Chrome Forensics for Linux

The Forensics Tool

David Enos recently developed a small Python program designed to gather data stored by Chrome on Windows machines, specifically for forensic analysis. Currently, it gathers the search history, searched keywords, form autofill information, and login usernames/passwords stored by Chrome on a given user’s account. Although there are several tools like this, such as ChromePass, David’s tool is open source and built with forensics specifically in mind. It is designed to be a stand-alone executable, requiring zero installations before running it. This is important during a forensic analysis, as installing other programs could overwrite important data on the hard drive and in RAM. His tool is designed to run from a USB drive and store the Chrome data on that same drive, so no data is written to the hard drive of the machine being analyzed. Although USB drives often require drivers to be installed on whichever computer they’re plugged into, this impact is typically minimal compared to writing gathered data and programs directly onto a hard drive.


The Linux Version

A friend (Phillip Anderson) and I came across David’s program and thought it’d be an interesting way to learn more about Chrome and browser password-storing. When I asked David how we could help, he asked if we’d be able to port the code over to Linux. We happily agreed, which leads us to the next section…


How Linux is Different from Windows

In Windows, Chrome stores its saved data in SQLite database files, located at [Path to User’s home folder]\AppData\Local\Google\Chrome\User Data\Default. These databases have names such as “History,” and inside these databases are various tables which may include search history information or keyword search information. These database files are encrypted with Windows-specific information, but can easily be decrypted using Python’s win32crypt library.

In Linux, these database files from Chrome are located at ~/.config/google-chrome/Default/. The only difference is that the “Login Data” SQLite file (where the saved login data is stored) is blank. This is because in Linux, Chrome stores passwords using either the GNOME Keyring, KWallet, or in plain text, depending on the desktop environment. With Ubuntu, the GNOME Keyring is the default application used to store all saved passwords on the system, including Chrome’s. These password stores encrypt their data on disk, but the data is decrypted once a user logs into his/her account. Once logged in (authenticated), the keyring is unlocked and a user can see all their passwords in plain text (on Ubuntu, search for Applications and type in “Passwords and Keys” to view the GNOME Keyring).

In order to actually get the passwords from the GNOME Keyring, we used Python’s secretstorage module, mentioned in this GitHub issue. This uses the Secret Service protocol supported by the GNOME Keyring to manipulate the keyring database (See this page mentioned in the Resources section below for more information). 

*Note: For both OS’s, in order to open any of the SQLite database files, Chrome must be closed. That said, Chrome should be closed before running the application or it will crash when trying to open the database files.
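For the History database described above, the following added example (not code from David’s tool or from our port) shows one forensically careful way to read it: hash the evidence file, work only on a verified copy opened read-only, and convert Chrome’s timestamps to UTC. The helper names and the sample rows are constructed for illustration; the sample schema is reduced to the columns the query uses.

```python
import hashlib, shutil, sqlite3, tempfile
from contextlib import closing
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome stores visit times as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(microseconds):
    return WEBKIT_EPOCH + timedelta(microseconds=microseconds)

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def read_history(evidence_db, work_dir):
    """Hash the evidence file, copy it, and query only the verified copy."""
    source_hash = sha256_of(evidence_db)
    working = (Path(work_dir) / "History.working").resolve()
    shutil.copy2(evidence_db, working)
    if sha256_of(working) != source_hash:
        raise RuntimeError("working copy does not match the evidence file")
    # mode=ro makes SQLite refuse any write to the working copy.
    with closing(sqlite3.connect(working.as_uri() + "?mode=ro", uri=True)) as conn:
        rows = conn.execute(
            "SELECT u.url, u.title, u.last_visit_time, k.term FROM urls u LEFT JOIN "
            "keyword_search_terms k ON k.url_id = u.id ORDER BY u.last_visit_time").fetchall()
    return source_hash, [(u, t, webkit_to_utc(ts), term) for u, t, ts, term in rows]

def build_sample_history(path):
    """Constructed sample data: a reduced schema with only the queried columns."""
    conn = sqlite3.connect(str(path))
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 13120000000000000);
        INSERT INTO urls VALUES (2, 'https://search.example/?q=sqlite', 'sqlite', 13120000060000000);
        INSERT INTO keyword_search_terms VALUES (2, 2, 'sqlite');
    """)
    conn.close()

def demo():
    # Builds the constructed database in a temp directory and reads it back.
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "History"
        build_sample_history(evidence)
        return read_history(evidence, tmp)

if __name__ == "__main__":
    for record in demo()[1]:
        print(*record)
```

Recording the returned SHA-256 alongside the extracted rows lets a later reviewer confirm which evidence file the output came from.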


Environment Details (Linux Version)

Built Using: Python 3.5

Tested on: Ubuntu 16.04.1

Executable Built With: PyInstaller 3.2


How to Build Executable

*PyInstaller was used to build the executable binary of this program on Linux.

There are several dependencies the code relies on. If you’d like to build the executable yourself (from the source code), the following steps are recommended:

  1. Create a virtual environment with Python3 built into it
    1. Make sure that pip for Python3 is being used. You may need to use ‘sudo apt install python3-pip’ for this.
  2. Run ‘sudo apt install python3-gi’ (to install PyGObject aka PyGI onto the system)
  3. Run ‘pip install dbus-python’ within virtual environment
  4. Run ‘sudo apt install python3-dev’ on system
  5. Run ‘pip install cryptography’ within virtual environment
  6. Run ‘pip install secretstorage’ within virtual environment
  7. Run ‘pip install pyinstaller’ within virtual environment
  8. Use pyinstaller to build the executable within your virtual environment (For example, ‘pyinstaller -D -F -n chromethief_linux —

If you have any questions, please contact me or leave a comment below.


Future Ideas

This tool can definitely be improved and if you’d like to contribute or if you’re simply interested in this tool, here are a few modifications to be on the lookout for:

  • The ability to close Chrome before trying to open a SQLite file, if it is detected to be open
  • Expand the keyring backends supported using Python’s keyring library
  • The addition of other Chrome cache information to this tool’s gathering capabilities (cookies, bookmarks, etc.)
  • The addition of a GUI to make the tool more user-friendly

If you have any other ideas or requests for this tool, please share in the comments below!



Resources

How passwords are stored on different browsers on Linux:

More information on the GNOME Keyring and how it works:

Secret Storage Documentation:

Another (older) method of getting passwords from GNOME Keyring with Python: