Chrome

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394

description

Chrome

paths

47 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Chrome
# Run as Administrator

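#Requires -RunAsAdministrator

# Keep going after a failed artifact; per-artifact outcomes are tallied in $Summary.
$ErrorActionPreference = "Continue"
# Volume holding the profiles to acquire (no trailing backslash; used as "$SourceRoot\Users").
$SourceRoot = "C:"
# Evidence destination. Keep it off $SourceRoot so the acquisition itself does not
# write to the volume under examination.
$DestBase   = "D:\Evidence"
# Outcome counters; Collect-Artifact mutates this hashtable by reference.
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
# Fail fast if the evidence location cannot be created (e.g. D: not mounted).
# Otherwise every artifact would be counted as an Error one by one and the
# script would still finish "complete".
$null = New-Item -ItemType Directory -Force -Path $DestBase -ErrorAction Stop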

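function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies one artifact (a directory tree, optionally filtered by file mask) into the evidence folder.

    .DESCRIPTION
    Any segment of -SourceDir may contain wildcards ('...\User Data\*',
    'Program Files*'); every matching directory is copied with robocopy,
    recursively, keeping data, attributes and timestamps (/COPY:DAT).

    The text the wildcard expanded to (e.g. 'Default', 'Profile 1\Network',
    or a SID folder under the DPAPI Protect directory) is kept as a sub-folder
    under $DestBase\$FolderName. Without it, same-named files from several
    Chrome profiles (History, Cookies, ...) overwrite each other in the
    destination, and DPAPI master keys lose the SID folder that identifies
    their owner. A -SourceDir without wildcards is copied straight into
    $FolderName, as before.

    .PARAMETER SourceDir
    Source directory path; PowerShell wildcards allowed. '[' and ']' are
    wildcard characters to Get-Item -Path, so a user or profile name that
    contains them does not match and is counted as Missed.

    .PARAMETER FolderName
    Destination folder name, created under $DestBase.

    .PARAMETER FileMask
    robocopy file mask; the default "*" copies every file.

    .NOTES
    Side effect only: increments $Summary.Copied, .Missed or .Errors in the
    script-level hashtable. robocopy exit codes 0-7 are informational; 8 and
    above mean at least one file or directory failed to copy (for example an
    SQLite database still locked by a running Chrome).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment; robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    # Everything up to (and including) the separator before the first wildcard
    # is literal; what each match contains beyond it becomes the destination
    # sub-folder. Assumes $SourceDir is an absolute, normalised path (as the
    # callers build it) so the literal prefix has the same length in FullName.
    $literalLen = -1
    $star = $SourceDir.IndexOf('*')
    if ($star -ge 0) {
        $literalLen = $SourceDir.LastIndexOf('\', $star) + 1
    }

    foreach ($src in $sources) {
        $dest = $FullDest
        if ($literalLen -ge 0 -and $src.FullName.Length -gt $literalLen) {
            $relative = $src.FullName.Substring($literalLen).TrimStart('\')
            if ($relative) {
                $dest = Join-Path -Path $FullDest -ChildPath $relative
            }
        }
        $null = New-Item -ItemType Directory -Force -Path $dest -ErrorAction SilentlyContinue
        # /R:0 /W:0 - never retry or wait on a locked file; /E - include empty sub-directories.
        robocopy $src.FullName "$dest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}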

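# 1. SYSTEM Chrome History - the Chrome profile under the LocalSystem account's
#    'systemprofile', if one exists. Built from $SourceRoot like the per-user
#    paths below, so changing the source drive applies to every artifact.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_History"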

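# Per-user artifact table, one row per path in the Target, in the original order.
#   Path : location relative to the user's profile directory, wildcards allowed
#   Mask : robocopy file mask; rows without one copy the whole directory ("*")
#   Dest : destination folder prefix, the user name is appended
# Some files (Network Persistent State, Trust Tokens, Reporting and NEL,
# QuotaManager) are listed twice on purpose: newer Chrome versions keep them
# in a sub-folder (Network\, WebStorage\), older ones directly in the profile.
$XpUserData     = 'Local Settings\Application Data\Google\Chrome\User Data\*'
$ChromeUserData = 'AppData\Local\Google\Chrome\User Data\*'
$ChromeArtifacts = @(
    # Windows XP profile layout
    @{ Path = $XpUserData; Mask = 'Bookmarks*';     Dest = 'Chrome_Bookmarks_XP_' }
    @{ Path = $XpUserData; Mask = 'Cookies*';       Dest = 'Chrome_Cookies_XP_' }
    @{ Path = $XpUserData; Mask = 'Current Session'; Dest = 'Chrome_Current_Session_XP_' }
    @{ Path = $XpUserData; Mask = 'Current Tabs';   Dest = 'Chrome_Current_Tabs_XP_' }
    @{ Path = $XpUserData; Mask = 'Favicons*';      Dest = 'Chrome_Favicons_XP_' }
    @{ Path = $XpUserData; Mask = 'History*';       Dest = 'Chrome_History_XP_' }
    @{ Path = $XpUserData; Mask = 'Last Session';   Dest = 'Chrome_Last_Session_XP_' }
    @{ Path = $XpUserData; Mask = 'Last Tabs';      Dest = 'Chrome_Last_Tabs_XP_' }
    @{ Path = $XpUserData; Mask = 'Login Data';     Dest = 'Chrome_Login_Data_XP_' }
    @{ Path = $XpUserData; Mask = 'Preferences';    Dest = 'Chrome_Preferences_XP_' }
    @{ Path = $XpUserData; Mask = 'Shortcuts*';     Dest = 'Chrome_Shortcuts_XP_' }
    @{ Path = $XpUserData; Mask = 'Top Sites*';     Dest = 'Chrome_Top_Sites_XP_' }
    @{ Path = $XpUserData; Mask = 'Visited Links';  Dest = 'Chrome_Visited_Links_XP_' }
    @{ Path = $XpUserData; Mask = 'Web Data*';      Dest = 'Chrome_Web_Data_XP_' }
    # Windows Vista and later profile layout
    @{ Path = $ChromeUserData; Mask = 'Bookmarks*';                Dest = 'Chrome_Bookmarks_' }
    @{ Path = $ChromeUserData; Mask = 'Cookies*';                  Dest = 'Chrome_Cookies_' }
    @{ Path = $ChromeUserData; Mask = 'Current Session';           Dest = 'Chrome_Current_Session_' }
    @{ Path = $ChromeUserData; Mask = 'Current Tabs';              Dest = 'Chrome_Current_Tabs_' }
    @{ Path = $ChromeUserData; Mask = 'DownloadMetadata';          Dest = 'Chrome_Download_Metadata_' }
    @{ Path = $ChromeUserData; Mask = 'Extension Cookies*';        Dest = 'Chrome_Extension_Cookies_' }
    @{ Path = $ChromeUserData; Mask = 'Favicons*';                 Dest = 'Chrome_Favicons_' }
    @{ Path = $ChromeUserData; Mask = 'History*';                  Dest = 'Chrome_History_' }
    @{ Path = $ChromeUserData; Mask = 'Last Session';              Dest = 'Chrome_Last_Session_' }
    @{ Path = $ChromeUserData; Mask = 'Last Tabs';                 Dest = 'Chrome_Last_Tabs_' }
    @{ Path = "$ChromeUserData\Sessions";                          Dest = 'Chrome_Sessions_Folder_' }
    @{ Path = $ChromeUserData; Mask = 'Login Data*';               Dest = 'Chrome_Login_Data_' }
    @{ Path = $ChromeUserData; Mask = 'Media History*';            Dest = 'Chrome_Media_History_' }
    @{ Path = $ChromeUserData; Mask = 'Network Action Predictor*'; Dest = 'Chrome_Network_Action_Predictor_' }
    @{ Path = $ChromeUserData; Mask = 'Network Persistent State';  Dest = 'Chrome_Network_Persistent_State_' }
    @{ Path = "$ChromeUserData\Network"; Mask = 'Network Persistent State'; Dest = 'Chrome_Network_Persistent_State_' }
    @{ Path = $ChromeUserData; Mask = 'Preferences';               Dest = 'Chrome_Preferences_' }
    @{ Path = $ChromeUserData; Mask = 'QuotaManager*';             Dest = 'Chrome_Quota_Manager_' }
    @{ Path = "$ChromeUserData\WebStorage"; Mask = 'QuotaManager*'; Dest = 'Chrome_Quota_Manager_' }
    @{ Path = $ChromeUserData; Mask = 'Reporting and NEL*';        Dest = 'Chrome_Reporting_and_NEL_' }
    @{ Path = "$ChromeUserData\Network"; Mask = 'Reporting and NEL*'; Dest = 'Chrome_Reporting_and_NEL_' }
    @{ Path = $ChromeUserData; Mask = 'Shortcuts*';                Dest = 'Chrome_Shortcuts_' }
    @{ Path = $ChromeUserData; Mask = 'Top Sites*';                Dest = 'Chrome_Top_Sites_' }
    @{ Path = $ChromeUserData; Mask = 'Trust Tokens*';             Dest = 'Chrome_Trust_Tokens_' }
    @{ Path = "$ChromeUserData\Network"; Mask = 'Trust Tokens*';   Dest = 'Chrome_Trust_Tokens_' }
    @{ Path = "$ChromeUserData\Sync Data"; Mask = 'SyncData.sqlite3'; Dest = 'Chrome_SyncData_Database_' }
    @{ Path = $ChromeUserData; Mask = 'Visited Links';             Dest = 'Chrome_Visited_Links_' }
    @{ Path = $ChromeUserData; Mask = 'Web Data*';                 Dest = 'Chrome_Web_Data_' }
    @{ Path = "$ChromeUserData\IndexedDB";                         Dest = 'Chrome_IndexedDB_' }
    @{ Path = "$ChromeUserData\Local Storage\leveldb";             Dest = 'Chrome_Local_Storage_' }
    # DPAPI master keys (needed to decrypt Login Data / Cookies offline); one SID folder per account
    @{ Path = 'AppData\Roaming\Microsoft\Protect\*';               Dest = 'Windows_Protect_Folder_' }
    @{ Path = 'AppData\Local\Google\Chrome\User Data\Snapshots\*'; Dest = 'Chrome_Snapshots_Folder_' }
)

# Iterate every user profile under the source drive, skipping the well-known
# folders that are not real user accounts.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName   = $_.Name
        $ProfileDir = $_.FullName
        foreach ($artifact in $ChromeArtifacts) {
            $call = @{
                SourceDir  = "$ProfileDir\$($artifact.Path)"
                FolderName = "$($artifact.Dest)$UserName"
            }
            # Rows without a mask fall back to Collect-Artifact's default of "*".
            if ($artifact.Mask) { $call.FileMask = $artifact.Mask }
            Collect-Artifact @call
        }
    }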

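$SummaryLine = "Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors
# Green only when every located artifact copied cleanly; a robocopy failure
# (exit code >= 8, typically a database locked by a running Chrome) must not
# hide behind a green "complete".
$SummaryColor = if ($Summary.Errors -gt 0) { 'Red' } else { 'Green' }
Write-Host $SummaryLine -ForegroundColor $SummaryColor
if ($Summary.Errors -gt 0) {
    Write-Warning "One or more artifacts failed to copy. Locked files are common while Chrome is running; close Chrome or collect from a volume shadow copy and re-run."
}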

Save as a .ps1 file and run it as Administrator, e.g.: powershell -ExecutionPolicy Bypass -File script.ps1


references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_Chrome_History.smap

For the files that aren't JSON or SQLite (Current Session, Current Tabs, Last Tabs, Last Session), see the links above for clues on how to interpret that data.

included in collections