Triage a Chrome profile, fast
2026-06-21 · 4 min
Triage is about getting to a verdict — interesting or not — without boiling the ocean. This is the sequence I run on a Chrome or Edge profile when I have ten minutes to decide whether it earns a deeper look. It is deliberately repeatable, so the same steps work whether you are clearing a queue or staring at a single suspicious host.
1. Grab the right files
Pull the whole profile folder rather than cherry-picking, but if you
must be selective, these are the files that carry the signal. They live
under …\User Data\<profile>\ (Default, Profile 1, …), with one
exception noted below:
History— visits, downloads, search terms.Network\Cookies— session and tracking cookies.Login Data— saved credentials.Web Data— autofill and payment methods.Bookmarks,Top Sites,Shortcuts,Favicons.PreferencesandSecure Preferences.Local Storage\leveldb\— web-app state.Cache\Cache_Data\— cached responses.Local State— sits at theUser Dataroot, not in the profile, and holds the wrapped key you need to decrypt cookies and passwords.
Always grab the -wal sidecars alongside the SQLite files
(History-wal, Network\Cookies-wal, and so on). Recent activity
lives in the write-ahead log; skip it and you miss the last few minutes,
which is often the part that matters.
2. Load the whole folder
Drag the entire profile folder onto the drop zone. Folder upload does the tedious bookkeeping for you:
- Uploads accumulate, so you can drop several folders in turn.
-walsidecars are auto-paired with their parent databases.- LevelDB and cache directories are grouped into single artifacts
instead of a pile of
.ldbor block files.
If you are unsure of the exact paths on the source host, open the "Where do I find these files?" helper — it lists them per OS. And because everything parses client-side, this is safe for sensitive or air-gapped work: nothing leaves the machine.
3. Read the Overview first
Start at the Overview, not the raw tables. It gives you the shape of the profile at a glance: artifact and record counts, the overall date range, and the top domains. Three quick reads here:
- A date range that stops abruptly can mean a clear, a reimage, or a short-lived profile.
- Top domains that match the lead (a phishing host, a file-share site) tells you immediately whether to keep digging.
- Record counts that are near zero on a supposedly active account are themselves a finding.
4. Work the timeline
Move to the unified Timeline, which merges history, downloads, cookies and session events into one chronological view. For triage, two filters do most of the work:
- Date — narrow to the incident window and group by day to spot bursts of activity.
- Keyword — search the domain or filename from the lead and see everything around it in sequence.
This is usually where you build the activity story — visit, download, execute — without leaving the profile.
5. Paste your IOCs
Paste known-bad indicators — domains, URLs, filenames — and the tool highlights hits across the parsed artifacts. This turns "is this host involved?" into a yes/no in seconds, and it scales: the same IOC list applied to every profile in a queue surfaces the one that lights up.
6. Decrypt only if the case needs it
Cookie values and saved passwords are AES-GCM ciphertext keyed via the
Local State blob. Decrypt them only when the case calls for it —
proving an authenticated session, recovering a credential — rather than
by reflex. When you do need it, see
decrypting Chrome cookies in the browser.
7. Export a report
Finish by exporting a hashed HTML report. The hash gives you an integrity anchor for the findings, and the self-contained HTML drops straight into a case file. Everything was processed locally, so the report is the only thing that ever leaves the workstation.