chrome-search-terms
Parses the Chrome browser's History SQLite database file and retrieves the search term history. The command converts the search keywords, URL and title of the search results page, last visit time, and other data into structured fields.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR - Path to the ZIP file containing the History file. Use this option to query a History file inside a ZIP archive.
zipcharset=STR - Character set for ZIP file entries. Default: utf-8
Target
FILE_PATH - Path to the Chrome browser's History SQLite file. Use a wildcard (*) to specify multiple files. The History file is typically located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History.
Output fields
| Field | Type | Description |
|---|---|---|
| _time | timestamp | Last visit time of the search results page |
| keywords | string | Keywords used in the search |
| title | string | Title of the search results page |
| url | string | URL of the search results page |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot load chrome history database: path | Unable to read the History file at the specified path | Query aborted |
Description
The chrome-search-terms command reads the keyword_search_terms table and the urls table from the Chrome browser's History SQLite database file and retrieves the search term history.
The command first builds a mapping of URLs, titles, and last visit times from the urls table, then joins each record in the keyword_search_terms table with the corresponding URL information.
The _time field is derived from the last_visit_time column in the urls table, which is converted from Chrome's internal WebKit timestamp (in microseconds) to a timestamp type.
The term column value from the keyword_search_terms table is assigned to the keywords field.
To query a History file inside a ZIP archive, specify the ZIP file path in the zippath option and the path inside the ZIP as the target.
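To cross-check the command's output against the raw artifact, the join and timestamp conversion described above can be reproduced with Python's sqlite3 module. This is an added example, not Logpresso's implementation; the join columns (urls.id, keyword_search_terms.url_id) follow Chrome's History schema, the WebKit epoch is 1601-01-01 UTC, the LEFT JOIN for orphaned terms is this example's choice, and the sample rows and helper names are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def webkit_to_datetime(us):
    """Microseconds since 1601-01-01 UTC -> aware datetime; 0 or NULL -> None."""
    if not us:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def open_evidence(path):
    """Open a History file read-only so the evidence copy is never modified."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def search_terms(conn):
    """Join keyword_search_terms to urls; terms whose URL row is gone are kept."""
    rows = conn.execute(
        "SELECT k.term, u.title, u.url, u.last_visit_time "
        "FROM keyword_search_terms k LEFT JOIN urls u ON u.id = k.url_id "
        "ORDER BY k.term"
    )
    return [
        {"_time": webkit_to_datetime(ts), "keywords": term, "title": title, "url": url}
        for term, title, url, ts in rows
    ]

def build_sample():
    """Constructed in-memory database holding only the columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           last_visit_time INTEGER);
        CREATE TABLE keyword_search_terms (keyword_id INTEGER, url_id INTEGER,
                                           term TEXT);
        INSERT INTO urls VALUES
          (1, 'https://search.example/?q=logpresso', 'logpresso - Search',
           13350000000000000),
          (2, 'https://search.example/?q=sqlite', 'sqlite - Search', 0);
        INSERT INTO keyword_search_terms VALUES
          (2, 1, 'logpresso'), (2, 2, 'sqlite'), (2, 99, 'orphan');
    """)
    return conn

if __name__ == "__main__":
    for record in search_terms(build_sample()):
        print(record)
```

For a real file, pass `open_evidence(path)` to `search_terms` on a working copy of the History file, since Chrome locks the live database while the browser is running.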
Examples
- Querying Chrome search term history
  chrome-search-terms /opt/logpresso/evidence/History
  Retrieves all search term history records from the History file at the specified path.
- Querying a History file inside a ZIP archive
  chrome-search-terms zippath=/opt/logpresso/evidence/artifacts.zip History
  Retrieves search term history from the History file inside a ZIP archive.
- Searching for a specific keyword
  chrome-search-terms /opt/logpresso/evidence/History | search keywords == "*logpresso*"
  Filters search term history that contains a specific keyword.