Introducing Chrome DownloadMetadata Parser

LYLC | Spear and Shield
1 min read · Jul 26, 2019

Google Chrome’s DownloadMetadata file appears to have changed format: it is no longer a SQLite database. Chrome now records file download history in the Chrome History file, which is still a SQLite database. However, the current DownloadMetadata file contains more information, including:

  • File checksum
    The History file also contains this field, but it was empty during my tests.
  • Archive file content
    For instance, if a user downloads a ZIP file containing a VBS file, that VBS file’s name and checksum will be recorded in DownloadMetadata.
  • Referrer chain
    Malvertising attacks tend to redirect traffic through other URLs before delivering the malicious file. The History file can show where the file was downloaded from, but tracing back to the URL the user initially clicked is a manual process. The referrer chain records that chain, which makes it easier for incident responders to identify the infection vector.
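To show the History-file side of this comparison, here is an added example (not the author's parser) that pulls each download's redirect chain, referring page and hash column out of a Chrome History SQLite database. It assumes a simplified subset of the real `downloads` and `downloads_url_chains` tables, and the database contents are constructed in memory for the demonstration.

```python
import sqlite3

# Constructed, simplified subset of Chrome's History schema (assumption: the
# real tables carry many more columns; only the ones queried here are kept).
SCHEMA = """
CREATE TABLE downloads (
    id INTEGER PRIMARY KEY, target_path TEXT, referrer TEXT,
    tab_url TEXT, hash BLOB, mime_type TEXT);
CREATE TABLE downloads_url_chains (
    id INTEGER NOT NULL, chain_index INTEGER NOT NULL, url TEXT NOT NULL,
    PRIMARY KEY (id, chain_index));
"""

# Constructed sample: one download reached through two redirects, hash empty.
SAMPLE_ROWS = [
    ("INSERT INTO downloads VALUES (1, '/Users/me/Downloads/invoice.zip', "
     "'https://ad.example.net/click?id=42', 'https://news.example.org/article', "
     "X'', 'application/zip')"),
    "INSERT INTO downloads_url_chains VALUES (1, 0, 'https://ad.example.net/go')",
    "INSERT INTO downloads_url_chains VALUES (1, 1, 'https://cdn.example.com/r/7')",
    "INSERT INTO downloads_url_chains VALUES (1, 2, 'https://files.example.com/invoice.zip')",
]

def open_sample_history():
    """Build the constructed History database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for stmt in SAMPLE_ROWS:
        conn.execute(stmt)
    return conn

def list_downloads(conn):
    """Return one dict per download: target path, referrer and tab URL, the hash
    column (None when empty) and the download's redirect chain in order."""
    rows = conn.execute(
        "SELECT id, target_path, referrer, tab_url, hash, mime_type FROM downloads").fetchall()
    result = []
    for did, path, referrer, tab_url, hsh, mime in rows:
        chain = [u for (u,) in conn.execute(
            "SELECT url FROM downloads_url_chains WHERE id=? ORDER BY chain_index", (did,))]
        result.append({"id": did, "target_path": path, "mime_type": mime,
                       "referrer": referrer, "tab_url": tab_url,
                       "hash_hex": hsh.hex() if hsh else None,
                       "url_chain": chain})
    return result

if __name__ == "__main__":
    for rec in list_downloads(open_sample_history()):
        print(rec["target_path"], "hash:", rec["hash_hex"] or "<empty>")
        print("  redirect chain:", " -> ".join(rec["url_chain"]))
        print("  tab_url:", rec["tab_url"], "referrer:", rec["referrer"])
```

The chain returned here covers only the redirects of the download request itself; the earlier pages the user clicked through still have to be reconstructed by hand from the `urls`/`visits` tables, which is the manual step the post contrasts with DownloadMetadata's referrer chain.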

DownloadMetadataParser was developed to parse DownloadMetadata files. If anyone is interested, the link is provided below.

https://github.com/LYLC/DownloadMetadataParser

Originally published at https://www.tumblr.com on July 26, 2019.
