lowmanio.co.uk

How Opera stores web history

Mon, 14 Jun 2010 03:12PM

Category: Digital Forensics & Malware

Written by Sarah

Of all the popular browsers, Opera leaves behind the least useful information for investigators. Not only is the data stored in plain text format, but it also does not record every visit to a URL, only the latest one. It is therefore impossible to tell how often someone has visited a particular website. Even when viewing web history from within the browser, only the latest entries are shown, giving a false impression of the actual history. For example, if someone went to exactly the same websites two days in a row, the first day would have no history associated with it, since each entry would be overwritten by the latest visit.

If the computer is running Windows XP, the Opera default path to user data is:

C:\Documents and Settings\<User Name>\Application Data\Opera\Opera

For Windows Vista and Windows 7, the default path is:

C:\Users\<User Name>\AppData\Roaming\Opera\Opera\

There are two important files in this directory, global_history.dat and typed_history.xml.

GLOBAL_HISTORY.DAT

global_history.dat is a plaintext file which stores details for each URL visited. Each entry takes up four lines as described in the table below.

| Line | Meaning |
|------|---------|
| 1 | The title of the website. |
| 2 | Website URL. |
| 3 | Time of the last visit. This is the number of seconds after the Unix Epoch UTC (1st January 1970). |
| 4 | An integer representing the ‘popularity’ of the website. This number seems to be set to -1 initially, and rises to several million if the website has been visited more than once. It is not clear how this relates to the popularity column when you view web history via the Opera browser. |

The lines below show two entries in global_history.dat and the image underneath shows the same entries in Opera’s history viewer. The popularity value is the fourth line of each entry. It is unclear what the popularity field in the file and the viewer mean, or how 1936804 corresponds to 2 and -1 to 1. They do not correspond to the number of visits.

http://cuteoverload.com 
http://cuteoverload.com
1276255696
1936804   
BBC NEWS | News Front Page
http://news.bbc.co.uk
1276255696
-1    

Opera screenshot

TYPED_HISTORY.XML

typed_history.xml is an XML file that has an entry for each URL that was typed in manually. Each entry is in the format

<typed_history_item content="url" type="type" last_typed="date" />

Type is either ‘text’ or ‘selected’, where ‘selected’ means the URL was chosen from Opera’s autocomplete and ‘text’ means it was typed in manually. Again, only the latest entry for each URL is stored, not every one.

And that's really all I could find that Opera stores!
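The two file layouts described above can be read with a short parser. This is an added example, not code from the original post: the function names, the XML root element, the `PLACEHOLDER` date value and the truncated third record are constructed for illustration, while the first two history records are the ones shown earlier.

```python
"""Added example: parse Opera's global_history.dat and typed_history.xml."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

def parse_global_history(text):
    """Return (entries, leftover): 4-line records plus any incomplete tail lines."""
    lines = [ln.rstrip("\r") for ln in text.split("\n")]
    while lines and not lines[-1].strip():
        lines.pop()  # ignore trailing blank lines only; a title line may be empty
    entries = []
    usable = len(lines) - len(lines) % 4
    for i in range(0, usable, 4):
        title, url, ts, pop = (s.strip() for s in lines[i:i + 4])
        try:
            when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
            popularity = int(pop)
        except (ValueError, OverflowError, OSError):
            # Damaged or misaligned record: keep it visible rather than guess.
            entries.append({"title": title, "url": url, "error": (ts, pop)})
            continue
        entries.append({"title": title, "url": url,
                        "last_visit_utc": when, "popularity": popularity})
    return entries, lines[usable:]

def parse_typed_history(xml_text):
    """Return the attributes of every typed_history_item element."""
    root = ET.fromstring(xml_text)
    return [dict(item.attrib) for item in root.iter("typed_history_item")]

# First two records are from the post; the two-line tail is a constructed truncated record.
SAMPLE_DAT = (
    "http://cuteoverload.com\nhttp://cuteoverload.com\n1276255696\n1936804\n"
    "BBC NEWS | News Front Page\nhttp://news.bbc.co.uk\n1276255696\n-1\n"
    "Example\nhttp://example.com\n"
)
# Constructed sample: root element name and last_typed value are assumptions.
SAMPLE_XML = (
    '<typed_history><typed_history_item content="http://example.com" '
    'type="text" last_typed="PLACEHOLDER"/></typed_history>'
)

if __name__ == "__main__":
    entries, leftover = parse_global_history(SAMPLE_DAT)
    for e in entries:
        print(e)
    print("incomplete tail:", leftover)
    print(parse_typed_history(SAMPLE_XML))
```

Reporting the incomplete tail separately matters when the file has been carved or truncated, because a single missing line would otherwise shift every later record out of alignment.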

Tagged with: web history, Opera