The reason for this change is to enable sandboxing of Chrome's network service, so it can only access files on the file system that it needs. This would make it so any compromised network service can't access other files in the user's profile directory. Because of how ACLs work on Windows, to accomplish this the files needed by network services have moved from the user's profile directory to a
Network-related files that have/will be moved are:
- Cookies (SQLite)
- Network Persistent State (JSON)
- Reporting and NEL (SQLite)
- TransportSecurity (JSON)
- Trust Tokens (SQLite)
The "Cache" directory (HTTP cache) is also included in the sandbox, but it was already in its own directory so it didn't need to move.
This migration is starting with Windows, and is eventually planned to happen on macOS, Linux, Android and ChromeOS. Other operating systems might be included later (but not iOS).
Forensic Tools Impact
Plaso & log2timeline - no impact. log2timeline parses every file independent of its path, so this change to Chrome has no impact.
Hindsight - impacted. Hindsight currently uses file paths to find files to parse, so this change to Chrome caused problems (the Cookies database and TransportSecurity file would not be parsed). A new Hindsight release (2021.12) is available now that fixes this.