browser history time stamp question


creatureman
Newbie
 

browser history time stamp question

Post Posted: Oct 10, 14 22:57

Hello, I was wondering: say I saw three website URLs in the Chrome browser history that were accessed 15 mins apart, in Google Chrome and Windows 8.1. This is according to the browser history timestamps. Is there any way to tell if one of the URLs was open and the last one visited was closed? Say, like hitting a back button on a web browser and going to a new website. Or can you tell if multiple tabs were open simultaneously? In a nutshell, I guess I'm asking: is it possible to tell when a webpage was closed? Should be the next URL timestamp, shouldn't it? Even if you open new tabs, it still registers a new timestamp. But is there any way to say a web page was left open also? Thanks. This is not my field but I need to know if I should refer this to a long wait in a lab. Thanks
 
  

a.nham
Member
 

Re: browser history time stamp question

Post Posted: Oct 11, 14 04:16

If you are just asking if there is a way to find out when a tab was closed or how long it was open, the simple answer to that is no, or at least there is not one I am currently aware of.

That said, I do have several suggestions that may solve your problem. If you use a SQLite reader, you can see the timestamp of when the tabs were opened, down to the microseconds. Thus, even if tabs are open simultaneously, they will likely have different timestamps, as the time they connect to the site's server will likely differ. SQLite readers can also tell you how the link was opened (a new tab, new window, or on top of the page); off the top of my head, I don't remember the labels, but if you do a simple search of "Chrome internet artifacts" it should give you some good results. Thus, you can compile a timeline of all the tabs that were opened and what their last visited page was.

Hope that was helpful.  
 
  

creatureman
Newbie
 

Re: browser history time stamp question

Post Posted: Oct 11, 14 04:47

Hey, sure was. Thanks, I'll give that a go!
 
  

PaulSanderson
Senior Member
 

Re: browser history time stamp question

Post Posted: Oct 11, 14 14:04

If you are going to look directly at the SQLite database then, as the different tables are normalised, you will need to do some SQL joins to get a usable result. Also, the Chrome date is microseconds since January 1, 1601 UTC, which as a large number is not really very readable without a conversion program to do this en masse.

You could use Craig Wilson's NetAnalysis to look at this, or my new software - The Forensic Browser for SQLite (part of the Forensic Toolkit for SQLite) - could help you with this and other similar queries. Amongst other things it will let you join tables visually, and the latest version will decode Chrome dates and times. The screenshot below shows a join on the visits table (which only holds a URL number) with the URL table to get the actual URL. I have also shown a raw visit_time along with the decoded visit time. You can choose which fields you want displayed in a results column and decode/display different values (such as dates) in different formats. You can even create a query and display all the different icons from the favicons database as graphics.

Feel free to drop me an email and I'll send you a fully functional Demo licence

sandersonforensics.com...for-SQLite


_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
 
  

FoxtonForensics
Member
 

Re: browser history time stamp question

Post Posted: Oct 11, 14 14:33

In the 'History' SQLite database the 'visits' table contains two columns that may help you.

You can determine if a user navigated away from a webpage by opening a link within the same tab (therefore effectively "closing" the webpage). This can be determined using the 'from_visit' column which contains the ID of the previous page viewed (if applicable). This data allows you to build up a chain of navigations as you can see in the following screenshot:



The other column that may be of use is the 'visit_duration' column. I haven't looked at this column before but it may be possible to use this data along with the 'visit_time' column to determine when a tab/window was closed.

Lastly, if any of the URLs visited were in a recent session then you may be able to find the info you need in the session and tabs files:
www.cclgroupltd.com/ch...he-pickle/
_________________
Alex Billingsley
Foxton Forensics
www.foxtonforensics.com 
 
  

Chris_Ed
Senior Member
 

Re: browser history time stamp question

Post Posted: Oct 12, 14 14:03

- PaulSanderson
..Also, the Chrome date is microseconds since January 1, 1601 UTC, which as a large number is not really very readable without a conversion program to do this en masse.

You could use Craig Wilson's NetAnalysis to look at this or my new software...

Or alternatively, you could just decode them "en masse" using native SQLite datetime statements in a freeware or open source SQLite browser (or your favourite programming language of choice!). Modifying your example:

Code:
-- Chrome stores times as microseconds since 1601-01-01 UTC.
-- Dividing by 1000000 gives seconds; subtracting 11644473600 (the seconds
-- between 1601-01-01 and 1970-01-01) gives a Unix epoch value.
SELECT datetime((visits.visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS Decoded_Visit_time,
  visits.visit_duration,
  urls.url,
  urls.visit_count,
  datetime((urls.last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS Decoded_Last_Visit_Time
FROM visits
  LEFT JOIN urls ON visits.url = urls.id;

With thanks to this marvellous blog post regarding the conversion, as well as this obligatory Stack Overflow link.
 
  

PaulSanderson
Senior Member
 

Re: browser history time stamp question

Post Posted: Oct 13, 14 00:13

You are of course correct, Chris, and with a bit of integer fooey you can of course convert any integer date into another, and you rightly point out that this is built into SQLite (I don't use the SQLite date routines because I need more control over the formatted dates for timezone conversion etc.).

However, the thrust of my post and the reason for the link was to highlight the need for SQLite joins. The initial picture and query was reasonably simple, but I have created (all visually, i.e. drag and drop, without typing anything other than slightly more meaningful aliases) another query that the OP might want to use, that quite frankly I would have had trouble crafting by hand at an SQLite command line because of the complexity (and I generally can't get my head around it :) )

The SQLite history table contains two tables that I have used - visits, from which I get the ID, visit time and the URLID of the current page and the ID of the referring page (the From URL); these I need to use to get the actual URL (and page titles) from the URLs table along with the visit count. So by just introducing the referrer the SQL gets much more complex, i.e.:

Code:
SELECT visits.visit_time,
  visits.id,
  urls.url,
  urls.title,
  visits.url AS URLID,
  visits.from_visit,
  Query2.visit_time AS FromVisitTime,
  Query2.url AS FromURL,
  Query2.title AS FromTitle,
  urls.visit_count
FROM visits
  LEFT JOIN urls ON visits.url = urls.id
  LEFT JOIN (SELECT urls.url,
    urls.title,
    visits.visit_time,
    visits.id
  FROM visits
    LEFT JOIN urls ON visits.url = urls.id) Query2 ON visits.from_visit = Query2.id
*see footnote

But using my software I was able to generate the visual query below and hence the corresponding SQL in a matter of a couple of minutes.

By way of further explanation the URL field in the visits table points to the ID field in the URLs table so we can look up the actual URL and page name along with the visit count. The from_visit field in the visits table points back to an earlier entry in the visits table which then references the actual "from URL" and the time of the visit to this. So to get at this we need to create a derived table (query2).

A picture paints a thousand words so here are a couple of screenshots showing the main visual query:



And just for completeness here's the derived table, query2:



And as you say, you can use my code above, add your Unix epoch code, and get the date from any SQLite command line tool using the code above.

*incidentally if you open a Chrome history DB in the Forensic Browser for SQLite and paste in the text of the SQL query in the box above, The Browser will automatically create the visual elements for you.
_________________
Paul Sanderson
SQLite Forensics Book
www.amazon.com/SQLite-...entries*=0

Forensic Toolkit for SQLite
sandersonforensics.com...for-SQLite 
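
An added example, not code from any poster in this thread: it runs the visits/urls join with the from_visit lookup discussed above against a small constructed in-memory database, decodes the Chrome timestamps, and flags visits whose estimated open periods overlap. It assumes visit_duration is in microseconds and approximates how long the page stayed open, which should be validated on test data before relying on it; the sample rows and function names are made up for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def chrome_time(us):
    """Microseconds since 1601-01-01 UTC -> timezone-aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=us)

def build_sample_db():
    """Constructed sample using only the History columns named in the thread."""
    t0 = (datetime(2014, 10, 10, 20, 0, tzinfo=timezone.utc) - CHROME_EPOCH) // timedelta(microseconds=1)
    minute = 60 * 1_000_000
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, visit_duration INTEGER);
        INSERT INTO urls VALUES (1, 'http://a.example/', 'A', 1),
                                (2, 'http://b.example/', 'B', 1),
                                (3, 'http://c.example/', 'C', 1);
    """)
    db.executemany("INSERT INTO visits VALUES (?, ?, ?, ?, ?)", [
        (1, 1, t0, 0, 20 * minute),                # no referrer, open ~20 min
        (2, 2, t0 + 15 * minute, 0, 15 * minute),  # starts while visit 1 is still open
        (3, 3, t0 + 30 * minute, 2, 0),            # link followed from visit 2, no duration
    ])
    return db

def timeline(db):
    """Join visits to urls and to the referring visit; decode times in Python."""
    rows = db.execute("""
        SELECT v.id, u.url, v.visit_time, v.visit_duration, v.from_visit, fu.url
        FROM visits v
          LEFT JOIN urls u    ON v.url = u.id
          LEFT JOIN visits fv ON v.from_visit = fv.id
          LEFT JOIN urls fu   ON fv.url = fu.id
        ORDER BY v.visit_time""").fetchall()
    out = []
    for vid, url, start, dur, from_visit, from_url in rows:
        begin = chrome_time(start)
        end = begin + timedelta(microseconds=dur) if dur else None  # None: unknown
        out.append({"id": vid, "url": url, "start": begin, "approx_end": end,
                    "from_visit": from_visit, "from_url": from_url})
    return out

def overlapping(visits):
    """Pairs (a, b) where b began before a's estimated end and b was not
    reached from a: consistent with two tabs or windows open at once."""
    return [(a["id"], b["id"]) for i, a in enumerate(visits) for b in visits[i + 1:]
            if a["approx_end"] and b["start"] < a["approx_end"] and b["from_visit"] != a["id"]]
```

On a real case, point `sqlite3.connect` at a working copy of the History file rather than the original evidence, and treat an overlap as a lead to corroborate with the session and tabs files, not as proof that a page was open.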
 
