PuffinSecureBrowser
Browsersv1
Author: Andrew Rathbun
description
Puffin Secure Browser
paths
7 paths
CommunicationsPuffin - data.db
C:\Users\%user%\AppData\Local\PuffinSecureBrowserdata.dbGrabs an important database file that contains browser history
CommunicationsPuffin - Autocomplete Data
C:\Users\%user%\AppData\Local\PuffinSecureBrowserautocompletes.datGrabs a file that stores autocomplete data
CommunicationsPuffin - Password Forms Data
C:\Users\%user%\AppData\Local\PuffinSecureBrowserpasswordForms.datGrabs a file that stores some saved password data
CommunicationsPuffin - Password (Encrypted)
C:\Users\%user%\AppData\Local\PuffinSecureBrowsercredential.datGrabs a file that stores passwords in an encrypted format
CommunicationsPuffin - Subscription Data
C:\Users\%user%\AppData\Local\PuffinSecureBrowsersubscriptionGrabs a file that stores the user's email address that's associated with their Puffin subscription
CommunicationsPuffin - Cookies
C:\Users\%user%\AppData\Local\PuffinSecureBrowsercookies.datGrabs a file that stores information related to cookies
CommunicationsPuffin - Image Cache
C:\Users\%user%\AppData\Local\PuffinSecureBrowser\image_cacheGrabs a directory that caches images from websites visited
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: PuffinSecureBrowser
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. Puffin - data.db
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\data.db" -FolderName "Puffin___data_db"
# 2. Puffin - Autocomplete Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\autocompletes.dat" -FolderName "Puffin___Autocomplete_Data"
# 3. Puffin - Password Forms Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\passwordForms.dat" -FolderName "Puffin___Password_Forms_Data"
# 4. Puffin - Password (Encrypted)
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\credential.dat" -FolderName "Puffin___Password__Encrypted_"
# 5. Puffin - Subscription Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\subscription" -FolderName "Puffin___Subscription_Data"
# 6. Puffin - Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser"
Collect-Artifact -SourcePath "$UserPath\cookies.dat" -FolderName "Puffin___Cookies"
# 7. Puffin - Image Cache
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\PuffinSecureBrowser\image_cache"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Puffin___Image_Cache"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.