BraveBrowser

Browsersv1

Author: Cassie Doemel

description

Brave Browser

paths

20 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: BraveBrowser
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Bookmarks
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Bookmarks*" -FolderName "Bookmarks_$UserName"
        # Cookies
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Cookies*" -FolderName "Cookies_$UserName"
        # Current Session
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Current Session" -FolderName "Current_Session_$UserName"
        # Current Tabs
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Current Tabs" -FolderName "Current_Tabs_$UserName"
        # Download Metadata
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "DownloadMetadata" -FolderName "Download_Metadata_$UserName"
        # Favicons
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Favicons*" -FolderName "Favicons_$UserName"
        # History
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "History*" -FolderName "History_$UserName"
        # Sessions Folder
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions"
        Collect-Artifact -SourceDir $UserPath -FolderName "Sessions_Folder_$UserName"
        # Login Data
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Login Data" -FolderName "Login_Data_$UserName"
        # Network Action Predictor
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Network Action Predictor" -FolderName "Network_Action_Predictor_$UserName"
        # Network Persistent State
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Network Persistent State" -FolderName "Network_Persistent_State_$UserName"
        # Preferences
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Preferences" -FolderName "Preferences_$UserName"
        # Quota Manager
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "QuotaManager" -FolderName "Quota_Manager_$UserName"
        # Reporting and NEL
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Reporting and NEL" -FolderName "Reporting_and_NEL_$UserName"
        # Shortcuts
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Shortcuts*" -FolderName "Shortcuts_$UserName"
        # Publisher Info DB/Brave Rewards
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "publisher_info_db*" -FolderName "Publisher_Info_DB_Brave_Rewards_$UserName"
        # Top Sites
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Top Sites*" -FolderName "Top_Sites_$UserName"
        # Visited Links
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Visited Links*" -FolderName "Visited_Links_$UserName"
        # Web Data
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Web Data*" -FolderName "Web_Data_$UserName"
        # Secure Preferences
        $UserPath = "$($_.FullName)\AppData\Local\BraveSoftware\Brave-Browser\User Data\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "Secure Preferences*" -FolderName "Secure_Preferences_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

› cyberchef recipes

URL Decode
Decode URL-encoded strings
open in cyberchef(opens in new tab)

Open in CyberChef to decode values extracted from this artifact.

references

forensafe.com https://www.forensafe.com/blogs/brave.html

notes

While Brave is Webkit/Chrome based, when compared to Chrome:

Does not appear to create Extension Cookies or Media History files

Has Unknowns: Safe Browsing Cookies & TransportSecurity

Adds: Secure Preferences & publisher_info_db

Brave Rewards - publisher_info_db - https://github.com/brave/brave-browser/issues/9655

included in collections

SANS_Triage KapeTriage WebBrowsers

// description

// paths

// collection commands

// references

// notes

// included in collections