---|---|
| Web Data database | ~/Library/Application Support/Google/Chrome/{Profile}/Web Data |
| Journal file | ~/Library/Application Support/Google/Chrome/{Profile}/Web Data-journal |

Database Schema

autofill Table

Stores individual form field name/value pairs. Each row represents a unique combination of field name and value.

CREATE TABLE autofill (
    name VARCHAR,
    value VARCHAR,
    value_lower VARCHAR,
    date_created INTEGER DEFAULT 0,      -- WebKit timestamp
    date_last_used INTEGER DEFAULT 0,    -- WebKit timestamp
    count INTEGER DEFAULT 1,
    PRIMARY KEY (name, value)
);

autofill_profiles Table

Stores structured address profiles for one-click form filling.

CREATE TABLE autofill_profiles (
    guid VARCHAR PRIMARY KEY,
    company_name VARCHAR,
    street_address VARCHAR,
    dependent_locality VARCHAR,
    city VARCHAR,
    state VARCHAR,
    zipcode VARCHAR,
    sorting_code VARCHAR,
    country_code VARCHAR,
    date_modified INTEGER NOT NULL DEFAULT 0,  -- WebKit timestamp
    origin VARCHAR DEFAULT '',
    language_code VARCHAR,
    label VARCHAR,
    initial_creator_id INTEGER DEFAULT 0,
    last_modifier_id INTEGER DEFAULT 0,
    use_count INTEGER NOT NULL DEFAULT 0,
    use_date INTEGER NOT NULL DEFAULT 0,       -- WebKit timestamp
    disallow_settings_visible_updates INTEGER NOT NULL DEFAULT 0
);

autofill_profile_names Table

Stores name components associated with address profiles.

CREATE TABLE autofill_profile_names (
    guid VARCHAR,
    first_name VARCHAR,
    middle_name VARCHAR,
    last_name VARCHAR,
    full_name VARCHAR,
    honorific_prefix VARCHAR,
    first_last_name VARCHAR,
    conjunction_last_name VARCHAR,
    second_last_name VARCHAR,
    honorific_suffix VARCHAR
);

autofill_profile_emails Table

CREATE TABLE autofill_profile_emails (
    guid VARCHAR,
    email VARCHAR
);

autofill_profile_phones Table

CREATE TABLE autofill_profile_phones (
    guid VARCHAR,
    number VARCHAR
);

credit_cards Table

Stores credit card metadata with encrypted card numbers.

CREATE TABLE credit_cards (
    guid VARCHAR PRIMARY KEY,
    name_on_card VARCHAR,
    expiration_month INTEGER,
    expiration_year INTEGER,
    card_number_encrypted BLOB,             -- Encrypted card number
    date_modified INTEGER NOT NULL DEFAULT 0, -- WebKit timestamp
    origin VARCHAR DEFAULT '',
    use_count INTEGER NOT NULL DEFAULT 0,
    use_date INTEGER NOT NULL DEFAULT 0,    -- WebKit timestamp
    billing_address_id VARCHAR,
    nickname VARCHAR
);

Key Fields for Analysis

Autofill Entries

  • name: The HTML form field name (e.g., email, username, address, phone, company). Reveals what types of forms the user has filled out.
  • value: The value the user typed into the field. Contains actual PII such as email addresses, phone numbers, physical addresses, and names.
  • count: How many times this name/value pair was used. High counts indicate frequently used values.
  • date_created: When this entry was first saved.
  • date_last_used: When this entry was most recently used for autofill.

Address Profiles

  • full_name: The user's full name from the autofill_profile_names table.
  • street_address, city, state, zipcode, country_code: Physical address components.
  • emails: Email addresses linked to the profile (from autofill_profile_emails).
  • phones: Phone numbers linked to the profile (from autofill_profile_phones).
  • use_count / use_date: How often and when this profile was used, indicating active addresses.
  • origin: The website where the profile was created or last modified.

Credit Cards

  • name_on_card: Cardholder name (plaintext).
  • expiration_month / expiration_year: Card expiration date (plaintext).
  • card_number_encrypted: Encrypted card number (never decrypted by macfor).
  • nickname: User-assigned card nickname.
  • use_count / use_date: Usage frequency and recency.

Timestamps

| Field | Table | Format | Notes |
|---|---|---|---|
| date_created | autofill | WebKit | When entry was first saved |
| date_last_used | autofill | WebKit | Most recent autofill use |
| date_modified | autofill_profiles | WebKit | Last profile modification |
| use_date | autofill_profiles | WebKit | Last profile use |
| date_modified | credit_cards | WebKit | Last card modification |
| use_date | credit_cards | WebKit | Last card use |

Analysis Notes

  • Autofill entries are one of the richest sources of PII in Chrome artifacts. A single Web Data database may contain the user's email addresses, phone numbers, physical addresses, employer names, and other sensitive data.
  • The count field in the autofill table indicates how frequently a value was used. A high count on an email address suggests it is the user's primary email.
  • Credit card numbers are encrypted using the same Chrome Safe Storage keychain mechanism as cookies and passwords. macfor reports the encrypted blob size but never attempts decryption.
  • The origin field on autofill profiles and credit cards records the website where the data was saved, providing context for when and where the user entered this information.
  • Multiple address profiles may indicate different addresses (home, work, shipping) or address changes over time.
  • The billing_address_id field on credit cards links to an autofill_profiles.guid, associating a card with a billing address.
  • Autofill entries with field names like password, passwd, or pass should be investigated carefully, as they may indicate the user submitted passwords through non-standard forms.

Version Differences

| Version | Change |
|---|---|
| Chrome 80 | Baseline schema |
| Chrome 100+ | Added initial_creator_id and last_modifier_id to autofill_profiles |
| Chrome 110+ | Added nickname to credit_cards |
| Chrome 116+ | Added local_ibans table for bank account data |

macfor dynamically detects available columns and tables, skipping those not present in older databases.
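
The column detection described here combines naturally with three points from the Analysis Notes: the billing_address_id link, reporting only the encrypted blob size, and the password-like field-name check. The following Python is an added example, not macfor's own code; the function names, the reduced table definitions and all sample rows are constructed for illustration.

```python
import sqlite3

PASSWORD_LIKE = ("password", "passwd", "pass")  # field names named in the Analysis Notes

def columns(conn, table):
    """Columns present in `table`; empty set if the table does not exist."""
    return {row[1] for row in conn.execute(f"PRAGMA table_info({table})")}

def card_summary(conn):
    """Card metadata joined to its billing address; reports blob size, never decrypts."""
    nickname = "c.nickname" if "nickname" in columns(conn, "credit_cards") else "NULL"
    sql = (
        f"SELECT c.name_on_card, {nickname}, length(c.card_number_encrypted), "
        "p.street_address, p.city "
        "FROM credit_cards c LEFT JOIN autofill_profiles p ON p.guid = c.billing_address_id"
    )
    return conn.execute(sql).fetchall()

def password_like_entries(conn):
    """Autofill rows whose field name contains a password-like token."""
    rows = conn.execute("SELECT name, count FROM autofill ORDER BY count DESC")
    return [(n, c) for n, c in rows if any(t in n.lower() for t in PASSWORD_LIKE)]

def sample_db(with_nickname):
    """Constructed data; tables reduced to the columns this example reads."""
    conn = sqlite3.connect(":memory:")
    extra = ", nickname VARCHAR" if with_nickname else ""
    conn.executescript(f"""
        CREATE TABLE autofill (name VARCHAR, value VARCHAR, count INTEGER DEFAULT 1);
        CREATE TABLE autofill_profiles (guid VARCHAR PRIMARY KEY,
            street_address VARCHAR, city VARCHAR);
        CREATE TABLE credit_cards (guid VARCHAR PRIMARY KEY, name_on_card VARCHAR,
            card_number_encrypted BLOB, billing_address_id VARCHAR{extra});
        INSERT INTO autofill VALUES ('email', 'user@example.com', 42),
            ('user_passwd', 'sample-value', 1);
        INSERT INTO autofill_profiles VALUES ('addr-1', '1 Example St', 'Springfield');
    """)
    card = ["card-1", "A. Example", b"\x00" * 31, "addr-1"] + (["Travel"] if with_nickname else [])
    conn.execute(f"INSERT INTO credit_cards VALUES ({','.join('?' * len(card))})", card)
    return conn

if __name__ == "__main__":
    for new_schema in (False, True):  # database without, then with, the nickname column
        db = sample_db(new_schema)
        print(card_summary(db), password_like_entries(db))
```

Substring matching on pass also flags unrelated field names such as passport, so hits are leads for review rather than findings.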

Tool Support

| Tool | Capability |
|---|---|
| macfor | Collects raw database, parses autofill entries, address profiles, and credit card metadata |
| DB Browser for SQLite | Manual inspection of all autofill tables |
| Hindsight | Includes autofill data in Chrome analysis |
