What’s good about the Python script Chris developed is, first and foremost, the readability of its output. We don’t have to navigate the raw data in the table with DB Browser for SQLite, or scour the binary data with a hex editor, just to find the IOCs we’re looking for. Doing so takes time, especially when a lot of data is stored in the database. With either the standard or CSV output generated by the script, we can easily find the host URL and/or the IOCs we are looking for by grepping, using the Find tool (CTRL + F), or by any other means at our disposal.
In addition, we can easily create a timeline of events from the ‘Last Visited’ timestamp found in both outputs. The only difference between the two is that the timestamps in the CSV output are still in WebKit timestamp format, so we need to convert them to a human-readable format if we choose to use that output (Figures 18 and 19). The ‘Last Visited’ timestamps in the standard output, on the other hand, have already been converted to a human-readable form in Coordinated Universal Time (UTC) (Figures 16 and 17).
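If we work from the CSV output, the conversion and the timeline can be done in one pass. The following is an added example, not part of Chris's script: it treats the WebKit timestamp as microseconds since 1601-01-01 00:00:00 UTC, and the `Host URL` column name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# WebKit/Chromium timestamps count microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value):
    """Return an aware UTC datetime, or None for empty, zero or invalid cells."""
    try:
        micros = int(str(value).strip())
    except ValueError:
        return None
    if micros <= 0:
        return None  # 0 means "never set" and must not be shown as the year 1601
    try:
        return WEBKIT_EPOCH + timedelta(microseconds=micros)
    except OverflowError:
        return None  # corrupt value beyond the representable date range


def build_timeline(csv_text, ts_column="Last Visited"):
    """Return the CSV rows sorted oldest first, with a readable UTC column added."""
    dated = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        when = webkit_to_utc(row.get(ts_column, ""))
        if when is None:
            continue  # no usable timestamp, so it cannot be placed on the timeline
        row = dict(row)
        row["Last Visited (UTC)"] = when.strftime("%Y-%m-%d %H:%M:%S.%f UTC")
        dated.append((when, row))
    dated.sort(key=lambda pair: pair[0])
    return [row for _, row in dated]


# Constructed sample data; 'Host URL' is an assumed column name.
SAMPLE_CSV = """Host URL,Last Visited
https://example.com/login,13350000000000000
https://example.org/,13340000000000000
https://example.net/,0
"""

if __name__ == "__main__":
    for entry in build_timeline(SAMPLE_CSV):
        print(entry["Last Visited (UTC)"], entry["Host URL"])
```

Rows whose timestamp is empty, zero or malformed are left out of the timeline rather than being sorted to 1601, so they should be reviewed separately.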