dbling: The Chrome OS Forensic Toolset

===================================
dbling: The Chrome OS Forensic Tool
===================================


dbling is a tool for performing forensic analysis of Chrome OS.

Please view the latest version of the documentation on Read the Docs and the latest version of the code on GitHub.

Publication
-----------

This work is based on the following publication:

Installation
------------

Coming soon!

dbling Components
-----------------

dbling is divided into the following main components:

Crawler
~~~~~~~

The Crawler finds and downloads the list of extensions currently available on the Chrome Web Store. For each listed extension it checks whether that version has already been downloaded; if not, it downloads it and adds information about the newly downloaded extension to the database.

The documentation for the Crawler code is under :doc:`crawl`.
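The "already downloaded?" decision described above, as an added example (not the dbling project's own code): the crawled store listing is modelled as ``(extension_id, version)`` pairs and the database as a dict from extension id to the set of versions already stored; both the data shapes and the sample values are assumptions constructed for this illustration. Versions are compared numerically so that ``1.10.0`` sorts after ``1.9.0``, and every unseen version of a known extension is still fetched, which is what lets the database keep each version the store has ever published.

```python
"""Added example, not dbling's own code: selecting which Chrome Web Store
entries a crawler still has to download.

Assumed (not from the project): the crawled list is a sequence of
(extension_id, version) pairs and the database is a dict mapping
extension_id -> set of version strings already downloaded.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted extension version such as "1.4.12" into a tuple of ints
    so versions compare numerically rather than lexically."""
    parts = []
    for piece in version.split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component in {version!r}")
        parts.append(int(piece))
    return tuple(parts)


def select_for_download(crx_list: Iterable[Tuple[str, str]],
                        downloaded: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return the (id, version) pairs not yet present in the database.

    An entry is skipped only when exactly that version is already stored; a
    newer or otherwise unknown version of a known extension is still fetched.
    Duplicate entries in the crawled list are collapsed, and a malformed
    version string raises before anything is queued.
    """
    todo: List[Tuple[str, str]] = []
    seen: Set[Tuple[str, str]] = set()
    for ext_id, version in crx_list:
        parse_version(version)  # reject malformed entries early
        key = (ext_id, version)
        if key in seen or version in downloaded.get(ext_id, set()):
            continue
        seen.add(key)
        todo.append(key)
    return todo


def record_downloaded(downloaded: Dict[str, Set[str]], ext_id: str, version: str) -> None:
    """Mark a version as stored, so later crawls skip it."""
    downloaded.setdefault(ext_id, set()).add(version)


def latest_known_version(downloaded: Dict[str, Set[str]], ext_id: str) -> Optional[str]:
    """Highest stored version of an extension, or None if never downloaded."""
    versions = downloaded.get(ext_id)
    if not versions:
        return None
    return max(versions, key=parse_version)


if __name__ == "__main__":
    # Constructed sample data; extension ids are placeholders, not real ones.
    db = {"ext-a": {"1.0.0"}, "ext-b": {"2.1.0", "2.2.0"}}
    listing = [("ext-a", "1.0.0"), ("ext-a", "1.1.0"), ("ext-b", "2.2.0"),
               ("ext-c", "0.9"), ("ext-c", "0.9")]
    for ext_id, version in select_for_download(listing, db):
        print(f"would download {ext_id} {version}")
        record_downloaded(db, ext_id, version)
    print("latest ext-b:", latest_known_version(db, "ext-b"))
```

Keeping the check keyed on the exact ``(id, version)`` pair rather than on "is this id known" is the point: an extension whose author pushes a new version must be re-fetched, because it is the new version's files that a later profile will be matched against.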

Template Generator
~~~~~~~~~~~~~~~~~~

The Template Generator runs concurrently with the Crawler. For each new extension downloaded by the Crawler, the Template Generator calculates the centroid of the extension and stores it in the database. The Template Generator does not run inside Chrome or Chrome OS, so it cannot use the mechanisms Chrome uses natively for unpacking and installing extensions. Instead, its primary job is to mimic as closely as possible Chrome's own behaviour when unpacking and installing an extension.

The code for the Template Generator is implemented alongside the Crawler, but the main function that creates templates is :func:`~common.centroid.calc_centroid`.

Profiler
~~~~~~~~

The Profiler is a command line tool designed for forensic examiners to create profiles of the extensions installed on a disk image. It is the component that applies knowledge of Chrome OS's disk and file system layout to identify which encrypted directories are most likely to contain installed extensions. It then uses the MERL Exporter to interpret the results against the database of extension templates and write them to a MERL file.

The documentation for the Profiler code is under :doc:`profile`.

MERL Exporter
~~~~~~~~~~~~~

The MERL Exporter creates a MERL file from a set of information about extension candidates. The Profiler uses it directly to query the database of extension fingerprints (originally created by the Template Generator) for matching extension profiles and to filter them using a given set of criteria. It then saves the results of the profile search by translating them into XML entries that conform to the MERL schema.

The documentation for the MERL Exporter code is under :doc:`merl`.

Gripper
~~~~~~~

Gripper leverages the APIs provided by G Suite to acquire data about a user's activities on a Chromebook. Specifically, Gripper answers the following questions:

- Who was logged into a specific device?
- When were they logged in?
- What did they do while logged in?

For more information about Gripper, see :doc:`google/index`. The documentation for the Gripper code is under :doc:`google/apis`.
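The three questions above, reduced to code as an added example that is not Gripper's own: a stream of per-device audit events is folded into login sessions, each carrying the user, the login and logout times, and the actions taken in between. The event records and their field names (``time``, ``device``, ``actor``, ``event``, ``detail``) are constructed for this illustration and are a simplification; they do not reproduce the layout of any G Suite report, and acquiring real records from the G Suite APIs is the part this example leaves out.

```python
"""Added example, not Gripper's own code: answering "who, when, what" for a
device from a list of audit events.

The records in SAMPLE_EVENTS are constructed for this example and use an
assumed, simplified field layout (time/device/actor/event/detail); they are
not the shape of any real G Suite report.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

SAMPLE_EVENTS = [  # constructed sample data; device ids and users are placeholders
    {"time": "2017-09-08T09:02:00+00:00", "device": "dev-1", "actor": "alice@example.com", "event": "login"},
    {"time": "2017-09-08T09:05:30+00:00", "device": "dev-1", "actor": "alice@example.com", "event": "app_launch", "detail": "Docs"},
    {"time": "2017-09-08T09:40:00+00:00", "device": "dev-1", "actor": "alice@example.com", "event": "logout"},
    {"time": "2017-09-08T13:10:00+00:00", "device": "dev-1", "actor": "bob@example.com", "event": "login"},
    {"time": "2017-09-08T13:12:00+00:00", "device": "dev-1", "actor": "bob@example.com", "event": "extension_install", "detail": "ext-c 0.9"},
    {"time": "2017-09-08T10:00:00+00:00", "device": "dev-2", "actor": "carol@example.com", "event": "login"},
]


def _ts(value: str) -> datetime:
    """ISO 8601 with an explicit UTC offset, as in the sample records."""
    return datetime.fromisoformat(value)


def sessions_for_device(events: List[Dict], device: str) -> List[Dict]:
    """Fold the events for one device into sessions, in time order.

    A session is {"user", "login", "logout", "actions"}.  A login with no
    matching logout stays open (logout is None), which is what an examiner
    sees for the user who was still signed in when the device was seized.
    Activity with no preceding login is kept as a session with login=None
    rather than silently dropped.
    """
    ordered = sorted((e for e in events if e["device"] == device), key=lambda e: _ts(e["time"]))
    sessions: List[Dict] = []
    open_by_user: Dict[str, Dict] = {}
    for e in ordered:
        user = e["actor"]
        if e["event"] == "login":
            session = {"user": user, "login": e["time"], "logout": None, "actions": []}
            open_by_user[user] = session
            sessions.append(session)
        elif e["event"] == "logout":
            session = open_by_user.pop(user, None)
            if session is not None:
                session["logout"] = e["time"]
        else:
            session = open_by_user.get(user)
            if session is None:  # activity without a recorded login
                session = {"user": user, "login": None, "logout": None, "actions": []}
                open_by_user[user] = session
                sessions.append(session)
            session["actions"].append((e["time"], e["event"], e.get("detail")))
    return sessions


def who_was_logged_in(events: List[Dict], device: str, at: str) -> List[str]:
    """Users whose session on `device` covers the instant `at`."""
    t = _ts(at)
    users = []
    for s in sessions_for_device(events, device):
        if s["login"] is None:
            continue
        start = _ts(s["login"])
        end: Optional[datetime] = _ts(s["logout"]) if s["logout"] else None
        if start <= t and (end is None or t < end):
            users.append(s["user"])
    return users


if __name__ == "__main__":
    for s in sessions_for_device(SAMPLE_EVENTS, "dev-1"):
        print(s["user"], s["login"], "->", s["logout"] or "(still open)", s["actions"])
    print(who_was_logged_in(SAMPLE_EVENTS, "dev-1", "2017-09-08T09:30:00+00:00"))
```

The open-session case matters most in practice: the last user before acquisition usually has no logout record, and treating that as "no session" would erase the answer to the first question.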

License
-------

dbling is licensed under the MIT License.

.. toctree::
   :maxdepth: 2
   :hidden:

   Home <self>
   api
   secret
   google/index