Expert Insights on Performing Chromebook Forensic Examination

Dexter Morgan | April 27th, 2015 | Forensics

Google, after measuring the outbreak of its famous web browser Google Chrome, decided to deploy an individual machine running Chrome OS. Primarily designed to provide users what they love to do the most, Chromebook solely focuses on a web browser connected to internet and most of the applications with their data completely residing on the cloud. Besides they are shipped with 8-128GB SSDs which can be upgraded anytime.

Chromebooks utilize the power of Chromium OS which is the open source, development version of Chrome OS. Chromium OS was typically designed & developed to coordinate with web applications. Chrome OS was typically released with the following versions serially:

  1. ChromiumOS Cherry
  2. ChromiumOS Zero
  3. ChromiumOS Flow
  4. ChromiumOS Vanilla

Chromebook Forensics – Modus Operandi

Chromebook is basically built on Linux kernel, deploys Sea BIOS (Open Source Firmware specially developed for x86 architecture) runs on Chrome OS. As tempting as it seems, chrome book is a real challenge for an investigator. The primary reason being is that most of the data is getting stored on the cloud, logically hardly any concrete data is available. Chrome OS are intended to be portable and safe with eCryptfs File System. Which basically stores cryptographic metadata in the header of the each file ever written in chrome OS. The encrypted files can be copied between hosts and it will be decrypted utilizing the exact key in the Linux Kernel Keyring. Despite the fact that it is almost a tough nut to crack, however there are multiple ways to perform forensic investigation on Chrome book:

Google Takeout for Chromebook Forensics

Chromebook upon installation asks for a Google account which is used to synchronize all the data via the account. From an investigative point of view user footprints such as search history, download history, location, user data can all be investigated using that particular Gmail account the suspect is signed in with. Investigator can leverage Google’s takeout feature to download complete user data at once without even going through the gruesome pain of acquiring and investigating the system.


Google Takeout

But let’s prepare for the worst, to be sure that the suspect is savvy enough to wipe out Google data easily. Or logs in using guest account, then the method fails invariably.

Acquiring forensic image of Chromebook

The primary step towards an investigation is to first acquire physical or logical image of the potential source of evidence. Chromebook although leaves nothing substantial but as discussed earlier it surely does provide SSD for internal storage which might be a viable source of probative evidence.

Despite being such a security frenzy OS, Chromium OS however does provide an alternative developer mode. Developer mode allows you gain root access and execute Linux/shell commands. Due to major complexity of the chromium boot process, entering into developer mode becomes a necessity to run other distribution or execute Linux commands on Chromebook. Each and every device has a different approach to enter into developer mode, you can refer to the official website:

As soon as you enable developer mode, it will display “Chrome OS verification is turned off. Press space to begin recovery” respectively.

As soon as you enter the developer mode the next course of action is to boot using a live OS and execute forensic cloning of SSD using DD or DCFLDD commands respectively.


Usage: sudo dd if=/dev/sda of=/media/removable/$external_hard_drive/$harddisk.img

But Wait…

There is a major flaw in the process! Chromium OS hard resets your device and erases the data completely off the device. Which completely defeats your purpose to enter into the developer mode in the first place.

That although is a major setback for an investigator during the process of Chromebook Forensics, but there are other ways round to perform this. Forensic Utilities that support Network Acquisition might come handy, provided they should support chromium OS and leverage software based write blocker/protection to preserve evidence integrity.

Open Chromebook back panel to locate the following key parts essential during investigation:



  1. CPU
  2. RAM
  3. System firmware. 8MB SPI Flash.
  4. NGFF (M.2) SSD
  5. Battery enable switch
  6. Battery enable screw
  7. Write-protect screw
  8. Servo debug header
  9. NGFF (M.2) WWAN connector

Upon proper SSD imaging you can use forensic utility such as Access Data FTK Imager to mount the image or investigate the image. Here’s a glimpse of what you may find:


SSD partition Structure

Now, upon analyzing each and every partition, investigator is greeted with a variety of user information. As discussed earlier, almost each and every data is encrypted in Chromebook. However, data can be analyzed and investigated after understanding the complete encryption process. Upon complete investigation you may encounter SQLite database, configuration files, relevant browsed images, & much more.


Encrypted Data

Chromebook RAM DUMPS

Volatile memory has always been a valuable treasure for investigators, considering the amount of user data to be retrieved. Acquiring Chromebook RAM dumps is however a tedious process than usual. Considering the scenario that investigators manage to capture suspect’s Chromebook in a running state, a lot of evidence would yield.

Volatile memory dumps might contain, user passwords, browsing history and any other extension activity easily. There is a very high possibility of locating application specific data such as chats, descriptions, messages, etc. via RAM dumps.


Google Chromebook maintains its reputation to secure user data and maintain its integrity. For an investigator it is a nightmare to conduct Chromebook Forensics by uncovering layers of protection to acquire evidence and then analyze. Chromebook uses encryption to protect data by using eCrypt File System which maintains a lock and key concept while encrypting & decrypting data. Adding to that, nothing else could be performed in Chromium OS other than regular we surfing using chrome, performing additional tasks using extensions or copy, move & edit data from drives unless you have developer mode enabled.

Developer mode comes with a punch that is to secure wipe resident data from physical drives which makes the process a dead end. Chromebook data can be acquired by non-traditional methods by using forensic imaging hardware such as tableau. While acquiring volatile memory from RAM again investigator either has to freeze, remove, mount and dump the ram or be lucky enough to get a Chromebook running in developer mode.

*Note: The screenshots used in this post are intended for educational/informational purpose. In case of any issues/discrepancy contact the administrator or author to takedown content/propitiatory images.