Chracer: Memory analysis of Chromium-based browsers

The web browsing activities of a user provide useful evidence for digital forensic investigations. However, existing analysis techniques that aim to analyze local artifacts (e.g., history and cache) cannot find useful data (e. g., visited URLs) if a user accesses the web using private or secret mode. Hence, string-searching and pattern- matching techniques have been proposed and used to examine user activities from a memory dump. These simple techniques are useful for identifying individual URLs visited in both normal and private modes. However, since a piece of individually detected data does not have context on how it is created, additional analysis efforts are required to properly interpret the meaning of the data. This paper proposes Chracer, a practical methodology for extracting forensically meaningful information from the virtual memory of a Chromium-based browser by systematically discovering objects of web browsing-related classes. Moreover, a proof-of-concept tool developed based on the proposed methodology demonstrates that users’ web browsing-related artifacts can be extracted effectively from the virtual memory of any Chromium-based browser, such as Google Chrome, Microsoft Edge and Brave.