Chrome extension analysis plugin

Notes on how to use the chrome_extension analysis plugin.

Running the analysis plugin

First run log2timeline to extract events:

log2timeline.py --storage-file timeline.plaso image.raw

Note that the Chrome extension analysis plugin analyzes file system data such as events with data type:

  • fs:stat

Next run psort to determine Chrome extensions:

psort.py --analysis chrome_extension -o null timeline.plaso

This extracts information about Chrome extensions, such as the name and identifier of each extension and the corresponding username. The analysis results can be reviewed with pinfo:

pinfo.py --report chrome_extension timeline.plaso
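
The following added example (not Plaso's own code) shows how an extension identifier and username can be recovered from the kind of file system paths that fs:stat events carry. The function names, the profile directory layouts and the sample paths are assumptions made for illustration; resolving an identifier to an extension name is not covered.

```python
import re
from collections import defaultdict

# Chrome extension identifiers are 32 characters from the letters a-p.
_EXTENSION_ID = re.compile(r'[a-p]{32}')
# Assumption: directory names that directly precede the username.
_USER_ROOTS = {'users', 'home', 'documents and settings'}


def parse_extension_path(path):
    """Return (username, extension_id) for a Chrome extension path, else None."""
    segments = [s for s in re.split(r'[\\/]+', path) if s]
    lowered = [s.lower() for s in segments]
    if 'extensions' not in lowered or not any('chrome' in s for s in lowered):
        return None
    index = lowered.index('extensions')
    if index + 1 >= len(segments):
        return None
    # The identifier is the directory directly below "Extensions".
    extension_id = segments[index + 1]
    if not _EXTENSION_ID.fullmatch(extension_id):
        return None  # for example a temporary directory, not an extension
    username = 'unknown'
    for position, segment in enumerate(lowered[:index]):
        if segment in _USER_ROOTS and position + 1 < index:
            username = segments[position + 1]
            break
    return username, extension_id


def extensions_per_user(paths):
    """Group the distinct extension identifiers seen in paths by username."""
    results = defaultdict(set)
    for path in paths:
        parsed = parse_extension_path(path)
        if parsed:
            results[parsed[0]].add(parsed[1])
    return {user: sorted(ids) for user, ids in results.items()}


# Constructed sample paths, as they could appear in fs:stat events.
SAMPLE_PATHS = [
    r'\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Extensions\abcdefghijklmnopabcdefghijklmnop\1.0_0\manifest.json',
    '/Users/alice/AppData/Local/Google/Chrome/User Data/Default/Extensions/abcdefghijklmnopabcdefghijklmnop',
    '/home/bob/.config/google-chrome/Default/Extensions/ponmlkjihgfedcbaponmlkjihgfedcba/2.1_0/background.js',
    '/home/bob/.config/google-chrome/Default/Extensions/Temp',
]

if __name__ == '__main__':
    print(extensions_per_user(SAMPLE_PATHS))
```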