
example data snippet: sZ:ADqtAZxSnZ6xU8hUKrEAL+OKQ9w4yLte28bSEP9+SCrrLOmiTiBj2Swrozz7K5ddA8uGGY0s/x+eMI7TR2SsjBa+kbzIlvH7gg==,,,,,,,,,,,Typed URLs,,{"typed_url":{"hidden":false,"title":"ABC website","url":"https://[example][dot][com]",/","visit_transitions":["1073741824","1073741824","1073741824"],"visits":["13233781772233286","13233781814559847","13233781838384902","13233781840069946"]}}

Can this data actually give the time a URL was visited, or a list of past visits to the URL? I am trying to do forensics to determine the times various payment URLs were invoked on an Android mobile using Google Chrome.

How to decode "visit_transitions" data? What does it indicate? I found out how to deal with "chrometime" listed as data element of "visits".

  • Another actual log snippet:> sZ:ADqtAZxSnZ6xU8hUKrEAL+OKQ9w4ivQKGVelI7mH0UNIj1ikVTo1CUUq5MiC9GZhWXweguLhnpJPMICXgDZeYxSfgAiT1YwWNA==,,,,,,,,,,,Typed URLs,,{"typed_url":{"hidden":false,"title":"Example.com – Recharge & Utility Payments, Entertainment, Travel, DTH, Wallet & Payments","url":"https://Example.com/","visit_transitions":["-1610612736","838860801"],"visits":["13239381911414692","13239382674564693"]}} – venkat pillai Aug 10 '20 at 11:57
  • I found out how to deal with the 17-digit number; it is in Chrome time format, base 1601-01-01; the following link answers how to convert it to local time: https://stackoverflow.com/questions/20458406/what-is-the-format-of-chromes-timestamps – venkat pillai Aug 10 '20 at 13:08
  • Now I want help on decoding "visit_transitions" data? What does it indicate? – venkat pillai Aug 10 '20 at 13:27

1 Answer


Those visit_transitions values are the same as the values in visits.transition in Chrome's History database. A full write-up of how to convert these is at https://dfir.blog/chrome-transition-values/, but I've applied those steps for your value (1073741824) here:

Convert to hex

1073741824 (dec) = 0x40000000

AND the value with 0xFF

0x40000000 AND 0x000000FF = 0x00000000 (or just 0)

Look up value in transition table

0 is Link (so the user clicked a link to get to that URL)

Qualifiers

    0x40000000 
AND 0xFFFFFF00
  = 0x40000000

And looking that up shows the link from above was a redirect.

// Redirects caused by JavaScript or a meta refresh tag on the page.
  PAGE_TRANSITION_CLIENT_REDIRECT = 0x40000000
Ryan
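The steps in the answer above, applied to every value in a Typed URLs record, as an added Python example that is not part of the original question or answer. The function names are hypothetical, the type and qualifier names follow Chromium's ui/base/page_transition_types.h rather than anything listed on this page, the sample record is constructed from the values in the comment, and pairing visits with transitions by position is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

# Core types (low 8 bits) and qualifier flags (upper 24 bits); names as in
# Chromium's ui/base/page_transition_types.h (only CLIENT_REDIRECT is on this page).
CORE = {0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
        4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
        7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED"}
QUALIFIERS = {0x00800000: "BLOCKED", 0x01000000: "FORWARD_BACK",
              0x02000000: "FROM_ADDRESS_BAR", 0x04000000: "HOME_PAGE",
              0x08000000: "FROM_API", 0x10000000: "CHAIN_START",
              0x20000000: "CHAIN_END", 0x40000000: "CLIENT_REDIRECT",
              0x80000000: "SERVER_REDIRECT"}
CHROME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: trimmed record using the values from the comment above.
SAMPLE = ('{"typed_url":{"hidden":false,"title":"Example","url":"https://example.com/",'
          '"visit_transitions":["-1610612736","838860801"],'
          '"visits":["13239381911414692","13239382674564693"]}}')

def decode_transition(raw):
    """Split one visit_transitions value into (core type, [qualifier names])."""
    value = int(raw) & 0xFFFFFFFF      # negative values are signed 32-bit exports
    core = CORE.get(value & 0xFF, "UNKNOWN(%d)" % (value & 0xFF))
    flags = value & 0xFFFFFF00
    names = [name for bit, name in sorted(QUALIFIERS.items()) if flags & bit]
    leftover = flags & ~sum(QUALIFIERS)  # bits this table does not name
    if leftover:
        names.append("UNKNOWN(0x%08X)" % leftover)
    return core, names

def chrome_time(raw):
    """Microseconds since 1601-01-01 UTC -> timezone-aware datetime."""
    return CHROME_EPOCH + timedelta(microseconds=int(raw))

def decode_typed_url(record_json):
    """Return [(visit time, decoded transition or None)] for one record."""
    entry = json.loads(record_json)["typed_url"]
    transitions = entry["visit_transitions"]
    rows = []
    for i, visit in enumerate(entry["visits"]):
        # Assumption: lists are parallel; the question's first record has one
        # more visit than transitions, so a missing transition becomes None.
        t = decode_transition(transitions[i]) if i < len(transitions) else None
        rows.append((chrome_time(visit), t))
    return rows

if __name__ == "__main__":
    for when, transition in decode_typed_url(SAMPLE):
        print(when.isoformat(), transition)
```
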