dfirhub

Chromium

Browsersv1

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394

description

Chromium

paths

47 paths
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: Chromium
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Chromium Bookmarks XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks_XP"

# 2. Chromium Cookies XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Cookies*" -FolderName "Chromium_Cookies_XP"

# 3. Chromium Current Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Session" -FolderName "Chromium_Current_Session_XP"

# 4. Chromium Current Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs_XP"

# 5. Chromium Favicons XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Favicons*" -FolderName "Chromium_Favicons_XP"

# 6. Chromium History XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "History*" -FolderName "Chromium_History_XP"

# 7. Chromium Last Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Last Session" -FolderName "Chromium_Last_Session_XP"

# 8. Chromium Last Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs_XP"

# 9. Chromium Login Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Login Data" -FolderName "Chromium_Login_Data_XP"

# 10. Chromium Preferences XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Preferences" -FolderName "Chromium_Preferences_XP"

# 11. Chromium Shortcuts XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts_XP"

# 12. Chromium Top Sites XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites_XP"

# 13. Chromium Visited Links XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Visited Links" -FolderName "Chromium_Visited_Links_XP"

# 14. Chromium Web Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Web Data*" -FolderName "Chromium_Web_Data_XP"

# 15. Chromium Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Bookmarks*" -FolderName "Chromium_Bookmarks"

# 16. Chromium Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Cookies*" -FolderName "Chromium_Cookies"

# 17. Chromium Current Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Session" -FolderName "Chromium_Current_Session"

# 18. Chromium Current Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Current Tabs" -FolderName "Chromium_Current_Tabs"

# 19. Chromium Download Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "DownloadMetadata" -FolderName "Chromium_Download_Metadata"

# 20. Chromium Extension Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Extension Cookies*" -FolderName "Chromium_Extension_Cookies"

# 21. Chromium Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Favicons*" -FolderName "Chromium_Favicons"

# 22. Chromium History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "History*" -FolderName "Chromium_History"

# 23. Chromium Last Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Last Session" -FolderName "Chromium_Last_Session"

# 24. Chromium Last Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Last Tabs" -FolderName "Chromium_Last_Tabs"

# 25. Chromium Sessions Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Sessions\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Chromium_Sessions_Folder"

# 26. Chromium Login Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Login Data*" -FolderName "Chromium_Login_Data"

# 27. Chromium Media History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Media History*" -FolderName "Chromium_Media_History"

# 28. Chromium Network Action Predictor
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Network Action Predictor*" -FolderName "Chromium_Network_Action_Predictor"

# 29. Chromium Network Persistent State
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State"

# 30. Chromium Network Persistent State
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Network Persistent State" -FolderName "Chromium_Network_Persistent_State"

# 31. Chromium Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Preferences" -FolderName "Chromium_Preferences"

# 32. Chromium Quota Manager
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager"

# 33. Chromium Quota Manager
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\WebStorage"
Collect-Artifact -SourceDir "$UserPath" -FileMask "QuotaManager*" -FolderName "Chromium_Quota_Manager"

# 34. Chromium Reporting and NEL
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL"

# 35. Chromium Reporting and NEL
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Reporting and NEL*" -FolderName "Chromium_Reporting_and_NEL"

# 36. Chromium Shortcuts
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Shortcuts*" -FolderName "Chromium_Shortcuts"

# 37. Chromium Top Sites
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Top Sites*" -FolderName "Chromium_Top_Sites"

# 38. Chromium Trust Tokens
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens"

# 39. Chromium Trust Tokens
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Network"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Trust Tokens*" -FolderName "Chromium_Trust_Tokens"

# 40. Chromium SyncData Database
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Sync Data"
Collect-Artifact -SourceDir "$UserPath" -FileMask "SyncData.sqlite3" -FolderName "Chromium_SyncData_Database"

# 41. Chromium Visited Links
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Visited Links" -FolderName "Chromium_Visited_Links"

# 42. Chromium Web Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\"
Collect-Artifact -SourceDir "$UserPath" -FileMask "Web Data*" -FolderName "Chromium_Web_Data"

# 43. Chromium IndexedDB
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\IndexedDB\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Chromium_IndexedDB"

# 44. Chromium Local Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\*\Local Storage\leveldb\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Chromium_Local_Storage"

# 45. Windows Protect Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Microsoft\Protect\*\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Windows_Protect_Folder"

# 46. Chromium Snapshots Folder
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Chromium\User Data\Snapshots\*\"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Chromium_Snapshots_Folder"

# 47. SYSTEM Chromium History
Collect-Artifact -SourceDir "C:\Windows\system32\config\systemprofile\AppData\Local\Chromium\User Data\*\" -FileMask "History*" -FolderName "SYSTEM_Chromium_History"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

included in collections

SANS_Triage KapeTriage WebBrowsers