The new update of Chrome (v30) released yesterday has a number of security fixes, new features, and improvements, but it also unfortunately came with some bad news for forensicators: the History Index files are no more. These files were SQLite DBs named ‘History Index YYYY-MM’ and had the text content of most websites a user visited. Chrome used these indexes to rapidly search previously viewed pages to power the omnibox suggestions. They could be of great value in investigations, as they potentially contained multiple snapshots of a page’s content at different times.
I’ve also verified that the ‘visits.is_indexed’ fields have been removed from the History and Archived History DBs. I will update Hindsight to deal with these changes (and the other changed DB fields in v30) soon.
It’s too bad these DBs were dropped from Chrome; they were a great resource.
The relevant revision (212459):
Remove TextDatabase from the history service. The full text indexing feature is no longer used by anything. - Remove the TextDatabase, TextDatabaseManager and related files. - Remove is_indexed field from VisitRow objects. - Modify ExpireHistoryBackend and HistoryBackend to no longer call TextDatabase - Have HistoryBackend delete the "History Index *" files from the users profile - Remove ChromeViewHostMsg_PageContents IPC message since the browser process no longer requires to have the page contents of recently loaded pages.