Chromium

Author: Eric Zimmerman, Andrew Rathbun, Hernan Filannino, Reece394, Yogesh Khatri

description

Chromium

paths

48 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Chromium
# Run as Administrator

#Requires -RunAsAdministrator

# Report non-terminating errors and keep going, so that one unreadable path
# does not end the whole collection run.
$ErrorActionPreference = 'Continue'

# Volume the per-user artifacts are read from (the loop below enumerates
# "$SourceRoot\Users") and the folder every artifact folder is created under.
$SourceRoot = 'C:'
$DestBase   = 'D:\Evidence'

# Running totals updated by Collect-Artifact and printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}

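function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies the files matching a mask from every directory matched by a source
    path into a named artifact folder under $DestBase.

    .DESCRIPTION
    The source path may contain wildcards in any segment; each matching
    directory is copied recursively with robocopy. Every matched directory is
    mirrored under its own drive-relative path inside the artifact folder, so
    that two matches holding files of the same name (for example the History
    database of two browser profiles) cannot overwrite each other and each
    copied file keeps a record of where it came from.

    Updates the script-level $Summary counters: Missed when nothing matches,
    otherwise Copied or Errors once per matched directory.

    .PARAMETER SourceDir
    Directory path to collect from; wildcards are expanded with Get-Item.

    .PARAMETER FolderName
    Name of the artifact folder created under $DestBase.

    .PARAMETER FileMask
    robocopy file filter; defaults to every file.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    # -Force keeps wildcard matches that carry the Hidden attribute, which
    # Get-Item would otherwise leave out.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # Drop the drive designator (or leading UNC slashes) so the original
        # location can be re-created beneath the artifact folder.
        $relative = ($src.FullName -replace '^[A-Za-z]:', '').TrimStart('\')
        $target = Join-Path -Path $FullDest -ChildPath $relative
        # robocopy creates $target itself. Its console output is discarded, so
        # the only record of this copy is the exit code checked below.
        robocopy $src.FullName $target $FileMask /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # Exit codes below 8 mean no copy failed; that includes 0 (nothing was
        # copied), which is still counted as Copied here.
        # NOTE(review): with /R:0 a file held open by a running browser is not
        # retried and would presumably surface as an Errors count - confirm.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}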

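# 1. SYSTEM Chromium History
# Built from $SourceRoot, like the per-user paths further down, so that pointing
# the script at another volume does not still read the SYSTEM profile from C:.
Collect-Artifact -SourceDir "$SourceRoot\Windows\system32\config\systemprofile\AppData\Local\Chromium\User Data\*" -FileMask "History*" -FolderName "SYSTEM_Chromium_History"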

# Per-user artifacts, in collection order. Each row gives the prefix of the
# destination folder name, the source path relative to the user's profile
# directory, and the file mask handed to Collect-Artifact ('*' = every file).
# The Protect folder is collected next to the browser databases; together with
# Login Data and Cookies it is credential material, so the destination should
# be handled as sensitive evidence.
# NOTE(review): the *_XP rows are probed under "$SourceRoot\Users" like the
# rest; where 'Local Settings' is a junction into AppData\Local they may
# resolve to the same files as the non-XP rows - confirm.
$legacyData  = 'Local Settings\Application Data\Chromium\User Data'
$currentData = 'AppData\Local\Chromium\User Data'
$perUserArtifacts = @(
    @{ Folder = 'Chromium_Bookmarks_XP';               Path = "$legacyData\*";                          Mask = 'Bookmarks*' }
    @{ Folder = 'Chromium_Cookies_XP';                 Path = "$legacyData\*";                          Mask = 'Cookies*' }
    @{ Folder = 'Chromium_Current_Session_XP';         Path = "$legacyData\*";                          Mask = 'Current Session' }
    @{ Folder = 'Chromium_Current_Tabs_XP';            Path = "$legacyData\*";                          Mask = 'Current Tabs' }
    @{ Folder = 'Chromium_Favicons_XP';                Path = "$legacyData\*";                          Mask = 'Favicons*' }
    @{ Folder = 'Chromium_History_XP';                 Path = "$legacyData\*";                          Mask = 'History*' }
    @{ Folder = 'Chromium_Last_Session_XP';            Path = "$legacyData\*";                          Mask = 'Last Session' }
    @{ Folder = 'Chromium_Last_Tabs_XP';               Path = "$legacyData\*";                          Mask = 'Last Tabs' }
    @{ Folder = 'Chromium_Login_Data_XP';              Path = "$legacyData\*";                          Mask = 'Login Data' }
    @{ Folder = 'Chromium_Preferences_XP';             Path = "$legacyData\*";                          Mask = 'Preferences' }
    @{ Folder = 'Chromium_Shortcuts_XP';               Path = "$legacyData\*";                          Mask = 'Shortcuts*' }
    @{ Folder = 'Chromium_Top_Sites_XP';               Path = "$legacyData\*";                          Mask = 'Top Sites*' }
    @{ Folder = 'Chromium_Visited_Links_XP';           Path = "$legacyData\*";                          Mask = 'Visited Links' }
    @{ Folder = 'Chromium_Web_Data_XP';                Path = "$legacyData\*";                          Mask = 'Web Data*' }
    @{ Folder = 'Chromium_Bookmarks';                  Path = "$currentData\*";                         Mask = 'Bookmarks*' }
    @{ Folder = 'Chromium_Cookies';                    Path = "$currentData\*";                         Mask = 'Cookies*' }
    @{ Folder = 'Chromium_Current_Session';            Path = "$currentData\*";                         Mask = 'Current Session' }
    @{ Folder = 'Chromium_Current_Tabs';               Path = "$currentData\*";                         Mask = 'Current Tabs' }
    @{ Folder = 'Chromium_Download_Metadata';          Path = "$currentData\*";                         Mask = 'DownloadMetadata' }
    @{ Folder = 'Chromium_Extension_Cookies';          Path = "$currentData\*";                         Mask = 'Extension Cookies*' }
    @{ Folder = 'Chromium_Favicons';                   Path = "$currentData\*";                         Mask = 'Favicons*' }
    @{ Folder = 'Chromium_History';                    Path = "$currentData\*";                         Mask = 'History*' }
    @{ Folder = 'Chromium_Last_Session';               Path = "$currentData\*";                         Mask = 'Last Session' }
    @{ Folder = 'Chromium_Last_Tabs';                  Path = "$currentData\*";                         Mask = 'Last Tabs' }
    @{ Folder = 'Chromium_Sessions_Folder';            Path = "$currentData\*\Sessions";                Mask = '*' }
    @{ Folder = 'Chromium_Login_Data';                 Path = "$currentData\*";                         Mask = 'Login Data*' }
    @{ Folder = 'Chromium_Media_History';              Path = "$currentData\*";                         Mask = 'Media History*' }
    @{ Folder = 'Chromium_Network_Action_Predictor';   Path = "$currentData\*";                         Mask = 'Network Action Predictor*' }
    @{ Folder = 'Chromium_Network_Persistent_State';   Path = "$currentData\*";                         Mask = 'Network Persistent State' }
    @{ Folder = 'Chromium_Network_Persistent_State';   Path = "$currentData\*\Network";                 Mask = 'Network Persistent State' }
    @{ Folder = 'Chromium_Preferences';                Path = "$currentData\*";                         Mask = 'Preferences' }
    @{ Folder = 'Chromium_Secure_Preferences';         Path = "$currentData\*";                         Mask = 'Secure Preferences' }
    @{ Folder = 'Chromium_Quota_Manager';              Path = "$currentData\*";                         Mask = 'QuotaManager*' }
    @{ Folder = 'Chromium_Quota_Manager';              Path = "$currentData\*\WebStorage";              Mask = 'QuotaManager*' }
    @{ Folder = 'Chromium_Reporting_and_NEL';          Path = "$currentData\*";                         Mask = 'Reporting and NEL*' }
    @{ Folder = 'Chromium_Reporting_and_NEL';          Path = "$currentData\*\Network";                 Mask = 'Reporting and NEL*' }
    @{ Folder = 'Chromium_Shortcuts';                  Path = "$currentData\*";                         Mask = 'Shortcuts*' }
    @{ Folder = 'Chromium_Top_Sites';                  Path = "$currentData\*";                         Mask = 'Top Sites*' }
    @{ Folder = 'Chromium_Trust_Tokens';               Path = "$currentData\*";                         Mask = 'Trust Tokens*' }
    @{ Folder = 'Chromium_Trust_Tokens';               Path = "$currentData\*\Network";                 Mask = 'Trust Tokens*' }
    @{ Folder = 'Chromium_SyncData_Database';          Path = "$currentData\*\Sync Data";               Mask = 'SyncData.sqlite3' }
    @{ Folder = 'Chromium_Visited_Links';              Path = "$currentData\*";                         Mask = 'Visited Links' }
    @{ Folder = 'Chromium_Web_Data';                   Path = "$currentData\*";                         Mask = 'Web Data*' }
    @{ Folder = 'Chromium_IndexedDB';                  Path = "$currentData\*\IndexedDB";               Mask = '*' }
    @{ Folder = 'Chromium_Local_Storage';              Path = "$currentData\*\Local Storage\leveldb";   Mask = '*' }
    @{ Folder = 'Windows_Protect_Folder';              Path = 'AppData\Roaming\Microsoft\Protect\*';    Mask = '*' }
    @{ Folder = 'Chromium_Snapshots_Folder';           Path = "$currentData\Snapshots\*";               Mask = '*' }
)

# Walk every profile directory under the source drive, leaving out the
# built-in template and shared profiles, and collect each row for that user.
$skippedProfiles = @('All Users', 'Default', 'Default User', 'Public')
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $skippedProfiles -notcontains $_.Name } |
    ForEach-Object {
        $UserName = $_.Name
        $profileDir = $_.FullName
        foreach ($artifact in $perUserArtifacts) {
            $UserPath = "$profileDir\$($artifact.Path)"
            Collect-Artifact -SourceDir $UserPath -FileMask $artifact.Mask -FolderName "$($artifact.Folder)_$UserName"
        }
    }

# Print the run totals gathered in $Summary as a single line.
$summaryLine = "Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors
Write-Host $summaryLine -ForegroundColor Green

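Save the script as a .ps1 file and run it as Administrator, for example: powershell -ExecutionPolicy Bypass -File script.ps1. Before running, set $SourceRoot and $DestBase at the top of the script to the volume being examined and the folder that will receive the evidence.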

› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

notes

The SQLite database(s) this Target collects can be parsed with SQLECmd using the following map(s): https://github.com/EricZimmerman/SQLECmd/blob/master/SQLMap/Maps/Windows_Chrome_History.smap

For the files that aren't JSON or SQLite (Current Session, Current Tabs, Last Tabs, and Last Session), see the links above for clues on how to interpret that data.

included in collections