Does this method still work?
Forensic question: How can data be recovered from a Chromebook device?
OS: ChromeOS
Tools:
Procedures and scripts written by Special Agent Daniel Dickerman
Technical Advisor – IRS Criminal Investigation – Electronic Crimes
daniel dot dickerman at ci dot irs dot gov
THE PROCEDURES AND SCRIPTS IN THIS DOCUMENT ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
This document is provided to the general Computer Forensic community as a starting point to incite further research by others in the community, with the goal of further refining these procedures and developing additional procedures. This document contains three main sections. The first section explains the importance of obtaining all available cloud data from Google either via legal process or via consent through the Google self-service “Takeout” mechanism. The second section provides scripts and instructions on capturing a decrypted logical backup of all encrypted data on a Chromebook/Chromebox if you have the username(s) and password(s) for the accounts on the Chromebook/Chromebox. The final section provides scripts and instructions on capturing a full physical disk clone of a Chromebook/Chromebox in some situations. Please see each section for complete details.
Your Chromebook or Pixelbook does not have traditional keyboard keys and does not include Function (Fn) keys across the top of the keyboard. To use Fn keys on a Chromebook or Pixelbook, as is needed to enter or switch between the virtual terminals (TTY1, TTY2, etc.) in ChromeOS, Chromium OS or another OS, use the links below to identify the keyboard keys you need to press.
The below links provide details about the keys found on most Chromebooks and the new Pixelbooks.
Use your Chromebook keyboard: https://support.google.com/chromebook/answer/1047364
Chromebook Keyboard shortcuts: https://support.google.com/chromebook/answer/183101
Use the Pixelbook keyboard: https://support.google.com/pixelbook/answer/7504061
Pixelbook keyboard shortcuts: https://support.google.com/pixelbook/answer/7503852
Debug Button Shortcuts https://chromium.googlesource.com/chromiumos/docs/+/master/debug_buttons.md
Chromebook and Chromebox devices are cloud-centric devices designed to be used via a live Internet connection in conjunction with Google Accounts. Depending on the Privacy Settings for each Google Account, a significant amount of user data may be stored in the cloud with Google, including: Personal Info; Account Security Info; People & Sharing Info (Contacts and Family Group info); Payments & Subscription Info; Activity History and Timeline (by location) for Web & App Activity, Location History, Voice & Audio Activity, Device Information, YouTube Search History; and activity and stored content from the Google Services you use (e.g. Account, AdWords, Android, Books, Google Calendar, Chrome, Contacts, Google Drive, Gmail, Google Play Store, Google+, Google Payments and YouTube).
If you have a cooperating owner of a Google Account, the owner may provide online access to their Google Account and allow the export of a complete copy of all data in the Google Account via Google Takeout. https://takeout.google.com/?hl=en&utm_source=google-account&utm_medium=web
If you do not have a cooperating owner of a Google Account, you will want to immediately serve the appropriate legal process to Google to preserve and obtain all available data associated with the Google Account. Detailed information about legal process for user data requests is publicly available as an FAQ here: https://support.google.com/transparencyreport/answer/7381738?hl=en
Examples of the kinds of data that may be available for each Google product or service are listed in the FAQ under the heading “What kinds of data do you disclose for different products?”
If and when legal authority allows, law enforcement and/or government officials should immediately submit a preservation request to Google LLC, followed by a Search Warrant, to preserve and then obtain all account content. Remember that anyone having the username and password for the Google Account(s) in question can remotely destroy data in their Google Account(s) at any time.
Legal Process requests for account data are submitted through the Google Law Enforcement Request System (LERS). Law Enforcement can create an account and log in here: https://lers.google.com/signup_v2/landing
Additional contact information and/or information about serving legal process to Google LLC may be available to law enforcement and/or government officials from the Department of Justice, Computer Crime & Intellectual Property Section (CCIPS) or Search.org. Questions can be sent directly to the Google Legal Investigations Support team via email [email protected].
This section provides information needed to create various specialized USB disks for use in various data acquisition scenarios.
Three standard 32GB USB drives (do not use SD cards or other media). One to create a bootable live Chromium OS USB, one to create an Encrypted Partition Recovery USB drive used when you have the username and password for the account(s) on the Chromebook/Chromebox, and one to create a Physical Cloning Recovery USB drive that may be used in certain situations.
Provided custom bash scripts:
create_encrypted_partition_recovery_usb.sh
create_physical_cloning_recovery_usb.sh
custom_chromeos-install
image_chromebook.sh
prep_evidence_drive.sh
triage_stateful.sh
An additional USB drive of any kind, on which you will place the above provided bash scripts. Later you will mount the USB drive and copy the scripts from this USB to a /home/scripts/ folder on your Chromium OS live USB.
A large capacity portable USB3.0 hard drive large enough to hold a complete clone of the Chromebook/Chromebox internal HD you may be imaging, if desired. Preferably a very fast SSD drive with an external easily visible activity light, like the Samsung T5 shown below.
Chrome Browser, if not already installed and updated.
Chromebook Recovery Utility app, available here: https://chrome.google.com/webstore/detail/chromebook-recovery-utili/jndclpdbaamdhonoechobihbbiimdgai
The “Special” build of Chromium for amd64 or x86 computers,
Camd64OS_R72-11316.B-Special.7z for 64-bit computers, available here:
https://chromium.arnoldthebat.co.uk/index.php?dir=special&order=modified&sort=desc
If desired, you may manually download any of the past or present released builds of the ChromeOS Recovery USB image for your model Chromebook/Chromebox. These scripts and procedures were designed on release 72 and in the event future ChromeOS releases break these scripts or processes, you may need to go to this URL and use a build 72 or earlier Recovery image instead of the newer one produced by the Recovery Utility app. All builds are here:
https://cros-updates-serving.appspot.com/
You must create unique Recovery USB drives for each model Chromebook/Chromebox device you wish to acquire. Each Recovery USB is designed for a specific model and will only work with that model. You will need to repeat these steps each time you need to acquire a new Chromebook/Chromebox device, using freshly created Recovery USB drives.
Your first step is to create factory ChromeOS Recovery USB drives for the specific Chromebook/Chromebox you need to acquire.
Run your Chrome Browser, type chrome://apps/ into the Chrome address bar, launch the Chromebook Recovery Utility app and click “Get Started.”
Click “Select a model from a list” and select your manufacturer and model from the dropdown boxes…
…or enter a model # directly and click “Continue.”
Select your 32GB USB drive, on which you will be deploying one of the customized ChromeOS Recovery images discussed in this document, and click “Continue.”
Click “Create now” to create a factory ChromeOS Recovery USB drive.
When complete, safely eject your USB.
Click “Create another” to repeat the steps in this section to create a second factory ChromeOS Recovery USB drive, one to modify as an Encrypted Partition Recovery USB and one to modify as a Physical Cloning Recovery USB.
Note that if you are performing these steps on a Windows OS, upon the creation of these ChromeOS USB drives, Windows will pop up NUMEROUS annoying dialog boxes asking if you want to format all of the many newly created partitions on the disk. Do NOT format or do anything other than simply close each and every pop-up dialog that appears.
The Chromium OS Live USB created in this section is designed to be used as a “utility” OS environment, in which you will be running various scripts to create your needed Recovery USBs or perform various functions. These “Special” build Chromium OS Live USBs need to be able to boot one of your forensic computers successfully so you can operate inside this Chromium OS environment. All of these procedures were successfully accomplished with Special builds 72 and 78, booting a MacBook Pro laptop. Testing with build 76 resulted in unsuccessful booting of that same MacBook Pro laptop due to video driver issues. Through trial and error, you may need to find the build (up through build 78 at the time of this release) that properly boots your forensic computer that you will be using. This step, and which Special build of Chromium that you use, will depend solely on the computer you will be booting with your Chromium OS Live USB.
Note: Once you find a build that successfully boots your forensic computer, this Chromium OS Live USB does not need to be recreated each time you need to acquire a new Chromebook/Chromebox device. It may be reused on your forensic computer whenever you create custom Recovery USB drives in the following sections of this document.
Download the “Special” build of Chromium for amd64 or x86 computers,
Camd64OS_R78-12499.B-Special.7z for 64-bit computers, available here:
https://chromium.arnoldthebat.co.uk/index.php?dir=special&order=modified&sort=desc
Use 7-Zip to extract the image out of the 7z archive. Note, older releases called the image chromium_image.img but more recent releases of these Chromium images have been named chromium_image.bin instead. Regardless of what the name of the image is, simply extract the image contained in the 7-zip archive.
Launch the Chromebook Recovery Utility app and click the gear icon in the upper-right corner of the Chromebook Recovery Utility app.
chrome://apps/
If your extracted Chromium OS image has a .bin file extension then the image file will be immediately visible when you browse to the folder containing the image. If your extracted Chromium OS image has an .img file extension, you will not immediately see the image file in the browse window where you select the downloaded and extracted “local image” and you must type “*.*” or “*.img” in the File name: box (as shown in the 2nd screenshot below) to see and select the chromium_image.img image.
Select a 32GB USB drive, on which you will be deploying the Chromium OS live USB image, and click “Continue.”
Click “Create now” to create your Chromium OS live USB drive.
When complete, safely eject your USB and label the USB as your Chromium OS live USB.
Note that upon the creation of this USB drive, Windows will pop up NUMEROUS annoying dialog boxes asking if you want to format all of the many newly created partitions on the disk. Do NOT format or do anything other than simply close each and every pop-up dialog that appears.
If this Chromium OS live USB does not correctly boot your own forensic computer then you will need to repeat this section to find a “Special” build that does correctly boot your own computer, or try another forensic computer.
Note: this section of the instructions requires at least some minimal understanding of *nix command line usage and commands.
On your additional regular USB thumb drive, use Windows to create a folder in the root of the thumb drive called “scripts” and copy all provided bash scripts into that “scripts” folder.
Boot your own forensic computer to your newly created Chromium OS live USB.
Upon booting to Chromium OS, at the GUI splash screen, press CTRL+ALT+F2 to open a non-GUI pseudoterminal (TTY1 = /dev/pts/1), otherwise known as a terminal or console.
Log into TTY1 using “root” as the username; no password is required.
Plug in your USB thumb drive containing all the provided bash scripts in a “scripts” folder. The USB drive should contain ONLY the provided scripts in a “scripts” folder and nothing else!
At the terminal prompt, run “fdisk -l” so you can identify your USB drive containing the bash scripts.
At the terminal prompt, type “mktemp -d” and hit enter. Make note of the temporary folder created, as you will use this folder as a mount point to mount your USB drive containing the bash scripts. (i.e. temp folder created named /tmp/tmp.i4F2gtKrs5)
Mount the partition of your USB drive that contains the bash scripts using the command “mount /dev/sdc1 /tmp/tmp.i4F2gtKrs5” where /dev/sdc1 must be the correct device and partition identifier for your USB drive containing the bash scripts. The /tmp/tmp.i4F2gtKrs5 part of the command must match the randomly generated folder created by the “mktemp -d” command.
Copy all files from /tmp/tmp.i4F2gtKrs5/scripts/ to a /home/scripts/ folder on your Chromium OS live USB using the command:
mkdir /home/scripts && cp /tmp/tmp.i4F2gtKrs5/scripts/* /home/scripts/
Unmount the USB drive containing the bash scripts, using the command “umount /tmp/tmp.i4F2gtKrs5”
Unplug the USB drive containing the bash scripts so it is no longer attached to the computer before running any of the scripts!
Attach one of your previously created factory ChromeOS Recovery USB drives to your forensic computer, which you have currently booted to Chromium OS using your Chromium OS live USB.
Run the bash script to turn the factory ChromeOS Recovery USB drive into an Encrypted Partition Recovery USB drive, using the command:
“. /home/scripts/create_encrypted_partition_recovery_usb.sh” without the quotes. Make sure you have a space between the ‘.’ and /home/scripts/create_encrypted_partition_recovery_usb.sh.
You will be prompted to select the attached factory ChromeOS Recovery USB and then have the opportunity to choose the partition size to be created on the USB. The default partition size is 10GB and you can take the default unless you know you need a larger partition for capture of a very large amount of encrypted user data.
Read each prompt and/or information provided by the script. Confirm “Y” at each prompt in the script until the script ends.
The factory ChromeOS Recovery USB is now an Encrypted Partition Recovery USB to be used solely for the purpose of acquiring a decrypted logical backup of encrypted data on a Chromebook/Chromebox device for which you have a username and password.
Remove the USB drive and label the USB as your Encrypted Partition Recovery USB.
Do not shut down Chromium OS yet. Continue with the next section.
Attach your second previously created factory ChromeOS Recovery USB drive to your forensic computer, which you have currently booted to Chromium OS using your Chromium OS live USB.
Run the bash script to turn the factory ChromeOS Recovery USB drive into a Physical Cloning Recovery USB, using the command:
“. /home/scripts/create_physical_cloning_recovery_usb.sh” without the quotes. Make sure you have a space between the ‘.’ and /home/scripts/create_physical_cloning_recovery_usb.sh.
The factory ChromeOS Recovery USB is now a Physical Cloning Recovery USB to be used solely for the purpose of capturing a full physical clone of the hard drive of a seized Chromebook/Chromebox device.
Remove the USB drive and label the USB as your Physical Cloning Recovery USB.
Do not shut down Chromium OS yet. Continue with the next section.
You may, if desired and in certain circumstances, be cloning the internal HD of a seized Chromebook/Chromebox to your large capacity USB3.0 hard drive. You MUST first completely WIPE your large capacity USB hard drive using whatever method you choose before completing any further preparation steps, to ensure the destination drive contains no residual data.
After the destination USB drive is wiped, attach it to your forensic computer running Chromium OS from the previous section of this document.
Run the bash script to prepare the wiped destination USB drive so that it is ready to be cloned with the internal HD of your seized Chromebook/Chromebox. Use the command:
“. /home/scripts/prep_evidence_drive.sh” without the quotes. Make sure you have a space between the ‘.’ and /home/scripts/prep_evidence_drive.sh.
When prompted by the script, select the number identified as your wiped destination USB drive.
You will be prompted to confirm that you wish to re-write new partitioning information to the selected disk. Hit “Y” or “y” to confirm and finish preparing the destination USB drive.
You may now disconnect your prepared destination USB drive, label the USB as your Evidence Destination USB, and shut down Chromium OS.
This section of the document is for use when you either 1) have a cooperating individual that provides you with the username and password for the user account(s) setup on a Chromebook/Chromebox; or 2) you obtain the username(s) and password(s) from other means.
Note that any Chromebook/Chromebox can be in either “Normal mode” or “Developer Mode” when using this process. Either way, this process recovers decrypted data from the users’ encrypted vault and/or encrypted.block system file on the “STATE” partition (i.e. stateful_partition) of the Chromebook/Chromebox device and leaves the device in its pre-existing operational status.
Chromebook/Chromebox devices have a complex hard drive partitioning scheme. There are several small partitions that contain non-user data including copies of the ChromeOS kernel, root file systems, and EFI firmware. Partition 1 (/dev/mmcblk0p1 shown below) is the largest partition on the hard drive and contains user and system data of evidentiary value. The screenshot below demonstrates the default partitioning scheme on the 256GB drive of a Google Pixelbook. The partition
Partition 1 has a volume label called “STATE”, and it is known as and mounted by ChromeOS as the “Stateful Partition”. ChromeOS mounts this partition to the folder mountpoint /mnt/stateful_partition as shown in the below screenshot.
Contained in the root of the STATE partition, is an encrypted block of volatile data in a file called encrypted.block. Upon successful boot of ChromeOS, this encrypted.block is decrypted into the mountpoint folders /mnt/stateful_partition/encrypted, /var, and /home/chronos. These mountpoint folders contain all kinds of user-attributable system data of evidentiary value.
Here are some examples of the contents of the decrypted “encrypted.block” file.
Additionally, each user on the Chromebook/Chromebox has their own user-specific encrypted vault where all their user data is stored. These encrypted vaults are only accessible in a decrypted form when the user logs in with the correct username and password. The encrypted vaults consist of a series of folders, subfolders and files contained within the /mnt/stateful_partition/home/.shadow folder of the mounted “STATE” partition.
The below screenshot shows that this Pixelbook currently has two user accounts, and therefore two encrypted user vaults, contained in folders called 76fda1cf9d734b9d5ebcc934b72c64dd6f372551 and d424c43345941d4cc7467c7c3a2c6281680e4058. The vault starting with d424… is currently logged on and decrypted, and the vault starting with 76fda… is not logged on and is therefore still encrypted.
Your Encrypted Partition Recovery USB will perform a decrypted extraction of the contents of the encrypted user vault of your choice, providing you have the correct username and password. An example of the data to be decrypted and extracted is shown below, including the contents of the user’s Downloads folder and all other user-attributable data for this user.
If the user account is the “owner” account on the Chromebook/Chromebox then in addition to the decrypted user vault, you will also get the entire decrypted contents of the system data contained in the encrypted.block file. If the user account you extract is not the “owner” account on the device, then you will only be provided the decrypted user vault for that user without the extra system data.
On a Chromebook/Chromebox with only one user account, that user account is the “owner” account. On a Chromebook/Chromebox with multiple user accounts, the first account setup is the “owner” account. You can check for the “owner” account on the initial login screen of a booted Chromebook/Chromebox by clicking on the drop-down arrow to the right of any username on the login screen.
Read all steps in this section in their entirety before you go through this process! There are certain steps that MUST be followed EXACTLY as explained!
From a powered off Chromebook/Chromebox, place the device in “Recovery Mode”. Certain model Chromebooks require holding a keyboard sequence “ESC+Refresh” while powering on the Chromebook. Other models, such as Chromeboxes, have a physical recovery button/switch that must be pressed/switched while powering on the Chromebook. See further information under the “Enter Recovery Mode” section of this support page from Google. https://support.google.com/chromebook/answer/1080595?hl=en
When powered on to Recovery Mode, you will see this on the screen saying “Please insert a recovery USB stick.”
Insert your Encrypted Partition Recovery USB drive to automatically start the “Stateful Recovery” process.
After a few seconds, the screen will go blank and you will then see the below screens appear.
If you see anything other than the above screen stating “Stateful recovery requested”, you will have a short wait period during which you must immediately press and hold down the power button to force the Chromebook/Chromebox to power down before any data is destroyed.
You will be prompted to enter the username (email address) and password of the user account, of which you will capture a decrypted backup of the contents of the user’s encrypted vault. If the user entered is the system “Owner” (i.e. the first Google Account setup on the computer, if there are multiple accounts setup.) then the decrypted backup will also include all system data contained in the encrypted.block file found in the root of the stateful partition. This system data contains a significant amount of data that may be of interest. If the user entered is NOT the system owner then only the user’s vault will be decrypted and backed up. This decrypted backup process may be repeated for each user you have the username/password for, one user at a time.
Note: Google does not use special characters in the prefix of email addresses, so you must type [email protected] as [email protected]
After entering the username and password, just be patient while the system reboots.
The system will now reboot to the normal ChromeOS login screen and perform some processes in the background. Do not attempt to log in or do anything; just be patient and wait. On some systems, after the login screen disappears and the system attempts to restart to begin the copy process, you will see the below screen saying “ChromeOS is missing or damaged.” If this appears, this is normal (nothing is corrupt or missing) and you should continue with steps 10 and 11 (disconnect the USB drive and power off, then restart in Recovery Mode with the same USB drive). On some systems, this “Chrome OS is missing or damaged” message does not appear and the process automatically restarts in Recovery Mode and automatically continues with step 12 (waiting for the copying files message), skipping steps 10 and 11. If the below screen appears, continue with step 10. If the below screen does not appear, continue with step 12.
Disconnect your Encrypted Partition Recovery USB drive and power off the Chromebook/Chromebox.
Restart the Chromebook/Chromebox in Recovery Mode again and insert the same Encrypted Partition Recovery USB drive you just disconnected.
Be patient and wait until you see the message that the recovery process is copying files. Note: Having USB devices with activity lights makes it easier to watch and ensure that the copying is taking place.
When the Copying Files process is complete, you will be instructed to disconnect your USB and shut down. Your USB now contains a file called extracted.tgz in a recovery folder created on the STATE partition (partition 1) of your Encrypted Partition Recovery USB drive.
This tar gzip archive contains the decrypted backup of your requested files. You may mount partition 1 of your Encrypted Partition Recovery USB drive using your Chromium live USB and extract or copy out the extracted.tgz for analysis. You may also use your standard computer forensic tools to copy/extract the extracted.tgz archive off your Encrypted Recovery USB drive.
Most of the relevant evidence in the extracted.tgz archive will be found within the “decrypted” folder. If there is only one user account on the Chromebox/Chromebook, that user account will be the “Owner” of the system. If there are multiple accounts present, the first created account will be the “Owner” of the system. For the “Owner” user, you will be interested in the contents of both the decrypted/mount and decrypted/encrypted folders. Most interesting user vault data will be found within decrypted/mount/user, and system data will be found within the decrypted/encrypted folder. If the extracted user was NOT the system “Owner”, then the decrypted/encrypted folder, which would contain the decrypted contents of the encrypted.block file from the root of the stateful partition, will NOT be included in the decrypted backup, and therefore no general system data is provided in your Encrypted Partition recovery.
The extracted.tgz archive can be extracted and analyzed on your forensic workstation using your typical forensic tools of choice.
The Chromebook/Chromebox device has been left in the same operational state as when you started.
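Before unpacking extracted.tgz on the forensic workstation, it helps to hash it and confirm which of the two areas described above it contains. The following is an added example, not one of the provided scripts; the folder names come from this document, while the function names and output format are made up for the example.

```shell
#!/bin/sh
# Added example (not one of the provided scripts): inventory an extracted.tgz
# produced by an Encrypted Partition Recovery without unpacking it.
# decrypted/mount/user and decrypted/encrypted are the folders named in this
# document; function names and the output format are hypothetical.

# SHA-256 of stdin as lowercase hex (shasum fallback where sha256sum is absent).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# inventory_extraction ARCHIVE
# Prints tab-separated key/value lines:
#   sha256, user_vault_files, system_data_files, owner_system_data, unsafe_paths
inventory_extraction() {
    archive=$1
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 1; }
    printf 'sha256\t%s\n' "$(sha256_hex < "$archive")"
    # List member names only; nothing is written to disk.
    tar -tzf "$archive" | awk '
        {
            name = "/" $0
            sub(/^\/\.\//, "/", name)   # "./decrypted/..." -> "/decrypted/..."
            # Members that would land outside the extraction folder.
            if (substr($0, 1, 1) == "/" || index(name "/", "/../")) { unsafe++; next }
            if (name ~ /\/$/) next       # count files, not directory entries
            if (index(name, "/decrypted/mount/user/")) vault++
            else if (index(name, "/decrypted/encrypted/")) sys++
        }
        END {
            printf "user_vault_files\t%d\n", vault
            printf "system_data_files\t%d\n", sys
            # System data is only present when the Owner account was extracted.
            printf "owner_system_data\t%s\n", (sys > 0 ? "yes" : "no")
            printf "unsafe_paths\t%d\n", unsafe
        }'
}

# Usage: sh inventory_extraction.sh /path/to/extracted.tgz
if [ "$#" -ge 1 ]; then inventory_extraction "$1"; fi
```

An owner_system_data value of "no" matches the non-Owner case described above; a non-zero unsafe_paths count means the archive should be unpacked only with a tool that refuses absolute or parent-relative member names.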
Note: Prior to performing any steps in the section, make sure you have served legal process to Google, as explained at the beginning of this document, to obtain all stored cloud data for any accounts used on the seized Chromebook or Chromebox device.
The procedure in this section produces a complete raw bitstream physical disk clone of a seized Chromebook’s internal HD. In order to accomplish this, the Chromebook must be in Developer Mode. If the Chromebook is already in Developer Mode, these procedures produce a physical clone of the Chromebook’s internal HD and leave the existing Chromebook in the same state it was in before cloning. Examiners with advanced Linux skills may choose to perform their own data acquisition with dd or other tools. The script and instructions provided in this section offer an automated cloning acquisition process for users who are not Linux savvy.
If the Chromebook was not already in Developer Mode and you attempt to switch the Chromebook/Chromebox into Developer Mode, you will clear the TPM in the process and render all encrypted data unrecoverable. DO NOT switch the device to Developer Mode; doing so makes it impossible to perform an Encrypted Partition recovery as described in the previous section of this document. If you switch to Developer Mode, all user accounts will be cleared and you will be presented with an “Out Of the Box Experience” (OOBE) requiring the setup of new accounts.
User data on the Chromebook’s internal HD is stored within each user’s encrypted folder structure located in /mnt/stateful_partition/home/.shadow/. These folders are located on partition 1 of the internal HD, which is an ext4 partition (i.e. /dev/mmcblk0p1).
While not covered in detail in this document, physically pulling the hard drive from a Chromebook/Chromebox and obtaining a physical image or clone may be an option to consider for devices in “Normal Mode.” Make sure you put the drive back in and leave the device in Normal Mode, in the same state as it was when you received it if you want any future possibility of performing an Encrypted Partition Recovery or otherwise log into any existing accounts on the device.
Read all steps in this section in their entirety before you go through this process! There are certain steps that MUST be followed EXACTLY as explained!
If the Chromebook/Chromebox was ALREADY in Developer Mode when you received it, you should see the following screen upon powering on the Chromebook/Chromebox device. At this screen, press CTRL+D to boot the native ChromeOS.
At the native ChromeOS login screen, where existing user accounts are presented to you, press CTRL+ALT+F2 to switch to a virtual terminal (TTY1). Log on as the user ‘root’ with no password required.
To ensure that booting from your Chromium OS live USB drive is allowed, at the root prompt, type “crossystem dev_boot_legacy=1 dev_boot_usb=1” without the quotes and hit enter.
Note that for *nix-savvy users, you have full root access right now and may choose to image using dd however you wish, perform searching or triage, capture RAM, or perform any other desired task. The following steps are for non-*nix-savvy users that need a simple method for cloning the internal Chromebook/Chromebox hard drive.
Press CTRL+ALT+F1 to switch back to the GUI login screen and shut down the device normally.
Attach your Chromium OS live USB drive and power on the Chromebook, then at the Developer Mode startup screen (screen says “OS verification is OFF”), press CTRL+U to boot into Chromium OS. Make sure no other USB drives are attached yet!
Once booted to your Chromium OS live USB, at the initial startup Splash Screen, press CTRL+ALT+F2 to switch to a virtual terminal (TTY1). Log on as the user ‘root’ with no password required.
Attach your previously prepared clone output destination USB drive, using the procedures discussed earlier in this document. Make sure the Chromebook is plugged in and providing enough power for destination drive and the Chromebook for the duration of the cloning process.
Run the script to clone the internal Chromebook/Chromebox hard drive to the attached prepared destination USB drive, using the command:
“. /home/scripts/image_chromebook.sh” without the quotes. Make sure you have a space between the ‘.’ and /home/scripts/image_chromebook.sh.
Wait until the dd cloning process is complete. Progress and imaging speed will be displayed on your screen. If your screen goes to sleep you may hit “Esc” to wake the screen back up.
Exit out of the logged in TTY1 shell by typing “exit” and hitting enter.
Switch back to the GUI splash screen by pressing CTRL+ALT+F1. Shut down Chromium by clicking on the Shut Down icon in the lower left corner of the Splash Screen.
You may now remove the Chromium OS live USB and your newly cloned destination USB device.
The Chromebook/Chromebox has been left in the same operational state as when you started.
You now have either decrypted user and/or system data from an Encrypted Partition Recovery, or a forensic image or clone of the internal Chromebook HD from the above scripts, from pulling the hard drive out of a Chromebook/Chromebox that is in “normal mode”, or your own physical acquisition process. You have a variety of both unencrypted and encrypted data available and may use the forensic tools of your choice to parse, search, carve, etc.
The triage script provided for this section may be of use when you ONLY have an encrypted original hard drive or clone from a Chromebook/Chromebox. The triage_stateful.sh script allows an examiner to quickly see if the Chromebook/Chromebox user(s) has files and/or folders in their “Downloads” folder. Although the data is encrypted, using file system metadata we are able to identify the Downloads folder for each encrypted user vault on the hard drive and enumerate the contents of the Downloads folder(s).
Boot any non-Chromebook (non-evidence) computer to your Chromium OS live USB.
Once booted to your Chromium OS live USB, at the initial startup Splash Screen, press CTRL+ALT+F2 to switch to a virtual terminal (TTY1). Log on as the user ‘root’ with no password required.
Attach, via USB, the Chromebook/Chromebox hard drive or clone containing encrypted user vaults (located in /home/.shadow of the STATE partition of the drive).
Then run the bash script to triage the user(s) encrypted vaults on the attached hard drive, using the command: “. /home/scripts/triage_stateful.sh” without the quotes. Make sure you have a space between the ‘.’ and /home/scripts/triage_stateful.sh. Follow the prompts.
You will be prompted to enter any known username (i.e. email address) of any user accounts that were used on this Chromebook/Chromebox.
Type each of the known username(s) separated by a space and hit ENTER. Type VERY carefully because there is no backspace or delete in this script.
Google does not use special characters in the prefix of email addresses, so you must type [email protected] as [email protected]!
The script will tell you which encrypted vault belongs to any usernames you provide.
The script will enumerate the contents of the Downloads folder of each encrypted vault.
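As an added example (not the document's triage_stateful.sh, whose source is not reproduced here), the functions below show one way a supplied username can be matched to a vault directory without decrypting anything. They assume the ChromeOS cryptohome convention that each vault directory under .shadow is named with the hex SHA-1 of the system salt file (.shadow/salt) followed by the lowercased username; the function names and the /mnt/state mount point are hypothetical.

```shell
#!/bin/sh
# Added example, not the document's triage_stateful.sh.
# Assumption: vault directory name = hex SHA-1(salt file bytes || lowercased username).
# Type the username the way the document instructs (no special characters
# in the prefix); this code only lowercases it.

# vault_name SALT_FILE USERNAME -> prints the 40-hex-character directory name
vault_name() {
    local salt_file="$1" user
    user=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    { cat "$salt_file"; printf '%s' "$user"; } | sha1sum | cut -d' ' -f1
}

# match_vaults SHADOW_DIR USERNAME... -> "<username> <vault dir>" or "<username> NO_MATCH"
match_vaults() {
    local shadow="$1" user name
    shift
    [ -r "$shadow/salt" ] || { echo "no salt file at $shadow/salt" >&2; return 2; }
    for user in "$@"; do
        name=$(vault_name "$shadow/salt" "$user")
        if [ -d "$shadow/$name" ]; then
            echo "$user $shadow/$name"
        else
            echo "$user NO_MATCH"
        fi
    done
}

# unmatched_vaults SHADOW_DIR USERNAME... -> vault directories that none of the
# supplied usernames map to (accounts the examiner has not yet identified)
unmatched_vaults() {
    local shadow="$1" known="" user d
    shift
    for user in "$@"; do
        known="$known $(vault_name "$shadow/salt" "$user")"
    done
    for d in "$shadow"/*/; do
        d=${d%/}; d=${d##*/}
        printf '%s' "$d" | grep -Eq '^[0-9a-f]{40}$' || continue
        case " $known " in *" $d "*) ;; *) echo "$d" ;; esac
    done
}

# Usage, with the STATE partition mounted read-only at a hypothetical /mnt/state:
#   match_vaults /mnt/state/home/.shadow user@example.com
if [ "$#" -ge 2 ]; then match_vaults "$@"; fi
```

A vault reported by unmatched_vaults is one for which the supplied username list is incomplete or was typed differently from how the account was registered on the device.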
Additionally, booting into the native ChromeOS will allow you to use the Chrome Browser in the ChromeOS GUI environment to access chrome://chrome-urls/. These URLs provide a vast amount of information about the Chromebook, so you will want to explore and document as desired. The URL below and other online resources describe the information that is available.
https://www.ghacks.net/2012/09/04/list-of-chrome-urls-and-their-purpose/
To access chrome://chrome-urls/, do the following:
At the GUI login screen, you will click on the “Browse as Guest” button in the lower left corner of the screen.
Open the Chrome Browser, if it doesn’t automatically open, and enter chrome://chrome-urls/ in the Chrome address bar. Now explore the many links.
Once in the Chrome Browser, you can also press CTRL+ALT+T to open a terminal window within the Chrome Browser. The help and help_advanced commands will provide you much information at the crosh> prompt. Many of the available commands will provide information you may be interested in. If the Chromebook/Chromebox is in Developer mode, you can additionally type “shell” and hit enter to get a full root shell in the terminal window within the Chrome Browser.
This “Analysis and beyond…” section of this whitepaper is just a quick set of instructions to get you started. This is an in-depth work in progress and future revisions of this document will provide further information on the forensic analysis of Chromebooks.
Any contributions from other researchers on Chromebook analysis and artifacts are welcome and encouraged.
This paper provides a step-by-step guide for acquiring evidence from a Chromebook. This is particularly useful due to the limited amount of prior literature in this area. This paper was also peer-reviewed as part of the VTO Brews and Bytes event that took place in Denver, Colorado on November 11, 2019. The directions provided in the paper were used to acquire evidence from three devices (Samsung Gen 3 XE501C13, Asus C100PA Flip, Lenovo C330 H1HY). One reviewer noted that they were unsuccessful with acquiring at least one type of device. Another reviewer found that it may not be necessary to have three USB drives; a device with a capacity of 32 GB or higher that can make a USB connection can be used. They were able to create live and recovery USBs using a 2TB external hard drive, which may also provide greater speed than USB flash drives.
Further research in troubleshooting the bash scripts with the ChromeOS Recovery images for various models and builds would be helpful. It may also be interesting to see this logical-style extraction of individual user accounts performed repeatedly to see if there are any differences between successive acquisitions.
This extraction could also be performed on a Chromebook with developer mode enabled. If a physical image of the drive was taken before and after the acquisition, the artifacts left behind (if any) by this type of extraction could be enumerated so investigators are better able to explain the ramifications of their actions.
Jessica Hyde (Methodology Review, Validated Review using Reviewer Generated Datasets)
Timothy Bollé (Methodology Review)
Linda Shou (Methodology Review)
Lisa Brown (Methodology Review)