Artifacts of Google Chrome Operating System in Developer Mode

During a forensic investigation sometimes an examiner needs to log into the suspects device and try to capture whatever data they can manually as the device may not provide another means to capture it without logging into it. This section covers a manual walkthrough to reveal discovered forensic artifacts on the Acer c720 Chromebook. These next Figures reveal what is
on the Chromebook using the Chrome browser running on it. Figure 18 displays the directory contents for the logged in user’s home directory. The data displayed in the browser in the following Figures of this section comes from this directory of the Chromebook synchronized with Google when the account logged into the Google Gmail server.

Figure 18. Listing of User directory in Crosh.

Figure 18. Listing of User directory in Crosh.

When using the Chrome browser on any computer, the browser history is viewable by directing the browser to the URL chrome://history/. Figure 19 shows what the Chrome browser on the Chromebook when directed to load that URL provides.

Figure 19. Chromebook browser History.

Figure 19. Chromebook browser History.

When opening the Bookmark Manager in the Chrome browser on the Chromebook, the contents shown in Figure 20. This is consistent with what the tool in the previous section showed.

Figure 20. Chromebook browser Bookmarks

Figure 20. Chromebook browser Bookmarks

Figure 21 shows the cookie listing that is available from the browser through the Settings interface.

Figure 21. Chromebook browser Cookies

Figure 21. Chromebook browser Cookies

Figure 22 shows the contents of the local directory where the Chrome browser places downloaded files. This listing shows a file named “Crouton” which is used in Developer Mode to download and install a Linux operating system covered later in analysis.

Figure 22. Chromebook browser Downloads directory

Figure 22. Chromebook browser Downloads directory

Figure 23 displays Browser history when you point the browser to the URL http://history.google.com/history/.

Figure 23: Chromebook browser Search History

Figure 23: Chromebook browser Search History

Figure 24 displays the Login history for the google Gmail account used to login into the Chromebook. Login occurs every time the Chromebook is opened and the account logged into from any other browser at any time.

Figure 24: Chromebook browser Login History

Figure 24: Chromebook browser Login History

Figure 25 it is displayed the most visited sites displayed whenever a new tab in the Chrome browser is open. The data revealed in this view changes as the user surfing habits change.

Figure 25: Chromebook browser Most Visited Sites

Figure 25: Chromebook browser Most Visited Sites

Figure 26 shows the browser cache listing. This listing is viewable from any Chrome browser logged into the user account and pointed at the URL chrome://cache/.

Figure 26: Chromebook browser Cache

Figure 26: Chromebook browser Cache

Figure 27 show the contents of the Google Drive folder as viewed on the Chromebook computer. These files are also available from any other computer logged into the user account.

Figure 27: Chromebook browser Google Drive Contents

Figure 27: Chromebook browser Google Drive Contents