Chrome Parser (cp)

Introduction

Google's Chrome Browser has many artifacts available that the forensics examiner can use in identifying a user's Internet activity. This includes Chrome's various databases, local storage, JSON formatted text files, and cache.

This tool, however, does not target all of Chrome's artifacts; it targets only certain SQLite databases used by the browser, and specific tables within them, that the forensics community has deemed useful. Specifically, this tool targets the following seven databases: (a) History, (b) Cookies, (c) Web Data, (d) Top Sites, (e) Shortcuts, (f) Login Data and (g) Favicons.

To run the tool, use the -db option and pass in the path/file of the Chrome SQLite database to parse. The screenshot shows all the options available.

[Screenshot: menu of options]

Below is an example of running the tool in its simplest form. Without explicitly setting any options, the tool will default to the SQL Select-type parser. The parsed output is written to the screen unless one redirects it to a file.

         c:\> cp -db c:\dump\History -csv > out.csv
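
To show what an SQL Select-type parse of the History database involves, here is an added Python example; it is not cp's code and does not reproduce cp's output format. It assumes the `urls` and `visits` tables of Chrome's History schema (only a subset of columns is used); the in-memory database, its rows and the function names are constructed for illustration.

```python
import csv
import io
import sqlite3
from datetime import datetime, timedelta, timezone

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

QUERY = """
SELECT v.visit_time, u.url, u.title, u.visit_count, v.transition
FROM visits AS v JOIN urls AS u ON u.id = v.url
ORDER BY v.visit_time
"""

def webkit_to_iso(us):
    """Convert a Chrome timestamp to ISO 8601 UTC; 0 means 'not set'."""
    if not us:
        return ""
    return (WEBKIT_EPOCH + timedelta(microseconds=us)).isoformat()

def build_sample_history():
    """Constructed in-memory stand-in for a History file (subset of columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 'Example', 2, 13350000060000000);
        INSERT INTO visits VALUES (1, 1, 13350000000000000, 805306368);
        INSERT INTO visits VALUES (2, 1, 13350000060000000, 805306369);
    """)
    return con

def history_to_csv(con):
    """Run the SELECT and return one CSV line per recorded visit."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["visit_time_utc", "url", "title", "visit_count", "core_transition"])
    for ts, url, title, count, transition in con.execute(QUERY):
        # The low byte of 'transition' is the core type (0 = link, 1 = typed).
        w.writerow([webkit_to_iso(ts), url, title, count, transition & 0xFF])
    return out.getvalue()

if __name__ == "__main__":
    # For a real case, open a working copy read-only instead:
    # sqlite3.connect("file:History?mode=ro", uri=True)
    print(history_to_csv(build_sample_history()), end="")
```

A plain SELECT like this only returns rows that are still live in the database.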
                

To process multiple databases one would use the -pipe option while enumerating a folder and subfolder of databases, like so:

         c:\> dir c:\dump\chrome_dbs /b /s /a | cp -pipe -carve -csvl2t > out.csv
                

Integrated Parsing Algorithms

The cp tool offers three possible parsing algorithms to choose from. They are as follows:

For more information

The user's guide can be viewed here

If you would like more information about cp, contact us via email.

Downloads

Platform    32-bit Version            64-bit Version            Hashes
Windows     cp32.v.0.12.win.zip       cp64.v.0.12.win.zip       md5/sha1
Linux       cp32.v.0.12.lin.tar.gz    cp64.v.0.12.lin.tar.gz    md5/sha1
Mac OS X    cp.v.0.12.osx.tar.gz      cp.v.0.12.osx.tar.gz      md5/sha1
*32-bit apps can run in a 64-bit Linux distribution if "ia32-libs" (and dependencies) are present.