The Chrome history was cleared! Now what? (part 1)
Settings and Bookmarks
Ok, so for the sake of this post, let's assume that the answer to the question posed in the previous part ("Was the history cleared?") was yes, it was. That totally wipes out all traces of any browsing activity. Right? Well, not so fast… Even after checking all the boxes on the 'Clear browsing data' screen and selecting to 'Obliterate the following items from the beginning of time' (nice wording), data that may be of interest and can shed light on a user's browsing habits still remains. This post will examine what information we can glean from settings and bookmarks.
Content Settings
The user can select what broad classes of information they would like to clear via Chrome's "Clear browsing data" menu. However, the Chrome developers make a distinction between "browsing activity" and "content settings". Many of these settings are much more difficult to clear, and still can be of help during an investigation. Recent versions of Chrome explicitly notify the user of this at the bottom of the clearing data screen:
If you click the link at the bottom for 'content settings' (or go to chrome://settings/content), you can see the different categories of settings: Cookies, Images, JavaScript, Handlers, Plug-ins, Pop-ups, Location, Notifications, Fullscreen, Mouse Cursor, Protected Content, Media, Unsandboxed plug-in access, Automatic Downloads, and Zoom Levels. Under each category are options to turn it on or off, and in most cases a 'Manage' button. Each 'Manage' screen allows you to view, add or remove sites from the exception list, as well as change the allowed behaviors.
The data for most of the content settings mentioned above are stored in the Chrome Preferences file at profile.content_settings.pattern_pairs. Under each hostname pattern is a set of key/value pairs; the key is the content setting ("plugins", "geolocation", "media-stream-mic", etc), and the value is an integer (1=allow, 2=block). Any hostnames that do not match any of the patterns will have the default content settings applied. A shortened example is below:
"profile": {
    "content_settings": {
        "pattern_pairs": {
            "[*.]webcourses.ucf.edu,*": {
                "plugins": 1,
                "popups": 1
            },
            "[*.]www.obsidianforensics.com,*": {
                "plugins": 1
            },
            "[*.]www.youtube.com,*": {
                "fullscreen": 1
                ...
Hindsight will parse out these values from the Chrome Preferences file and place them on the 'Preferences' tab, under the heading 'Profile Content Settings'.
Per Host Zoom Levels
The Per Host Zoom Levels is technically a content setting and could be placed above, but I thought it deserved its own section. This setting tracks how much a user zooms in or out on a particular website in order to allow Chrome to use that same zoom level on subsequent visits. It is also located in the Chrome Preferences file, in either profile.per_host_zoom_levels or partition.per_host_zoom_levels.
I was first made aware of this artifact, and the fact that it persists when a user clears their history, by Jesse Kornblum in a blog post he wrote. He mentions a similar issue with DNS prefetch information not being cleared, but that was fixed by the Chrome developers in short order. The 'Per Host Zoom Levels' setting still cannot be cleared via the 'Clear browsing data' screen (but users can clear it via chrome://settings/contentExceptions#zoomlevels). This Chromium issue is interesting reading, as various Chromium developers discuss the zoom levels and whether they should be cleared or not.
Shortly after Jesse's post, I built a parser for these values in the old Perl version of Hindsight. The new Python version also parses these values out, and places them on the 'Preferences' tab.
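As an added illustration (not part of the original post, and not Hindsight's own code), here is a small Python parser that pulls both of the Preferences artifacts discussed above: the content settings under profile.content_settings.pattern_pairs, using the 1=allow / 2=block mapping, and the zoom levels under profile.per_host_zoom_levels and partition.per_host_zoom_levels. The sample Preferences JSON is constructed. Two details are my assumptions: that partition zoom levels are keyed by a partition id before the hostname, and that newer Chrome versions may wrap each level in a dict with a zoom_level key. Turning a stored zoom level into a percentage uses Chrome's ratio of 1.2 ** level.

```python
import json
import math

# Constructed sample of a Chrome "Preferences" file, reduced to the keys this post
# discusses. It is not taken from a real profile.
SAMPLE_PREFERENCES = json.dumps({
    "profile": {
        "content_settings": {
            "pattern_pairs": {
                "[*.]webcourses.ucf.edu,*": {"plugins": 1, "popups": 1},
                "[*.]www.obsidianforensics.com,*": {"plugins": 1},
                "[*.]www.youtube.com,*": {"fullscreen": 1, "notifications": 2},
            }
        },
        "per_host_zoom_levels": {"www.youtube.com": 1.0, "docs.google.com": -0.5},
    },
    # Assumption: zoom levels for isolated storage partitions are keyed by a
    # partition id first, then by host.
    "partition": {"per_host_zoom_levels": {"2166136261": {"news.example.test": 2.0}}},
})

# Integer meanings given in the post: 1 = allow, 2 = block.
CONTENT_SETTING_VALUES = {1: "allow", 2: "block"}


def load_preferences(text):
    """Parse the JSON text of a Preferences file."""
    return json.loads(text)


def content_setting_label(value):
    """Translate a content-setting integer into a readable label."""
    return CONTENT_SETTING_VALUES.get(value, "unknown(%r)" % (value,))


def parse_pattern_pairs(prefs):
    """Return sorted (hostname pattern, setting name, label) tuples from
    profile.content_settings.pattern_pairs, or [] if the key is absent."""
    pairs = prefs.get("profile", {}).get("content_settings", {}).get("pattern_pairs", {})
    rows = []
    for pattern, settings in pairs.items():
        for name, value in settings.items():
            rows.append((pattern, name, content_setting_label(value)))
    return sorted(rows)


def zoom_level_to_percent(level):
    """Chrome stores a zoom *level*; the zoom factor shown to the user is
    1.2 ** level (level 1.0 is 120 %, level -1.0 is roughly 83 %)."""
    return int(round(100 * math.pow(1.2, level)))


def _level_of(value):
    """Assumption: newer profiles may store {"zoom_level": x, ...} instead of a bare number."""
    if isinstance(value, dict):
        return float(value.get("zoom_level", 0.0))
    return float(value)


def parse_zoom_levels(prefs):
    """Return sorted (source, host, level, percent) tuples from both locations named
    in the post: profile.per_host_zoom_levels and partition.per_host_zoom_levels."""
    rows = []
    for host, value in prefs.get("profile", {}).get("per_host_zoom_levels", {}).items():
        level = _level_of(value)
        rows.append(("profile", host, level, zoom_level_to_percent(level)))
    partitions = prefs.get("partition", {}).get("per_host_zoom_levels", {})
    for partition_id, hosts in partitions.items():
        for host, value in hosts.items():
            level = _level_of(value)
            rows.append(("partition:" + partition_id, host, level, zoom_level_to_percent(level)))
    return sorted(rows)


if __name__ == "__main__":
    prefs = load_preferences(SAMPLE_PREFERENCES)
    for row in parse_pattern_pairs(prefs):
        print("content setting: %-35s %-14s %s" % row)
    for row in parse_zoom_levels(prefs):
        print("zoom level: %-22s %-20s %5.2f (%d%%)" % row)
```

Both functions return empty lists rather than raising when a key is missing, which is what you want when running the same parser over many profiles of different Chrome versions; a host that shows up in the zoom list is a host the user spent enough time on to adjust the zoom, even if the History database is empty.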
Bookmarks
Bookmarks are one of those items for which there isn't a box to check to delete them on the 'Clear browsing data' screen. You can manually delete bookmarks of course, but there isn't an easy way to delete them all en masse via the UI.
Chrome records the timestamp the bookmark item or folder was created, so we can build a rough timeline with that information. Hindsight does this automatically, and places the bookmarks in the main 'Timeline' tab, interspersed with the other browsing records.
Favicons
I've noticed that favicons are also not completely cleared when all history is deleted. From testing, it appears that if an item had been bookmarked, the corresponding favicon is kept. This makes sense, as Chrome displays the favicon next to each bookmark that is part of the 'Bookmarks Bar'. However, there appears to be more items saved than just what was bookmarked; these extra items can have interesting information. From what I can tell, some entries in the 'icon_mapping' table of the 'Favicons' SQLite database are not deleted when they should be. See the example below:
The entry in the red box (https://www.reddit.com/r/computerforensics) is the only page I had bookmarked. For my testing, I bookmarked that page, browsed around a bit, did some searches, then used the 'Clear browsing data' dialog to clear everything I could. From this and other tests it appears to me that information on bookmarked pages, as well as some other pages on the same domain, can remain in this table. I think entries like the cached search result (RecNo 1028 above) could potentially be particularly useful in an investigation.
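To tie the Bookmarks and Favicons sections together, here is an added Python example (not from the post, and not Hindsight's code) that walks a Bookmarks file, converts each date_added value from Chrome's WebKit timestamp (microseconds since 1601-01-01 UTC) into a datetime so the entries can be merged into a timeline, and then lists the icon_mapping rows of a Favicons database whose page_url is not bookmarked, since those are the leftover entries the post points at. The bookmark JSON and the favicon rows are constructed samples, and the SQLite schema is reduced to the columns used here (icon_mapping.page_url, icon_mapping.icon_id, favicons.url); the real database has more tables and columns.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample of a Chrome "Bookmarks" file, reduced to the fields used here.
SAMPLE_BOOKMARKS = json.dumps({
    "roots": {
        "bookmark_bar": {
            "type": "folder", "name": "Bookmarks bar", "date_added": "13055000000000000",
            "children": [
                {"type": "url", "name": "computerforensics",
                 "url": "https://www.reddit.com/r/computerforensics",
                 "date_added": "13055003600000000"},
                {"type": "folder", "name": "work", "date_added": "13055007200000000",
                 "children": [
                     {"type": "url", "name": "Hindsight",
                      "url": "https://www.obsidianforensics.com/hindsight",
                      "date_added": "13055010800000000"},
                 ]},
            ],
        },
        "other": {"type": "folder", "name": "Other bookmarks",
                  "date_added": "13055000000000000", "children": []},
    }
})

# Constructed (page_url, favicon url) pairs standing in for the icon_mapping and
# favicons tables. Two of the pages were never bookmarked.
SAMPLE_FAVICONS = [
    ("https://www.reddit.com/r/computerforensics", "https://www.reddit.com/favicon.ico"),
    ("https://www.reddit.com/r/netsec", "https://www.reddit.com/favicon.ico"),
    ("https://www.google.com/search?q=hindsight+chrome", "https://www.google.com/favicon.ico"),
    ("https://www.obsidianforensics.com/hindsight", "https://www.obsidianforensics.com/favicon.ico"),
]

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    """date_added is microseconds since 1601-01-01 UTC, stored as a decimal string."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def load_bookmarks(text):
    return json.loads(text)


def walk_bookmarks(bookmarks):
    """Yield (datetime, type, path, url) for every folder and URL under every root,
    depth-first. Folders carry url=None."""
    def walk(node, path):
        here = path + [node.get("name", "")]
        yield (webkit_to_datetime(node["date_added"]), node["type"], "/".join(here), node.get("url"))
        for child in node.get("children", []):
            yield from walk(child, here)
    for root in bookmarks["roots"].values():
        yield from walk(root, [])


def bookmark_timeline(bookmarks):
    """Bookmark entries ordered by creation time, ready to interleave with other records."""
    return sorted(walk_bookmarks(bookmarks), key=lambda row: (row[0], row[2]))


def build_favicons_db(rows):
    """Build an in-memory SQLite database with the reduced (constructed) schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE favicons (id INTEGER PRIMARY KEY, url LONGVARCHAR NOT NULL, icon_type INTEGER DEFAULT 1);
        CREATE TABLE icon_mapping (id INTEGER PRIMARY KEY, page_url LONGVARCHAR NOT NULL, icon_id INTEGER);
    """)
    icon_ids = {}
    for page_url, icon_url in rows:
        if icon_url not in icon_ids:
            icon_ids[icon_url] = db.execute("INSERT INTO favicons (url) VALUES (?)", (icon_url,)).lastrowid
        db.execute("INSERT INTO icon_mapping (page_url, icon_id) VALUES (?, ?)", (page_url, icon_ids[icon_url]))
    db.commit()
    return db


def leftover_page_urls(db, bookmarks):
    """Return (record id, page_url, favicon url) for icon_mapping rows whose page was
    never bookmarked: the entries that should have gone with the history but did not."""
    bookmarked = {url for _, kind, _, url in walk_bookmarks(bookmarks) if kind == "url"}
    query = """SELECT m.id, m.page_url, f.url
               FROM icon_mapping m JOIN favicons f ON f.id = m.icon_id
               ORDER BY m.id"""
    return [(rec, page, icon) for rec, page, icon in db.execute(query) if page not in bookmarked]


if __name__ == "__main__":
    bm = load_bookmarks(SAMPLE_BOOKMARKS)
    for when, kind, path, url in bookmark_timeline(bm):
        print(when.isoformat(), kind, path, url or "")
    for rec, page, icon in leftover_page_urls(build_favicons_db(SAMPLE_FAVICONS), bm):
        print("RecNo %d  %s  (icon %s)" % (rec, page, icon))
```

Against a real profile you would open the Favicons file with sqlite3.connect() on a copy of the database instead of calling build_favicons_db; the query is the same. The search-result URL that this returns has no timestamp, as the post says, but it is exactly the kind of entry that contradicts a claim of never having visited a site.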
Ok, so what?
Any one of these artifacts by itself may not be particularly useful, but all of them combined may prove valuable in reconstructing activity that a user was attempting to hide. Unfortunately, most of them (except bookmarks) lack timestamp information, but if the user claims they never visited a particular site, you very well might find evidence to the contrary in one of these locations, even after the Chrome history was cleared.
Stay tuned for future posts, examining other ways to reconstruct information about Chrome browsing activities.