Industry News
Timeline

Chromebook Data Locations

Hi!  This is Jessica Hyde, Forensics Director here at Magnet Forensics.  I recently received an email regarding the data locations for the artifacts I spoke about in the Chromebook forensics presentation at the Magnet Virtual Summit, Taking a Byte of Chromebook Analysis.

The ask was for a summary list of where to find the artifacts discussed in that presentation. I thought it would make sense to share that list here as a reference document. There are multiple locations listed for each artifact type.

Browser History

home/shadow/(GUID)/mount/user/history

home/chronus/user/history

home/chronus/u-(GUID)/history

home/user/(GUID)/history

home/(username)/.config/chromium/Default/history

Browser Cache

home/shadow/(GUID)/mount/user/Cache

home/chronus/user/Cache

home/chronus/u-(GUID)/Cache

home/user/(GUID)/Cache

home/(username)/.config/chromium/Default/Cache/data_1

Browser History – Current Tabs

home/shadow/(GUID)/mount/user/Current Tabs

home/chronus/user/Current Tabs

home/chronus/u-(GUID)/Current Tabs

home/user/(GUID)/Current Tabs

home/(username)/.config/chromium/Default/Current Tabs

Browser History – Last Tabs

home/shadow/(GUID)/mount/user/Last Tabs

home/chronus/user/Last Tabs

home/chronus/u-(GUID)/Last Tabs;

home/user/(GUID)/Last Tabs;

home/(username)/.config/chromium/Default/Last Tabs

Browser History – Current Sessions

home/shadow/(GUID)/mount/user/Current Sessions

home/chronus/user/Current Sessions

home/chronus/u-(GUID)/Current Sessions

home/user/(GUID)/Current Sessions

home/(username)/.config/chromium/Default/Current Sessions

Browser History – Last Sessions

home/shadow/(GUID)/mount/user/Last Sessions

home/chronus/user/Last Sessions

home/chronus/u-(GUID)/Last Sessions

home/user/(GUID)/Last Sessions

home/(username)/.config/chromium/Default/Last Sessions

Downloads

In the browser history, downloads table, e.g. home/chronos/u-(GUID)/downloads/(filename)

AND

home/shadow/(GUID)/mount/user/Downloads

home/chronus/user/Downloads

home/chronus/u-(GUID)/Downloads

home/user/(GUID)/Downloads

home/(username)/Downloads

Also

 downloads_url_chains table in browser history

Extensions

File names are GUIDS. Note – use a search engine for the GUID or check manifest json file (includes name and prefrences)

home/shadow/(GUID)/mount/user/Extensions

home/chronus/user/Extensions

home/chronus/u-(GUID)/Extensions

home/user/(GUID)/Extensions

home/(username)/Extensions

Extensions – manifest.json

home/shadow/(GUID)/mount/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/user/Extensions/(extensionGUID)/(Version)/manifest.json

home/chronus/u-(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/user/(GUID)/Extensions/(extensionGUID)/(Version)/manifest.json

home/(username)/Extensions/(extensionGUID)/(Version)/manifest.json

Extensions – Sync App Settings

home/shadow/(GUID)/mount/user/Sync App Settings

home/chronus/user/Sync App Settings

home/chronus/u-(GUID)/Sync App Settings

home/user/(GUID)/Sync App Settings

home/(username)/Sync App Settings

Offline Storage

home/shadow/(GUID)/mount/user/gcache/v1/files 

home/chronus/user/gcache/v1/files 

home/chronus/u-(GUID)/gcache/v1/files 

home/user/(GUID)/gcache/v1/files 

home/(username)/gcache/v1/files 

Note – Files  are listed by GUID rather than name and can be associated via gcache/v1/meta/*.ldb

Shell History

home/shadow/(GUID)/mount/user/.bash_history

home/chronus/user/.bash_history

home/chronus/u-(GUID)/.bash_history

home/user/(GUID)/.bash_history

home/(username)/.bash_history

Avatar

home/shadow/(GUID)/mount/user/Accounts/Avatar/Images/(emailadderess)

home/chronus/user/Accounts/Avatar/Images/(emailadderess)

home/chronus/u-(GUID)/Accounts/Avatar/Images/(emailadderess)

home/user/(GUID)/Accounts/Avatar/Images/(emailadderess)

home/(username)/Accounts/Avatar/Images/(emailadderess)

I hope this serves as a quick reference document for your Chromebook analysis. If you are looking for acquisition of Chromebooks, try the method from Daniel Dickerman posted on DFIR Review.

Have you found other artifact locations in your Chromebook analysis? Share them with me by email to jessica.hyde@magnetforensics.com.

Related Resources

Blog

Blog

Understanding the security impacts of iOS 18’s inactivity reboot

Beginning with iOS 18, Apple has added an inactivity reboot timer into the operating system that is tied only to the device’s lock state. This means that when the device

November 13, 2024 • About a 4 minute view
Blog

Blog

Real-time hash matching against NCMEC: Now in Magnet Griffeye products 

About a year ago, we announced our partnership with the National Center for Missing and Exploited Children (NCMEC)—the largest and most influential child protection organization in the U.S. Over the

October 8, 2024 • About a 2 minute view
Blog

Blog

Save your spot for Magnet User Summit 2025 in Nashville! 

Join us for the DFIR event of the year. This is your chance to get hands-on training and hear about the newest innovations from Magnet Forensics

October 3, 2024 • About a 3 minute view
Resource Center Home

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top