dfirhub

Chrome

Browsersv1.3

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino

description

Chrome

paths

43 paths
CommunicationsChrome bookmarks XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*
CommunicationsChrome Cookies XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*
CommunicationsChrome Current Session XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session
CommunicationsChrome Current Tabs XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs
CommunicationsChrome Favicons XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*
CommunicationsChrome History XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\History*
CommunicationsChrome Last Session XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session
CommunicationsChrome Last Tabs XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs
CommunicationsChrome Login Data XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data
CommunicationsChrome Preferences XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences
CommunicationsChrome Shortcuts XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*
CommunicationsChrome Top Sites XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*
CommunicationsChrome Visited Links XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links
CommunicationsChrome Web Data XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*
CommunicationsChrome bookmarks
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Bookmarks*
CommunicationsChrome Cookies
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Cookies*
CommunicationsChrome Current Session
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Current Session
CommunicationsChrome Current Tabs
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Current Tabs
CommunicationsChrome Download Metadata
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\DownloadMetadata
CommunicationsChrome Extension Cookies
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Extension Cookies
CommunicationsChrome Favicons
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Favicons*
CommunicationsChrome History
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\History*
CommunicationsChrome Last Session
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Last Session
CommunicationsChrome Last Tabs
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Last Tabs
CommunicationsChrome Sessions Folder
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sessions\
CommunicationsChrome Login Data
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Login Data
CommunicationsChrome Media History
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Media History*
CommunicationsChrome Network Action Predictor
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor
CommunicationsChrome Network Persistent State
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Network Persistent State
CommunicationsChrome Preferences
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Preferences
CommunicationsChrome Quota Manager
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\QuotaManager
CommunicationsChrome Reporting and NEL
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL
CommunicationsChrome Shortcuts
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Shortcuts*
CommunicationsChrome Top Sites
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Top Sites*
CommunicationsChrome Trust Tokens
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*
CommunicationsChrome SyncData Database
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sync DataSyncData.sqlite3
CommunicationsChrome Visited Links
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Visited Links
CommunicationsChrome Web Data
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Web Data*
CommunicationsChrome IndexedDB
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\IndexedDB\

Collects IndexedDB (LevelDB) databases used by modern web applications to store data.

CommunicationsChrome Local Storage
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Local Storage\leveldb\

Collects Local Storage (LevelDB) databases, another form of persistent client-side storage.

FileSystemWindows Protect Folder
C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\

Required for offline decryption

CommunicationsChrome Snapshots Folder
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\Snapshots\*\

Grabs folder that appears to have snapshots of Chrome SQLite DBs organized by version #.

CommunicationsSYSTEM Chrome History
C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*\History*
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: Chrome
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Chrome bookmarks XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Chrome_bookmarks_XP"

# 2. Chrome Cookies XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Cookies*" -FolderName "Chrome_Cookies_XP"

# 3. Chrome Current Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Session" -FolderName "Chrome_Current_Session_XP"

# 4. Chrome Current Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Tabs" -FolderName "Chrome_Current_Tabs_XP"

# 5. Chrome Favicons XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Favicons*" -FolderName "Chrome_Favicons_XP"

# 6. Chrome History XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\History*" -FolderName "Chrome_History_XP"

# 7. Chrome Last Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Session" -FolderName "Chrome_Last_Session_XP"

# 8. Chrome Last Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Tabs" -FolderName "Chrome_Last_Tabs_XP"

# 9. Chrome Login Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Login Data" -FolderName "Chrome_Login_Data_XP"

# 10. Chrome Preferences XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Preferences" -FolderName "Chrome_Preferences_XP"

# 11. Chrome Shortcuts XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Shortcuts*" -FolderName "Chrome_Shortcuts_XP"

# 12. Chrome Top Sites XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Top Sites*" -FolderName "Chrome_Top_Sites_XP"

# 13. Chrome Visited Links XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Visited Links" -FolderName "Chrome_Visited_Links_XP"

# 14. Chrome Web Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Web Data*" -FolderName "Chrome_Web_Data_XP"

# 15. Chrome bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Chrome_bookmarks"

# 16. Chrome Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Cookies*" -FolderName "Chrome_Cookies"

# 17. Chrome Current Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Session" -FolderName "Chrome_Current_Session"

# 18. Chrome Current Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Tabs" -FolderName "Chrome_Current_Tabs"

# 19. Chrome Download Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\DownloadMetadata" -FolderName "Chrome_Download_Metadata"

# 20. Chrome Extension Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Extension Cookies" -FolderName "Chrome_Extension_Cookies"

# 21. Chrome Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Favicons*" -FolderName "Chrome_Favicons"

# 22. Chrome History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\History*" -FolderName "Chrome_History"

# 23. Chrome Last Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Session" -FolderName "Chrome_Last_Session"

# 24. Chrome Last Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Tabs" -FolderName "Chrome_Last_Tabs"

# 25. Chrome Sessions Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\Sessions\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Chrome_Sessions_Folder"

# 26. Chrome Login Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Login Data" -FolderName "Chrome_Login_Data"

# 27. Chrome Media History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Media History*" -FolderName "Chrome_Media_History"

# 28. Chrome Network Action Predictor
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Network Action Predictor" -FolderName "Chrome_Network_Action_Predictor"

# 29. Chrome Network Persistent State
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Network Persistent State" -FolderName "Chrome_Network_Persistent_State"

# 30. Chrome Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Preferences" -FolderName "Chrome_Preferences"

# 31. Chrome Quota Manager
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\QuotaManager" -FolderName "Chrome_Quota_Manager"

# 32. Chrome Reporting and NEL
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Reporting and NEL" -FolderName "Chrome_Reporting_and_NEL"

# 33. Chrome Shortcuts
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Shortcuts*" -FolderName "Chrome_Shortcuts"

# 34. Chrome Top Sites
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Top Sites*" -FolderName "Chrome_Top_Sites"

# 35. Chrome Trust Tokens
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Trust Tokens*" -FolderName "Chrome_Trust_Tokens"

# 36. Chrome SyncData Database
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\Sync Data"
Collect-Artifact -SourcePath "$UserPath\SyncData.sqlite3" -FolderName "Chrome_SyncData_Database"

# 37. Chrome Visited Links
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Visited Links" -FolderName "Chrome_Visited_Links"

# 38. Chrome Web Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Web Data*" -FolderName "Chrome_Web_Data"

# 39. Chrome IndexedDB
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\IndexedDB\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Chrome_IndexedDB"

# 40. Chrome Local Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\Local Storage\leveldb\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Chrome_Local_Storage"

# 41. Windows Protect Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Microsoft\Protect\*\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Windows_Protect_Folder"

# 42. Chrome Snapshots Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\Snapshots\*\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Chrome_Snapshots_Folder"

# 43. SYSTEM Chrome History
Collect-Artifact -SourcePath "C:\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*\\History*" -FolderName "SYSTEM_Chrome_History"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

included in collections

SANS_Triage KapeTriage WebBrowsers