Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

Chrome History Transition Parser

This script is designed to parse the transition field from records in the visits table of the Chrome/Chromium History SQLite database file.

This field is defined as follows in the Chromium source code:

  • Types of transitions between pages. These are stored in the history database to separate visits and are reported by the renderer for page navigations.

Each type is stored as a 32-bit bitfield value that is best viewed as hex.

The low 8-bits store the core transition value; the high 24-bits store zero or more qualifiers.

The significance of these values (as defined by the aforementioned source code) is included in the output, which is by way of data bookmarks and a tab-delimited spreadsheet.

To extract these values, the script uses the following query:

SELECT urls.url as 'URL', title AS 'Title', visit_time AS 'Visit Time', transition AS 'Transition', urls.typed_count AS 'Typed Count', urls.visit_count AS 'Visit Count', urls.hidden AS 'Hidden' FROM urls JOIN visits ON urls.id = visits.url ORDER BY visit_time

In addition to interpreting the visit_time field as UTC, the script also presents it as a raw Chromium timestamp for validation purposes.

Please note that the script does not read any write-ahead-log (WAL) or journal file.

Progress can be monitored using the console.

This script was developed for use in EnCase training. For more details, please click the following link:

Download Now

Download Now


FAQ

Version: 1.0.0
Tested with:
EnCase 22.4
Developer: Simon Key
Category: Artifact

72 Downloads
18 Downloads in last 6 months