Investigating Google Chrome Data
Posted by Jack H. Ward, Last modified by Jack H. Ward on 07 February 2018 03:41 AM

Electronic Evidence Examiner allows you to add a special cache folder created by the Google Chrome browser that contains history, autofill items, keywords, logins, bookmarks and cookies data.

By default, the Cache folder can be found in the following locations:

OS: Windows 10; Windows 7, 8, 8.1
File location: C:\Users\<windows_username>\AppData\Local\Google\Chrome\User Data\Default

To investigate Google Chrome data, do the following:

1. Open the Add New Evidence window.

2. In the Category list, select Internet Browser Data. In the Source Type list, select Google Chrome Browser Data. Click OK.



3. In the standard Browse For Folder window, navigate to the desired folder with cache data. Click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Google Chrome data is added to the case.

Electronic Evidence Examiner allows you to view Google Chrome keywords, i.e., data that the user typed in the Google Chrome address bar. Keywords display what the user searched for using the browser.

To view Google Chrome keywords, do the following:

1. Open the Add New Evidence window.

2. In the Category list, select Internet Browser Data. In the Source Type list, select Google Chrome Browser Data. Click OK.
3. In the standard Browse For Folder window, navigate to the desired folder with cache data. Click OK.
4. Enter the Evidence name (opened folder name by default) and click OK.
5. The Google Chrome data is added to the case.
6. In the Case Content pane, select the Keywords node. Its contents are displayed in the Data View pane (to the right).
7. In the Term column, the list of Google Chrome keywords is displayed. In the Action URL column, the list of URLs used for the search is displayed.
8. You can copy the URL address from the Properties pane (lower left).
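
To cross-check the terms shown in the Keywords node against the profile folder itself, the following added example (not part of Electronic Evidence Examiner or of the original article) reads typed search terms from a working copy of the folder's SQLite file. It assumes the `History` file with Chrome's `keyword_search_terms` and `urls` tables, which the article does not name; whether the product reads the same tables is not stated, and the sample database and its rows are constructed.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(us):
    """Chrome stores times as microseconds since 1601-01-01 UTC."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def read_search_terms(history_path):
    """Return (term, url, last_visit_utc) rows from a copy of the History file."""
    # mode=ro + immutable=1: never write to or lock the evidence copy.
    uri = Path(history_path).resolve().as_uri() + "?mode=ro&immutable=1"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT k.term, u.url, u.last_visit_time "
            "FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id "
            "ORDER BY u.last_visit_time").fetchall()
    finally:
        con.close()
    return [(term, url, webkit_to_utc(ts)) for term, url, ts in rows]

def build_sample_history(path):
    """Constructed stand-in for a History file: only the columns queried above."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER, term TEXT);
        INSERT INTO urls VALUES (1, 'https://www.example.com/search?q=train+times', 13162441260000000);
        INSERT INTO urls VALUES (2, 'https://www.example.com/search?q=weather', 13162444860000000);
        INSERT INTO keyword_search_terms VALUES (2, 1, 'train times');
        INSERT INTO keyword_search_terms VALUES (2, 2, 'weather');
    """)
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "History")
        build_sample_history(sample)
        for term, url, when in read_search_terms(sample):
            print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {term!r}  {url}")
```

Run it against a hashed working copy of the folder rather than the original evidence, and compare the terms and URLs it returns with the Term and Action URL columns.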



