Chrome Forensics for Linux

The Forensics Tool

David Enos recently developed a small Python program designed to gather data stored by Chrome on Windows machines, specifically for forensic analysis. Currently, it gathers the search history, searched keywords, form autofill information, and login usernames/passwords stored by Chrome on a given user’s account. Although there are several tools like this, such as ChromePass, David’s tool is open sourced and built with forensics specifically in mind. It is designed to be a stand-alone executable, requiring zero installations before running it. This is important while doing a forensic analysis as installing other programs could overwrite important data on the hard drive and RAM. His tool is designed to run off of and store the Chrome data onto a USB drive, so no data is written to the hard drive of the machine being analyzed. Although USB drives often require drivers to be installed on whichever computer it’s plugged into, this impact is typically minimal compared to writing gathered data and programs directly onto a hard drive.


The Linux Version

A friend (Phillip Anderson) and I came across David’s program and thought it’d be an interesting way to learn more about Chrome and browser password-storing. When I asked David how we could help, he asked if we’d be able to port the code over to Linux. We happily agreed, which leads us to the next section…


How Linux is Different from Windows

In Windows, Chrome stores its saved data in SQlite database files, located at [Path to User’s home folder]\AppData\Local\Google\Chrome\User Data\Default. These databases have names such as “History,” and inside these databases are various tables which may include search history information or keyword search information. These database files are encrypted with Windows-specific information, but can easily be decrypted using  Python’s win32crypt library.

In Linux, these database files from Chrome are located at ~/.config/google-chrome/Default/. The only difference is that the “Login Data” SQlite file (where the saved login data is stored) is blank. This is because in Linux, Chrome stores passwords using either the GNOME Keyring, KWallet, or in plain text, depending on the desktop environment. With Ubuntu, the GNOME Keyring is the default application used to store all saved passwords on the system, including Chrome’s. These password-storing environments encrypt their data on disk, but become unencrypted once a user logs into his/her account. Once logged in (authenticated), the keyring is unlocked and a user can see all their passwords in plain text (on Ubuntu, search for Applications and type in “Passwords and Keys” to view the GNOME Keyring). 

In order to actually get the passwords from the GNOME Keyring, we used Python’s secretstorage module, mentioned in this GitHub issue. This uses the Secret Service protocol supported by the GNOME Keyring to manipulate the keyring database (See this page mentioned in the Resources section below for more information). 

*Note: For both OS’s, in order to open any of the SQLite database files, Chrome must be closed. That said, Chrome should be closed before running the application or it will crash when trying to open the database files.


Environment Details (Linux Version)

Built Using: Python 3.5

Tested on: Ubuntu 16.04.1

Executable Built With: PyInstaller 3.2


How to Build Executable

*PyInstaller was used to build the executable binary of this program on Linux.

There are several dependencies the code relies on. If you’d like to build the executable yourself (from the source code), the following steps are recommended:

  1. Create a virtual environment with Python3 built into it
    1. Make sure that pip for Python3 is being used. You may need to use ‘sudo apt install python3-pip’ for this.
  2. Run ‘sudo apt install python3-gi’ (to install PyGOject aka PyGi onto system)
  3. Run ‘pip install dbus-python’ within virtual environment
  4. Run ‘sudo apt install python3-dev’ on system
  5. Run ‘pip install cryptography’ within virtual environment
  6. Run ‘pip install secretstorage’ within virtual environment
  7. Run ‘pip install pyinstaller’ within virtual environment
  8. Use pyinstaller to build the executable within your virtual environment (For example, ‘pyinstaller -D -F -n chromethief_linux —

If you have any questions, please contact me or leave a comment below.


Future Ideas

This tool can definitely be improved and if you’d like to contribute or if you’re simply interested in this tool, here are a few modifications to be on the lookout for:

  • The ability to close Chrome before trying to open a SQLite file, if it is detected to be open
  • Expand the keyring backends supported using Python’s keyring library
  • The addition of other Chrome cache information to this tool’s gathering capabilities (cookies, bookmarks, etc.)
  • The addition of a GUI to make the tool more user-friendly

If you have any other ideas or requests for this tool, please share in the comments below!



