[This is a multi-part series examining ways to recover information about browsing activities from Google Chrome.]
First, let’s take a step back. Why do you think that the Chrome history had been cleared? Is it because there are no browsing records at all? Gaps in the entries? Records that stop abruptly after a few months? Each of these variations has a potential explanation besides “the user cleared their history”. Let’s take a look at each of these scenarios before declaring that the history has been cleared.
If there are no records at all, there are two likely scenarios: either the browsing history has indeed been cleared, or the user didn’t actually use that browser. On Windows and Mac computers, Chrome is very seldom the only web browser installed, so the user could simply be using a different one.
Let’s dig a little further to try and determine which case is more likely. First, what version of Chrome is installed? Chrome is quite good about keeping itself up to date via silent, automatic updates, so an older version of Chrome is a good indicator that the browser hasn’t been launched in quite a while. You can compare the version of Chrome on the system and the release date of that particular version; if they are substantially different, the browser may not have been launched recently.
If the user did in fact clear their Chrome history, the ‘smoking gun’ may be found in the Chrome Preferences file. browser.last_clear_browsing_data_time has a WebKit timestamp of the last time the user cleared browsing data from Chrome. browser.clear_data has a number of children that document what items had been cleared at the specified time. Hindsight will parse these values out for you (if you are using the XLSX output format, it places them on the ‘Preferences’ tab).
Note that this only shows the latest time that browsing data was deleted; timestamps of previous clearing are not saved here.
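As an added illustration (not Hindsight’s code or Chrome’s), the following reads these two values out of a Preferences file and converts the WebKit timestamp (microseconds since 1601-01-01 UTC) into a readable UTC time. The sample JSON is constructed for the example, and the child keys under browser.clear_data are assumed names, not taken from a real capture.

```python
import json
from datetime import datetime, timedelta, timezone

# WebKit/Chrome timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_datetime(value):
    # Chrome writes 64-bit integer prefs as JSON strings, so accept int or str.
    # None or 0 means the value was never set, so there is no time to report.
    if value is None or int(value) == 0:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def summarize_clear_browsing_data(prefs):
    # Return (last_clear_time, {item: setting}) from a parsed Preferences dict.
    # Only the most recent clearing is recorded here; earlier ones are gone.
    browser = prefs.get("browser", {})
    last_clear = webkit_to_datetime(browser.get("last_clear_browsing_data_time"))
    return last_clear, dict(browser.get("clear_data", {}))


def load_preferences(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


# Constructed sample of the relevant part of a Preferences file, not a real
# capture. The timestamp is 2020-01-01 00:00:00 UTC; child keys are assumed.
SAMPLE_PREFERENCES = json.loads("""
{"browser": {
   "last_clear_browsing_data_time": "13222310400000000",
   "clear_data": {"browsing_history": true, "cache": true,
                  "cookies": false, "download_history": true,
                  "time_period": 1}}}
""")

if __name__ == "__main__":
    when, items = summarize_clear_browsing_data(SAMPLE_PREFERENCES)
    print("Last clear:", when.isoformat() if when else "never recorded")
    for name, setting in sorted(items.items()):
        print(f"  browser.clear_data.{name} = {setting}")
```

Point `load_preferences` at a real profile’s Preferences file to run it against actual data; a missing or zero timestamp is reported as never recorded rather than as a bogus 1601 date.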
A third (but in my opinion less likely) scenario that explains no records at all is that the user had Chrome set to run exclusively in Incognito mode. This can be accomplished by running Chrome with the command line flag --incognito set; if you think this may be the case, check any shortcuts to Chrome for saved command line options. Chrome has a myriad of command line options, so checking the shortcut is a good practice, as you never know what you’ll find. If you’re finding no browsing records but other operating system artifacts show evidence of Chrome launching frequently, something like this may be the culprit.
Gaps in records
Gaps in browsing history can be explained by many scenarios, but we’ll take a look at three:
Option 1: Targeted clearing of data. The user could have done some browsing, then used the ‘Clear Browsing Data’ option configured to only wipe out the last few hours or days. We can check for the most recent time the data was cleared by checking the Preferences file as described above.
Option 2: Incognito. This mode was made for browsing sessions for which the user doesn’t want information recorded. A gap in normal history could mean the user had switched to Incognito mode (I’ll look at some ways to recover Incognito history in a later part).
Option 3: Different account/browser/computer. It’s always good to look at all browsers installed on the system for activity, as well as under all user accounts. Most browsers store the web history for each user separately, so don’t forget to check all of them. In addition to alternate browsers or user accounts, a good question to ask is “is this the only device the subject has?” The subject could simply have used a different computer or a cell phone to do the browsing.
URL records that cut off after a few months
In version 37, Chrome eliminated the ‘Archived History’ file. This file kept URL records that were older than three months, with no time limit. The ‘Archived History’ file on my personal computer had hundreds of thousands of records, dating back years. Unfortunately, the ‘History’ file only keeps URL records from the last three months, and that time frame hasn’t been extended. Three months of URL records is now all we can expect from live Chrome history. Fortunately, other Chrome records (cookies, downloads, etc.) don’t have this time limit, but I’ll cover that in another post.
Ok, now what?
If the Chrome history has indeed been cleared, or if you just want to look around for what older records may still be present on the system, stay tuned for more. I’ll be covering multiple approaches to recovering information about Chrome browsing activities in future posts. In the meantime, if you want to start delving into Chrome, you can check out Hindsight, an open source Chrome forensics tool. The Hindsight user guide (pdf) also has some good information on Chrome artifacts, starting on page 6.