Forensic Recovery of Chrome Based Browser Passwords
Recently John Hammond released an excellent video [1] showing how threat actors leverage tools to harvest credentials stored in the Chrome browser. I recommend checking his video and YouTube channel for other cyber security topics. During an investigation, the credentials stored in Chrome based browsers (Chrome, Edge, Brave, etc.) may be a critical piece of information to support and/or solve the case under analysis. Few tools are able to parse that information and extract such relevant data for a forensic investigator. Inspired by John's video and the tool created by Jayden Oh Yicong [2], I challenged myself to adapt the Python script and, in conjunction with other tools, decrypt sensitive data stored by Chromium based browsers.
Disclaimer
All the information shared here should be used carefully. Please be advised that you should not use this tool or knowledge without proper authorization. Use at your own risk.
Requirements
In order to successfully proceed with the password decryption, you will need the following evidence, preserved during the acquisition phase of the forensic process:
• The files Local State and Default\Login Data, collected from the browser's \User Data\ directory
1 of 15 6/25/24, 8:38 PM
Forensic Recovery of Chrome Based Browser Password... https://palmenas.medium.com/forensic-recovery-of-c...
• Brave: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\
Scenario
Imagine that during a digital forensic investigation you have acquired the data mentioned above; you are lucky. I have created a test environment using Microsoft Edge and saved a fake credential in the browser settings. The credential is encrypted with the AES algorithm, and the key is itself encrypted with the Windows Data Protection API (DPAPI). That is why, when I click the 'eye' icon to show the password, Edge asks for my Windows credentials before displaying the saved password.
Process
As previously mentioned, the password is encrypted with a key stored in the JSON file Local State. In older Chrome versions, this was the key used directly to decrypt the passwords in the local SQLite database file Login Data. Newer Chrome versions improved security: this key is now itself encrypted with DPAPI, using the user's masterkey, which adds another layer of protection. This is how the password appears in the `Login Data` database file, table logins:
Since we were prepared for this case, we were able to collect the required files, including the memory dump. We can now mount the memory image with MemProcFS [3] and extract the minidump of the lsass process.
The memory will be mounted as a network share on drive letter `M:`. Navigate to the M:\name\lsass.exe-PID\minidump directory. In this path you should see a file named minidump.dmp: this is the memory dump of the lsass process. I will not go into details here, but LSASS (Local Security Authority Subsystem Service) is the process responsible for authentication, auditing and policy enforcement in Windows. This gives us a hint why this process memory is so important to our analysis. Let's continue.
lsass.exe — Minidump
M:\name\lsass.exe-652\minidump>dir
Volume in drive M is DOKAN
Volume Serial Number is 1983-1116
Directory of M:\name\lsass.exe-652\minidump
07/08/2023 12:10 PM 390 readme.txt
07/08/2023 12:11 PM 49,352,704 minidump.dmp
07/08/2023 12:12 PM <DIR> ..
07/08/2023 12:12 PM <DIR> .
2 File(s) 49,353,094 bytes
2 Dir(s) 536,870,912 bytes free
Once the file is copied, open minidump.dmp with mimikatz [4] and export the masterkey of the user under investigation. Save the MasterKey value. This is the first part of the secret we need to provide to our tool to decrypt the Chrome encryption key; we will use it later, as you will see.
Now open the Local State file from your Chromium browser. In this example, since I am using Microsoft Edge, the path is C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Local State. Search (Ctrl+F) for "encrypted" and copy the encrypted_key value. This value is base64 encoded. Decode it using your preferred tool (I am using CyberChef) and save the output to disk in binary format (enckey.dat).
Open the saved file (enckey.dat) with your favorite hex editor, remove the DPAPI string at the beginning of the file and save it. This is how it should look:
Before
After
After saving the modified binary file, we have the encrypted key that will be used to decrypt the saved Chrome passwords, but there is one more problem: this key is encrypted with the user's DPAPI masterkey. To proceed with the decryption, go back to mimikatz and this time use the dpapi module to decrypt the encrypted blob:
Now we have the key used to encrypt the password in Login Data database.
• Key:
d9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20
Now use the script I tweaked [7] to decrypt the passwords stored in the browser. Run the Python script with the key you collected:
• MySecretPassword_918!!!
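The two file-handling steps above, pulling the DPAPI-wrapped key out of Local State and decrypting a v10 password_value cell once the AES key is known, as an added Go example; this is not the article's tweaked script [7] nor any tool it references. It assumes the Login Data cell uses the v10 layout ("v10" prefix, 12-byte nonce, AES-256-GCM ciphertext with tag), leaves the DPAPI unwrap to mimikatz exactly as the article does, and uses only Go's standard library; the JSON and key values in the comments are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// Local State step, automated: read os_crypt.encrypted_key from the JSON,
// base64-decode it and strip the 5-byte "DPAPI" marker (the hex-editor edit).
// What remains is the DPAPI blob that mimikatz still unwraps with the masterkey.
func dpapiBlobFromLocalState(localState []byte) ([]byte, error) {
	var ls struct {
		OsCrypt struct {
			EncryptedKey string `json:"encrypted_key"`
		} `json:"os_crypt"`
	}
	if err := json.Unmarshal(localState, &ls); err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(ls.OsCrypt.EncryptedKey)
	if err != nil || !bytes.HasPrefix(raw, []byte("DPAPI")) {
		return nil, errors.New("encrypted_key missing, not base64, or not DPAPI-wrapped")
	}
	return raw[len("DPAPI"):], nil
}

// Login Data step: decrypt one password_value cell from the logins table with
// the recovered 32-byte AES key. Layout: "v10" || 12-byte nonce || GCM ciphertext+tag.
// A cell without the v10 prefix is an older DPAPI-only entry and is rejected here.
func decryptV10(key, blob []byte) ([]byte, error) {
	if len(key) != 32 || !bytes.HasPrefix(blob, []byte("v10")) {
		return nil, errors.New("need a 32-byte key and a v10-prefixed blob")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // only errs for non-128-bit block ciphers
	body := blob[len("v10"):]
	if len(body) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("v10 blob truncated")
	}
	// Open verifies the GCM tag, so a tampered or mis-keyed cell fails loudly.
	return gcm.Open(nil, body[:gcm.NonceSize()], body[gcm.NonceSize():], nil)
}
```

An unsupported cell (no v10 prefix) or a wrong key returns an error rather than garbage, which is the signal an examiner wants before trusting a recovered value.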
Summary
Again, this is one more interesting scenario where a digital forensic investigator can use different techniques to extract critical information that may be extremely relevant to the case under analysis. Of course there are other methods one could use to acquire the same information, including collecting the masterkey from disk [5], but that only works if we have access to the user's password. Another option would be to upload the script [2] to the machine, execute it and collect the resulting CSV file. In some cases, however, you might simply be presented with the evidence and have no option to go back to the scenario and execute other tools. I hope this article can help the digital forensic community recover important information that can be relevant to a case.
Final words: when you don't have the tool you need to do the job, just remember Bear Grylls:
References
[1] https://www.youtube.com/watch?v=CIOsemj3kl4
[2] https://github.com/ohyicong/decrypt-chrome-passwords
[3] https://github.com/ufrisk/MemProcFS
[5] https://nandynarwhals.org/sieberrsec-ctf-3.0-digginginthedump/
[6] https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dpapi-extracting-passwords
[7] https://github.com/palmenas/dcp
Palmenas Diniz
Jun 4, 2023