Google Chrome forensic tool
Forensic tool for processing, analyzing and visually presenting Google Chrome artifacts.
- Mounting of the volume with Google Chrome data and preserving its integrity throughout the manipulation process
  - read only
  - hash checking
- Suspect profile and behavior estimations, including:
  - personal information (emails, phone numbers, date of birth, gender, country, city, address, ...)
  - Chrome metadata
    - Accounts
    - Version
  - Target system metadata
    - Operating system
    - Display resolution
    - Mobile devices
  - Browsing history URL category classification using an ML model
  - Login data frequency (most used emails and credentials)
  - Browsing activity over time periods (heatmap, bar chart)
  - Most visited websites
- Browsing history
  - transition types
  - visit durations
  - average visit duration for the most common sites
- Login data (including parsed metadata)
- Autofills
  - estimated cities and zip codes
  - estimated phone number
  - other possible addresses
  - geolocation API (requires registration with Google)
- Downloads
  - default download directory
  - download statistics
- Bookmarks
- Favicons (including all subdomains that use the respective favicon)
- Cache
  - URLs
  - content types
  - payloads (images or base64)
  - additional parsed metadata
- Volume
  - volume structure data (visual, JSON)
- Shared database to save potential evidence found by investigators
Requirements: git with Git LFS (for the ML model), and Docker with docker-compose (used by the install, startup and rebuild steps below).
Clone the repository:
git clone https://github.com/ChmaraX/forensix.git
Note: the ML model is stored with Git LFS because of its size (~700 MB) and must be pulled separately when building from source. The model is already included in the pre-built Docker image.
git lfs pull
Copy the directory containing the Google Chrome artifacts to analyze (the profile directory, e.g. Default) into the project directory as a folder named data. This folder will be mounted as a volume on server startup, so it must be named /data:
cp -r /Default/. /forensix/data
To download the pre-built images (recommended):
./install
Note: if this fails with a permission error, you may need to run it with sudo, or configure Docker so that your user can run it without sudo.
To build the images from the local source instead, use -b:
./install -b
Wait for the images to download, then start them with:
./startup
The running services listen on:
- ForensiX UI => http://localhost:3000
- ForensiX Server => http://localhost:3001
- MongoDB => localhost:27017
The MongoDB instance holds the evidence records saved by investigators; keep it reachable only from localhost (or a firewalled host) and do not publish port 27017 on a shared network.
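The data-directory step above hands the tool a copy of the profile, and the feature list mentions read-only mounting and hash checking as the integrity controls. The following is an added example (not part of the ForensiX project) showing how an investigator can apply the same controls on the host side: stage the copy, record a SHA-256 manifest of every file, make the copy read-only, and re-verify after the analysis has run. The paths in the usage comments follow the README's layout and are assumptions; the sample profile in the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the ForensiX project: stage a copy of a Chrome
# profile as the tool's data directory while preserving its integrity, i.e.
# record SHA-256 hashes of every file, make the copy read-only, and re-verify
# the hashes once analysis is finished. Paths are the caller's choice; the
# manifest is written next to the data directory, outside the mounted volume.

# stage_profile SRC DST: copy SRC into DST, write DST.sha256, make DST read-only
stage_profile() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp -R "$src/." "$dst/"
    manifest="$(cd "$(dirname "$dst")" && pwd)/$(basename "$dst").sha256"
    # Hash every file with a path relative to DST so the manifest stays valid
    # wherever the directory is later mounted.
    ( cd "$dst" && find . -type f -exec sha256sum {} + ) > "$manifest"
    # Read-only for everyone, including the user the containers run as.
    chmod -R a-w "$dst"
    chmod a-w "$manifest"
}

# verify_profile DST: exit 0 only if DST still matches DST.sha256 exactly
# (no file changed, removed or added).
verify_profile() {
    dst="$1"
    manifest="$(cd "$(dirname "$dst")" && pwd)/$(basename "$dst").sha256"
    expected=$(wc -l < "$manifest" | tr -d ' ')
    actual=$(cd "$dst" && find . -type f | wc -l | tr -d ' ')
    # sha256sum -c catches modified and missing files; the count catches additions.
    [ "$expected" -eq "$actual" ] || return 1
    ( cd "$dst" && sha256sum --status -c "$manifest" )
}

# release_profile DST: give write permission back, e.g. before deleting the copy
release_profile() {
    chmod -R u+w "$1"
}

# Typical use (assumed layout from the README):
#   stage_profile /path/to/Chrome/Default /forensix/data
#   ./startup          (run the analysis)
#   verify_profile /forensix/data && echo "artifacts unchanged"
```

Keeping the manifest outside the data directory matters: anything that can write into the mounted volume could otherwise rewrite the hashes along with the evidence. The count check is there because sha256sum -c only reports files listed in the manifest and would not notice a file planted into the profile copy.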
If you want to use HTTPS on the UI or server side, place the key and certificate in a /certificates directory inside /server or /client, respectively.
To generate a self-signed key and certificate:
openssl req -nodes -new -x509 -keyout server.key -out server.cert
Browsers will warn about a self-signed certificate unless you import it as trusted.
Change the baseURL protocol to https in /client/src/axios-api.js, then rebuild the changed image:
docker-compose build <client|server>
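The openssl command above prompts interactively for the subject fields and produces a certificate with no subject alternative name, which current browsers reject for hostname checks. The following is an added example (not one of ForensiX's own scripts) that generates the pair non-interactively with a SAN for localhost, restricts the key's permissions, and checks that the certificate and key belong together before you copy them into the certificates directory and rebuild. The certificates directory name follows the README; the 30-day lifetime in the test is arbitrary. It requires OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example, not part of the ForensiX project: create a self-signed key
# pair for local HTTPS without prompts, lock down the key file, and sanity
# check the result. Output file names match the README's server.key/server.cert.

# make_self_signed DIR [DAYS]: write DIR/server.key and DIR/server.cert
make_self_signed() {
    dir="$1"; days="${2:-365}"
    mkdir -p "$dir"
    # -nodes: unencrypted key, so the server can load it without a passphrase.
    # -subj: no interactive prompts. -addext: browsers match the SAN, not the CN.
    openssl req -x509 -nodes -newkey rsa:2048 -days "$days" \
        -subj "/CN=localhost" \
        -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
        -keyout "$dir/server.key" -out "$dir/server.cert" 2>/dev/null
    # The private key must not be readable by other users on the host.
    chmod 600 "$dir/server.key"
}

# cert_matches_key DIR: exit 0 if the certificate's public key equals the key's
cert_matches_key() {
    dir="$1"
    a=$(openssl x509 -in "$dir/server.cert" -noout -pubkey)
    b=$(openssl pkey -in "$dir/server.key" -pubout)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_has_san DIR: exit 0 if the certificate carries the localhost SAN
cert_has_san() {
    openssl x509 -in "$1/server.cert" -noout -text | grep -q 'DNS:localhost'
}

# cert_valid_now DIR: exit 0 if the certificate has not expired
cert_valid_now() {
    openssl x509 -in "$1/server.cert" -noout -checkend 0 >/dev/null
}

# Typical use (assumed layout from the README):
#   make_self_signed ./server/certificates 365
#   cert_matches_key ./server/certificates && cert_has_san ./server/certificates
#   cp ./server/certificates/server.* ./client/certificates/
#   docker-compose build server client
```

Run the checks before rebuilding the images: a mismatched key and certificate only shows up as a TLS handshake failure after the container starts, which is slower to diagnose than a failed shell check.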