Saturday, December 22, 2012

Chrome history location

http://computer-forensics.sans.org/blog/2010/01/21/google-chrome-forensics/


Here’s a tutorial: Google Chrome Forensics. Some notes:
  • The sqlite3 databases are “locked” when Chrome is running, so you might have to either close Chrome or copy the databases to a separate file before reading them.
  • In the History database, visit_time is in μs since 1601-01-01 (1/10th of the Windows FILETIME value) even if you’re on Mac or Linux, so to convert it to Unix time (s since 1970-01-01) you have to divide by 1,000,000 and subtract 11644473600 = new Date(1970, 0, 1)/1000 - new Date(1601, 0, 1)/1000.
  • E.g., to find the last 10 URLs I visited: select urls.url, datetime(visit_time/1000000 - 11644473600, 'unixepoch', 'localtime') from visits left join urls on visits.url = urls.id order by visit_time desc limit 10;
  • The value visits.transition & 255 is an enum defined in page_transition_types.h. See the descriptions in the extension documentation on history.
