Colleagues,
I am trying to determine geo-location information from the below browsing history (if possible)
http//
1) I determined that the "ts=1407353476" is a Time Stamp = 8/6/2014 (source TimestampConvert.com).
2) I see "venue=02661", which I am guessing could be a Starbucks store number.
I noted that typing in "http//
3) I have no clue what this value means "vh=a88eb0f6c7e5422b81917e3d9dcf0fd1". Perhaps "vh" is "view history"?
Any help would be greatly appreciated!
Regards,
Larry
02661 is the zip code for Harwich MA (according to Google)
Using mans best friend, Mr Google I typed in the following 'starbucks UK store number 2661' and first result came back with what I assume is store number 2661, located in Notting Hilll London.
I have then gone to Starbucks store finder, picked a random starbucks
Store number 2677
Store number 1008978
Cant help more than that I'm afraid
Colleagues,
3) I have no clue what this value means "vh=a88eb0f6c7e5422b81917e3d9dcf0fd1". Perhaps "vh" is "view history"?
Given that what follows is a 32-character length hexadecimal string, I'm guessing the "h" in "vh" stands for "hash". The most likely candidate is our pal MD5, but who knows what it's hashing? "V"enue is a tempting choice, but the value provided doesn't match the md5 hash of either 02661 or 2661 (or even "Notting Hill, London"). It might even just stand for "Value", I guess.
Think you have an opportunity here to buy coffee and cake from your nearest starbucks on the company credit card.
Paul,
Ironic that you commented on my post as I was actually able to use your SQL Forensic tools software successfully on this project - thank you for the excellent tool set.
As yet another example of why it is important to run multiple tools on the same data to compare results, the opponent's Cellebrite tool was able to extract internet browsing history from the target Samsung Galaxy Tab 3, but Katana's Lantern and Compelson's Mobiledit Forensic were not.
Rooting the Tab allowed me to create a physical image of the device, which I then ingested into GetData's Forensic Explorer ("FEX"). However, although I was able to identify the internet browsing history database file and view it using FEX, I was not able to create a report of the database file contents nor extract the database contents using FEX.
So, I used FEX to extract the entire DB file from User\data\com.android.browser\databases\browser2.db to my forensic workstation and then ran it in your SQL Forensic tool and was able to create an Excel file report of the "history" tab of the browser2.db database.
Does your tool have the ability to automatically convert the millisecond time stamps into normal format Date and Time values in a separate column? That would be awesome if it did.
Regards,
Larry
Hi Larry
I am very pleased my software was able to assist. Without seeing the time stamp I cannot be certain but assuming the date was unix milliseconds then yes it can convert this date.
The current conversion set is as follows.
If a date format isn't supported then I can easily add it - and you could of course use SQL to convert a date (but this can get a bit messy and it is pretty much impossible to apply timezone offsets this way)
Oops might have misunderstood
If you wnat to add the same column twice - once with the "raw" data and once with a converted timestamp then it is easy - just check the column to add it to the centre 'columns designer' and build the SQL query and then drag the column down to add it again (or just type the relevant SQL and a column alias - something like below (using a skype unix10 date as an example)
Hope this helps.
Paul
[updated to change to animated gif]