BraveBrowser
Browsersv1
Author: Cassie Doemel
description
Brave Browser
paths
20 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: BraveBrowser
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle artifact collection with robocopy
function Collect-Artifact {
param (
[string]$SourceDir,
[string]$FolderName,
[string]$FileMask = "*"
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}
# 1. Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Bookmarks*" -FolderName "Bookmarks"
# 2. Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Cookies*" -FolderName "Cookies"
# 3. Current Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Session" -FolderName "Current_Session"
# 4. Current Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Tabs" -FolderName "Current_Tabs"
# 5. Download Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "DownloadMetadata" -FolderName "Download_Metadata"
# 6. Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Favicons*" -FolderName "Favicons"
# 7. History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "History*" -FolderName "History"
# 8. Sessions Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Sessions_Folder"
# 9. Login Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Login Data" -FolderName "Login_Data"
# 10. Network Action Predictor
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Network Action Predictor" -FolderName "Network_Action_Predictor"
# 11. Network Persistent State
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Network Persistent State" -FolderName "Network_Persistent_State"
# 12. Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Preferences" -FolderName "Preferences"
# 13. Quota Manager
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "QuotaManager" -FolderName "Quota_Manager"
# 14. Reporting and NEL
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Reporting and NEL" -FolderName "Reporting_and_NEL"
# 15. Shortcuts
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Shortcuts*" -FolderName "Shortcuts"
# 16. Publisher Info DB/Brave Rewards
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "publisher_info_db*" -FolderName "Publisher_Info_DB_Brave_Rewards"
# 17. Top Sites
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Top Sites*" -FolderName "Top_Sites"
# 18. Visited Links
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Visited Links*" -FolderName "Visited_Links"
# 19. Web Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Web Data*" -FolderName "Web_Data"
# 20. Secure Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Secure Preferences*" -FolderName "Secure_Preferences"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.