![]() ![]() Now we know where we’re looking, it’s time to open the Google Chrome history database, which is stored in the SQLite format. Opening the Google Chrome history database As usual, we write an update to the screen. To achieve this, the global variables windows_drive and username are imported and used to piece together the path to the Chrome History database. global windows_drive global username database_file = windows_drive + ":\Users \\ " + username + "\AppData\Local\Google\Chrome\User Data\Default\History" print "Accessing Google Chrome browsing history." The first step is the initial setup, importing the variables we’ll be using and compiling the correct path. Setting things upĪs with the other MCAS Windows Forensic Gatherer modules, the code that fetches and parses the Google Chrome history will sit in its own function and will be called by the main script. The data returned by this module’s function will be extremely useful for an examiner, detailing exactly what a user did online and offering clues as to whether they uploaded company data, were planning a trip to a certain location, visited illegal material, or did anything else that might be relevant to the case. I don’t expect this one requires much introduction, but the Chrome history is a database that contains details of all the user’s non-Incognito browsing activity using Google’s web browser, including page titles, URLs, timestamps, and the way the user visited the page (e.g. ![]() ![]() What is the Chrome history and how does it help our investigation? Here’s how to extract the history of the most popular browser – Google Chrome – with a new Python module for our forensics tool. Web browsing data can tell an analyst a lot about what happened on a system before they got their hands on it. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |