dbling: Identifying extensions installed on encrypted web thin clients

In this work, we present a novel approach to extract residual evidence stored on Chrome OS devices that successfully bypasses these challenges. Specifically, we are able to determine which extensions and apps are installed on an encrypted Chrome OS device, without breaking or otherwise extracting the encryption keys. Our framework, called dbling, generates signatures or fingerprints of extension and app code that persist after encryption, and we are able to use these fingerprints to identify the installed extensions and apps. We create fingerprints of 160,025 extensions for Chrome OS, we measure the uniqueness of these fingerprints, and we perform a case study by installing 14 extensions on a Chrome OS device and attempt to find their fingerprints.