Convert Chrome/WebKit timestamps to human-readable date
The WebKit Precision Time or High-Resolution Time timestamp format is used by Google Chrome (Chromium) in its base::Time class.
The values in the screenshot (e.g., 13257408048478972) are Chrome WebKit timestamps. This format represents the number of microseconds elapsed since January 1, 1601 (UTC).
To convert this to a human-readable UTC format, you can use the following methods:
Google Chrome stores forensic artifacts primarily within the user profile directory, often in a Default or Profile * folder. Key locations include History (SQLite), Cookies, Cache, Bookmarks, and Session data. On Windows, this is typically C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default.
Step 1: Locating the Source Files
The investigation starts by navigating to the user's browser profile directory. In Chromium-based browsers, this is usually found in the "Default" folder.
Step 2: Identifying the Artifact Tables
Once the investigator has the files, they need to know which database and table to query for specific evidence.
History Database: Uses tables like urls (for links) and visits (for timestamps).
Step 3: Extracting Raw Data
Using a database viewer (like DB Browser for SQLite), the investigator opens the History file and views the urls table.
The Problem: The last_visit_time column contains long, 17-digit numbers (e.g., 13257408048478972).
Step 4: Decoding the Timestamp
The investigator uses a conversion tool (like epochconverter.com) or a SQL formula to translate the raw number into a recognizable date.
Input: The raw 17-digit timestamp is entered into the converter.
Output: The tool reveals the precise UTC/GMT time. In your example:
Timestamp: 13257408048478972
Result: Wednesday, February 10, 2021 at 5:20:48 AM UTC.
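The Step 4 conversion can also be scripted. The following is an added example, not part of the original post: it decodes the timestamp in Python and with an SQLite formula, joining visits to urls over a constructed, reduced History database (the sample URLs, the second timestamp and the helper names are assumptions).

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA_S = 11_644_473_600  # seconds from 1601-01-01 to 1970-01-01 (Unix epoch)

def webkit_to_utc(ts):
    """Microseconds since 1601-01-01 UTC -> aware datetime; 0/None is treated as 'not set'."""
    if not ts:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))

# Same conversion done inside SQLite: microseconds -> seconds, then shift to the Unix epoch.
TIMELINE_SQL = f"""
SELECT urls.url, visits.visit_time,
       datetime(NULLIF(visits.visit_time, 0) / 1000000 - {EPOCH_DELTA_S}, 'unixepoch')
FROM visits JOIN urls ON urls.id = visits.url
ORDER BY visits.visit_time
"""

def build_sample_history():
    """Constructed, reduced stand-in for a History file (real tables have more columns)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER);
        INSERT INTO urls VALUES (1, 'https://example.com/', 13257408048478972);
        INSERT INTO urls VALUES (2, 'https://example.org/login', 13257408112000000);
        INSERT INTO visits VALUES (1, 1, 13257408048478972);
        INSERT INTO visits VALUES (2, 2, 13257408112000000);
    """)
    return con

def timeline(con):
    """Return (url, raw_value, utc_from_python, utc_from_sql) per visit, oldest first."""
    return [(url, raw, webkit_to_utc(raw), sql_utc)
            for url, raw, sql_utc in con.execute(TIMELINE_SQL)]

if __name__ == "__main__":
    # On a real case, open a working copy of the History file read-only instead, e.g.
    # sqlite3.connect("file:History_copy?mode=ro", uri=True)  (path is a placeholder)
    for url, raw, py_utc, sql_utc in timeline(build_sample_history()):
        print(raw, py_utc.isoformat(), sql_utc, url)
```

The SQL formula truncates to whole seconds, while the Python helper keeps the microsecond part of the value.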
1. Automating the Connection
Instead of manually opening the History SQLite file, this tool reads the file directly from the browser's profile path. It maps the columns from multiple internal tables into a single consolidated view.
2. Focus on the visits Table
While the urls table contains the website addresses, the visits table is the "engine" of the timeline. It contains the crucial forensic data shown in your screenshot:
visit_time: The tool automatically converts the 17-digit WebKit timestamp into the "Visited On" column (e.g., 2/10/2021 5:20:48 AM).
* If any of this information is incorrect, I apologize. Please notify the Admin so it can be corrected.
Thank you.
#WindowsForensic #ComputerForensics #dfir #forensics #digitalforensics #computerforensic #investigation #cybercrime #fraud










