I came across these files during a case and I was wondering if there is any information out there about them?
I've heard reference to Google Chrome creating a search index of the websites it visits and goggling 'chrome "history index"' tells me that these are indeed the files it stores it in. They seem to contain, if not the whole text content of a webpage then certainly a large chunk of it.
They're stored in sqlite format and can be viewed with an sqlite database browser, the database itself is made up of 5 tables one of which is pages_content which contains an id number, the URL of the website, the page title and the body of the page.
The body record seems to contain the entire text based content of the visited website (as if somebody hit select all then copy and pasted it into a text file) without any formatting and with much of the whitespace removed (I'll qualify this with a most of the time as pages with exceptionally large text content seem to hit a record length barrier at which point the rest of the text is dropped)
From my own testing with a fresh install of chrome onto a windows vista machine Chrome appears to create these indices for every webpage visited (although my sample size is a little too small to rule out the possibility that it only does some of them) and from what I've seen it only indexes the content of the page so there are no dates and times stored unless they are embedded in the body of the page (There is a table full of what look at first glance to be unix timestamps but none of them resolved back to the times I visited the websites)
So rambling over and back to my original question, does anybody know if there is more information available out there specifically with regards whether Chrome does infact create these records for every page visited.
(The reason this post is full of appears, seems and maybes is because SQL is a topic i've never before looked into so i'm trying to piece its behaviour together as I go)
I've done a bit of playing about with these databases before, but hopefully will get time to look at them better at some point.
From what I found, the time in the info table does relate to the records in the pages_content table.
This timestamp uses an epoch which is 1601-01-01 000000 UTC
and is measured in milliseconds as described in this link http//
Dcode 4.02a from Digital Detective can decode this time.
The records in the pages_content table have a field named docid that relates to the ROWID (not record number) in the info table.
From my brief testing, it would seem that not all pages visited had their text content copied to this database.
I haven't found much else about them but i have found some quite useful information from webpages that weren't cached any longer.
I did plug a few of those timestamps into dcode and they came up as 6th of January 2011 but having set my clock to 1st of march 2011 in order to get a clean history index file i thought they were clocking something else
Are you saying you got timestamps that decoded to January in the newly created March database (History Index 2011-03). If so that's pretty strange. Was a History Index 2011-03 file created?
I just change the system clock on mine machine and Chrome does appear to record my machine's time (as opposed to taking it from a webserver).
As I said, i haven't properly looked into it so can only comment on what I've seen.
Are you saying you got timestamps that decoded to January in the newly created March database (History Index 2011-03). If so that's pretty strange. Was a History Index 2011-03 file created?
I just change the system clock on mine machine and Chrome does appear to record my machine's time (as opposed to taking it from a webserver).
As I said, i haven't properly looked into it so can only comment on what I've seen.
I went back and tested it again, it turns out my confusion came from using an old version of dcode without the chrome time support, checked it in the latest version and they came out as they should.