How Opera stores web history

Out of all the popular browsers, Opera leaves behind the least amount of useful information for investigators. Not only is the data stored in plain text format, but it does not record every URL visited, only the latest one. Therefore it is impossible to tell how often someone has visited a particular website. Even when viewing web history from within the browser only the latest entries are shown, giving a false impression of the actual history. For example if someone went to exactly the same websites two days in a row, the first day would have no history associated with it, since each entry would be overridden by the latest visit.

If the computer is running Windows XP, the Opera default path to user data is:

C:\Documents and Settings\<User Name>\Application Data\Opera\Opera

For Windows Vista and Windows 7, the default path is:

C:\Users\<User Name>\AppData\Roaming\Opera\Opera\

There are two important files in this directory, global_history.dat and typed_history.xml.

GLOBAL_HISTORY.DAT

global_history.dat is a plaintext file which stores details for each URL visited. Each entry takes up four lines as described in the table below.

LineMeaning
1The title of the website.
2Website URL.
3Time of the last visit. This is the number of seconds after the Unix Epoch UTC (1st January 1970).
4An integer representing the ‘popularity’ of the website. This number seems to be set to -1 initially, and rises to several million if the website has been visited more than once. It is not clear how this relates to the popularity column when you view web history via the Opera browser.

The lines below show two entries in global_history.dat and the image underneath shows the same entries in Opera’s history viewer. Popularity has been made bold. It is unclear what the popularity field in the file and the viewer mean, and how 1936804 corresponds to 2 and -1 to 1. They do not correspond to number of visits.

http://cuteoverload.com 
http://cuteoverload.com
1276255696
1936804   
BBC NEWS | News Front Page
http://news.bbc.co.uk
1276255696
-1    

TYPED_HISTORY.XML

typed_history.xml is an XML file that has an entry for each URL that was typed in manually. Each entry is in the format

<typed_history_item content=”url” type=”type” last_typed=”date” />

Type is either ‘text’ or ‘selected’, where ‘selected’ means the URL was chosen from Opera’s autocomplete and ‘text’ means it was typed in manually. Again, this only stores the latest URL and not all of them.

And that’s really all I could find that Opera stores!

References

IR and forensic talk blog post

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s