After reading Jesse Kornblum’s post Privacy Issues in Google Chrome are Opportunities for Forensic Examiners, I decided to see if I could incorporate some of the valuable information in the Chrome Preferences file into the report Hindsight produces.
I updated the core Hindsight program to create another tab on the output file called ‘Preferences’ and created a new plugin (preferences.pl) that opens the Preferences file in the Chrome directory and parses out interesting fields. As of now, the preferences.pl plugin pulls out eight preferences that jumped out to me immediately as potentially useful in an investigation. The settings that are parsed include the per_host_zoom_levels (mentioned in Jesse’s post), what things Chrome Sync is set to track, the Google services username associated with the profile, information about how Chrome is set to clear its history, and the default download and save directories.
There is a lot more good information in the Preferences file, and I plan on digging in more to it to see what else I can find and add to preferences plugin.