ChromeDev

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394

description

Chrome Dev

paths

47 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: ChromeDev
# Run as Administrator

#Requires -RunAsAdministrator

# Non-terminating errors must not abort the run: one unreadable profile or
# missing folder should leave the rest of the collection untouched.
$ErrorActionPreference = "Continue"

# Drive that holds the Windows installation and the user profiles to collect.
$SourceRoot = "C:"

# Root of the evidence tree; every artifact lands in a sub-folder of it.
# The collection includes credential material (Cookies, Login Data, the DPAPI
# Protect folder), so access to this location should be restricted.
$DestBase   = "D:\Evidence"

# Running totals that the final status line reports.
$Summary = @{
    Copied = 0   # successful robocopy runs
    Missed = 0   # source directories that did not resolve
    Errors = 0   # robocopy runs that reported failures
}

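function Get-WildcardRelativePath {
    <#
    .SYNOPSIS
        Returns the part of a resolved path that lies below the wildcard-free
        prefix of the pattern that produced it.
    .DESCRIPTION
        Pattern '...\User Data\*\Network' with FullName
        '...\User Data\Profile 1\Network' yields 'Profile 1\Network'. Used to
        keep several wildcard matches apart under one destination folder.
        Falls back to the leaf name when the prefix cannot be matched.
    .PARAMETER Pattern
        The original source pattern, possibly containing * ? or [ ].
    .PARAMETER FullName
        A concrete path that Get-Item returned for that pattern.
    .OUTPUTS
        System.String - the relative path, never empty.
    #>
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$FullName
    )
    # Everything before the first wildcard character is literal.
    $literal = ($Pattern -split '[*?\[]', 2)[0]
    # A literal part ending at a separator is itself a directory; otherwise the
    # wildcard sits inside a segment name and the literal directory is its parent.
    if ($literal.EndsWith('\')) {
        $base = $literal.TrimEnd('\')
    } else {
        $base = Split-Path -Parent $literal
    }
    if ($base -and $FullName.StartsWith($base, [System.StringComparison]::OrdinalIgnoreCase)) {
        $relative = $FullName.Substring($base.Length).TrimStart('\')
        if ($relative) { return $relative }
    }
    return (Split-Path -Leaf $FullName)
}

function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies the files matching $FileMask out of every directory that
        $SourceDir resolves to into $DestBase\$FolderName.
    .DESCRIPTION
        When the wildcard resolves to a single directory its contents land
        directly in $DestBase\$FolderName. When it resolves to several (e.g.
        the 'Default' and 'Profile 1' browser profiles) each one is placed in
        its own sub-folder named after the wildcard-matched path, so that
        identically named files do not overwrite each other.
        Updates the script-level $Summary counters: Missed when the source does
        not resolve or robocopy found nothing to copy, Copied when robocopy
        reports at least one file copied, Errors when robocopy reports failures.
    .PARAMETER SourceDir
        Source directory; may contain wildcards in any segment.
    .PARAMETER FolderName
        Sub-folder of $DestBase that receives the copy.
    .PARAMETER FileMask
        robocopy file mask applied inside each source directory; every file
        by default.
    .OUTPUTS
        None.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'User Data\*',
    # 'Program Files*'); robocopy itself does not glob the source.
    # -Force: without it, hidden/system directories matched by the wildcard
    # are silently dropped and counted as Missed.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    foreach ($src in $sources) {
        # Several matches must not share one destination: robocopy would let
        # files with the same name (History, Cookies, ...) from different
        # profiles overwrite each other. The single-match layout is unchanged.
        $dest = $FullDest
        if ($sources.Count -gt 1) {
            $relative = Get-WildcardRelativePath -Pattern $SourceDir -FullName $src.FullName
            $dest = Join-Path -Path $FullDest -ChildPath $relative
        }
        $null = New-Item -ItemType Directory -Force -Path $dest -ErrorAction SilentlyContinue
        # /E recurse incl. empty dirs, /COPY:DAT data + attributes + timestamps,
        # /R:0 /W:0 do not retry locked files, /XJ do not follow junction points
        # (avoids reparse-point loops), the /N* switches silence per-file output.
        robocopy $src.FullName "$dest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /XJ /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy's exit code is a bit mask: 8 or above means at least one
        # failure, bit 0x1 means files were copied, 0 means nothing matched
        # the mask - which must not be reported as a successful copy.
        if ($LASTEXITCODE -ge 8) {
            $Summary.Errors++
        } elseif ($LASTEXITCODE -band 1) {
            $Summary.Copied++
        } else {
            $Summary.Missed++
        }
    }
}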

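# 1. SYSTEM Chrome Dev History
# The SYSTEM account's profile lives under the Windows directory rather than
# under \Users, so it is collected here and not by the per-user loop below.
# Built from $SourceRoot so that pointing the script at another drive
# (e.g. a mounted image) also redirects this path.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome Dev\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_Dev_History"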

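# Per-user artifact table. Each entry holds a path below the user's profile
# directory (wildcards allowed), an optional robocopy file mask, and the
# destination folder prefix; "_<UserName>" is appended at collection time.
# Entries without a Mask collect the whole directory. The order matches the
# original one-call-per-artifact listing.
$ChromeDevUserData   = 'AppData\Local\Google\Chrome Dev\User Data'
$ChromeDevUserDataXP = 'Local Settings\Application Data\Google\Chrome Dev\User Data'
$UserArtifacts = @(
    # Windows XP era profile layout
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Bookmarks*';    Folder = 'Chrome_Dev_Bookmarks_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Cookies*';      Folder = 'Chrome_Dev_Cookies_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Current Session'; Folder = 'Chrome_Dev_Current_Session_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Current Tabs';  Folder = 'Chrome_Dev_Current_Tabs_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Favicons*';     Folder = 'Chrome_Dev_Favicons_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'History*';      Folder = 'Chrome_Dev_History_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Last Session';  Folder = 'Chrome_Dev_Last_Session_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Last Tabs';     Folder = 'Chrome_Dev_Last_Tabs_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Login Data';    Folder = 'Chrome_Dev_Login_Data_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Preferences';   Folder = 'Chrome_Dev_Preferences_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Shortcuts*';    Folder = 'Chrome_Dev_Shortcuts_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Top Sites*';    Folder = 'Chrome_Dev_Top_Sites_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Visited Links'; Folder = 'Chrome_Dev_Visited_Links_XP' }
    @{ Path = "$ChromeDevUserDataXP\*"; Mask = 'Web Data*';     Folder = 'Chrome_Dev_Web_Data_XP' }
    # Vista and later profile layout; some files moved into sub-folders
    # (Network, WebStorage) over time, so both locations are collected.
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Bookmarks*';        Folder = 'Chrome_Dev_Bookmarks' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Cookies*';          Folder = 'Chrome_Dev_Cookies' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Current Session';   Folder = 'Chrome_Dev_Current_Session' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Current Tabs';      Folder = 'Chrome_Dev_Current_Tabs' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'DownloadMetadata';  Folder = 'Chrome_Dev_Download_Metadata' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Extension Cookies*'; Folder = 'Chrome_Dev_Extension_Cookies' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Favicons*';         Folder = 'Chrome_Dev_Favicons' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'History*';          Folder = 'Chrome_Dev_History' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Last Session';      Folder = 'Chrome_Dev_Last_Session' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Last Tabs';         Folder = 'Chrome_Dev_Last_Tabs' }
    @{ Path = "$ChromeDevUserData\*\Sessions";                    Folder = 'Chrome_Dev_Sessions_Folder' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Login Data*';       Folder = 'Chrome_Dev_Login_Data' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Media History*';    Folder = 'Chrome_Dev_Media_History' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Network Action Predictor*'; Folder = 'Chrome_Dev_Network_Action_Predictor' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Network Persistent State';  Folder = 'Chrome_Dev_Network_Persistent_State' }
    @{ Path = "$ChromeDevUserData\*\Network"; Mask = 'Network Persistent State'; Folder = 'Chrome_Dev_Network_Persistent_State' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Preferences';       Folder = 'Chrome_Dev_Preferences' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'QuotaManager*';     Folder = 'Chrome_Dev_Quota_Manager' }
    @{ Path = "$ChromeDevUserData\*\WebStorage"; Mask = 'QuotaManager*'; Folder = 'Chrome_Dev_Quota_Manager' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Reporting and NEL*'; Folder = 'Chrome_Dev_Reporting_and_NEL' }
    @{ Path = "$ChromeDevUserData\*\Network"; Mask = 'Reporting and NEL*'; Folder = 'Chrome_Dev_Reporting_and_NEL' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Shortcuts*';        Folder = 'Chrome_Dev_Shortcuts' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Top Sites*';        Folder = 'Chrome_Dev_Top_Sites' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Trust Tokens*';     Folder = 'Chrome_Dev_Trust_Tokens' }
    @{ Path = "$ChromeDevUserData\*\Network"; Mask = 'Trust Tokens*'; Folder = 'Chrome_Dev_Trust_Tokens' }
    @{ Path = "$ChromeDevUserData\*\Sync Data"; Mask = 'SyncData.sqlite3'; Folder = 'Chrome_Dev_SyncData_Database' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Visited Links';     Folder = 'Chrome_Dev_Visited_Links' }
    @{ Path = "$ChromeDevUserData\*"; Mask = 'Web Data*';         Folder = 'Chrome_Dev_Web_Data' }
    @{ Path = "$ChromeDevUserData\*\IndexedDB";                   Folder = 'Chrome_Dev_IndexedDB' }
    @{ Path = "$ChromeDevUserData\*\Local Storage\leveldb";       Folder = 'Chrome_Dev_Local_Storage' }
    # DPAPI master keys - needed to decrypt the collected Cookies / Login Data
    # offline; treat the result as credential material.
    @{ Path = 'AppData\Roaming\Microsoft\Protect\*';              Folder = 'Windows_Protect_Folder' }
    @{ Path = "$ChromeDevUserData\Snapshots\*";                   Folder = 'Chrome_Dev_Snapshots_Folder' }
)

# Iterate every user profile under the source drive. -Force keeps hidden
# profile directories in scope (a collector must not skip them silently);
# the well-known non-user folders are excluded by name.
Get-ChildItem "$SourceRoot\Users" -Directory -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName    = $_.Name
        $ProfileRoot = $_.FullName
        foreach ($artifact in $UserArtifacts) {
            $collectArgs = @{
                SourceDir  = "$ProfileRoot\$($artifact.Path)"
                FolderName = "$($artifact.Folder)_$UserName"
            }
            # Leaving FileMask out keeps Collect-Artifact's default of every file.
            if ($artifact.Mask) { $collectArgs.FileMask = $artifact.Mask }
            Collect-Artifact @collectArgs
        }
    }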

# Final one-line report of the totals that Collect-Artifact accumulated.
$report = "Collection complete. Copied: $($Summary.Copied)  Missed: $($Summary.Missed)  Errors: $($Summary.Errors)"
Write-Host $report -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_Chrome_History.smap

For the files that are neither JSON nor SQLite (Current Session, Current Tabs, Last Tabs, Last Session), see the links above for clues on how to interpret that data.

included in collections