Expert Insights on Performing Chromebook Forensic Examination
Google, after measuring the outbreak of its famous web browser Google Chrome. They decided to deploy an individual machine running Chrome OS. Primarily designed to provide users with what they love to do the most, the Chromebook solely focuses on a web browser connected to the internet and most of the applications with their data completely residing on the cloud. Besides they are shipped with 8-128GB SSDs which can be upgraded anytime. But after introducing the Chromebook it becomes tough to crack. So this post will help to perform the Chromebook forensic investigation.
Chromebooks utilize the power of Chromium OS which is the open-source, development version of Chrome OS. Chromium OS was typically designed & developed to coordinate with web applications. Chrome OS was typically released with the following versions serially:
ChromiumOS Cherry, Zero, Flow, Vanilla
Chromebook Forensics – Modus Operandi
Chromebook is basically built on Linux kernel, deploys Sea BIOS (Open Source Firmware specially developed for x86 architecture) runs on Chrome OS. As tempting as it seems, a chrome book is a real challenge for an investigator. The primary reason being is that it stores most of the data in the cloud, logically hardly any concrete data is available. Chrome OS intends to be portable and safe with the eCryptfs File System. Which basically stores cryptographic metadata in the header of each file ever written in Chrome OS. The encrypted files can be copied between hosts and they will be decrypted utilizing the exact key in the Linux Kernel Keyring. Despite the fact that it is almost a tough nut to crack, however, there are multiple ways to perform a forensic investigation on Chrome book:
Google Takeout for Chromebook Forensics
Chromebook upon installation asks for a Google account which uses to synchronize all the data via the account. From an investigative point of view, user footprints such as search history, download history, location, and user data can all be investigated using that particular Gmail account the suspect is signed in with. Investigators can leverage Google’s takeout feature to download complete user data at once without even going through the gruesome pain of acquiring and investigating the system.
But let’s prepare for the worst, to be sure that the suspect is savvy enough to wipe out Google data easily. Or log in using a guest account, then the method fails invariably.
Acquiring Forensic Image of Chromebook
The primary step toward an investigation is to first acquire a physical or logical image of the potential source of evidence. Chromebook although leaves nothing substantial but as discussed earlier it surely does provide SSD for internal storage which might be a viable source of probative evidence.
Despite being such a security frenzy OS, Chromium OS however does provide an alternative developer mode. Developer mode allows you to gain root access and execute Linux/shell commands. Due to the major complexity of the chromium boot process, entering into developer mode becomes a necessity to run other distributions or execute Linux commands on Chromebook. Each and every device has a different approach to entering into developer mode, you can refer to the official website: https://www.chromium.org/chromium-os/developer-information-for-chrome-os-devices
As soon as you enter the developer mode the next course of action is to boot using a live OS and execute forensic cloning of SSD using DD or DCFLDD commands respectively.
Usage: sudo dd if=/dev/sda of=/media/removable/$external_hard_drive/$harddisk.img
There is a major flaw in the process! Chromium OS hard resets your device and erases the data completely off the device. Which completely defeats your purpose to enter into the developer mode in the first place.
That although is a major setback for an investigator during the process of Chromebook Forensics, there are other ways round to perform this. Forensic Utilities that support Network Acquisition might come in handy, provided they should support chromium OS and leverage software-based write blocker/protection to preserve evidence integrity.
Open the Chromebook back panel to locate the following key parts essential during the investigation:
List of Key Components Essential During the Chromebook Forensic Investigation
- System firmware. 8MB SPI Flash.
- NGFF (M.2) SSD
- Battery enable switch
- Battery enable screw
- Write-protect screw
- Servo debug header
- NGFF (M.2) WWAN connector
Upon proper SSD imaging, you can use a forensic utility such as Access Data FTK Imager to mount the image. Here’s a glimpse of what you may find:
Now, upon analyzing each and every partition, the investigator is greeted with a variety of user information. Almost each and every piece of data is encrypted in Chromebook. However, data can be analyzed and investigated after understanding the complete encryption process by applying Chromebook forensic. Upon complete investigation, you may encounter SQLite database, configuration files, relevant browsed images, & much more.
Chromebook RAM DUMPS
Volatile memory is always a valuable treasure for investigators, considering the amount of user data to retrieve. Acquiring Chromebook RAM dumps is however a more tedious process than usual. Considering the scenario that investigators manage to capture the suspect’s Chromebook in a running state. A lot of evidence would yield.
Volatile memory dumps might contain, user passwords, browsing history and any other extension activity easily. There is a very high possibility of locating application-specific data such as chats, descriptions, messages, etc. via RAM dumps.
Google Chromebook maintains its reputation to secure user data and maintain its integrity. For an investigator, it is a nightmare to conduct Chromebook Forensics by uncovering layers of protection to acquire evidence and then analyze it. Chromebook uses encryption to protect data by using eCrypt File System which maintains a lock and key concept while encrypting & decrypting data. Adding to that, nothing else could be performed in Chromium OS other than regular surfing using chrome, performing additional tasks using extensions or copying, move & edit data from drives unless you have developer mode enabled.
Developer mode comes with a punch that is to secure wipe resident data from physical drives which makes the process a dead end. Chromebook data can be acquired by non-traditional methods by using forensic imaging hardware such as tableau. While acquiring volatile memory from RAM again investigator either has to freeze, remove, or mount. Then dump the ram or be lucky enough to get a Chromebook running in developer mode.
*Note: The screenshots used in this post are only for educational/informational purposes. In case of any issues/discrepancies contact the administrator or author to takedown content/propitiatory images.