Skip to content

Google Chrome forensic tool to process, analyze and visualize browsing artifacts

License

Notifications You must be signed in to change notification settings

ChmaraX/forensix

Repository files navigation

ForensiX

Google Chrome forensic tool

Forensic tool for processing, analyzing and visually presenting Google Chrome artifacts.

forensix ui

Features

  • Mounting of volume with Google Chrome data and preserving integrity trough manipulation process
    • read only
    • hash checking
  • Suspect profile and behavior estimations including:
    • personal information (emails, phone nums, date of birth, gender, nation, city, adress...)
    • Chrome metadata
      • Accounts
      • Version
    • Target system metadata
      • Operating system
      • Display resolution
      • Mobile Devices
    • Browsing history URL category classification using ML model
    • Login data frequency (most used emails and credentials)
    • Browsing activity during time periods (heatmap, barchart)
    • Most visited websites
  • Browsing history
    • transition types
    • visit durations
    • avg. visit duration for most common sites
  • Login data (including parsed metadata)
  • Autofills
    • estimated cities and zip codes
    • estimated phone number
    • other possible addresses
    • geolocation API (needed to be registered to Google)
  • Downloads (including default download directory, download statistics...)
  • default download directory
  • download statistics
  • Bookmarks
  • Favicons (including all subdomains used for respective favicon)
  • Cache
    • URLs
    • content types
    • payloads (images or base64)
    • additional parsed metadata
  • Volume
    • volume structure data (visual, JSON)
  • Shared database to save potential evidence found by investigators

Installation

Requirements:

Clone repository:

git clone https://github.com/ChmaraX/forensix.git

Note: ML model need to be pulled using since its size is ~700MB. This model is already included in pre-built Docker image.

git lfs pull

Put directory with Google Chrome artifacts to analyze into default project directory. Data folder will me mounted as a volume on server startup. The directory name must be named /data .

cp -r /Default/. /forensix/data

To download prebuild images (recommended): Note: If there is error, you may need to use sudo or set docker to not need a sudo prompt.

./install

Note: to build images from local source use -b:

./install -b

Wait for images to download and then start them with:

./startup

The runninng services are listenning on:

HTTPS/SSL

If you want to use HTTPS for communication between on UI or Server side, place key and certificate into /certificates directory in either /server or /client directory.

To generate self-signed keys:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Change baseURL protocol to https in /client/src/axios-api.js, then rebuild the specific changed image:

docker-compose build <client|server>