Chrome History Transition Parser

363968

OpenText OpenText Community

App Support Tiers

OpenText SUPPORTED

Support via OpenText Software Support, with a ticket filed against the associated product.

PARTNER

OpenText offers a content partnership program for select partners. Support for Partner Content offerings is provided by the partner and not by OpenText of the OpenText community.

OpenText COMMUNITY

OpenText Community Content is provided by OpenText for the benefit of customers, support for it is not available via OpenText Software Support but through specific community content forums.

COMMUNITY

Community Contributed Content is provided by OpenText customers and supported by them.

EARLY ACCESS

Show less ...Show more

The downloads referenced under the "Cybersecurity Early Access" category are made available to subscribers to mitigate time-critical issues but have not undergone formal quality and performance testing associated with official OpenText/Cybersecurity product releases. OpenText has a multi-stage Quality Assurance process. During Stage 1 we conduct a resource analysis, field mapping, ensure content level 1 functionality and analysis in our sandbox environment. Stage 2 is a complete validation including production validation. This package has cleared Stage 1 validation and therefore should be deployed with the appropriate pre-production validation. OpenText strongly recommends that any downloaded content is first checked and tested thoroughly in a non-production environment before committing to production. We welcome feedback and, should any content be shown to be faulty, detrimental or carry an incorrect claim of authorship, we shall endeavor to remove or correct such content as promptly as reasonably possible once notified and validated.

OpenText | OpenText Community

This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.

941 downloads

Product compatibility

EnCase App Central

Description

This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.

This field is defined as follows in the Chromium source code:

Types of transitions between pages. These are stored in the history database to separate visits and are reported by the renderer for page navigations.

Each type is stored as a 32-bit bitfield value that is best viewed as hex.

The low 8-bits store the core transition value; the high 24-bits store zero or more qualifiers.

The significance of these values (as defined by the aforementioned source code) is included in the output, which is by way of data bookmarks and a tab-delimited spreadsheet.

To extract these values, the script uses the following query:

SELECT urls.url as 'URL', title AS 'Title', visit_time AS 'Visit Time', transition AS 'Transition', urls.typed_count AS 'Typed Count', urls.visit_count AS 'Visit Count', urls.hidden AS 'Hidden' FROM urls JOIN visits ON urls.id = visits.url ORDER BY visit_time

In addition to interpreting the visit_time field as UTC, the script also presents it as a raw Chromium timestamp for validation purposes.

Please note that the script does not read any write-ahead-log (WAL) or journal file.

Progress can be monitored using the console.

This script was developed for use in EnCase training. For more details, please click the following link: