Convert Chrome/WebKit timestamps to human-readable date
The WebKit Precision Time or High-Resolution Time timestamp format is used by Google Chrome (Chromium) in its base::Time class.
The values in the screenshot (e.g., 13257408048478972) are Chrome/WebKit timestamps. This format represents the number of microseconds elapsed since January 1, 1601 (UTC).
To convert this to a human-readable UTC format, you can use the following methods:
Google Chrome stores forensic artifacts primarily within the user profile directory, often in a Default or Profile * folder. Key locations include History (SQLite), Cookies, Cache, Bookmarks, and Session data. On Windows, this is typically C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default
Step 1: Locating the Source Files
The investigation starts by navigating to the user's browser profile directory. In Chromium-based browsers, this is usually found in the "Default" folder.
Step 2: Identifying the Artifact Tables
Once the investigator has the files, they need to know which database and table to query for specific evidence.
History Database: Uses tables like urls (for links) and visits (for timestamps).
Step 3: Extracting Raw Data
Using a database viewer (like DB Browser for SQLite), the investigator opens the History file and views the urls table.
The Problem: The last_visit_time column contains long, 17-digit numbers (e.g., 13257408048478972).
Step 4: Decoding the Timestamp
The investigator uses a conversion tool (like epochconverter.com) or a SQL formula to translate the raw number into a recognizable date.
Input: The raw 17-digit timestamp is entered into the converter.
Output: The tool reveals the precise UTC/GMT time. In your example:
Timestamp: 13257408048478972
Result: Wednesday, February 10, 2021 at 5:20:48 AM UTC.
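The SQL formula mentioned in Step 4, shown as an added example that is not part of the original post: it runs the conversion inside SQLite and cross-checks it in Python. The in-memory `urls` table is a constructed, reduced stand-in for the real History schema, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_utc(value):
    """Microseconds since 1601-01-01 UTC -> aware datetime (None if unset)."""
    if not value:  # 0 or NULL would otherwise decode to a misleading 1601 date
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=value)

# 11644473600 = seconds between 1601-01-01 and 1970-01-01 (Unix epoch).
# CASE leaves unset timestamps as NULL instead of reporting 1601-01-01.
SQL = """
SELECT url,
       last_visit_time,
       CASE WHEN last_visit_time > 0
            THEN datetime(last_visit_time / 1000000 - 11644473600, 'unixepoch')
       END AS last_visit_utc
FROM urls
ORDER BY last_visit_time DESC
"""

def build_sample_history():
    """Constructed sample data; in casework, open a copy of the History file."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, "
        "visit_count INTEGER, last_visit_time INTEGER)"
    )
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        [
            ("https://example.com/", "Example", 3, 13257408048478972),
            ("https://example.org/unset", "No visit time", 0, 0),
        ],
    )
    return conn

def decode_history(conn):
    """Return (url, raw value, SQL-decoded UTC string, Python-decoded datetime)."""
    return [(url, raw, sql_utc, webkit_to_utc(raw)) for url, raw, sql_utc in conn.execute(SQL)]

if __name__ == "__main__":
    for url, raw, sql_utc, py_utc in decode_history(build_sample_history()):
        print(url, raw, sql_utc, py_utc.isoformat() if py_utc else None)
```

The SQL path truncates to whole seconds, while the Python path keeps the microsecond part of the raw value.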
* If there are any errors in this information, I apologize; please notify the Admin so it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud







