ChmaraX/forensix

Google Chrome forensic tool to process, analyze and visualize browsing artifacts

ForensiX

Google Chrome forensic tool

Forensic tool for processing, analyzing and visually presenting Google Chrome artifacts.

Features

• Mounting of volume with Google Chrome data and preserving integrity trough manipulation process
  • read only
  • hash checking
• Suspect profile and behavior estimations including:
  • personal information (emails, phone nums, date of birth, gender, nation, city, adress...)
  • Chrome metadata
    • Accounts
    • Version
  • Target system metadata
    • Operating system
    • Display resolution
    • Mobile Devices
  • Browsing history URL category classification using ML model
  • Login data frequency (most used emails and credentials)
  • Browsing activity during time periods (heatmap, barchart)
  • Most visited websites
• Browsing history
  • transition types
  • visit durations
  • avg. visit duration for most common sites
• Login data (including parsed metadata)
• Autofills
  • estimated cities and zip codes
  • estimated phone number
  • other possible addresses
  • geolocation API (needed to be registered to Google)
• Downloads (including default download directory, download statistics...)

• default download directory
• download statistics

• Bookmarks
• Favicons (including all subdomains used for respective favicon)
• Cache
  • URLs
  • content types
  • payloads (images or base64)
  • additional parsed metadata
• Volume
  • volume structure data (visual, JSON)
• Shared database to save potential evidence found by investigators

Installation

Requirements:

• docker
• docker-compose

Clone repository:

git clone https://github.com/ChmaraX/forensix.git

Note: ML model need to be pulled using since its size is ~700MB. This model is already included in pre-built Docker image.

git lfs pull

Put directory with Google Chrome artifacts to analyze into default project directory. Data folder will me mounted as a volume on server startup. The directory name must be named /data .

cp -r /Default/. /forensix/data

To download prebuild images (recommended): Note: If there is error, you may need to use sudo or set docker to not need a sudo prompt.

./install

Note: to build images from local source use -b:

./install -b

Wait for images to download and then start them with:

./startup

The runninng services are listenning on:

• ForensiX UI => http://localhost:3000
• ForensiX Server => http://localhost:3001
• MongoDB => http://localhost:27017

HTTPS/SSL

If you want to use HTTPS for communication between on UI or Server side, place key and certificate into /certificates directory in either /server or /client directory.

To generate self-signed keys:

openssl req -nodes -new -x509 -keyout server.key -out server.cert

Change baseURL protocol to https in /client/src/axios-api.js, then rebuild the specific changed image:

docker-compose build <client|server>