chrome-visits
Parses the Chrome browser's History SQLite database file and retrieves website visit history. The command converts the visited page's URL, title, visit count, direct-entry count, and other data into structured fields.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | None |
| License usage | Counted |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
zippath=STR- Path to the ZIP file containing the History file. Use this option to query a History file inside a ZIP archive.
zipcharset=STR- Character set for ZIP file entries. Default:
utf-8
Target
FILE_PATH- Path to the Chrome browser's
HistorySQLite file. Use a wildcard (*) to specify multiple files. The History file is typically located atC:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\History.
Output fields
| Field | Type | Description |
|---|---|---|
_time | timestamp | Visit time |
title | string | Title of the visited web page |
visit_count | long | Total number of times the URL has been visited |
typed_count | long | Number of times the URL was visited by typing it directly in the address bar |
hidden | boolean | Whether the visit is hidden. true: indirect visit (for example via iframe), false: direct visit |
url | string | URL of the visited web page |
Error codes
Parse errors
N/A
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| - | cannot load chrome history database: path | Unable to read the History file at the specified path | Query aborted |
Description
The chrome-visits command reads the urls table and the visits table from the Chrome browser's History SQLite database file and retrieves website visit history.
The command first builds a mapping of URLs, titles, visit counts, direct-entry counts, and hidden status from the urls table, then joins each record in the visits table with the corresponding URL information. Each row in the visits table corresponds to one visit record.
The _time field is derived from the visit_time column in the visits table, which is converted from Chrome's internal WebKit timestamp (in microseconds) to a timestamp type.
The hidden field returns true when the hidden column in the urls table is 1, and false when it is 0. Indirect visits through iframes and similar mechanisms are classified as hidden visits.
To query a History file inside a ZIP archive, specify the ZIP file path in the zippath option and the path inside the ZIP as the target.
Examples
-
Querying Chrome visit history
chrome-visits /opt/logpresso/evidence/HistoryRetrieves all visit history records from the
Historyfile at the specified path. -
Querying a History file inside a ZIP archive
chrome-visits zippath=/opt/logpresso/evidence/artifacts.zip HistoryRetrieves visit history from the
Historyfile inside a ZIP archive. -
Filtering visits made by directly typing the URL
chrome-visits /opt/logpresso/evidence/History | search typed_count > 0Filters only records where the URL was typed directly in the address bar.
-
Retrieving the top URLs by visit count
chrome-visits /opt/logpresso/evidence/History | stats max(visit_count) as visit_count by url | sort -visit_count | limit 20Retrieves the top 20 most-visited URLs.