Opera

Author: Andrew Rathbun

description

Opera

paths

2 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: Opera
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Opera - Local Folder
        $UserPath = "$($_.FullName)\AppData\Local\Opera Software\Opera Stable"
        Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Local_Folder_$UserName"
        # Opera - Roaming Folder
        $UserPath = "$($_.FullName)\AppData\Roaming\Opera Software\Opera Stable"
        Collect-Artifact -SourceDir $UserPath -FolderName "Opera_Roaming_Folder_$UserName"
    }

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

Opera is a third-party web browser that has a small market share compared to the bigger names.

The Local folder is mostly going to contain cache files that are not readable in a text editor.

The Roaming folder is where one can find the most useful information.

Within Roaming, the IndexedDB folder will have folders named after URLs the user navigates to.

Within Roaming, Session Storage will have logs with the naming convention of XXXXXX.log that increment as they are rolled over. Within these files are URLs the user navigated to in a given session.
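To triage the two Roaming locations described above once they are collected, the following added example (not part of the original page or its collection script) lists IndexedDB folder names and pulls URL strings out of the Session Storage logs. It assumes the `D:\Evidence\Opera_Roaming_Folder_<user>` layout produced by the script above and that URLs sit in the logs as plain ASCII byte runs; it does not parse the log format itself, and `Get-AsciiUrl` is a helper name made up for this example.

```powershell
# Added example: triage a collected Opera Roaming folder (not the page's own code).
# Assumption: evidence layout is <EvidenceRoot>\Opera_Roaming_Folder_<user>.
param(
    [string]$EvidenceRoot = 'D:\Evidence'
)

function Get-AsciiUrl {
    param([Parameter(Mandatory)][string]$Path)
    # ISO-8859-1 maps every byte to exactly one char, so binary content is not mangled.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $text  = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($bytes)
    # Assumption: URLs of interest are stored as plain ASCII byte runs.
    $pattern = 'https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%\[\]-]+'
    [regex]::Matches($text, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

Get-ChildItem -Path $EvidenceRoot -Directory -Filter 'Opera_Roaming_Folder_*' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $root = $_.FullName
        $user = $_.Name -replace '^Opera_Roaming_Folder_', ''

        # Session Storage: one row per unique URL per XXXXXX.log, in rollover order.
        Get-ChildItem -Path (Join-Path $root 'Session Storage') -Filter '*.log' -File -ErrorAction SilentlyContinue |
            Sort-Object Name |
            ForEach-Object {
                $log = $_
                Get-AsciiUrl -Path $log.FullName | ForEach-Object {
                    [pscustomobject]@{
                        User         = $user
                        Source       = "Session Storage\$($log.Name)"
                        # File times survive the copy because robocopy ran with /COPY:DAT.
                        LastWriteUtc = $log.LastWriteTimeUtc
                        Value        = $_
                    }
                }
            }

        # IndexedDB: the folder names themselves are the artifact.
        Get-ChildItem -Path (Join-Path $root 'IndexedDB') -Directory -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ User = $user; Source = 'IndexedDB'; LastWriteUtc = $null; Value = $_.Name }
            }
    }
```

The script emits objects, so the output can be piped to `Export-Csv` or `Out-GridView`; run it against the evidence copy rather than the live profile.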

included in collections