Chrome cache payloads

data/formatters/browser.yaml

@@ -17,8 +17,10 @@ type: 'conditional'
 data_type: 'chrome:cache:entry'
 message:
 - 'Original URL: {original_url}'
+- 'Payloads: {payloads}'
 short_message:
 - 'Original URL: {original_url}'
+- 'Payloads: {payloads}'
 short_source: 'WEBHIST'
 source: 'Chrome Cache'
 ---

data/timeliner.yaml

@@ -189,6 +189,8 @@ data_type: 'chrome:cache:entry'
 attribute_mappings:
 - name: 'creation_time'
   description: 'Creation Time'
+- name: 'payloads'
+  description: 'Json-encoded list of file (with offset) of the cache payload'
 place_holder_event: true
 ---
 data_type: 'chrome:cookie:entry'

plaso/parsers/chrome_cache.py

@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 """Parser for Google Chrome and Chromium Cache files."""
 
+import json
 import os
 
 from dfdatetime import webkit_time as dfdatetime_webkit_time
@@ -84,6 +85,8 @@ class CacheEntry(object):
     key (bytes): key.
     next (int): cache address of the next cache entry.
     original_url (str): original URL derived from the key.
+    payloads (str): A json list of filenames (and offsets)
+        to find the cache payload.
     rankings_node (int): cache address of the rankings node.
   """
 
@@ -95,6 +98,7 @@ def __init__(self):
     self.key = None
     self.next = None
     self.original_url = None
+    self.payloads = None
     self.rankings_node = None
 
 
@@ -257,8 +261,17 @@ def ParseCacheEntry(self, file_object, block_offset):
       raise errors.ParseError((
           'Unable to parse cache entry at offset: 0x{0:08x} with error: '
           '{1!s}').format(block_offset, exception))
-
     cache_entry_object = CacheEntry()
+    payloads = []
+    for stream in list(cache_entry.data_stream_addresses):
+      data_stream = CacheAddress(stream)
+      if data_stream.filename is not None:
+        if data_stream.filename.startswith('f_'):
+          payloads.append(data_stream.filename)
+        else:
+          payloads.append(
+            f'{data_stream.filename} (offset: {hex(data_stream.block_offset)})')
+    cache_entry_object.payloads = json.dumps(payloads)
 
     cache_entry_object.hash = cache_entry.hash
     cache_entry_object.next = CacheAddress(cache_entry.next_address)
@@ -309,7 +322,7 @@ def __init__(self):
     super(ChromeCacheEntryEventData, self).__init__(data_type=self.DATA_TYPE)
     self.creation_time = None
     self.original_url = None
-
+    self.payloads = None
 
 class ChromeCacheParser(interface.FileEntryParser):
   """Parses Chrome Cache files."""
@@ -364,15 +377,16 @@ def _ParseCacheEntries(self, parser_mediator, index_table, data_block_files):
             timestamp=cache_entry.creation_time)
 
         # In Chrome Cache v3, doublekey-ing cache entries was introduced
-        # This shows up as r"_dk_{domain}( {domain})* {url}"
+        # This shows up as "_dk_{domain}( {domain})* {url}"
         # https://chromium.googlesource.com/chromium/src/+/
         # 95faad3cfd90169f0a267e979c36e3348476a948/net/http/http_cache.cc#427
-        if "_dk_" in cache_entry.original_url[:20]:
+        if '_dk_' in cache_entry.original_url[:20]:
           parsed_url = cache_entry.original_url.strip().rsplit(' ', 1)[-1]
           event_data.original_url = parsed_url
         else:
           event_data.original_url = cache_entry.original_url
 
+        event_data.payloads=cache_entry.payloads
         parser_mediator.ProduceEventData(event_data)
 
         cache_address = cache_entry.next
@@ -482,7 +496,6 @@ def ParseFileEntry(self, parser_mediator, file_entry):
               self.NAME, display_name, exception))
 
     # TODO: create event based on index file creation time.
-
     file_system = file_entry.GetFileSystem()
     self._ParseIndexTable(
         parser_mediator, file_system, file_entry, index_file_parser.index_table)

tests/parsers/chrome_cache.py

@@ -33,7 +33,8 @@ def testParse(self):
         'creation_time': '2014-04-30T16:44:36.226091+00:00',
         'data_type': 'chrome:cache:entry',
         'original_url': (
-            'https://s.ytimg.com/yts/imgbin/player-common-vfliLfqPT.webp')}
+            'https://s.ytimg.com/yts/imgbin/player-common-vfliLfqPT.webp'),
+        'payloads': '["data_3 (offset: 0x5c000)", "f_000010"]'}
 
     event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
     self.CheckEventData(event_data, expected_event_values)
@@ -60,7 +61,8 @@ def testParseWithVersion3(self):
         'data_type': 'chrome:cache:entry',
         'original_url': ('https://m.media-amazon.com/images/'
             'G/01/gno/sprites/nav-sprite-global-1x-reorg-privacy'
-            '._CB587940754_.png')}
+            '._CB587940754_.png'),
+        'payloads': '["data_3 (offset: 0x5c000)", "f_000010"]'}
 
     event_data = storage_writer.GetAttributeContainerByIndex('event_data', 0)
     self.CheckEventData(event_data, expected_event_values)