PuffinSecureBrowser
Author: Andrew Rathbun
description
Puffin Secure Browser
paths
collection commands
# PowerShell Artifact Collection Script
# Target: PuffinSecureBrowser
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
param(
[Parameter(Mandatory)][string]$SourceDir,
[Parameter(Mandatory)][string]$FolderName,
[string]$FileMask = "*"
)
# Expand wildcards in any path segment (e.g. 'Program Files*',
# 'ScreenConnect Client*'). robocopy itself does not glob the source.
$sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
Where-Object { $_.PSIsContainer })
if ($sources.Count -eq 0) {
$Summary.Missed++
return
}
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
$null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
foreach ($src in $sources) {
robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
}
}
# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
ForEach-Object {
$UserName = $_.Name
# Puffin - data.db
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "data.db" -FolderName "Puffin_data_db_$UserName"
# Puffin - Autocomplete Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "autocompletes.dat" -FolderName "Puffin_Autocomplete_Data_$UserName"
# Puffin - Password Forms Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "passwordForms.dat" -FolderName "Puffin_Password_Forms_Data_$UserName"
# Puffin - Password (Encrypted)
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "credential.dat" -FolderName "Puffin_Password_Encrypted_$UserName"
# Puffin - Subscription Data
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "subscription" -FolderName "Puffin_Subscription_Data_$UserName"
# Puffin - Cookies
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourceDir $UserPath -FileMask "cookies.dat" -FolderName "Puffin_Cookies_$UserName"
# Puffin - Image Cache
$UserPath = "$($_.FullName)\AppData\Local\PuffinSecureBrowser\image_cache"
Collect-Artifact -SourceDir $UserPath -FolderName "Puffin_Image_Cache_$UserName"
}
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
Open in CyberChef to decode values extracted from this artifact.
notes
Puffin is a secure web browser that takes a LOT of work to get set up. If your suspect is using this, they went out of their way to make this their browser of choice. I had to use a credit card/billing address, authorization codes sent to my fake email, sign in multiple times to activate the browser and my membership, etc. It was a pain.
As secure as Puffin claims to be, they store some stuff locally!
Data.db had evidence of tabs I had opened with the browser.
Autocompletes.dat stored some autocomplete data (email, etc) that I entered throughout the setup process.
passwordForms.dat stored the email in plaintext but the password itself is not in plain text.
"subscription" was a file without a file extension (viewable in a text editor) that showed the fake email I used to set up my trial with Puffin.
The image_cache folder will store what appears to be .JPG files but as .ci0 files. I was able to view all the images with IrfanView despite the proprietary file extension.