Internet Browser Forensics
Accessing Google Chrome browsing history for forensic examination.
Google Chrome is the world’s most popular browser, with over 50% market share across all devices globally. Browser data can be critical to a digital investigation, and Chrome stores both typical internet usage data and some data that is unique to this browser. A forensic examination of Chrome data can reveal information about a user’s internet activities, synced devices, and accounts.
Examining Internet Browsing Data
Although a browser gives the user the impression of “going out” to the internet, in fact, a browser more accurately brings the internet to the user. Every website visited, every image viewed, every search conducted, and all other content both visible and invisible is downloaded and stored locally on the user’s device. Some of this information gets automatically deleted after a short period and some of it is stored indefinitely, but all of it has the potential to be captured and used as evidence.
Every browser stores certain basic pieces of information about the websites a user has visited. The history database stores a record of websites accessed with the date and time of the last visit. The browser cache stores content from visited sites, such as images and text. Some internet activities create cookies, which can store a wide variety of information about a user and can be recovered by a forensic examiner. Browsers may also store countless other types of information that could be useful in an investigation, such as bookmarks, logins, search history, and downloads.
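As an added illustration (not part of the original article), the sketch below reads last-visit records from a Chrome-style history database. It assumes Chrome's SQLite `History` file with its `urls` table and `last_visit_time` column, stored as microseconds since 1601-01-01 UTC; the database it parses is a constructed sample reduced to the columns read, and `read_history` and `demo` are names chosen for this example.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Convert a Chrome timestamp to an aware UTC datetime (None if unset)."""
    if not value:  # 0 is treated here as "no visit recorded"
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)

def read_history(path):
    """Return urls rows, newest visit first, without writing to the file."""
    # mode=ro opens the working copy read-only so the evidence is not altered.
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        rows = con.execute(
            "SELECT url, title, visit_count, last_visit_time "
            "FROM urls ORDER BY last_visit_time DESC").fetchall()
    finally:
        con.close()
    out = []
    for url, title, count, last in rows:
        ts = webkit_to_utc(last)
        out.append({"url": url, "title": title, "visit_count": count,
                    "last_visit_utc": ts.isoformat() if ts else None})
    return out

def demo():
    """Build a CONSTRUCTED sample database and parse it."""
    sample = [  # constructed rows, not real browsing data
        ("https://example.com/", "Example", 3, 13354979400000000),
        ("https://example.org/docs", "Docs", 1, 13354975800000000),
        ("https://example.net/", "Never visited (constructed)", 0, 0),
    ]
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, "
                    "title TEXT, visit_count INTEGER, last_visit_time INTEGER)")
        con.executemany("INSERT INTO urls (url, title, visit_count, "
                        "last_visit_time) VALUES (?, ?, ?, ?)", sample)
        con.commit()
        con.close()
        return read_history(path)
```

In practice the examiner would point `read_history` at a working copy of the acquired file rather than the original evidence item.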
Identifying Additional Devices and Accounts
Chrome may provide even more information than some other browsers due to robust synchronization between devices. The popularity of Chrome and the ubiquity of Google accounts mean that access to one device can provide substantial information about other devices and accounts. For example, an examiner analyzing a laptop may review the Chrome synchronization data and learn that the subject of the investigation also used a cellphone or a second computer, which might lead to the collection of additional evidence.
Incognito Mode and Forensic Examination
Chrome has a well-known feature called “Incognito Mode” which allows users to browse the internet with a greater amount of privacy. When browsing in Incognito Mode, Chrome does not retain a history of websites, downloads, or cookies. However, this information is still stored temporarily, mainly in RAM, and therefore can be recovered in some circumstances, particularly if the device has not been powered off. Even in Incognito Mode, using Chrome leaves plenty of traces, and some data regarding the user’s activities will persist on the device for a long time. An experienced examiner can use forensic tools to extract and interpret this data.