It’s been a long time since I did any forensic research, so today is the day.
Nobody has coined the old saying yet, but it is hard to disagree with it: the results of your forensic investigation are only as good as your understanding of, and context for, the data in front of you.
EDRs and forensic analysis tools give us a lot of data to work with, but that data often lacks exactly this context, and despite all the goodness they provide I think vendors could still do a bit better.
Take Chrome browser extensions as an example.
EDR logs are typically very process- and file-system-centric, and when it comes to browser extensions the most common things we see are artifacts like this:
What the heck is cjpalhdlnbpafiamejdnhcphjbkeiagm?
It is an extension ID (in some weird parallel universe they are kind of the equivalent of an ActiveX CLSID). Thanks to Twitter (thanks Ziyad!), today I learned how extension IDs are actually generated. That doesn’t help much with the forensic analysis of an extension ID, though: yes, you can search for its meaning/mapping online, or, if you are lucky and have the very same extension installed in your own browser, you may find a reference to this specific ID manually on your file system and eventually pair it with the actual name of the extension: uBlock Origin.
There are many problems with manual analysis like this. Over the years there have been at least 400-500K Chrome extensions out there, maybe even more, many with a short life span and either already deleted by their authors or forcibly removed from the Chrome Web Store by Google themselves.
Obviously, it would be nice if we could somehow collect the info about all the extension IDs ever registered and use it to enrich our searches, whether in an IR or DF context. Right, Google?
Luckily, someone already did the hard work for us: the chrome-extensions-archive project provides tools to collect and archive Google Chrome extensions. Unfortunately, however, the project has been suspended for a while now and I am not sure if it will ever be revived. FWIW, some parts of the old crx.dam.io website are still available online, preserved by the Web Archive, if you need to access them.
I have been using the aforementioned code to collect the list of extension IDs for a few years now, and every once in a while I revisit the Google site to refresh the set and update my local lookup table. Other sources I have used are a bunch of Google Chrome clone sites, primarily in China, which occasionally prove useful for filling in some extension ID gaps, especially for older or short-lived extensions.
At this very moment, the lookup table is nearly 340K entries strong and since it’s holiday time, I have decided to release the data to anyone who is interested.
See part 2; I have released the file publicly.
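As an added illustration (this is example code, not the post’s own or the chrome-extensions-archive project’s code), the snippet below shows the two practical pieces the post talks about: how a packed extension’s ID is derived from its public key, and how a lookup table turns the opaque ID in an EDR path artifact back into an extension name. The derivation is the one Chrome uses for packed extensions: the SHA-256 of the DER-encoded public key (the same bytes that appear base64-encoded in a manifest.json `key` field), truncated to its first 16 bytes and re-encoded with the hex digits 0-f mapped onto the letters a-p; unpacked extensions hash their install path instead and are not covered here. The lookup table, the EDR path lines, the version folders and the `key` bytes are all constructed for the example; the only pairing taken from the post is cjpalhdlnbpafiamejdnhcphjbkeiagm = uBlock Origin.

```python
"""Added example: derive a Chrome extension ID and enrich EDR path artifacts
with an extension-ID lookup table. Not the original post's code."""
import base64
import hashlib
import re
from typing import Dict, List, Optional

# Chrome's extension-ID alphabet: hex digit 0..f -> letter a..p.
_HEX_TO_AP = str.maketrans("0123456789abcdef", "abcdefghijklmnop")


def hex_to_ext_alphabet(hexstr: str) -> str:
    """Re-encode a lowercase hex string in Chrome's a-p extension-ID alphabet."""
    return hexstr.lower().translate(_HEX_TO_AP)


def extension_id_from_public_key(der_public_key: bytes) -> str:
    """Packed-extension ID: first 128 bits of SHA-256(DER public key), a-p encoded."""
    digest = hashlib.sha256(der_public_key).hexdigest()
    return hex_to_ext_alphabet(digest[:32])


def extension_id_from_manifest_key(manifest_key_b64: str) -> str:
    """Same derivation, starting from the base64 'key' value of a manifest.json."""
    return extension_id_from_public_key(base64.b64decode(manifest_key_b64))


# Constructed stand-in for a DER public key (real keys are ~300 bytes of ASN.1).
CONSTRUCTED_KEY_DER = b"constructed-public-key-bytes-for-the-example"
CONSTRUCTED_KEY_B64 = base64.b64encode(CONSTRUCTED_KEY_DER).decode()

# An extension ID is exactly 32 letters from a-p, bounded by non-ID characters
# (path separators, quotes, spaces...). The lookarounds stop us from matching
# a 32-letter slice out of a longer a-p run.
EXT_ID_RE = re.compile(r"(?<![a-p])[a-p]{32}(?![a-p])")

# Constructed lookup table. The uBlock Origin pairing is the one the post names;
# a real table would hold hundreds of thousands of rows.
LOOKUP: Dict[str, str] = {
    "cjpalhdlnbpafiamejdnhcphjbkeiagm": "uBlock Origin",
}

# Constructed EDR file-path artifacts (version folders and user name are made up).
SAMPLE_EDR_LINES: List[str] = [
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
    r"\cjpalhdlnbpafiamejdnhcphjbkeiagm\1.46.0_0\js\background.js",
    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions"
    r"\abcdefghijklmnopabcdefghijklmnop\0.0.1_0\content.js",
]


def extract_extension_ids(text: str) -> List[str]:
    """Return every extension-ID-shaped token found in an artifact string."""
    return EXT_ID_RE.findall(text)


def enrich_artifacts(lines: List[str],
                     lookup: Dict[str, str] = LOOKUP) -> Dict[str, Optional[str]]:
    """Map each extension ID seen in the artifacts to a name, or None if unknown.

    An unknown ID is itself a useful signal: the extension is either very new,
    short-lived, or was never catalogued, and deserves a closer look."""
    result: Dict[str, Optional[str]] = {}
    for line in lines:
        for ext_id in extract_extension_ids(line):
            result[ext_id] = lookup.get(ext_id)
    return result


if __name__ == "__main__":
    print("ID from constructed key:", extension_id_from_manifest_key(CONSTRUCTED_KEY_B64))
    for ext_id, name in enrich_artifacts(SAMPLE_EDR_LINES).items():
        print(f"{ext_id} -> {name or 'UNKNOWN (not in lookup table)'}")
```

In a real pipeline the `LOOKUP` dict would be loaded from the released lookup table, and `enrich_artifacts` would run over the EDR export; the regex deliberately keys on the a-p alphabet rather than on the `Extensions\` folder so that it also catches IDs in registry paths, command lines and network URLs.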