Chrome Extensions - macOS Forensic Artifacts

Overview

Chrome stores installed extensions in a directory structure within each profile, with each extension identified by a 32-character ID and containing version-specific subdirectories. The manifest.json file within each version directory defines the extension's capabilities, permissions, and metadata.

Extensions are forensically significant because they can modify browser behaviour, intercept network traffic, access browsing data, and communicate with external servers. Malicious or compromised extensions are a common attack vector. The permissions requested by an extension reveal its potential capabilities and risk level.

File Locations

Path	Description
`~/Library/Application Support/Google/Chrome/{Profile}/Extensions/`	Installed extension directories
`~/Library/Application Support/Google/Chrome/{Profile}/Extensions/{id}/{version}/manifest.json`	Extension manifest
`~/Library/Application Support/Google/Chrome/{Profile}/External Extensions/`	Externally installed extensions (enterprise policy)
`~/Library/Application Support/Google/Chrome/{Profile}/Extension State/`	Extension state (LevelDB)
`~/Library/Application Support/Google/Chrome/{Profile}/Local Extension Settings/`	Per-extension local storage (LevelDB)

Directory Structure

Extensions/
└── cjpalhdlnbpafiamejdnhcphjbkeiagm/     # Extension ID
    └── 1.56.0_0/                           # Version directory
        ├── manifest.json                    # Extension metadata
        ├── background.js                    # Background script
        ├── content_script.js                # Content script
        └── ...                              # Other extension files

Database Schema / File Format

manifest.json Structure

{
    "name": "Extension Name",
    "version": "1.0.0",
    "description": "Extension description",
    "manifest_version": 3,
    "permissions": ["storage", "tabs"],
    "host_permissions": ["<all_urls>"],
    "optional_permissions": ["history"],
    "content_scripts": [
        {
            "matches": ["*://*.example.com/*"],
            "js": ["content.js"],
            "css": ["styles.css"]
        }
    ],
    "background": {
        "service_worker": "background.js"
    },
    "update_url": "https://clients2.google.com/service/update2/crx"
}

Manifest V2 vs V3

Feature	Manifest V2	Manifest V3
Background	`"background": {"scripts": ["bg.js"]}`	`"background": {"service_worker": "sw.js"}`
Host permissions	Included in `"permissions"`	Separate `"host_permissions"` array
Content security	Inline scripts allowed	Stricter CSP by default
Network interception	`webRequestBlocking` available	Declarative Net Request API

Key Fields for Analysis

extension_id: The 32-character identifier. This can be looked up on the Chrome Web Store (https://chrome.google.com/webstore/detail/{id}) to verify legitimacy.
name: The extension's display name. Names that mimic well-known extensions but with slight spelling variations are a red flag.
manifest_version: Version 2 or 3. MV2 extensions have broader capabilities; MV3 is more restricted. MV2 is being deprecated.
permissions: Declared capabilities. See the high-risk permissions table below.
host_permissions: URL patterns the extension can access.
content_scripts.matches: URL patterns where the extension injects scripts into web pages.
update_url: Where the extension checks for updates. Extensions from the Chrome Web Store use https://clients2.google.com/service/update2/crx. Non-standard update URLs may indicate sideloaded or enterprise extensions.
background: Background script configuration. Extensions with persistent background contexts can operate continuously.

High-Risk Permissions

macfor identifies and flags the following permissions as high-risk:

Permission	Risk
`<all_urls>`	Full access to all websites
`:///*`	Full access to all websites
`webRequest`	Can intercept and observe network requests
`webRequestBlocking`	Can modify or block network requests
`tabs`	Can access browser tab URLs and metadata
`history`	Can read and modify browsing history
`cookies`	Can read and modify cookies
`nativeMessaging`	Can communicate with native applications outside the browser
`debugger`	Can debug other extensions or tabs
`management`	Can manage (enable/disable/uninstall) other extensions
`privacy`	Can modify browser privacy settings
`proxy`	Can modify proxy configuration
`clipboardRead`	Can read clipboard contents
`clipboardWrite`	Can write to clipboard
`downloads`	Can manage file downloads
`geolocation`	Can access geographic location

Analysis Notes

An extension with <all_urls> or *://*/* in its permissions has the ability to read and modify content on every website the user visits. This is the most permissive host access pattern.
Extensions not installed from the Chrome Web Store (identifiable by a non-standard update_url) deserve extra scrutiny. These may be enterprise-deployed, developer-loaded, or potentially malicious.
The External Extensions directory contains JSON configuration files for extensions installed by enterprise policy or other external mechanisms. The filename (without .json) is the extension ID.
Content script match patterns reveal which sites the extension targets. An extension claiming to be a shopping tool but with <all_urls> access is suspicious.
Extensions with nativeMessaging permission can communicate with programs installed on the local system, potentially serving as a bridge for data exfiltration.
The management permission allows an extension to disable or remove other extensions, which is a technique used by malicious extensions to remove security tools.
macfor enumerates all version directories for each extension and collects the manifest from the most recent version.

Version Differences

Chrome extensions have transitioned from Manifest V2 to Manifest V3:

Timeline	Change
Pre-Chrome 88	MV2 only
Chrome 88-127	MV2 and MV3 coexist
Chrome 127+	MV2 deprecation begins

The permission model and background script architecture differ significantly between MV2 and MV3. macfor handles both formats.

Tool Support

Tool	Capability
macfor	Enumerates extensions, parses manifests, identifies high-risk permissions, detects non-Web Store sources
CRXcavator	Online extension security analysis service
Extension Source Viewer	Chrome extension for viewing other extensions' source code
VirusTotal	Can scan extension packages for known malware