dfirhub

Firefox

Browsersv1.2

Author: Eric Zimmerman and Andrew Rathbun

description

Firefox

paths

35 paths
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: Firefox
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Addons
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_$UserName"
        # Bookmarks
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave"
        Collect-Artifact -SourceDir $UserPath -FileMask "bookmarks.sqlite*" -FolderName "Bookmarks_$UserName"
        # Bookmarks
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups"
        Collect-Artifact -SourceDir $UserPath -FolderName "Bookmarks_$UserName"
        # Cookies
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_$UserName"
        # Cookies
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "firefox_cookies.sqlite*" -FolderName "Cookies_$UserName"
        # Downloads
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_$UserName"
        # Extensions
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "extensions.json" -FolderName "Extensions_$UserName"
        # Favicons
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_$UserName"
        # Form history
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_$UserName"
        # Permissions
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "permissions.sqlite*" -FolderName "Permissions_$UserName"
        # Places
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_$UserName"
        # Protections
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "protections.sqlite*" -FolderName "Protections_$UserName"
        # Search
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_$UserName"
        # Signons
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_$UserName"
        # Storage Sync
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "storage-sync.sqlite*" -FolderName "Storage_Sync_$UserName"
        # Webappstore
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_$UserName"
        # Password
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_$UserName"
        # Password
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_$UserName"
        # Password
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_$UserName"
        # Preferences
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "prefs.js" -FolderName "Preferences_$UserName"
        # Sessionstore
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_$UserName"
        # Sessionstore Folder
        $UserPath = "$($_.FullName)\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups"
        Collect-Artifact -SourceDir $UserPath -FolderName "Sessionstore_Folder_$UserName"
        # Places XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "places.sqlite*" -FolderName "Places_XP_$UserName"
        # Downloads XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "downloads.sqlite*" -FolderName "Downloads_XP_$UserName"
        # Form history XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "formhistory.sqlite*" -FolderName "Form_history_XP_$UserName"
        # Cookies XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "cookies.sqlite*" -FolderName "Cookies_XP_$UserName"
        # Signons XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "signons.sqlite*" -FolderName "Signons_XP_$UserName"
        # Webappstore XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "webappstore.sqlite*" -FolderName "Webappstore_XP_$UserName"
        # Favicons XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "favicons.sqlite*" -FolderName "Favicons_XP_$UserName"
        # Addons XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "addons.sqlite*" -FolderName "Addons_XP_$UserName"
        # Search XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "search.sqlite*" -FolderName "Search_XP_$UserName"
        # Password XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "key*.db" -FolderName "Password_XP_$UserName"
        # Password XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "signon*.*" -FolderName "Password_XP_$UserName"
        # Password XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "logins.json" -FolderName "Password_XP_$UserName"
        # Sessionstore XP
        $UserPath = "$($_.FullName)\Application Data\Mozilla\Firefox\Profiles\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "sessionstore*" -FolderName "Sessionstore_XP_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

included in collections

SANS_Triage KapeTriage WebBrowsers