Chromium SQLite Parser (csp)


Google's Chrome Browser has many artifacts available that the forensics examiner can use in identifying a user's Internet activity. This includes Chrome's various databases, local storage, JSON formatted text files, and cache.

This tool, however, does not target all of Chrome's artifacts; it only targets certain SQLite databases and specific tables within those databases that are used by the Browser that have been deemed useful by the forensics community. Specifically, this tool targets the following seven databases: (a) History, (b) Cookies, (c) Web Data, (d) Top Sites, (e) Shortcuts, (f) Login Data and (g) Favicons.

The semantics to run this tool just requires one to use the -db option and pass in the path/file of the Chrome SQLite database to parse. The screenshot shows all the options available.

menu of options

Below is an example of running the tool in its simplest form. Without explicitly setting any options, the tool will use will default to the SQL Select-type parser. The parsed output will dump to the screen, unless one redirects the output to a file.

         c:\> csp -db c:\dump\History -csv > out.csv

To process multiple databases one would use the -pipe option while enumerating a folder and subfolder of databases, like so:

         c:\> dir c:\dump\chrome_dbs /b /s /a | csp -pipe -carve -csvl2t > out.csv

Integrated Parsing Algorithms

The csp tool offers three possible parsing algorithms to choose from. They are as follows:

For more information

The user's guide can be viewed here

If you would like more information about csp, contact us via email.


Intel 32-bit VersionIntel 64-bit VersionARM 64-bit Version
Mac OS X:Not Availablecsp.v.0.24.dmgcsp.v.0.24.dmgmd5/sha1
*32bit apps can run in a 64bit linux distribution if "ia32-libs" (and dependencies) are present.