Process a ChromeOs Acquisition Using The cLeapp Autopsy Plugin

With the introduction of cLeapp (Chrome Logs, Events and Protobuf Parser), I have created an Autopsy plugin that will run cLeapp against a ChromeOs extraction and pull in the information into Autopsy. To find out more about cLeapp head over to Alexis Brignoni’s Initialization vectors Blog to find out more information about cLeapp. To download the new plugin to install, head over to https://github.com/markmckinnon/Autopsy-NBM-Plugins

To add this plugin, download the Netbeans Module from here and install it, if you need help installing a Netbeans Autopsy Module then go here for instructions. Once installed you will now be able to parse ChromeOS extractions.

ChromeOs extractions can be accomplished in one (1) of two (2) ways. The first is to follow the process outlined in the Daniel Dickerman which can be found here. The second process is to use the Magnet Chromebook Acquisition Assistant created by Magnet Forensics, more information about this tool can be found here. Once an acquisition has been accomplished there are multiple ways to get the data into Autopsy:

  1. Using the Logical File datasource add the extracted.tgz file to it and then run the cLeapp plugin module against it. This is the slowest process to run as the plugin needs to extract the image then pull the information from the tar file.
  2. Unzip the extracted.tgz file to a tar file and using the Logical File datasource add the extracted.tar file to it and then run the cLeapp plugin module. This is the next preferable way to run the plugin. In order to run other Autopsy plugins against the data, you will need to extract and add the files back into the data source.
  3. Unzip/Untar the extracted.tgz file to a mounted VHD drive letter. Once you have unzip/untared the file then you need to unmount/eject the VHD and add the file as an image data source. You can run the cLeapp plugin module against it. This is the preferred method as it allows you to run other Autopsy modules against it.

Once you have the data source in Autopsy you can run the plugin module against it.

The plugin will run for a little while, especially if a Linux VM is on the extracted ChromeOs. Once the Plugin has run then you will see artifacts that have been populated that Autopsy supports, this part is a work in progress and more artifacts will be added.

Once cLeapp has been run if you want to see the actual cLeapp report all you need to do is to go to the reports section and click on the cLeapp report and it will show you the cLeapp HTML report.

This has been tested with Autopsy 4.17 and 4.18, it should work with 4.16, I just have not tested with that version. If you need it to work with a version lower than that please let me know and I will see if I can get it to work.

As I stated above there is a way to add additional artifacts that Autopsy will recognize and that is by downloading the two (2) files from here and saving them to your Autopsy config, you can find this directory at C:\Users\<User Name>\AppData\Roaming\autopsy\config. By adding to one (1) or both of the files you will be able to extend the current artifacts that Autopsy recognizes from cLeapp. I have included one (1) artifact as an example.

Hopefully, this helps you in your ChromeOs investigation(s). As always if you have any questions or comments please let me know.

Enjoy!!!

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store