dfirhub

BraveBrowser

Author: Cassie Doemel

description

Brave Browser

paths

20 paths
Communications: Bookmarks
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Bookmarks*
Communications: Cookies
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Cookies*
Communications: Current Session
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Session
Communications: Current Tabs
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Current Tabs
Communications: Download Metadata
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\DownloadMetadata
Communications: Favicons
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Favicons*
Communications: History
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\History*
Communications: Sessions Folder
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\
Communications: Login Data
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Login Data
Communications: Network Action Predictor
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Action Predictor
Communications: Network Persistent State
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Network Persistent State
Communications: Preferences
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Preferences
Communications: Quota Manager
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\QuotaManager
Communications: Reporting and NEL
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Reporting and NEL
Communications: Shortcuts
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Shortcuts*
Communications: Publisher Info DB/Brave Rewards
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\publisher_info_db*

SQLite Database related to "Brave Rewards" containing an event_log table

Communications: Top Sites
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Top Sites*
Communications: Visited Links
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Visited Links*
Communications: Web Data
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Web Data*
Communications: Secure Preferences
C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\Secure Preferences*

Contains additional preferences data

paths use Windows environment syntax

collection commands

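# PowerShell Artifact Collection Script
# Target: BraveBrowser
# Run as Administrator
#
# Copies Brave Browser profile artifacts into per-artifact folders under $DestBase.

#Requires -RunAsAdministrator

# Report copy failures instead of hiding them: an unreadable or locked file
# (for example a database the browser may still hold open) has to be visible
# to the analyst, otherwise the evidence set is silently incomplete.
# "Continue" prints the error and keeps collecting the remaining artifacts.
$ErrorActionPreference = "Continue"

# Root folder that receives the collected copies.
# NOTE(review): presumably D: is external/collection media rather than a volume
# of the system under examination - confirm before running.
$DestBase = "D:\Evidence"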

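# Copy every item matching a source pattern into its artifact folder under $DestBase.
#
# Parameters:
#   SourcePath - path of the artifact to collect; may contain wildcards.
#   FolderName - name of the sub-folder of $DestBase that receives the copies.
#
# Each match is placed in a sub-folder named after the directory it came from
# (the browser profile folder when the pattern uses "User Data\*\..."), so files
# with the same name from different profiles are kept side by side instead of
# overwriting one another. Problems are reported with Write-Warning and
# collection continues with the next item.
#
# NOTE(review): no hashes are recorded here; consider logging Get-FileHash
# output for source and copy if the case requires integrity evidence.
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -LiteralPath $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force -ErrorAction SilentlyContinue | Out-Null
    }
    # Re-check rather than trust New-Item: a missing or read-only destination
    # volume must not look like a successful collection.
    if (-not (Test-Path -LiteralPath $FullDest)) {
        Write-Warning "Collect-Artifact: cannot create destination '$FullDest'; skipping '$SourcePath'."
        return
    }

    # Resolve the wildcard once so each match can be routed to its own folder.
    $Items = @(Get-Item -Path $SourcePath -Force -ErrorAction SilentlyContinue)
    if ($Items.Count -eq 0) {
        Write-Warning "Collect-Artifact: nothing matched '$SourcePath'."
        return
    }

    foreach ($Item in $Items) {
        # Name of the directory that holds the match (e.g. "Default", "Profile 1").
        $OriginName = Split-Path -Path (Split-Path -Path $Item.FullName -Parent) -Leaf
        $ItemDest = Join-Path -Path $FullDest -ChildPath $OriginName
        if (-not (Test-Path -LiteralPath $ItemDest)) {
            New-Item -ItemType Directory -Path $ItemDest -Force -ErrorAction SilentlyContinue | Out-Null
        }

        # -LiteralPath: the path is already resolved and must not be globbed again.
        $CopyErrors = @()
        Copy-Item -LiteralPath $Item.FullName -Destination $ItemDest -Recurse -Force -ErrorAction SilentlyContinue -ErrorVariable CopyErrors
        foreach ($Failure in $CopyErrors) {
            Write-Warning "Collect-Artifact: failed to copy '$($Item.FullName)': $Failure"
        }
    }
}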

# Collection plan: every entry pairs a source pattern with the evidence folder
# that receives it, in the same order as the numbered artifact list (1-20).
#
# NOTE(review): $env:USERPROFILE is the profile of the account running the
# script. If the elevated session belongs to a different account than the user
# under examination, that user's Brave data is not what gets collected - confirm.
# NOTE(review): Login Data, Cookies and Web Data hold saved credentials, session
# cookies and form data; restrict access to the evidence destination accordingly.
# NOTE(review): recent Chromium-based builds keep Cookies under the profile's
# Network sub-folder; verify the location for the Brave version in scope.

# All profile folders under "User Data" (trailing separator kept as in the paths above).
$ProfileGlob = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\*\"
# Unlike the other entries, the Sessions folder is taken from the Default profile only.
$SessionsDir = Join-Path $env:USERPROFILE "AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\"

$Artifacts = @(
    @{ Source = "$ProfileGlob\Bookmarks*";                Folder = "Bookmarks" },
    @{ Source = "$ProfileGlob\Cookies*";                  Folder = "Cookies" },
    @{ Source = "$ProfileGlob\Current Session";           Folder = "Current_Session" },
    @{ Source = "$ProfileGlob\Current Tabs";              Folder = "Current_Tabs" },
    @{ Source = "$ProfileGlob\DownloadMetadata";          Folder = "Download_Metadata" },
    @{ Source = "$ProfileGlob\Favicons*";                 Folder = "Favicons" },
    @{ Source = "$ProfileGlob\History*";                  Folder = "History" },
    @{ Source = "$SessionsDir\*";                         Folder = "Sessions_Folder" },
    @{ Source = "$ProfileGlob\Login Data";                Folder = "Login_Data" },
    @{ Source = "$ProfileGlob\Network Action Predictor";  Folder = "Network_Action_Predictor" },
    @{ Source = "$ProfileGlob\Network Persistent State";  Folder = "Network_Persistent_State" },
    @{ Source = "$ProfileGlob\Preferences";               Folder = "Preferences" },
    @{ Source = "$ProfileGlob\QuotaManager";              Folder = "Quota_Manager" },
    @{ Source = "$ProfileGlob\Reporting and NEL";         Folder = "Reporting_and_NEL" },
    @{ Source = "$ProfileGlob\Shortcuts*";                Folder = "Shortcuts" },
    @{ Source = "$ProfileGlob\publisher_info_db*";        Folder = "Publisher_Info_DB_Brave_Rewards" },
    @{ Source = "$ProfileGlob\Top Sites*";                Folder = "Top_Sites" },
    @{ Source = "$ProfileGlob\Visited Links*";            Folder = "Visited_Links" },
    @{ Source = "$ProfileGlob\Web Data*";                 Folder = "Web_Data" },
    @{ Source = "$ProfileGlob\Secure Preferences*";       Folder = "Secure_Preferences" }
)

foreach ($Artifact in $Artifacts) {
    Collect-Artifact -SourcePath $Artifact.Source -FolderName $Artifact.Folder
}

# Printed unconditionally: this line does not by itself confirm that every
# artifact was found and copied.
Write-Host "Collection complete!" -ForegroundColor Green

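Save the script as a .ps1 file and run it from an elevated (Administrator) PowerShell prompt: powershell -ExecutionPolicy Bypass -File script.ps1. The -ExecutionPolicy Bypass switch applies only to that one PowerShell process; it does not change the execution policy configured on the machine.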
