EnCase App Central
Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.Become a Developer
Chrome History Transition Parser
This script is designed to parse the
transition field from records in the
visits table of the Chrome/Chromium History SQLite database file.
This field is defined as follows in the Chromium source code:
- Types of transitions between pages. These are stored in the history database to separate visits and are reported by the renderer for page navigations.
Each type is stored as a 32-bit bitfield value that is best viewed as hex.
The low 8-bits store the core transition value; the high 24-bits store zero or more qualifiers.
The significance of these values (as defined by the aforementioned source code) is included in the output, which is by way of data bookmarks and a tab-delimited spreadsheet.
To extract these values, the script uses the following query:
SELECT urls.url as 'URL', title AS 'Title', visit_time AS 'Visit Time', transition AS 'Transition', urls.typed_count AS 'Typed Count', urls.visit_count AS 'Visit Count', urls.hidden AS 'Hidden' FROM urls JOIN visits ON urls.id = visits.url ORDER BY visit_time
In addition to interpreting the
visit_time field as UTC, the script also presents it as a raw Chromium timestamp for validation purposes.
Please note that the script does not read any write-ahead-log (WAL) or journal file.
Progress can be monitored using the console.
This script was developed for use in EnCase training. For more details, please click the following link:Download Now