Reminders
Storage
Chromium-based browsers like Google Chrome, Microsoft Edge, Brave store a variety of sensitive user data, including:
- Saved passwords
- Cookies and session tokens
- Form autofill data
- Credit card information
- Browser history
- Installed extensions and their local storage
This data is stored on disk in various formats and directories under the user's profile.
C:\Users\
| Data Type | File / Folder Location | Format | Notes |
|---|---|---|---|
| Passwords | Login Data |
SQLite | Encrypted with AES-GCM using DPAPI-unlocked master key |
| Cookies | Network/Cookies |
SQLite | Encrypted with AES-GCM, App Bound Master Key (Windows 10+ / v80+) |
| Form Autofill Data | Web Data |
SQLite | Includes names, addresses, emails, phone numbers |
| Credit Card Info | Web Data |
SQLite | Encrypted; full credit card numbers stored only if user allows |
| Browser History | History |
SQLite | URLs visited, timestamps, visit counts, etc. |
| Installed Extensions | Extensions\ folder |
Files/JSON | Metadata stored in manifest.json, state in IndexedDB/LocalStorage |
| Local Extension Data | Local Extension Settings\<ext_id>\ and IndexedDB\ |
LevelDB/IndexedDB | Includes extension-specific storage and potentially sensitive data |
| Session/Tab State | Sessions, Last Session, Last Tabs |
Binary/Protobuf | Recently closed tabs and windows |
| Favicons | Favicons |
SQLite | Stores site icons and their mapping to URLs |
| Bookmarks | Bookmarks |
JSON | Tree-structured list of user bookmarks |
| Preferences | Preferences |
JSON | Browser and user settings, includes extension permissions |
| Downloads | History |
SQLite | Stored along with visit history under the downloads table |
| Media Licenses | Pepper Data\Shockwave Flash\WritableRoot or WidevineCdm\ |
Files | Used for DRM content; may store license keys |
DPAPI Decryption
The Master Key: Chrome stores a randomly generated key in the Local State JSON file under os_crypt.encrypted_key. This master key is encrypted using DPAPI (user-bound).
- SQLite %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data
- Get Chrome user level AES Master key located in %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State
- Decrypt MasterKey with CryptUnprotectData
- Decrypt AES-GCM password with BCryptDecrypt and decrypted Masterkey
Function CryptUnprotectData from dpapi.h decrypt the input DATA_BLOB pDataIn and stores the result in pDataOut
DPAPI_IMP BOOL CryptUnprotectData(
[in] DATA_BLOB *pDataIn,
[out, optional] LPWSTR *ppszDataDescr,
[in, optional] DATA_BLOB *pOptionalEntropy,
PVOID pvReserved,
[in, optional] CRYPTPROTECT_PROMPTSTRUCT *pPromptStruct,
[in] DWORD dwFlags,
[out] DATA_BLOB *pDataOut
);
DATA_BLOB structure. cbData contains the Length of bytes data and *pbData is a pointer to content bytes data(encrypted/decrypted)
typedef struct _CRYPTOAPI_BLOB {
DWORD cbData;
BYTE *pbData;
}
Structure of the Chrome AES master key
Header = [0..3] // Chrome specific version
IV = 96 random bit [3..15]
CipherText : 16 bit [15..17]
TAG = 128 bit [-16]
AES-GCM decryption
Finally the password encrypted_value can be decrypted using BCryptDecrypt from bcrypt.h with a symetric AES-GCM key
NTSTATUS BCryptDecrypt(
[in, out] BCRYPT_KEY_HANDLE hKey,
[in] PUCHAR pbInput,
[in] ULONG cbInput,AES
[out, optional] PUCHAR pbOutput,
[in] ULONG cbOutput,
[out] ULONG *pcbResult,
[in] ULONG dwFlags
);
Bcrypt Algorithm and chaining mode variables
BCRYPT_AES_ALGORITHM = "AES"
BCRYPT_CHAIN_MODE_GCM = "ChainingModeGCM"
BCRYPT_CHAINING_MODE = "ChainingMode"
BCRYPT_AUTH_TAG_LENGTH = "AuthTagLength"