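def ReadHistoryDb(chrome_artifacts, db, file_size, user, source):
    '''Reads visits and downloads from a Chrome 'History' sqlite database.

    One ChromeItem is appended to chrome_artifacts per row of the
    urls/visits join (type HISTORY) and per download (type DOWNLOAD).

    Args:
        chrome_artifacts: list that receives the ChromeItem objects.
        db: open sqlite3 connection to the database; its row_factory is
            set to sqlite3.Row by this function.
        file_size: not used by this function.
        user: stored on every item.
        source: stored on every item.

    Raises:
        sqlite3.Error: not caught here, it propagates to the caller.

    The database is an artifact taken from the examined system, so its
    content is untrusted: NULL or empty columns must not abort the read.
    '''
    db.row_factory = sqlite3.Row

    # urls LEFT JOIN visits: a url with no visit row still yields one row,
    # with every v.* column NULL.
    query = """SELECT urls.url, urls.title, urls.visit_count, urls.hidden,
                      v.visit_time, v.visit_duration, v.from_visit,
                      (SELECT urls.url FROM urls LEFT JOIN visits ON urls.id = visits.url
                       where visits.id=v.from_visit) as referrer
               FROM urls
               LEFT JOIN visits v ON urls.id = v.url
               ORDER BY v.visit_time"""
    for row in db.execute(query):
        visit_duration = row['visit_duration']
        visit_time = row['visit_time']
        # The `visit_duration and` short-circuit keeps a NULL visit_time
        # (which only occurs together with a NULL duration on an unmatched
        # join row) away from the `> 0` comparison.
        if visit_duration and (visit_time > 0):
            end_time = CommonFunctions.ReadChromeTime(visit_time + visit_duration)
        else:
            end_time = None
        # NOTE(review): visit_time can be NULL here; the download loop below
        # treats '' as ReadChromeTime's "no time" result, this loop passes
        # the result through unchanged - confirm that is intended.
        item = ChromeItem(
            ChromeItemType.HISTORY, row['url'], row['title'],
            CommonFunctions.ReadChromeTime(visit_time), end_time, None,
            row['referrer'],
            f"VisitCount={row['visit_count']}, Hidden={row['hidden']}",
            user, source)
        chrome_artifacts.append(item)

    # downloaded files
    # The WHERE on c.chain_index discards rows where the join found no
    # url-chain entry, so a download without a chain row is not reported.
    query = """SELECT current_path, target_path, start_time, end_time,
                      received_bytes, total_bytes, c.url, referrer
               FROM downloads
               LEFT JOIN downloads_url_chains c ON c.id = downloads.id
               where c.chain_index = 0
               ORDER BY start_time"""
    for row in db.execute(query):
        # ReadChromeTime's '' result is normalized to None
        start_time = CommonFunctions.ReadChromeTime(row['start_time']) or None \
            if False else CommonFunctions.ReadChromeTime(row['start_time'])
        if start_time == '':
            start_time = None
        end_time = CommonFunctions.ReadChromeTime(row['end_time'])
        if end_time == '':
            end_time = None

        # Prefer target_path, fall back to current_path. Both can be NULL or
        # empty; os.path.basename(None) raises TypeError, which would stop
        # the loop and drop every remaining download record.
        path = row['target_path'] or row['current_path']
        downloaded_file_name = os.path.basename(path) if path else ''

        item = ChromeItem(
            ChromeItemType.DOWNLOAD, row['url'], downloaded_file_name,
            start_time, end_time, row['referrer'], path,
            f"Received Bytes = {row['received_bytes']}/{row['total_bytes']}",
            user, source)
        chrome_artifacts.append(item)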
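def ReadTabsFile(chrome_artifacts, f, file_size, user, source):
    '''Reads 'Current/Last Tabs/Sessions' binary format

    The file starts with the 4-byte signature b'SNSS' and a 4-byte version,
    followed from offset 8 by records of the form
        <uint16 LE size> <uint8 command> <size - 1 bytes of payload>
    Records with command 1 or 6 and size > 25 are parsed as a
    NavigationEntry and added to chrome_artifacts through InsertUnique.

    Args:
        chrome_artifacts: list that receives the ChromeItem objects.
        f: binary file object positioned at the start of the file.
        file_size: upper bound for the record offsets that are read.
        user: stored on every item.
        source: path of the file; its name selects the item type.

    The file is an artifact from the examined system, so every length in
    it is untrusted. A truncated record ends the parse with a warning
    instead of raising struct.error.
    '''
    if source.endswith('Last Tabs'):
        source_type = ChromeItemType.LASTTAB
    elif source.endswith('Current Tabs'):
        source_type = ChromeItemType.CURRENTTAB
    elif source.endswith('Last Session'):
        source_type = ChromeItemType.LASTSESSION
    elif source.endswith('Current Session'):
        source_type = ChromeItemType.CURRENTSESSION
    else:
        # Without this branch source_type stayed unbound and the first
        # navigation record raised UnboundLocalError.
        log.error(f'Unrecognized tabs/session file name, not parsed: {source}')
        return

    sig = f.read(4)
    ver = f.read(4)
    if sig != b'SNSS':
        log.error(
            f"ERR, wrong sig for {source}, expected SNSS, got {sig.hex()}")
        return
    if ver != b'\x01\0\0\0':
        log.warning(f'Not version 1, parser may fail! Version={ver.hex()}')

    pos = 0x8
    while pos < file_size:
        f.seek(pos)
        header = f.read(3)
        if len(header) < 3:
            # fewer than 3 bytes left: struct.unpack would raise struct.error
            log.warning(f'Truncated record header at offset {pos} in {source}')
            break
        size, command = struct.unpack('<HB', header)
        if size > 25:
            if command in (1, 6):
                # size counts the command byte, so the payload is size - 1
                data = f.read(size - 1)
                if len(data) < size - 1:
                    log.warning(
                        f'Truncated record at offset {pos} in {source}, '
                        f'expected {size - 1} bytes, got {len(data)}')
                    break
                # The first 4 payload bytes are skipped before parsing.
                # NOTE(review): NavigationEntry.parse may still raise on
                # malformed record content; its exception types are not
                # visible here, so they are not caught.
                nav = NavigationEntry.parse(data[4:])
                url = nav.virtual_url_spec.data.decode('utf8', 'ignore')
                title = nav.title.data.decode('utf16', 'ignore')
                referrer = nav.referrer.data.decode('utf8', 'ignore')
                ts = CommonFunctions.ReadChromeTime(
                    nav.timestamp_internal_value)
                # NOTE(review): 'specc' must match the field name in the
                # NavigationEntry definition - confirm it is not a typo there.
                url2 = nav.original_request_url_specc.data.decode(
                    'utf8', 'ignore')
                if url2:
                    url2 = 'requested_orig_url=' + url2
                if url or title:
                    InsertUnique(
                        chrome_artifacts,
                        ChromeItem(source_type, url, title, ts, None, None,
                                   referrer, url2, user, source))
            elif command != 19:
                log.debug(f'size ({size}) > 25, command = {command}')
        # 2 bytes for the size field itself plus the size it declares
        pos += size + 2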
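def ReadTopSitesDb(chrome_artifacts, db, file_size, user, source):
    '''Reads the top sites list from a Chrome 'Top Sites' sqlite database.

    Two schemas are handled: a top_sites table (url, url_rank, title) and
    the older thumbnails table, which also carries last_updated. One
    ChromeItem of type TOPSITE is appended to chrome_artifacts per row,
    ordered by url_rank.

    Args:
        chrome_artifacts: list that receives the ChromeItem objects.
        db: open sqlite3 connection; its row_factory is set to sqlite3.Row.
        file_size: not used by this function.
        user: stored on every item.
        source: stored on every item.

    sqlite3.Error is caught and logged, it does not reach the caller.
    '''
    try:
        db.row_factory = sqlite3.Row
        # NOTE(review): assumes GetTableNames returns the names exactly as
        # stored in the database - confirm.
        tables = CommonFunctions.GetTableNames(db)
        # The check used to test for 'topsites' while the query reads
        # top_sites, so this branch could not match the table it queries.
        if 'top_sites' in tables:  # meta.version == 4
            query = "SELECT url, url_rank, title from top_sites ORDER BY url_rank ASC"
            for row in db.execute(query):
                item = ChromeItem(ChromeItemType.TOPSITE, row['url'],
                                  row['title'], None, None, None, None,
                                  f"URL_RANK={row['url_rank']}", user, source)
                chrome_artifacts.append(item)
        elif 'thumbnails' in tables:  # meta.version == 3
            query = "SELECT url, url_rank, title, last_updated from thumbnails ORDER BY url_rank ASC"
            for row in db.execute(query):
                item = ChromeItem(ChromeItemType.TOPSITE, row['url'],
                                  row['title'],
                                  CommonFunctions.ReadChromeTime(row['last_updated']),
                                  None, None, None,
                                  f"URL_RANK={row['url_rank']}", user, source)
                chrome_artifacts.append(item)
        else:
            # An unknown schema yields no items; say so rather than
            # returning silently with nothing read.
            log.warning(f'No top_sites or thumbnails table found in {source}')
    except sqlite3.Error:
        log.exception('DB read error from ReadTopSitesDb()')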