Timestamps in Chrome Web Data history not converted correctly
  • Timestamps in Chrome Web Data history not converted correctly

    It seems that Chrome histories for different activities record timestamps in different formats.
    By simple SQLite browsing I noticed different lengths of timestamps.
    While Browsing history displays correct times and dates, Form history always displays 1/1/1970 1:21 AM.
    After searching, I found out that timestamps in Chrome Form history are in UNIX epoch format, and with some online converters I got the correct time and date.

  • #2
    I assume this was with the latest version of Chrome on Windows?

    After the Christmas break we'll take a look and fix it up if need be.

    If you notice anything else that appears strange, just let me know.


    • #3
      No, but you should not support only the latest version, and differences between versions are normal. Maybe the user disabled updates or the last use of the machine was 1 year ago.
      I checked the latest version and there are still different timestamp formats.

      And of course, Merry Christmas. I forgot, I am orthodox.


      • #4
        Our aim is to support all versions, or at least everything from the last few years.

        I was only asking about the version you are using in order to allow us to reproduce the problem here as quickly as possible. (Just in case the behavior varies between versions).


        • #5
          No matter the version, same issue.

          Results:
          - ver. 4.1.249.1064 (in year 2010): Date and time for all listed items are 1/1/1970, 1:21 AM
          - ver. 23.0.1271.97 m (latest) : Date and time for all listed items are 1/1/1970, 1:22 AM

          and OSF ver. 1.2 build 1003 (x64)


          • #6
            These are my latest findings that might help.

            No matter which version of Chrome it is:
            - in the History DB, timestamps are in NT format, 18 digits. OSF represents them correctly.
            - in the Web Data DB, timestamps are in UNIX time format, 10 digits. OSF represents them incorrectly.

            This is how UNIX time should be converted to NT time:
            ntTime = (unixTime + 11644473600) * 10000000

            I tested this and it works, i.e. it gives the correct date and time for timestamps in the Web Data DB.

            In my opinion OSF either treats UNIX time as NT time, or applies an incorrect algorithm for conversion of UNIX time to real time, or applies an incorrect algorithm for conversion from UNIX to NT time.
            Or, because in the Web Data DB timestamps are stored in a different table (values are in the Autofill table and dates are in the Autofill_dates table), maybe there is no established relation by IDs between the tables.

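The conversion from post #6, written out as an added example (not part of the thread and not OSForensics code): it decodes a raw value by the digit widths reported above, 10 digits for UNIX seconds and 18 for NT time. It also shows one possible mis-decoding, UNIX seconds read as microseconds since 1970, which lands about 21 to 22 minutes after the epoch and so is consistent with the 1:21 AM and 1:22 AM values in post #5. The function names, the sample values and that mis-decoding hypothesis are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_DELTA_S = 11644473600  # seconds between 1601-01-01 and 1970-01-01 (from the post)
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def unix_to_nt(unix_time):
    """Formula from post #6: UNIX seconds -> NT time (100 ns ticks since 1601)."""
    return (unix_time + EPOCH_DELTA_S) * 10_000_000

def nt_to_datetime(nt_time):
    """NT time (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return NT_EPOCH + timedelta(microseconds=nt_time // 10)

def decode(raw):
    """Choose the unit from the digit count reported in the thread.
    Any other width is rejected instead of being silently guessed."""
    digits = len(str(raw))
    if digits == 10:
        return "unix", nt_to_datetime(unix_to_nt(raw))
    if digits == 18:
        return "nt", nt_to_datetime(raw)
    raise ValueError(f"unrecognised timestamp width: {digits} digits")

def misread_seconds_as_microseconds(raw):
    """Hypothetical faulty decoder: treats UNIX seconds as microseconds since 1970."""
    return UNIX_EPOCH + timedelta(microseconds=raw)

# Constructed sample values, not taken from the databases in the thread.
SAMPLE_UNIX = 1356048000             # 2012-12-21 00:00:00 UTC
SAMPLE_NT = unix_to_nt(SAMPLE_UNIX)  # the same instant as an 18-digit NT value

if __name__ == "__main__":
    for raw in (SAMPLE_UNIX, SAMPLE_NT):
        kind, when = decode(raw)
        print(f"{raw:>18} {kind:<4} {when.isoformat()}")
    print("misread:", misread_seconds_as_microseconds(SAMPLE_UNIX).isoformat())
```

Both decoded values are in UTC; a viewer that shows local time will shift the hour by the examiner's time zone offset.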


            • #7
              I would say you are probably correct, and it is a bug.
              The best person to look at it is on annual leave until next week for Christmas. So it will have to wait for a few days before it can be fixed.


              • #8
                We've fixed the issue with the Chrome timestamps not being converted correctly and this fix will be available in the V2 build of OSForensics.
