ChromeSxS

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394

description

Chrome SxS - Canary

paths

47 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: ChromeSxS
# Run as Administrator

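#Requires -RunAsAdministrator

# Keep going past individual failures (missing profiles, locked files) so one
# bad path does not abort the whole collection; outcomes are tallied in $Summary.
$ErrorActionPreference = "Continue"
# Drive holding the profiles to collect from; the per-user loop enumerates
# "$SourceRoot\Users". Change this when collecting from a mounted image.
$SourceRoot = "C:"
# Root of the evidence tree. NOTE(review): what lands here includes browser
# cookie and Login Data databases plus the users' DPAPI master keys
# (Microsoft\Protect) — enough to decrypt saved credentials offline — so keep
# $DestBase on a dedicated, access-restricted (ideally encrypted) volume.
$DestBase   = "D:\Evidence"
# Writing evidence onto the volume under examination would overwrite
# unallocated space and contaminate the source. Warn rather than abort so a
# deliberate choice still runs.
if ($DestBase.TrimEnd('\') -like "$SourceRoot*") {
    Write-Warning "DestBase '$DestBase' is on the source volume '$SourceRoot'; evidence should be written to a separate volume."
}
# Copied/Errors count robocopy invocations (exit code < 8 / >= 8), Missed counts
# source patterns that matched nothing — none of them are per-file counts.
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }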

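function Get-MatchSubPath {
    <#
    .SYNOPSIS
        Returns the part of $MatchPath that lies below the wildcard-free prefix
        of $Pattern, or $Fallback when that cannot be determined.
    .DESCRIPTION
        Used to give each directory matched by a wildcard source pattern its own
        destination sub-folder. For the pattern '...\User Data\*\Sessions' and
        the match '...\User Data\Profile 1\Sessions' the result is
        'Profile 1\Sessions'. The prefix comparison is case-insensitive because
        Get-Item returns on-disk casing, which may differ from the pattern's.
    .PARAMETER Pattern
        The source path as passed to Collect-Artifact (may contain wildcards).
    .PARAMETER MatchPath
        Full path of one directory that $Pattern resolved to.
    .PARAMETER Fallback
        Value returned when $MatchPath does not extend the literal prefix.
    #>
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string]$MatchPath,
        [string]$Fallback = ''
    )
    $literal = @()
    foreach ($segment in ($Pattern -split '\\')) {
        if ($segment -match '[*?\[]') { break }   # first globbed segment ends the prefix
        $literal += $segment
    }
    $prefix = $literal -join '\'
    $isBelow = $MatchPath.Length -gt $prefix.Length -and
        $MatchPath.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)
    if ($isBelow) {
        return $MatchPath.Substring($prefix.Length).TrimStart('\')
    }
    return $Fallback
}

function Collect-Artifact {
    <#
    .SYNOPSIS
        Copies the files matching $FileMask under every directory $SourceDir
        resolves to into "$DestBase\$FolderName", updating $Summary.
    .PARAMETER SourceDir
        Directory path, possibly with wildcards in any segment (e.g.
        'Program Files*', 'User Data\*'). Expanded here with Get-Item because
        robocopy does not glob its source argument.
    .PARAMETER FolderName
        Sub-folder of $DestBase that receives the copy; may itself contain '\'.
    .PARAMETER FileMask
        robocopy file filter, applied recursively (/E). Defaults to everything.
    .NOTES
        Counters: Missed is incremented when nothing matches; Copied and Errors
        count robocopy invocations (exit code < 8 / >= 8), not files. Files
        robocopy cannot read are counted under Errors and, with /R:0 and the
        discarded output, otherwise silent — a running Chrome Canary is a likely
        cause for its database files, so close it (or copy from a snapshot)
        before collecting where possible. /COPY:DAT keeps data, attributes and
        timestamps but not ACLs/ownership.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        $target = $FullDest
        if ($sources.Count -gt 1) {
            # Several directories matched (e.g. Chrome profiles 'Default',
            # 'Profile 1', ...). Flattening them all into $FullDest would let
            # same-named files (History, Cookies, ...) overwrite each other, so
            # keep every match in its own sub-folder; robocopy creates it.
            $sub = Get-MatchSubPath -Pattern $SourceDir -MatchPath $src.FullName -Fallback $src.Name
            $target = Join-Path -Path $FullDest -ChildPath $sub
        }
        # /XJ: do not follow junctions/reparse points. The source trees live
        # under user-writable profiles; a planted junction could pull an
        # arbitrary directory tree (or a loop) into the evidence set.
        # stderr is dropped because /R:0 turns every unreadable file into noise.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /XJ /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes are bit flags: 1 copied, 2 extras, 4 mismatches
        # (anything <= 7 is a success); 8 = some items failed, 16 = fatal error.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}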

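# 1. SYSTEM Chrome SxS History
# The SYSTEM account's profile lives under the Windows directory, not under
# \Users, so the per-user loop below never reaches it; collect it explicitly.
# Built from $SourceRoot (like the per-user loop) instead of a hard-coded C:
# so collecting from another drive or a mounted image covers it too.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Google\Chrome SxS\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chrome_SxS_History"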

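# Per-user artifacts, in the original collection order. Each row gives the
# path under the user's profile directory (wildcards allowed — Collect-Artifact
# expands them), the robocopy file mask, and the label that becomes the
# evidence sub-folder "<Label>_<user>". A 'Mirror' entry places the copy taken
# from a Chrome sub-directory (Network, WebStorage) into a same-named
# sub-folder of that destination, so the newer-layout file cannot silently
# overwrite the legacy root-level file collected by the preceding row.
$XpUserData = 'Local Settings\Application Data\Google\Chrome SxS\User Data\*'
$UserData   = 'AppData\Local\Google\Chrome SxS\User Data\*'
$Artifacts = @(
    # Chrome SxS, XP profile layout
    @{ Sub = $XpUserData; Mask = 'Bookmarks*';      Label = 'Chrome_SxS_Bookmarks_XP' }
    @{ Sub = $XpUserData; Mask = 'Cookies*';        Label = 'Chrome_SxS_Cookies_XP' }
    @{ Sub = $XpUserData; Mask = 'Current Session'; Label = 'Chrome_SxS_Current_Session_XP' }
    @{ Sub = $XpUserData; Mask = 'Current Tabs';    Label = 'Chrome_SxS_Current_Tabs_XP' }
    @{ Sub = $XpUserData; Mask = 'Favicons*';       Label = 'Chrome_SxS_Favicons_XP' }
    @{ Sub = $XpUserData; Mask = 'History*';        Label = 'Chrome_SxS_History_XP' }
    @{ Sub = $XpUserData; Mask = 'Last Session';    Label = 'Chrome_SxS_Last_Session_XP' }
    @{ Sub = $XpUserData; Mask = 'Last Tabs';       Label = 'Chrome_SxS_Last_Tabs_XP' }
    @{ Sub = $XpUserData; Mask = 'Login Data';      Label = 'Chrome_SxS_Login_Data_XP' }
    @{ Sub = $XpUserData; Mask = 'Preferences';     Label = 'Chrome_SxS_Preferences_XP' }
    @{ Sub = $XpUserData; Mask = 'Shortcuts*';      Label = 'Chrome_SxS_Shortcuts_XP' }
    @{ Sub = $XpUserData; Mask = 'Top Sites*';      Label = 'Chrome_SxS_Top_Sites_XP' }
    @{ Sub = $XpUserData; Mask = 'Visited Links';   Label = 'Chrome_SxS_Visited_Links_XP' }
    @{ Sub = $XpUserData; Mask = 'Web Data*';       Label = 'Chrome_SxS_Web_Data_XP' }
    # Chrome SxS, Vista+ profile layout
    @{ Sub = $UserData; Mask = 'Bookmarks*';                Label = 'Chrome_SxS_Bookmarks' }
    @{ Sub = $UserData; Mask = 'Cookies*';                  Label = 'Chrome_SxS_Cookies' }
    @{ Sub = $UserData; Mask = 'Current Session';           Label = 'Chrome_SxS_Current_Session' }
    @{ Sub = $UserData; Mask = 'Current Tabs';              Label = 'Chrome_SxS_Current_Tabs' }
    @{ Sub = $UserData; Mask = 'DownloadMetadata';          Label = 'Chrome_SxS_Download_Metadata' }
    @{ Sub = $UserData; Mask = 'Extension Cookies*';        Label = 'Chrome_SxS_Extension_Cookies' }
    @{ Sub = $UserData; Mask = 'Favicons*';                 Label = 'Chrome_SxS_Favicons' }
    @{ Sub = $UserData; Mask = 'History*';                  Label = 'Chrome_SxS_History' }
    @{ Sub = $UserData; Mask = 'Last Session';              Label = 'Chrome_SxS_Last_Session' }
    @{ Sub = $UserData; Mask = 'Last Tabs';                 Label = 'Chrome_SxS_Last_Tabs' }
    @{ Sub = "$UserData\Sessions"; Mask = '*';              Label = 'Chrome_SxS_Sessions_Folder' }
    @{ Sub = $UserData; Mask = 'Login Data*';               Label = 'Chrome_SxS_Login_Data' }
    @{ Sub = $UserData; Mask = 'Media History*';            Label = 'Chrome_SxS_Media_History' }
    @{ Sub = $UserData; Mask = 'Network Action Predictor*'; Label = 'Chrome_SxS_Network_Action_Predictor' }
    @{ Sub = $UserData; Mask = 'Network Persistent State';  Label = 'Chrome_SxS_Network_Persistent_State' }
    @{ Sub = "$UserData\Network"; Mask = 'Network Persistent State'; Label = 'Chrome_SxS_Network_Persistent_State'; Mirror = 'Network' }
    @{ Sub = $UserData; Mask = 'Preferences';               Label = 'Chrome_SxS_Preferences' }
    @{ Sub = $UserData; Mask = 'QuotaManager*';             Label = 'Chrome_SxS_Quota_Manager' }
    @{ Sub = "$UserData\WebStorage"; Mask = 'QuotaManager*'; Label = 'Chrome_SxS_Quota_Manager'; Mirror = 'WebStorage' }
    @{ Sub = $UserData; Mask = 'Reporting and NEL*';        Label = 'Chrome_SxS_Reporting_and_NEL' }
    @{ Sub = "$UserData\Network"; Mask = 'Reporting and NEL*'; Label = 'Chrome_SxS_Reporting_and_NEL'; Mirror = 'Network' }
    @{ Sub = $UserData; Mask = 'Shortcuts*';                Label = 'Chrome_SxS_Shortcuts' }
    @{ Sub = $UserData; Mask = 'Top Sites*';                Label = 'Chrome_SxS_Top_Sites' }
    @{ Sub = $UserData; Mask = 'Trust Tokens*';             Label = 'Chrome_SxS_Trust_Tokens' }
    @{ Sub = "$UserData\Network"; Mask = 'Trust Tokens*';   Label = 'Chrome_SxS_Trust_Tokens'; Mirror = 'Network' }
    @{ Sub = "$UserData\Sync Data"; Mask = 'SyncData.sqlite3'; Label = 'Chrome_SxS_SyncData_Database' }
    @{ Sub = $UserData; Mask = 'Visited Links';             Label = 'Chrome_SxS_Visited_Links' }
    @{ Sub = $UserData; Mask = 'Web Data*';                 Label = 'Chrome_SxS_Web_Data' }
    @{ Sub = "$UserData\IndexedDB"; Mask = '*';             Label = 'Chrome_SxS_IndexedDB' }
    @{ Sub = "$UserData\Local Storage\leveldb"; Mask = '*'; Label = 'Chrome_SxS_Local_Storage' }
    # DPAPI master keys. The whole Protect folder is collected rather than
    # Protect\*: the wildcard form only keeps matched *directories*, so any file
    # at the Protect root (e.g. CREDHIST) is dropped and the SID-named
    # sub-folders lose their names, which DPAPI tooling generally expects.
    # This is the material that lets Login Data / Cookies be decrypted offline —
    # handle the evidence tree accordingly.
    @{ Sub = 'AppData\Roaming\Microsoft\Protect'; Mask = '*'; Label = 'Windows_Protect_Folder' }
    # Whole Snapshots tree, keeping each version sub-folder; Snapshots\* would
    # copy every version into the same directory and overwrite same-named files.
    @{ Sub = 'AppData\Local\Google\Chrome SxS\User Data\Snapshots'; Mask = '*'; Label = 'Chrome_SxS_Snapshots_Folder' }
)

# Iterate every user profile under the source drive, skipping the built-in
# template/shared profiles that never hold a real user's browser data.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName   = $_.Name
        $ProfileDir = $_.FullName
        foreach ($row in $Artifacts) {
            $folder = "$($row.Label)_$UserName"
            if ($row.Mirror) {
                $folder = Join-Path -Path $folder -ChildPath $row.Mirror
            }
            Collect-Artifact -SourceDir "$ProfileDir\$($row.Sub)" -FileMask $row.Mask -FolderName $folder
        }
    }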

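# Final tally. Counters are per robocopy invocation, not per file (see
# Collect-Artifact). Errors come from robocopy exit codes >= 8 — typically
# files that could not be read, for which a running Chrome Canary is a likely
# cause — and would otherwise be buried in a green summary line, so call them out.
Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
if ($Summary.Errors -gt 0) {
    Write-Warning "$($Summary.Errors) robocopy run(s) reported failures (exit code >= 8). To see which files were skipped, re-run Collect-Artifact's robocopy without /NFL and the Out-Null."
}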

Save as .ps1 and run as Administrator: `powershell -ExecutionPolicy Bypass -File script.ps1`. Close Chrome Canary first where possible: files it holds open may fail to copy, and with robocopy /R:0 and suppressed output such failures only show up in the Errors count. Treat everything written under D:\Evidence as sensitive — it contains cookies, Login Data and the users' DPAPI master keys (Microsoft\Protect), which together allow saved credentials to be decrypted offline.


references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_Chrome_History.smap

For the files that are neither JSON nor SQLite — Current Session, Current Tabs, Last Session, Last Tabs — consult the references for clues on how to interpret that data.

included in collections