chrome-downloads
Parses the Chrome browser's History SQLite database file and retrieves the file download history. The command converts the downloaded file path, size, MIME type, download URL, referrer URL, and other data into structured fields.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR - Path to the ZIP file containing the History file. Use this option to query a History file inside a ZIP archive.
zipcharset=STR - Character set for ZIP file entries. Default: utf-8
Target
FILE_PATH - Path to the Chrome browser's History SQLite file. Use a wildcard (*) to specify multiple files. The History file is typically located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Download start time. Same value as the start_time field |
| start_time | timestamp | Download start time |
| end_time | timestamp | Download completion time |
| mime_type | string | MIME type of the downloaded file (for example: application/pdf, image/png) |
| file_open | boolean | Whether the file was opened after download. true: opened, false: not opened |
| file_path | string | Path where the file was saved |
| file_size | long | Received file size in bytes |
| url | string | URL from which the file was downloaded |
| referer | string | Referrer URL of the download request. Returns null if the value is an empty string |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot load chrome history database: path | Unable to read the History file at the specified path | Query aborted |
Description
The chrome-downloads command reads the downloads table and the downloads_url_chains table from the Chrome browser's History SQLite database file and retrieves the file download history.
The command first builds a mapping of download IDs to URLs from the downloads_url_chains table, then joins each record in the downloads table with the corresponding URL.
Date fields (start_time, end_time) are converted from Chrome's internal WebKit timestamp (in microseconds) to a timestamp type.
The referer field is assigned a value only when a referrer URL exists in the download request and is not an empty string.
To query a History file inside a ZIP archive, specify the ZIP file path in the zippath option and the path inside the ZIP as the target.
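The steps described above (URL mapping, join, WebKit timestamp conversion, empty-referrer handling), reproduced in Python against a constructed in-memory database; this is an added example, not Logpresso's implementation. Assumptions: the output fields are read from Chrome's target_path, received_bytes, opened, referrer and mime_type columns, the last URL of each redirect chain is the one kept, and a stored time of 0 means unset.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(value):
    """WebKit time is microseconds since 1601-01-01 UTC; 0 is treated as unset."""
    return WEBKIT_EPOCH + timedelta(microseconds=value) if value else None

def read_downloads(conn):
    # Step 1: map download ID -> URL. Assumption: ordering by chain_index lets
    # the last redirect hop overwrite earlier hops for the same ID.
    urls = dict(conn.execute(
        "SELECT id, url FROM downloads_url_chains ORDER BY id, chain_index"))
    # Step 2: join each downloads row with its URL and convert the fields.
    rows = []
    for dl_id, path, start, end, size, opened, referrer, mime in conn.execute(
            "SELECT id, target_path, start_time, end_time, received_bytes, "
            "opened, referrer, mime_type FROM downloads ORDER BY start_time"):
        started = webkit_to_datetime(start)
        rows.append({
            "_time": started, "start_time": started,
            "end_time": webkit_to_datetime(end),
            "mime_type": mime, "file_open": bool(opened),
            "file_path": path, "file_size": size, "url": urls.get(dl_id),
            "referer": referrer or None,  # empty string becomes null
        })
    return rows

def build_sample_db():
    """Constructed sample data holding only the columns read above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(r"""
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
            start_time INTEGER, end_time INTEGER, received_bytes INTEGER,
            opened INTEGER, referrer TEXT, mime_type TEXT);
        CREATE TABLE downloads_url_chains (id INTEGER, chain_index INTEGER, url TEXT);
        INSERT INTO downloads VALUES
          (1, 'C:\Users\alice\Downloads\report.pdf', 13350000000000000,
           13350000002500000, 48213, 1, 'https://portal.example/docs', 'application/pdf'),
          (2, 'C:\Users\alice\Downloads\setup.exe', 13350000600000000,
           0, 1024, 0, '', 'application/octet-stream');
        INSERT INTO downloads_url_chains VALUES
          (1, 0, 'https://portal.example/get?id=7'),
          (1, 1, 'https://cdn.example/files/report.pdf'),
          (2, 0, 'https://downloads.example/setup.exe');
    """)
    return conn

if __name__ == "__main__":
    print(*read_downloads(build_sample_db()), sep="\n")
```

To cross-check the command's output, pass a `sqlite3.connect()` connection to a working copy of the History file to `read_downloads` in place of the sample database.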
Examples
- Querying Chrome download history

      chrome-downloads /opt/logpresso/evidence/History

  Retrieves all download history records from the History file at the specified path.

- Querying a History file inside a ZIP archive

      chrome-downloads zippath=/opt/logpresso/evidence/artifacts.zip History

  Retrieves download history from the History file inside a ZIP archive.

- Filtering downloads by MIME type

      chrome-downloads /opt/logpresso/evidence/History | search mime_type == "application/pdf"

  Filters only PDF file download records.