Browser History Forensics Trick : Chromium based Browsers

Are you working in DFIR and often perform Browser History Forensics? Here's a trick I discovered while analyzing a Chrome browser history SQLite database. This is very handy when analyzing a Chromium-based browser history database (e.g., Chrome, Edge, Brave, Vivaldi) using DB Browser for SQLite.

Terminologies:

• History database:

  • A history database is a file where a user's browsing history is automatically stored by web browsers like Chrome, Edge, and Safari.

  • Usually, the information is stored in SQLite databases.

  • File extension for SQLite databases:

    • .sqlite

    • .db

    • .sqlitedb

    • .storedata

    • Sometimes, it doesn't have any extension at all!

      • Quick tip: Run the file command on that file to identify it's file type.

  • History database associated files:

    • WAL

    • SHM

Background:

• I usually analyze the SQLite database files on macOS using DB Browser for SQLite. Whenever I encounter timestamps, I manually paste them into CyberChef to parse them into a human-readable format, which looks like DD-MM-YYYY HH:MM:SS. So, let's dig into analyzing a History Database. This has 2 parts.

  1. Opening on macOS DB Browser for SQLite

  2. Opening on Windows DB Browser for SQLite

Analysis:

1. Using DB Browser for SQLite on macOS:

• Open DB Browser for SQLite and load your database file and select downloads table. The output should look as shown below in Fig 1

• Select the column where your timestamp appears and right click on it. In this case, we selected "start_time column" and select "Edit display format" as shown in Fig 2

• All the display formats available are displayed as shown in Fig 3. Unfortunately, none of them can be selected because the timestamp we want to convert to a human-readable format is not in the list, including the 'Windows DATE to date' option. I've tried all the options, and it doesn't work!

2. Using DB Browser for SQLite on Windows:

• Open DB Browser for SQLite and load your database file and select downloads table. The output should look as shown below in Fig 4

• Select the column where your timestamp appears and right click on it. In this case, we selected start_time column and select "Edit display format" as shown in Fig 5

• Scroll through the all display formats available as shown in Fig 6 & Fig 7. Select "WebKit/Chromium epoch to local time" or "WebKit/Chromium epoch to date" This will convert your non-human readable time which appears like a bunch of numbers into a human readable format

Once you select and click on "WebKit/Chromium epoch to local time" and click OK, your timestamp will appear human readable as shown in Fig 8.

Conclusion:

• Use the Windows-based DB Browser for SQLite if you're analyzing a Chromium-based Browser History SQLite Database to quickly convert the timestamps into a human-readable format. Why?

  • Because this option of conversion is not available on macOS verion of DB Browser for SQLite

• Trick:

  • Before starting you should know about the timestamp used in your database. A quick google search would reveal it

    • In this case it is 13384327104835331

    • This is a 17 length long timestamp which is usually a WebKit/Chromium time.

• Caveats of using the following display format options for conversion:

  • WebKit/Chromium epoch to date

    • This will convert the database timestamp to the original date and time.

  • WebKit/Chromium epoch to local time

    • This will convert the database timestamp to the local time of the Windows Analysis machine which has been set.

    • Example, if your Windows machine is set to Eastern Standard Time (EST) time (UTC-5) then your converted timestamp will be in EST.