ChromeBeta

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394

description

Chrome Beta

paths

47 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: ChromeBeta
# Run as Administrator
#
# $SourceRoot is the drive being examined (a live C: or a mounted image);
# $DestBase receives the collected tree. Keep $DestBase on a different volume
# from the source so collection never writes onto the evidence drive, and
# restrict access to it: the output includes Cookies, Login Data and the
# user's Microsoft\Protect folder (DPAPI master keys).

#Requires -RunAsAdministrator

# Keep going past individual failures; outcomes are tallied in $Summary.
$ErrorActionPreference = 'Continue'
$SourceRoot = 'C:'
$DestBase   = 'D:\Evidence'
# Incremented by Collect-Artifact, printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}

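function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies files matching $FileMask from every directory matched by
        $SourceDir into $DestBase\$FolderName and tallies the result in $Summary.
    .DESCRIPTION
        $SourceDir may contain wildcards in any path segment (e.g. 'User Data\*'
        for every browser profile); robocopy does not glob its source argument,
        so the expansion is done here with Get-Item. Each matched directory is
        mirrored under its own sub-folder of the destination, named after its
        full source path (drive qualifier removed), so the same file name from
        several profiles ('Default', 'Profile 1', ...) or from several locations
        never overwrites an earlier copy and the original location is kept for
        the report.

        Counters (script-scope $Summary): Missed when nothing matched; per
        robocopy run, Copied for exit codes 0-7 (success, including "nothing to
        copy") and Errors for 8 and above (at least one file failed, e.g. locked
        by a running browser -- /R:0 means no retry).
    .PARAMETER SourceDir
        Directory to copy from; wildcards allowed in any segment.
    .PARAMETER FolderName
        Folder created under $DestBase that receives the copies.
    .PARAMETER FileMask
        robocopy file mask; default '*' (whole tree).
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # -Force so hidden directories are matched by the wildcard as well.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    foreach ($src in $sources) {
        # Mirror the source path beneath the destination folder so distinct
        # sources (profiles, sub-folders) cannot collide in one flat directory.
        $relative = $src.FullName -replace '^[A-Za-z]:\\', ''
        $target   = Join-Path -Path $FullDest -ChildPath $relative
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue
        # /E recurse (incl. empty dirs), /COPY:DAT data+attributes+timestamps,
        # /R:0 /W:0 fail fast on locked files; progress/listing output suppressed.
        robocopy "$($src.FullName)" "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}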

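# 1. SYSTEM Chrome Beta History
# Built from $SourceRoot (not a literal C:) so the SYSTEM profile is read from
# the same drive/image as the user profiles when $SourceRoot is changed.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Beta\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Beta_History"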

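# Per-user artifacts: source directory relative to the profile root (wildcards
# allowed in any segment), robocopy file mask, and destination folder prefix
# (the user name is appended). Order matches the Target definition.
$XpUserData = 'Local Settings\Application Data\Google\Chrome Beta\User Data'
$UserData   = 'AppData\Local\Google\Chrome Beta\User Data'
$UserArtifacts = @(
    # XP-era locations. On Vista and later 'Local Settings' is a junction whose
    # ACL denies directory listing, so these normally end up in the Missed count.
    @{ Dir = "$XpUserData\*"; Mask = 'Bookmarks*';      Name = 'Chrome_Beta_Bookmarks_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Cookies*';        Name = 'Chrome_Beta_Cookies_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Current Session'; Name = 'Chrome_Beta_Current_Session_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Current Tabs';    Name = 'Chrome_Beta_Current_Tabs_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Favicons*';       Name = 'Chrome_Beta_Favicons_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'History*';        Name = 'Chrome_Beta_History_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Last Session';    Name = 'Chrome_Beta_Last_Session_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Last Tabs';       Name = 'Chrome_Beta_Last_Tabs_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Login Data';      Name = 'Chrome_Beta_Login_Data_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Preferences';     Name = 'Chrome_Beta_Preferences_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Shortcuts*';      Name = 'Chrome_Beta_Shortcuts_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Top Sites*';      Name = 'Chrome_Beta_Top_Sites_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Visited Links';   Name = 'Chrome_Beta_Visited_Links_XP' }
    @{ Dir = "$XpUserData\*"; Mask = 'Web Data*';       Name = 'Chrome_Beta_Web_Data_XP' }
    # Vista and later locations.
    @{ Dir = "$UserData\*"; Mask = 'Bookmarks*';                Name = 'Chrome_Beta_Bookmarks' }
    @{ Dir = "$UserData\*"; Mask = 'Cookies*';                  Name = 'Chrome_Beta_Cookies' }
    @{ Dir = "$UserData\*"; Mask = 'Current Session';           Name = 'Chrome_Beta_Current_Session' }
    @{ Dir = "$UserData\*"; Mask = 'Current Tabs';              Name = 'Chrome_Beta_Current_Tabs' }
    @{ Dir = "$UserData\*"; Mask = 'DownloadMetadata';          Name = 'Chrome_Beta_Download_Metadata' }
    @{ Dir = "$UserData\*"; Mask = 'Extension Cookies*';        Name = 'Chrome_Beta_Extension_Cookies' }
    @{ Dir = "$UserData\*"; Mask = 'Favicons*';                 Name = 'Chrome_Beta_Favicons' }
    @{ Dir = "$UserData\*"; Mask = 'History*';                  Name = 'Chrome_Beta_History' }
    @{ Dir = "$UserData\*"; Mask = 'Last Session';              Name = 'Chrome_Beta_Last_Session' }
    @{ Dir = "$UserData\*"; Mask = 'Last Tabs';                 Name = 'Chrome_Beta_Last_Tabs' }
    @{ Dir = "$UserData\*\Sessions"; Mask = '*';                Name = 'Chrome_Beta_Sessions_Folder' }
    @{ Dir = "$UserData\*"; Mask = 'Login Data*';               Name = 'Chrome_Beta_Login_Data' }
    @{ Dir = "$UserData\*"; Mask = 'Media History*';            Name = 'Chrome_Beta_Media_History' }
    @{ Dir = "$UserData\*"; Mask = 'Network Action Predictor*'; Name = 'Chrome_Beta_Network_Action_Predictor' }
    # Some files are looked for both directly under the profile and in the
    # Network / WebStorage sub-folder; both hits share one destination folder.
    @{ Dir = "$UserData\*";         Mask = 'Network Persistent State'; Name = 'Chrome_Beta_Network_Persistent_State' }
    @{ Dir = "$UserData\*\Network"; Mask = 'Network Persistent State'; Name = 'Chrome_Beta_Network_Persistent_State' }
    @{ Dir = "$UserData\*"; Mask = 'Preferences';               Name = 'Chrome_Beta_Preferences' }
    @{ Dir = "$UserData\*";            Mask = 'QuotaManager*';  Name = 'Chrome_Beta_Quota_Manager' }
    @{ Dir = "$UserData\*\WebStorage"; Mask = 'QuotaManager*';  Name = 'Chrome_Beta_Quota_Manager' }
    @{ Dir = "$UserData\*";         Mask = 'Reporting and NEL*'; Name = 'Chrome_Beta_Reporting_and_NEL' }
    @{ Dir = "$UserData\*\Network"; Mask = 'Reporting and NEL*'; Name = 'Chrome_Beta_Reporting_and_NEL' }
    @{ Dir = "$UserData\*"; Mask = 'Shortcuts*';                Name = 'Chrome_Beta_Shortcuts' }
    @{ Dir = "$UserData\*"; Mask = 'Top Sites*';                Name = 'Chrome_Beta_Top_Sites' }
    @{ Dir = "$UserData\*";         Mask = 'Trust Tokens*';     Name = 'Chrome_Beta_Trust_Tokens' }
    @{ Dir = "$UserData\*\Network"; Mask = 'Trust Tokens*';     Name = 'Chrome_Beta_Trust_Tokens' }
    @{ Dir = "$UserData\*\Sync Data"; Mask = 'SyncData.sqlite3'; Name = 'Chrome_Beta_SyncData_Database' }
    @{ Dir = "$UserData\*"; Mask = 'Visited Links';             Name = 'Chrome_Beta_Visited_Links' }
    @{ Dir = "$UserData\*"; Mask = 'Web Data*';                 Name = 'Chrome_Beta_Web_Data' }
    @{ Dir = "$UserData\*\IndexedDB";             Mask = '*';   Name = 'Chrome_Beta_IndexedDB' }
    @{ Dir = "$UserData\*\Local Storage\leveldb"; Mask = '*';   Name = 'Chrome_Beta_Local_Storage' }
    # The user's DPAPI master keys (needed, with the user's credentials, to
    # decrypt the collected Cookies / Login Data). This is credential material:
    # keep the evidence tree access-controlled.
    @{ Dir = 'AppData\Roaming\Microsoft\Protect\*'; Mask = '*'; Name = 'Windows_Protect_Folder' }
    @{ Dir = "$UserData\Snapshots\*"; Mask = '*';               Name = 'Chrome_Beta_Snapshots_Folder' }
)

# Iterate every user profile under the source drive. -Force includes hidden
# profile folders; the shared/template profiles are skipped by name.
Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName    = $_.Name
        $ProfileRoot = $_.FullName
        foreach ($artifact in $UserArtifacts) {
            Collect-Artifact -SourceDir "$ProfileRoot\$($artifact.Dir)" `
                             -FileMask $artifact.Mask `
                             -FolderName "$($artifact.Name)_$UserName"
        }
    }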

# Final tally of the per-artifact outcomes recorded by Collect-Artifact.
Write-Host "Collection complete. Copied: $($Summary.Copied)  Missed: $($Summary.Missed)  Errors: $($Summary.Errors)" -ForegroundColor Green

Save the script as a .ps1 file and run it from an elevated (Administrator) prompt: powershell -ExecutionPolicy Bypass -File script.ps1

› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_Chrome_History.smap

The session files (Current Session, Current Tabs, Last Session, Last Tabs) are neither JSON nor SQLite; they use Chrome's own binary session format — see the links in the references section for how to interpret that data.

included in collections