How passwords are stored on different browsers on Linux:

More information on the GNOME Keyring and how it works:

Secret Storage Documentation:

Another (older) method of getting passwords from GNOME Keyring with Python:

Forensic Toolbox: Wireshark


The infamous Wireshark (formerly known as “Ethereal) – a network analyzer used to capture and analyze network traffic going through a given Network Interface Card (NIC) on your system. Network traffic is made up of “packets”. When information is sent from your computer to another device via a network, the NIC divides that information up into small chunks called packets and puts those packets onto the medium you are using (copper, fiber, or air). Wireshark is able to capture these packets so they can be analyzed in detail individually, or combined with other packets in the packet “stream” to form the original message.

For example, if a password were sent in cleartext (as they typically are if sent via email), the packets forming the email content can be put together and that password could be viewed by an outside entity if they were using some packet capture tool and if they were on the same network as the computer which sent the email. Wireshark is also useful for network troubleshooting and forensic analysis. If any of this seems vague, don’t worry, the more you use it and learn about networking, the more it will make sense.


Continue Reading

Forensic Toolbox: lsof


lsof (‘list open files’) is a powerful Unix tool which lets us link open ports (discovered through tools like netcat) to running processes. It also lists the files which a given process has open, along with information about those files. Since everything is considered to be a file in Unix, this tool can be used to get information on actual files, directories, devices, and more. 

Continue Reading

Forensic Toolbox: Sysinternals


Here I’d like to give a brief overview of what the Sysinternals Suite is and some of the tools included in the suite I have experience with (Note: Sysinternal tools are for Windows only).

The Sysinternals Suite is a bundle of utilities released by Microsoft to help troubleshoot and monitor Windows systems. These tools also help investigate a system. There are many tools, all of which are listed and can be downloaded separately on the Microsoft Technet page. You can find more detailed information for each tool on the Technet page as well.

Continue Reading

Forensic Toolbox: Netcat


Netcat is awesome. It is often referred to as the “swiss army knife” of network administrators since it can be used in so many different ways. In the forensics world, it can be used to do a live forensic analysis of a machine, sending data from the “victim” machine to another machine without writing that data to the “victim’s” hard drive and potentially overwriting important information. In hacking / computer security, it can be used as a backdoor into a machine, to do port scans, and even to capture network traffic. In school, it can be used to chat with friends (there are definitely easier ways, but what’s more fun than chatting through a command prompt?). 

Continue Reading

Forensic Toolbox: Netstat


Netstat is a tool for both Windows and Linux systems, used to examine real-time network connections on a machine. This is useful for several reason. For one, imagine an attacker has some sort of process on your machine acting as a backdoor so he/she can easily gain access later. This could be in the form of netcat or an IRC bot or some other rogue application, but no matter the backdoor method, it is important to discover this. Using netstat is one way of discovering open ports which should not be open. Granted, not all of us know which ports are valid and which are not, as there may be many ports active or open on a machine. However, through some port research and other tools I will cover in future posts, this can be a critical step in the forensics process. If, for example, you see a connection from your computer to another device on port 6667 and you are not aware of running any form of IRC, your computer may be infected with an IRC bot and most likely part of some larger botnet. This is good information to have.

Continue Reading

The Hacker Roadmap: Resources to Begin Your Journey

Obviously, this list isn’t exhaustive and I haven’t gone through all of these myself, so if anyone has experience with one of the links listed, or has another (quality) source of learning that was not mentioned, please share it in a comment below. If it seems like a worthwhile study tool, I’ll add it to this article.


I just wanted to provide a starting list for those who are like me and wishes there were more sites that brought together the many great training tools out there to one place.

There are so many resources out there, it’s sometimes hard to sort through what’s actually worthy of your time.

Continue Reading