The Relevance of Google Chrome Operating System Artifacts
Today’s Information Technology industry innovates rapidly by developing and releasing new products that require testing and research before their artifacts are understood. The expectation is that forensic examiners keep themselves up-to-date in the latest technologies. Chromebooks based upon the Google Chrome Operating System are one such innovation, and an attractive new technology. Just a year ago (2013), at the Intel Developer Forum, Jason Mick reported that Intel was beginning to distance itself from Microsoft (MS) over the problems it had been having with Windows 8 adoption, and was moving to grow its presence in the Chromebook subsector of personal computers. At the time, Intel announced the approaching availability of more power-efficient processors in low-cost personal computing devices such as Google Chromebooks and other devices based on the Google Chrome Operating System (Mick, 2013). As reported by Frederic Lardinois of TechCrunch.com, Google and its partners sold 1 million Chromebooks in the fiscal quarter of April through June 2014 (Lardinois, 2014). With this high level of consumer adoption, it is inevitable that a device using the Google Chrome Operating System will find its way into an investigation, requiring a forensic investigator to collect artifacts during the course of their work. For examiners who have had no formal training or experience with the Google Chrome Operating System, this paper identifies and explains the various artifacts. Criminals use whatever tools they have access to, and the low price point of around $200 USD for a Chromebook makes the devices attractive as a communication tool for the Internet (Lardinois, 2014). Packed with features that address modern Information Technology security problems, combined with a very competitive price point for new and low-income users, Chromebooks are quickly becoming a prolific presence in consumer households (Fang, Hanus, & Zheng, 2011). 
These features include encryption of network traffic, encryption of data on the device and stored in the Cloud, constant checks for updates, verified boot that detects system changes when the operating system launches, and a secure way to back up and restore the system. Chromebooks have been available since June 15, 2011, when Acer and Samsung began shipping their first models (Efrati & Sherr, 2011). Schools buy them for just $20 per device per month using the Chromebooks for Education program offered by Google (Chromebooks for Education, 2013). Further enhancing their popularity, Chromebooks provide a personal computer experience without requiring installation and maintenance of software. This is possible since the
applications connect to the user’s Chromebook ID and execute within the Chrome web browser. This function is very similar to how MS Windows Remote Desktop operates. Google refers to this as Chrome Remote Desktop. However, not all users are the same. Some will use Chromebooks in ways unintended by their designers, producing unusual challenges for forensic examiners, and some will use Chromebooks in support of illicit endeavors. Cyber criminals are likely to utilize Chromebooks because of the encryption features and low price, and, since the platform is still relatively new, they can leverage the limited Chrome Operating System forensic experience of Law Enforcement to support, conceal, and execute their illegal activities. While the use of Chromebooks is spreading quickly, a thorough Internet search produced no papers or articles specifically covering the forensic artifacts of the Google Chrome Operating System (Lardinois, 2014). Scholarly research and forensic manuals only include materials for handling the data stored inside the Cloud, such as Google Drive, which is the Cloud service the Chrome Operating System uses to store user files (Ackerman, 2013). This lack of useful research is wholly inadequate in light of the popularity of Chromebooks and their fast-growing market share among low-end personal computers. Without this kind of research, forensic examiners would have to expend additional time doing the research themselves. Extra time used by the examiner prolongs the investigation and possibly results in a failure to prosecute in a timely manner. While the Google Chrome Operating System is technically a Linux-based operating system, it is divergent enough from other distributions that an examiner needs to treat it as a completely new device. As with any new device, an examiner would be required to discover the artifacts present, understand them scientifically, and identify their origin and value to the overall operating system. 
Research which identifies these artifacts, how to collect them, how to analyze them, and finally how to incorporate them into an investigation is of tremendous value to the forensic community. This paper initiates production of this body of research and includes suggestions for additional complementary research and development. Cold capture is the first effort an examiner uses, since evidence typically arrives on their examination table as powered-down electronic devices. It is very likely that a powered-down Chromebook or its Solid State Drive (SSD) will require data to be captured and analyzed (Rogers, Goldman, Mislan, Wedge, & Debrota, 2006). While cold capture readily enables an investigator to capture data and analyze digital copies of the data, it introduces a weakness to the investigation. A running computer may have applications running which hold valuable data in the memory the application is using. Active memory can reveal useful data in an investigation. While a computer is running, applications maintain their data in memory unencrypted, even when that data is encrypted on the remote system. Furthermore, if any running applications are connected to a remote system, the credentials required to access those remote sources are available in an open and readable format for collection. These credentials may include user IDs, passwords, and keys for encryption and decryption. For instance, when a user connects to a Cloud service such as Google Drive, the data resides unencrypted in memory but encrypted when stored in the remote Google Drive directory. Being able to capture this live memory can provide unencrypted data and re-usable credentials to further the investigation. A computer which is shut down does not have programs running in memory, and the only useful data will be that which is stored on local storage media such as a Hard Disk Drive (HDD), Universal Serial Bus (USB) flash drives, or optical storage media such as CDs and DVDs. 
In Google Chrome Operating System based devices, encryption is heavily used, and when the computer is shut down the encrypted user data is beyond the reach of an investigator via typical cold capture (Fang et al., 2011; Panchal, 2013). Due to the heavy use of Cloud technologies in Google services, the user data maintained by Google within the Gmail account is an important part of properly understanding the forensic artifacts associated with a Google Chrome Operating System installation (Fournier, 2014). For this reason, the Chrome Browser artifacts were included in this research for comparison and to add depth of understanding to the analysis. In order to understand the data that is available from the Chrome Browser, this investigation included processing Chrome Browser artifacts on a Windows XP Virtual Machine (VM) logged into the Google Gmail account used for the other parts of this investigation. Investigators are required to process computer systems used by suspected computer hackers who were attracted to the advanced encryption features of the Google Chrome Operating System (Fang et al., 2011). Understanding the advanced features of the Google Chrome Operating System, and the impact these user features have on the discoverable artifacts, is important to a forensic investigator. This research delved into a Chromebook configured in Developer Mode, and examined Ubuntu Linux installed using an emulator virtualization program (Cipriani, 2014; Bhartiya, 2014). An investigator should know the additional artifacts available as well as the applications that may be of use to their investigation.