dfirhub

PuffinSecureBrowser

Browsersv1

Author: Andrew Rathbun

description

Puffin Secure Browser

paths

7 paths
paths use Windows environment syntax

collection commands 

# PowerShell Artifact Collection Script
# Target: PuffinSecureBrowser
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Puffin - data.db
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "data.db" -FolderName "Puffin___data_db"

# 2. Puffin - Autocomplete Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "autocompletes.dat" -FolderName "Puffin___Autocomplete_Data"

# 3. Puffin - Password Forms Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "passwordForms.dat" -FolderName "Puffin___Password_Forms_Data"

# 4. Puffin - Password (Encrypted)
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "credential.dat" -FolderName "Puffin___Password__Encrypted_"

# 5. Puffin - Subscription Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "subscription" -FolderName "Puffin___Subscription_Data"

# 6. Puffin - Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir "$UserPath" -FileMask "cookies.dat" -FolderName "Puffin___Cookies"

# 7. Puffin - Image Cache
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser\image_cache"
Collect-Artifact -SourceDir "$UserPath" -FolderName "Puffin___Image_Cache"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references

included in collections

SANS_Triage KapeTriage WebBrowsers