ogmini - Exploration of DFIR
Having fun while learning about and pivoting into the world of DFIR.
About Blog Research CTF/Challenge GitHub RSS
ChromeCacheView / ChromeHistoryView
by ogmini
Continuing my work on David Cowen’s Sunday Funday challenge, I leveraged ChromeCacheView and ChromeHistoryView to look both at the Edge Browser and the ChatGPT Desktop App. I want to see if we can capture the user authentication process with timestamps and any artifacts related to uploaded files.
User Authentication
ChromeCacheView
The cache for the ChatGPT Desktop App is examined using ChromeCacheView. Typically the location for this will be %localappdata%\Packages\OpenAI.ChatGPT-Desktop_2p2nqsd0c76g0\LocalCache\Roaming\ChatGPT\Cache.
Some records related to authentication can be seen starting at 9:58:05 AM which lines up with our test scenario.
Subsequently, a record at 9:59:24 AM shows us the start page for the ChatGPT Desktop App being loaded. This lines up with the successful authentication being passed back to the ChatGPT Desktop App.
The actual authentication process can be see using ChromeHistoryView in the next section.
ChromeHistoryView
Next, I looked at the History for the Edge Browser which is currently set as the default browser.
Some records related to the authentication can be seen starting at 9:58:40 AM which again lines up with our test scenario. These records culminate with the prompt to open the ChatGPT Desktop App at 9:59:13 AM after successful authentication.
Timeline
| Timestamp | Source | Description |
|---|---|---|
| 9:58:05 AM | ChatGPT Cache | Application launched and login.htm page displayed |
| 9:58:40 AM | Edge History | ChatGPT Login Page loaded |
| 9:58:54 AM | Edge History | Account Authorized |
| 9:59:13 AM | Edge History | Callback to open ChatGPT Desktop App |
| 9:59:23 AM | ChatGPT Cache | Callback to open ChatGPT Desktop App |
| 9:59:24 AM | ChatGPT Cache | Startup Page loaded |
File Upload
I started a new conversation topic by uploading a screenshot and asking ChatGPT to tell me about it. Using leveldb-cli in a similar fashion to yesterday’s post, I see the following text:
[media pointer="file-service://file-QovPq6QZ7EK4CrJzMjxN7S"]
This led me to once again, use strings to search for “QovPq6QZ7EK4CrJzMjxN7S” and I got a few hits and most importantly hits within the ChromeCache.
1/0/https://files.oaiusercontent.com/file-QovPq6QZ7EK4CrJzMjxN7S?se=2025-01-23T17%3A58%3A27Z&sp=r&sv=2024-08-04&sr=b&rscc=max-age%3D299%2C%20immutable%2C%20private&rscd=attachment%3B%20filename%3Dchromecacheview-startuppage.png&sig=rsli2NzsWVBG%2B/P4R%2BUnW7GSrvCVEyaxoxWwhiRp5xA%3D
Zipping over to ChromeCacheView, I see a handy record that links “file-QovPq6QZ7EK4CrJzMjxN7S” to “chromecacheview-startuppage.png”. Right-clicking and choosing “Open Selected Cache File” even retrieves the image for us. In this case, the file is stored in the f_00001d data stream file and renaming the file to *.png allows us to open the file manually.
