Cookies Database Moving in Chrome 96
The reason for this change is to enable sandboxing of Chrome's network service, so it can only access files on the file system that it needs. This would make it so any compromised network service can't access other files in the user's profile directory. Because of how ACLs work on Windows, to accomplish this the files needed by network services have moved from the user's profile directory to a Network
subdirectory.
Network-related files that have/will be moved are:
- Cookies (SQLite)
- Network Persistent State (JSON)
- Reporting and NEL (SQLite)
- TransportSecurity (JSON)
- Trust Tokens (SQLite)
The "Cache" directory (HTTP cache) is also included in the sandbox, but it was already in its own directory so it didn't need to move.
You can use my Chrome Evolution visualization to compare files in Chrome 95 vs 96.
This migration is starting with Windows, and is eventually planned to happen on macOS, Linux, Android and ChromeOS. Other operating systems might be included later (but not iOS).
For more details on how the data is moving and why, please see Migration of Network Data by Will Harris (@parityzero) - and thanks to Will for pointing out this change.
Forensic Tools Impact
Plaso & log2timeline - no impact. log2timeline parses every file independent of its path, so this change to Chrome has no impact.
Hindsight - impacted. Hindsight currently uses file paths to find files to parse, so this change to Chrome caused problems (the Cookies database and TransportSecurity file would not be parsed). A new Hindsight release (2021.12) is available now that fixes this.