Browser timestamp formats explained

A wrong epoch assumption is the most common browser-forensics mistake — it shifts every event by years. Three formats cover almost everything.

Chrome / Chromium / Edge

Microseconds since 1601‑01‑01 UTC (the Windows/WebKit epoch). Used by urls.last_visit_time, visits.visit_time, cookie times, etc.

unix_ms = chrome_value / 1000 − 11644473600000

Exception: Chrome's autofill table uses plain Unix seconds.

Firefox

Microseconds since 1970‑01‑01 UTC (Unix epoch ×1,000,000). Used by moz_places.last_visit_date, moz_historyvisits.visit_date. Note moz_cookies.expiry is Unix seconds.

unix_ms = firefox_value / 1000

Safari

Mac absolute time — seconds (often fractional) since 2001‑01‑01 UTC.

unix_ms = (safari_value + 978307200) × 1000

Don't do this by hand

This parser applies the correct conversion per column automatically, so History, places.sqlite, History.db, cookies and sessions all show human-readable UTC times — and the unified timeline sorts them together.