Chrome History Transition Parser
This script is designed to parse the transition
field from records in the visits
table of the Chrome/Chromium History SQLite database file.
This field is defined as follows in the Chromium source code:
- Types of transitions between pages. These are stored in the history database to separate visits and are reported by the renderer for page navigations.
Each type is stored as a 32-bit bitfield value that is best viewed as hex.
The low 8-bits store the core transition value; the high 24-bits store zero or more qualifiers.
The significance of these values (as defined by the aforementioned source code) is included in the output, which is by way of data bookmarks and a tab-delimited spreadsheet.
To extract these values, the script uses the following query:
SELECT urls.url as 'URL', title AS 'Title', visit_time AS 'Visit Time', transition AS 'Transition', urls.typed_count AS 'Typed Count', urls.visit_count AS 'Visit Count', urls.hidden AS 'Hidden' FROM urls JOIN visits ON urls.id = visits.url ORDER BY visit_time
In addition to interpreting the visit_time
field as UTC, the script also presents it as a raw Chromium timestamp for validation purposes.
Please note that the script does not read any write-ahead-log (WAL) or journal file.
Progress can be monitored using the console.
This script was developed for use in EnCase training. For more details, please click the following link:
Download Now