Enumerates a targets chrome history.
Source based on Hindsight and code review of https://source.chromium.org/chromium/chromium/src/+/master:components/history/core/browser/history_types.h .
Some research has shown that older browsers may not have this table. In that case you should treat it as you would in a traditional investigation. This artifact is aimed at taking advantage of the newer tables to reduce false positives.
This artifact is deprecated in favor of Generic.Forensic.SQLiteHunter and
will be removed in future
name: Windows.Applications.Chrome.History
description: |
Enumerates a targets chrome history.
Source based on Hindsight and code review of
https://source.chromium.org/chromium/chromium/src/+/master:components/history/core/browser/history_types.h.
#### NOTES:
- Some research has shown that older browsers may not have this
table. In that case you should treat it as you would in a traditional
investigation. This artifact is aimed at taking advantage of the
newer tables to reduce false positives.
- This artifact is deprecated in favor of `Generic.Forensic.SQLiteHunter` and
will be removed in future
author: Angry-Bender @angry-bender
parameters:
- name: historyGlobs
default: \AppData\{Local,Roaming}\{Google\Chrome\User Data,Microsoft\Edge\User Data,BraveSoftware\Brave-Browser\User Data,Vivaldi\User Data,Opera Software\Opera*Stable}\*\History
- name: urlSQLQuery
default: |
SELECT U.id AS id,
U.url AS url,
V.visit_time as visit_time,
U.title AS title,
U.visit_count,
U.typed_count,
U.last_visit_time, U.hidden,
CASE VS.source
WHEN 0 THEN 'Synced'
WHEN 1 THEN 'Local'
WHEN 2 THEN 'Extension'
WHEN 3 THEN 'ImportFromFirefox'
WHEN 4 THEN 'ImportFromSafari'
WHEN 6 THEN 'ImportFromChrome/Edge'
WHEN 7 THEN 'ImportFromEdgeHTML'
ELSE 'Local'
END Source,
V.from_visit,
strftime('%H:%M:%f',V.visit_duration/1000000.0, 'unixepoch') as visit_duration,
V.transition
FROM urls AS U
JOIN visits AS V ON U.id = V.url
LEFT JOIN visit_source AS VS on V.id = VS.id
- name: userRegex
default: .
type: regex
- name: URLRegex
default: .
type: regex
precondition: SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET history_files = SELECT * from foreach(
row={
SELECT Uid, Name AS User,
expand(path=Directory) AS HomeDirectory
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex
},
query={
SELECT User, OSPath, Mtime
FROM glob(globs=historyGlobs, root=HomeDirectory)
})
SELECT * FROM foreach(row=history_files,
query={
SELECT User,
id AS url_id,
timestamp(winfiletime=visit_time * 10) AS visit_time,
url as visited_url,
title,visit_count,typed_count,
timestamp(winfiletime=last_visit_time * 10) AS last_visit_time,
hidden,
from_visit AS from_url_id,
Source,
visit_duration,transition,
timestamp(winfiletime=last_visit_time * 10) as _SourceLastModificationTimestamp,
OSPath
FROM sqlite(
file=OSPath,
query=urlSQLQuery)
})
WHERE visited_url =~ URLRegex