如何使用 Osquery 转换 Chrome 浏览器历史记录 Sqlite 时间戳
How to Convert Chrome Browser History Sqlite Timestamps with Osquery
据我了解,Chrome 浏览器在浏览器历史数据库中使用 WebKit 时间格式作为时间戳。 WebKit 时间表示为自 1601 年 1 月以来的毫秒数。
我发现很多文章似乎可以回答我的问题,但 none 到目前为止都有效。常见的答案是使用下面的公式将 WebKit 转换为人类可读的本地时间:
SELECT datetime((time/1000000)-11644473600, 'unixepoch', 'localtime') AS time FROM table;
来源:
https://linuxsleuthing.blogspot.com/2011/06/decoding-google-chrome-timestamps-in.html
What is the format of Chrome's timestamps?
我正在尝试使用以下配置通过 Osquery 收集数据时转换时间戳。
"chrome_browser_history" : {
"query" : "SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id",
"path" : "/Users/%/Library/Application Support/Google/Chrome/%/History",
"columns" : ["path", "id", "url", "title", "visit_count", "typed_count", "last_visit_time", "hidden", "visit_time", "visit_duration", "source"],
"platform" : "darwin"
}
"schedule": {
"chrome_history": {
"query": "select distinct url,datetime((last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}
生成的事件具有 1600 年的时间戳:
"time":"1600-12-31 18:46:16"
如果我更改配置以在不进行转换的情况下提取原始时间戳,我会得到如下所示的戳记:
"last_visit_time":"1793021894"
从我读到的关于 WebKit 时间的内容来看,它是用 17 位数字表示的,这显然不是我所看到的。所以我现在不确定这是 Osquery、Chrome 还是查询问题。感谢所有帮助和见解!
尝试:
SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls;
这是我前段时间写的东西 - 运行带有 ATC 配置的 osqueryi 以读取 chrome 历史文件,导出为 json 并卷曲 json到API端点
https://gist.github.com/defensivedepth/6b79581a9739fa316b6f6d9f97baab1f
您正在使用的东西是非常直接的 sqlite。所以我将从在 sqlit 中调试开始。
首先,您应该验证数据是否符合您的预期。在我的机器上,我看到:
$ cp Library/Application\ Support/Google/Chrome/Profile\ 1/History /tmp/
$ sqlite3 /tmp/History "select last_visit_time from urls limit 2"
13231352154237916
13231352154237916
其次,我将验证基础数学:
sqlite> select datetime(last_visit_time/1000000-11644473600, "unixepoch") from urls limit 2;
2020-04-14 15:35:54
2020-04-14 15:35:54
如果您将配置片段作为文本包含进来,我们可以更轻松地测试它 copy/paste。
已解决。日期时间转换需要在 table 定义查询中进行。
IE。 "chrome_browser_history".
下定义的查询
"chrome_browser_history" : {
"query" : "SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, datetime(urls.last_visit_time/1000000-11644473600, 'unixepoch') last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id",
"path" : "/Users/%/Library/Application Support/Google/Chrome/%/History",
"columns" : ["path", "id", "url", "title", "visit_count", "typed_count", "last_visit_time", "hidden", "visit_time", "visit_duration", "source"],
"platform" : "darwin"
}
"schedule": {
"chrome_history": {
"query": "select distinct url,last_visit_time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}
尝试在 osquery 计划查询中进行转换(正如我之前尝试的那样)将不起作用。即:
"schedule": {
"chrome_history": {
"query": "select distinct url,datetime((last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}
据我了解,Chrome 浏览器在浏览器历史数据库中使用 WebKit 时间格式作为时间戳。 WebKit 时间表示为自 1601 年 1 月以来的毫秒数。
我发现很多文章似乎可以回答我的问题,但 none 到目前为止都有效。常见的答案是使用下面的公式将 WebKit 转换为人类可读的本地时间:
SELECT datetime((time/1000000)-11644473600, 'unixepoch', 'localtime') AS time FROM table;
来源: https://linuxsleuthing.blogspot.com/2011/06/decoding-google-chrome-timestamps-in.html What is the format of Chrome's timestamps?
我正在尝试使用以下配置通过 Osquery 收集数据时转换时间戳。
"chrome_browser_history" : {
"query" : "SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, urls.last_visit_time last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id",
"path" : "/Users/%/Library/Application Support/Google/Chrome/%/History",
"columns" : ["path", "id", "url", "title", "visit_count", "typed_count", "last_visit_time", "hidden", "visit_time", "visit_duration", "source"],
"platform" : "darwin"
}
"schedule": {
"chrome_history": {
"query": "select distinct url,datetime((last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}
生成的事件具有 1600 年的时间戳:
"time":"1600-12-31 18:46:16"
如果我更改配置以在不进行转换的情况下提取原始时间戳,我会得到如下所示的戳记:
"last_visit_time":"1793021894"
从我读到的关于 WebKit 时间的内容来看,它是用 17 位数字表示的,这显然不是我所看到的。所以我现在不确定这是 Osquery、Chrome 还是查询问题。感谢所有帮助和见解!
尝试:
SELECT datetime(last_visit_time/1000000-11644473600, \"unixepoch\") as last_visited, url, title, visit_count FROM urls;
这是我前段时间写的东西 - 运行带有 ATC 配置的 osqueryi 以读取 chrome 历史文件,导出为 json 并卷曲 json到API端点
https://gist.github.com/defensivedepth/6b79581a9739fa316b6f6d9f97baab1f
您正在使用的东西是非常直接的 sqlite。所以我将从在 sqlit 中调试开始。
首先,您应该验证数据是否符合您的预期。在我的机器上,我看到:
$ cp Library/Application\ Support/Google/Chrome/Profile\ 1/History /tmp/
$ sqlite3 /tmp/History "select last_visit_time from urls limit 2"
13231352154237916
13231352154237916
其次,我将验证基础数学:
sqlite> select datetime(last_visit_time/1000000-11644473600, "unixepoch") from urls limit 2;
2020-04-14 15:35:54
2020-04-14 15:35:54
如果您将配置片段作为文本包含进来,我们可以更轻松地测试它 copy/paste。
已解决。日期时间转换需要在 table 定义查询中进行。 IE。 "chrome_browser_history".
下定义的查询"chrome_browser_history" : {
"query" : "SELECT urls.id id, urls.url url, urls.title title, urls.visit_count visit_count, urls.typed_count typed_count, datetime(urls.last_visit_time/1000000-11644473600, 'unixepoch') last_visit_time, urls.hidden hidden, visits.visit_time visit_time, visits.from_visit from_visit, visits.visit_duration visit_duration, visits.transition transition, visit_source.source source FROM urls JOIN visits ON urls.id = visits.url LEFT JOIN visit_source ON visits.id = visit_source.id",
"path" : "/Users/%/Library/Application Support/Google/Chrome/%/History",
"columns" : ["path", "id", "url", "title", "visit_count", "typed_count", "last_visit_time", "hidden", "visit_time", "visit_duration", "source"],
"platform" : "darwin"
}
"schedule": {
"chrome_history": {
"query": "select distinct url,last_visit_time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}
尝试在 osquery 计划查询中进行转换(正如我之前尝试的那样)将不起作用。即:
"schedule": {
"chrome_history": {
"query": "select distinct url,datetime((last_visit_time/1000000)-11644473600, 'unixepoch', 'localtime') AS time from chrome_browser_history where url like '%nhl.com%';",
"interval": 10
}
}