# Chrome Sessions

## Overview

**Evidence:** Chrome Sessions\
**Description:** Collect Chrome Sessions\
**Category:** Applications\
**Platform:** windows\
**Short Name:** chrss\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

Browser sessions maintain active tab state, cookies, and authentication context. This data reveals currently active user sessions, open websites, and authenticated connections at the time of collection.

## Data Collected

This collector gathers structured data about Chrome sessions.

### Chrome Sessions Data

| Field         | Description  | Example       |
| ------------- | ------------ | ------------- |
| `ID`          | ID           | 123           |
| `WindowID`    | Window ID    | 123           |
| `Active`      | Active       | true          |
| `Url`         | Url          | Example value |
| `Title`       | Title        | Example value |
| `Deleted`     | Deleted      | true          |
| `Group`       | Group        | Example value |
| `History`     | History      | \[]           |
| `BrowserName` | Browser Name | Example value |

## Collection Method

This collector captures browser session data including active tabs, session cookies, and authentication state.

## Forensic Value

Session analysis identifies active compromises, authenticated sessions to malicious sites, concurrent suspicious activities, and real-time indicators of ongoing attacks. Analysts can detect active C2 connections, authenticated malware communications, and live attacker sessions.
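One way to triage the parsed records against a domain watchlist is sketched below. This is an added example, not the collector's own code. It assumes the records are exported as a JSON array keyed by the field names in the table above, that `History` is a list of URL strings, and that the analyst supplies the watchlist; the sample records and domains are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample records using the field names from the table above.
# Assumptions: JSON array export, History as a list of URL strings.
SAMPLE = json.loads("""[
 {"ID": 1, "WindowID": 10, "Active": true, "Url": "https://mail.example.com/inbox",
  "Title": "Inbox", "Deleted": false, "Group": "", "History": [], "BrowserName": "Chrome"},
 {"ID": 2, "WindowID": 10, "Active": false, "Url": "https://login.bad-domain.test/session",
  "Title": "Sign in", "Deleted": true, "Group": "",
  "History": ["https://mail.example.com/inbox"], "BrowserName": "Chrome"},
 {"ID": 3, "WindowID": 11, "Active": true, "Url": "https://docs.example.com/a",
  "Title": "Doc", "Deleted": false, "Group": "",
  "History": ["http://cdn.bad-domain.test/x", "https://docs.example.com/a"],
  "BrowserName": "Chrome"},
 {"ID": 4, "WindowID": 11, "Active": false, "Url": "chrome://newtab/",
  "Title": "New Tab", "Deleted": false, "Group": "", "History": [], "BrowserName": "Chrome"}
]""")

def host_of(url):
    """Lower-cased hostname, or '' when the URL has none or cannot be parsed."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def on_watchlist(host, watchlist):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in watchlist)

def triage_sessions(records, watchlist):
    """Return (ID, WindowID, reasons) for tabs that touched a watchlisted host."""
    findings = []
    for r in records:
        reasons = []
        if on_watchlist(host_of(r.get("Url", "")), watchlist):
            reasons.append("current-url")
        if any(on_watchlist(host_of(u), watchlist) for u in r.get("History") or []):
            reasons.append("history")
        if reasons:
            # Tab state tells the analyst whether the page was still open at collection.
            if r.get("Deleted"):
                reasons.append("tab-closed")
            if r.get("Active"):
                reasons.append("tab-active")
            findings.append((r["ID"], r["WindowID"], reasons))
    return findings
```

Matching on the parsed hostname rather than a substring of `Url` avoids false hits on lookalike domains and on watchlisted names that only appear in a path or query string.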
