Updates to log2timeline
I’ve been working on a new version of log2timeline, which according to the roadmap is a “web history add-on”. I started by creating an input module to parse the simple format of the Opera browser. Opera maintains two main history files, the “Opera Global History” and the “Opera Direct History”, which are both plain text (although in different formats). Besides these two files there is some timestamp information that can be gathered from the binary file download.dat as well as a few other binary files (I’ve already started to create an input module to parse the binary format).
The main history file of Opera is called the “Opera Global History”. It is a plain text file where each visit is logged as four lines, with the following structure:
- Title of the web site (as displayed in the title bar)
- The URL of the visited site
- Time of visit (in Epoch time format)
- An integer, representing the popularity of the web site
The other history file is called “Opera Direct History”, which is an XML file that stores typed history (URLs that are typed into the browser). The structure of the file is the following:
<?xml version="1.0" encoding="ENCODING"?>
<typed_history>
<typed_history_item content="URL TYPED IN" type="text"
last_typed="DATE"/>
</typed_history>
The input module called opera is able to determine which history file is provided as an input to log2timeline and parse the file accordingly.
An example usage is the following:
log2timeline -z local -f opera Opera\ Global\ History
Local timezone is: Atlantic/Reykjavik (GMT)
Start processing file/dir [Opera Global History] ...
Loading output file: mactime
Starting to parse file using format: [opera]
0|[Opera] User unkown visited http://www.opera.com/portal/startup/ (http:// \
www.opera.com/portal/startup/) [2419292]|0|0|0|0|0|1262716353|1262716353| \
1262716353|1262716353
0|[Opera] User unkown visited http://mbl.is/mm/frettir/ (mbl.is - Fréttir) \
[-1]|0|0|0|0|0|1262716353|1262716353|1262716353|1262716353
0|[Opera] User unkown visited http://mbl.is/mm/vidskipti/frettir/2010/01/05/ \
fitch_laekkar_lanshaefismat/ (Fitch lækkar lánshæfismat - mbl.is) [-1]|0|0|0 \
|0|0|1262716386|1262716386|1262716386|1262716386
And for the direct history file
log2timeline -z local -f opera Opera\ Direct\ History
Local timezone is: Atlantic/Reykjavik (GMT)
Start processing file/dir [Opera Direct History] ...
Loading output file: mactime
Starting to parse file using format: [opera]
0|[Opera] User unkown typed the URL mbl.is directly into the browser \
(type "text")|0|0|0|0|0|1262716352|1262716352|1262716352|1262716352
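The two Opera formats described above, handled the way the opera input module does it: detect which of the two files was supplied, then emit one mactime body line per entry. This is an added Python example, not log2timeline's own Perl code; the sample files are constructed, and the `last_typed` date layout and reading it as UTC are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in the four-line "Opera Global History" layout:
# title, URL, visit time (Unix epoch), popularity integer.
GLOBAL_HISTORY = """Opera Portal
http://www.opera.com/portal/startup/
1262716353
2419292
mbl.is - Fréttir
http://mbl.is/mm/frettir/
1262716353
-1
"""

# Constructed sample of the XML "Opera Direct History" file. The real file stores
# last_typed as a date string; the "%Y-%m-%d %H:%M:%S" layout and UTC reading are assumptions.
DIRECT_HISTORY = """<?xml version="1.0" encoding="utf-8"?>
<typed_history>
<typed_history_item content="mbl.is" type="text" last_typed="2010-01-05 18:32:32"/>
</typed_history>
"""

def parse_global_history(text):
    """Yield (title, url, epoch, popularity) for each complete four-line record."""
    lines = text.splitlines()
    for i in range(0, len(lines) - len(lines) % 4, 4):   # ignore a trailing partial record
        title, url, ts, popularity = lines[i:i + 4]
        yield title, url, int(ts), int(popularity)

def parse_direct_history(text):
    """Yield (content, type, epoch) for each typed_history_item element."""
    for item in ET.fromstring(text).iter("typed_history_item"):
        when = datetime.strptime(item.get("last_typed"), "%Y-%m-%d %H:%M:%S")
        yield item.get("content"), item.get("type"), int(when.replace(tzinfo=timezone.utc).timestamp())

def bodyfile_line(description, epoch):
    """mactime body format: MD5|name|inode|mode|uid|gid|size|atime|mtime|ctime|crtime."""
    return "0|%s|0|0|0|0|0|%d|%d|%d|%d" % (description, epoch, epoch, epoch, epoch)

def opera_to_bodyfile(text):
    """Detect which of the two history files this is and emit one mactime line per entry."""
    if "<typed_history" in text:
        return [bodyfile_line('[Opera] User typed the URL %s directly into the browser (type "%s")' % (c, t), e)
                for c, t, e in parse_direct_history(text)]
    return [bodyfile_line("[Opera] User visited %s (%s) [%d]" % (url, title, pop), e)
            for title, url, e, pop in parse_global_history(text)]
```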
I’ve also added support for Google Chrome. In short, Google Chrome stores its data in a SQLite database, not unlike Firefox (as of version 3), so creating an input module for that browser was quite quick. The first version of the input module parses three tables:
- urls – Contains information about each visited URL
- visits – Contains the timestamp information from each URL
- downloads – Contains information about the downloads
Going through Google Chrome’s setup is something I will reserve for a future blog post, so only an example of the usage is given here. This first version of the input module gathers basic information from the history file and displays it in a timeline; future versions will include more detail (I need to do more research to determine some parts of the history format).
log2timeline -f chrome -z local History
Local timezone is: Atlantic/Reykjavik (GMT)
Start processing file/dir [History] ...
Loading output file: mactime
Starting to parse file using format: [chrome]
0|[Chrome] URL visited: http://tools.google.com/chrome/intl/en/welcome.html \
(Get started with Google Chrome) [count: 1] Host: tools.google.com (URL not \
typed directly)|0|0|0|0|0|1261044829|1261044829|1261044829|1261044829
0|[Chrome] URL visited: http://www.google.com/ (Google) [count: 1] Host: www.\
google.com (URL not typed directly)|0|0|0|0|0|1261044829|1261044829|1261044829|\
1261044829
0|[Chrome] URL visited: http://www.google.is/ (Google) [count: 1] Host: www.\
google.is visited from: http://www.google.com/ (URL not typed directly)|0|0|0\
|0|0|1261044829|1261044829|1261044829|1261044829
0|[Chrome] URL visited: http://www.google.is/search?hl=is&source=hp&q=try+a+\
single+google+searcg&btnG=Google+leit&lr= (try a single google searcg - Google\
leit) [count: 1] Host: www.google.is visited from: http://www.google.is/ (URL \
not typed directly)|0|0|0|0|0|1261044876|1261044876|1261044876|1261044876
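An added example (not log2timeline's own code) of reading the urls and visits tables from a constructed in-memory copy of Chrome's History database: it converts Chrome's microseconds-since-1601 timestamps to Unix epoch and follows from_visit to fill in the "visited from" field seen in the output above. The columns are a subset of the real schema, the rows are constructed, and the typed/not-typed decision uses the core transition type.

```python
import sqlite3
from urllib.parse import urlparse

# Chrome stores times as microseconds since 1601-01-01 UTC (the WebKit/Windows FILETIME epoch);
# 11644473600 seconds separate that epoch from the Unix epoch.
WEBKIT_EPOCH_OFFSET = 11644473600
TRANSITION_TYPED = 1  # core transition type (low byte) for a URL typed into the address bar

def webkit_to_epoch(value):
    return value // 1_000_000 - WEBKIT_EPOCH_OFFSET

def build_sample_history():
    """Constructed in-memory History database using a subset of the real urls/visits columns."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                          visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                            from_visit INTEGER, transition INTEGER);
        INSERT INTO urls VALUES(1, 'http://www.google.com/', 'Google', 1, 0, 12905518429000000);
        INSERT INTO urls VALUES(2, 'http://www.google.is/', 'Google', 1, 0, 12905518429000000);
        INSERT INTO visits VALUES(1, 1, 12905518429000000, 0, 0);
        INSERT INTO visits VALUES(2, 2, 12905518429000000, 1, 0);
    """)
    return db

def chrome_to_bodyfile(db):
    """Join each visit to its URL row and to the referring visit; emit one mactime line per visit."""
    rows = db.execute("""
        SELECT u.url, u.title, u.visit_count, v.visit_time, v.transition, ref.url
        FROM visits v JOIN urls u ON v.url = u.id
        LEFT JOIN visits rv ON v.from_visit = rv.id
        LEFT JOIN urls ref ON rv.url = ref.id
        ORDER BY v.id""")
    out = []
    for url, title, count, ts, transition, referrer in rows:
        epoch = webkit_to_epoch(ts)
        desc = "[Chrome] URL visited: %s (%s) [count: %d] Host: %s" % (
            url, title, count, urlparse(url).hostname)
        if referrer:   # from_visit = 0 means no referring visit, so the LEFT JOIN yields NULL
            desc += " visited from: %s" % referrer
        typed = (transition & 0xFF) == TRANSITION_TYPED
        desc += " (URL typed directly)" if typed else " (URL not typed directly)"
        out.append("0|%s|0|0|0|0|0|%d|%d|%d|%d" % (desc, epoch, epoch, epoch, epoch))
    return out
```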
Then today I saw a post by H. Carvey about browser forensics where he talked about the bookmark file contained in Firefox’s profile folder. He discussed the bookmark file and the fact that there are fields within it with timestamps, most notably the ADD_DATE and LAST_MODIFIED entries for folders, and ADD_DATE and LAST_VISIT entries for the URLs. So I decided to create a new input module to parse the file, ff_bookmark, which uses HTML::Parser to parse the HTML document and extract the timestamps that are contained within it. Sample usage is
log2timeline -f ff_bookmark -z local bookmarks.html
Local timezone is: Atlantic/Reykjavik (GMT)
Start processing file/dir [bookmarks.html] ...
Loading output file: mactime
Starting to parse file using format: [ff_bookmark]
0|[Firefox Bookmarks] User modified the bookmark file|0|0|0|0|0|1198266703|\
1198266703|1198266703|1198266703
0|[Firefox Bookmarks] User modified the bookmark folder [Bookmarks Toolbar \
Folder]|0|0|0|0|0|1194274986|1194274986|1194274986|1194274986
0|[Firefox Bookmarks] User created the bookmark Orðabanki [http://herdubreid\
.rhi.hi.is:1026/wordbank/search]|0|0|0|0|0|1189521200|1189521200|1189521200|\
1189521200
0|[Firefox Bookmarks] User visited the the bookmark [Orðabanki]|0|0|0|0|0|\
1195489127|1195489127|1195489127|1195489127
0|[Firefox Bookmarks] User created the bookmark SANS Institute - \\
International Training Events [http://feeds.feedburner.com/SansInstituteInter\
nationalEvents]|0|0|0|0|0|1193489569|1193489569|1193489569|1193489569
0|[Firefox Bookmarks] User created the bookmark folder [Öryggisvitund]|0|0|0|\
0|0|1191448948|1191448948|1191448948|1191448948
0|[Firefox Bookmarks] User modified the bookmark folder [Öryggisvitund]|0|0\
|0|0|0|1193819896|1193819896|1193819896|1193819896
0|[Firefox Bookmarks] User created the bookmark ISC: Tip #1 [http://isc.sans.\
org/diary.html?storyid=3438]|0|0|0|0|0|1191448977|1191448977|1191448977|1191448977
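An added Python equivalent of the ff_bookmark approach (not the module's own HTML::Parser code): the standard html.parser walks a constructed bookmarks.html and turns the ADD_DATE, LAST_MODIFIED and LAST_VISIT attributes into mactime lines. The sample file is constructed, and the LAST_MODIFIED attribute on the H1 header (the "modified the bookmark file" event) is an assumption.

```python
from html.parser import HTMLParser

# Constructed sample in the Netscape bookmark file layout Firefox writes; timestamps are epoch seconds.
# The LAST_MODIFIED attribute on <H1> is an assumption about the file header.
BOOKMARKS_HTML = """<!DOCTYPE NETSCAPE-Bookmark-file-1>
<TITLE>Bookmarks</TITLE>
<H1 LAST_MODIFIED="1198266703">Bookmarks</H1>
<DL><p>
 <DT><H3 ADD_DATE="1191448948" LAST_MODIFIED="1193819896">Öryggisvitund</H3>
 <DL><p>
  <DT><A HREF="http://isc.sans.org/diary.html?storyid=3438" ADD_DATE="1191448977">ISC: Tip #1</A>
  <DT><A HREF="http://herdubreid.rhi.hi.is:1026/wordbank/search" ADD_DATE="1189521200" LAST_VISIT="1195489127">Orðabanki</A>
 </DL><p>
</DL><p>
"""

# (tag, attribute) -> description template; html.parser lowercases tag and attribute names
EVENTS = {
    ("h1", "last_modified"): "User modified the bookmark file",
    ("h3", "add_date"): "User created the bookmark folder [%(name)s]",
    ("h3", "last_modified"): "User modified the bookmark folder [%(name)s]",
    ("a", "add_date"): "User created the bookmark %(name)s [%(href)s]",
    ("a", "last_visit"): "User visited the bookmark [%(name)s]",
}

class BookmarkTimestamps(HTMLParser):
    """Collect (description, epoch) pairs from the timestamp attributes of H1, H3 and A tags."""
    def __init__(self):
        super().__init__()
        self.events, self._current = [], None
    def handle_starttag(self, tag, attrs):
        if tag in ("h1", "h3", "a"):
            self._current = (tag, dict(attrs), [])   # collect the element's text until it closes
    def handle_data(self, data):
        if self._current:
            self._current[2].append(data)
    def handle_endtag(self, tag):
        if self._current and tag == self._current[0]:
            tag, attrs, text = self._current
            self._current = None
            fields = {"name": "".join(text).strip(), "href": attrs.get("href", "")}
            for (etag, attr), template in EVENTS.items():
                if etag == tag and attrs.get(attr):
                    self.events.append(("[Firefox Bookmarks] " + template % fields, int(attrs[attr])))

def firefox_bookmarks_to_bodyfile(html):
    parser = BookmarkTimestamps()
    parser.feed(html)
    return ["0|%s|0|0|0|0|0|%d|%d|%d|%d" % (d, e, e, e, e) for d, e in parser.events]
```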
These input modules are not part of the published log2timeline tool, but they are all available in the development version of the tool, which can be found here.
I assume this article refers to the direct and global files that are found in Windows? Do you know where these files are located in the OS X version of Opera?
Hi, this article does not imply Windows specific settings, this is general. The location of the file in OS X: /Users/USERNAME/Library/Preferences/Opera Preferences. For older versions of Opera the files should be named “Opera Global History” and “Opera Direct History”. In the current version the structure is the same but the names have changed to “global_history.dat” and “typed_history.xml”.