SQLiteDatabases

Author: Andrew Rathbun

description

SQLDatabases Target for use with SQLECmd Module

paths

106 paths
paths use Windows environment syntax

collection commands

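# PowerShell Artifact Collection Script
# Target: SQLiteDatabases
# Run as Administrator
#
# Scope: the per-user paths in this script are built from $env:USERPROFILE, which is the
# profile of the account running the script. Other users' profiles on the host are not
# collected by this script as written.

#Requires -RunAsAdministrator

# Non-terminating errors are silenced for the whole script -- presumably because most
# hosts only have a few of the targeted applications installed. Real collection failures
# are hidden by this setting as well.
$ErrorActionPreference = "SilentlyContinue"

# Root folder that receives one sub-folder per artifact. The collected set includes browser
# cookie and saved-login databases, so handle this location as sensitive evidence.
$DestBase = "D:\Evidence"

# Stop before collecting anything if the evidence folder is missing and cannot be created
# (for example the D: volume is not attached). Without this check every copy would fail
# silently and the script would still report completion.
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    New-Item -ItemType Directory -Path $DestBase -Force -ErrorAction Stop | Out-Null
}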

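# Copy one artifact location into its own folder under $DestBase using robocopy.
#
# Parameters:
#   SourceDir  - directory to collect from. May contain PowerShell wildcards (a '*' standing
#                for a profile or version folder) and may end in a backslash.
#   FolderName - name of the destination folder created under $DestBase.
#   FileMask   - robocopy file mask; defaults to "*" (every file).
#
# Behaviour:
#   * Reads the script-level $DestBase.
#   * robocopy /E also descends into sub-directories of the source, so FileMask is matched
#     at any depth below SourceDir.
#   * /COPY:DAT keeps data, attributes and timestamps; /R:0 /W:0 means a file that cannot be
#     read is skipped immediately instead of retried.
#   * A source that does not exist is skipped quietly (the application is not installed).
#   * A robocopy exit code of 8 or higher (files or directories could not be copied) is
#     reported with Write-Warning so an incomplete collection is visible to the examiner.
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )

    if ([string]::IsNullOrWhiteSpace($SourceDir) -or [string]::IsNullOrWhiteSpace($FolderName)) {
        Write-Warning "Collect-Artifact: SourceDir and FolderName are required; nothing collected."
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    # A quoted argument that ends in a backslash reaches robocopy with the closing quote
    # escaped, which corrupts the source path. Drop the trailing separator first.
    $CleanSource = $SourceDir.TrimEnd('\')
    if ($CleanSource -match '^[A-Za-z]:$') {
        $CleanSource += '\'   # keep a bare drive root a root, not "current directory on X:"
    }

    # robocopy takes a literal source directory; it does not expand wildcards in the
    # directory part. Expand the pattern here and copy each matching directory.
    $HasWildcard = [System.Management.Automation.WildcardPattern]::ContainsWildcardCharacters($CleanSource)
    if ($HasWildcard) {
        $Sources = @(Get-Item -Path $CleanSource -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer } |
            ForEach-Object { $_.FullName })
    }
    elseif (Test-Path -LiteralPath $CleanSource -PathType Container) {
        $Sources = @($CleanSource)
    }
    else {
        $Sources = @()
    }

    foreach ($Source in $Sources) {
        $Dest = $FullDest
        if ($HasWildcard) {
            # Several directories can match one pattern and hold files with the same name
            # (one database per browser profile, for instance). Give each match its own
            # sub-folder, named after the resolved source path, so nothing is overwritten
            # and the origin of every file stays recorded.
            $Dest = Join-Path -Path $FullDest -ChildPath ($Source -replace '[:\\]+', '_')
        }

        robocopy "$Source" "$Dest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null

        if ($LASTEXITCODE -ge 8) {
            Write-Warning "robocopy exit code $LASTEXITCODE for '$Source' (mask '$FileMask'): some files were not copied, commonly because they are locked by a running application or access was denied."
        }
    }
}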

# Targets 1-8: per-user application databases (4K Video Downloader, OneNote, Sticky Notes,
# To Do). Each row is one target: directory relative to the user profile, file mask and
# destination folder. A mask of "*" is the same value Collect-Artifact uses by default.
$UserAppTargets = @(
    @{ Dir = "AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader"; Mask = "*.sqlite"; Folder = "4K_Video_Downloader" }   # 1. 4K Video Downloader
    @{ Dir = "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex"; Mask = "*"; Folder = "Microsoft_OneNote___FullTextSearchIndex" }   # 2. Microsoft OneNote - FullTextSearchIndex
    @{ Dir = "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications"; Mask = "RecentNotebooks_SeenURLs"; Folder = "Microsoft_OneNote___RecentNotebooks_SeenURLs" }   # 3. Microsoft OneNote - RecentNotebooks_SeenURLs
    @{ Dir = "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex"; Mask = "*"; Folder = "Microsoft_OneNote___AccessibilityCheckerIndex" }   # 4. Microsoft OneNote - AccessibilityCheckerIndex
    @{ Dir = "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags"; Mask = "*LiveId.db"; Folder = "Microsoft_OneNote___User_NoteTags" }   # 5. Microsoft OneNote - User NoteTags
    @{ Dir = "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches"; Mask = "RecentSearches.db"; Folder = "Microsoft_OneNote___RecentSearches" }   # 6. Microsoft OneNote - RecentSearches
    @{ Dir = "AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\"; Mask = "plum.sqlite*"; Folder = "Microsoft_Sticky_Notes___1607_and_later" }   # 7. Microsoft Sticky Notes - 1607 and later
    @{ Dir = "AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\"; Mask = "todosqlite.db*"; Folder = "Microsoft_To_Do___SQLite_Database_of_To_Do_tasks" }   # 8. Microsoft To Do - SQLite Database of To Do tasks
)

foreach ($Entry in $UserAppTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 9-13: file-transfer, note-taking and backup tools. Machine-wide locations are
# passed as fixed paths; per-user locations are resolved against the current profile.

# 9. Robo-FTP Jobs (machine-wide; the install folder name carries a version suffix)
$RoboFtpJobs = @{
    SourceDir  = "C:\Program Files\Robo-FTP *\ProgramData\"
    FileMask   = "SchedulerService.sqlite"
    FolderName = "Robo_FTP_Jobs"
}
Collect-Artifact @RoboFtpJobs

# 10. TeraCopy - History Databases
$UserPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\Roaming\TeraCopy\History"
Collect-Artifact -FolderName "TeraCopy___History_Databases" -FileMask "*.db" -SourceDir $UserPath

# 11. TeraCopy - Main Database
$UserPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\Roaming\TeraCopy\"
Collect-Artifact -FolderName "TeraCopy___Main_Database" -FileMask "main.db" -SourceDir $UserPath

# 12. Notion Local Storage
$UserPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\Roaming\Notion"
Collect-Artifact -FolderName "Notion_Local_Storage" -FileMask "notion.db" -SourceDir $UserPath

# 13. IDrive Backed Up Files (machine-wide)
$IDriveBackups = @{
    SourceDir  = "C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\"
    FileMask   = "*.idbs"
    FolderName = "IDrive_Backed_Up_Files"
}
Collect-Artifact @IDriveBackups

# Targets 14-24: Dropbox metadata. Every target lands in the same destination folder;
# only the directory (relative to the user profile) and the file mask vary.
$DropboxFolder = "Dropbox_Metadata"
$DropboxTargets = @(
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "filecache.db*" }          # 14
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "config.dbx" }             # 15
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "home.db" }                # 16
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "icon.db" }                # 17
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "sync_history.db" }        # 18
    @{ Dir = "AppData\Local\Dropbox\*\sync\"; Mask = "nucleus.sqlite3*" }  # 19
    @{ Dir = "AppData\Local\Dropbox\"; Mask = "host.db" }                  # 20
    @{ Dir = "AppData\Local\Dropbox\"; Mask = "host.dbx" }                 # 21
    @{ Dir = "AppData\Local\Dropbox\*\sync\"; Mask = "aggregation.dbx" }   # 22
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "avatarcache.db" }         # 23
    @{ Dir = "AppData\Local\Dropbox\*\"; Mask = "avatarcache.db" }         # 24 (same directory and mask as 23)
)

foreach ($Entry in $DropboxTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $DropboxFolder
}

# Targets 25-29: Google File Stream metadata and FileZilla SQLite3 logs.
# Row layout: directory relative to the user profile, file mask, destination folder.
# A mask of "*" is the same value Collect-Artifact uses by default.
$CloudAndFtpTargets = @(
    @{ Dir = "AppData\Local\Google\Drive\*\cloud_graph\"; Mask = "cloud_graph.db"; Folder = "Google_File_Stream_Metadata" }        # 25. Google File Stream Metadata
    @{ Dir = "AppData\Local\Google\Drive\*\TempData\*\change_buffer\"; Mask = "*"; Folder = "Google_File_Stream_Metadata" }        # 26. Google File Stream Metadata
    @{ Dir = "AppData\Local\Google\Drive\*\"; Mask = "snapshot.db"; Folder = "Google_File_Stream_Metadata" }                       # 27. Google File Stream Metadata
    @{ Dir = "AppData\Local\Google\Drive\*\"; Mask = "sync_config.db"; Folder = "Google_File_Stream_Metadata" }                    # 28. Google File Stream Metadata
    @{ Dir = "AppData\Roaming\FileZilla\"; Mask = "*.sqlite3*"; Folder = "FileZilla_SQLite3_Log_Files" }                           # 29. FileZilla SQLite3 Log Files
)

foreach ($Entry in $CloudAndFtpTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 30-43: Chrome artifacts in the Windows XP profile layout. All of them are read
# from the same per-profile directory; each row gives the file mask and destination folder.
# The set includes the cookie and saved-login ("Login Data") stores.
$ChromeXpProfileDir = "Local Settings\Application Data\Google\Chrome\User Data\*\"
$ChromeXpTargets = @(
    @{ Mask = "Bookmarks*"; Folder = "Chrome_bookmarks_XP" }            # 30. Chrome bookmarks XP
    @{ Mask = "Cookies*"; Folder = "Chrome_Cookies_XP" }                # 31. Chrome Cookies XP
    @{ Mask = "Current Session"; Folder = "Chrome_Current_Session_XP" } # 32. Chrome Current Session XP
    @{ Mask = "Current Tabs"; Folder = "Chrome_Current_Tabs_XP" }       # 33. Chrome Current Tabs XP
    @{ Mask = "Favicons*"; Folder = "Chrome_Favicons_XP" }              # 34. Chrome Favicons XP
    @{ Mask = "History*"; Folder = "Chrome_History_XP" }                # 35. Chrome History XP
    @{ Mask = "Last Session"; Folder = "Chrome_Last_Session_XP" }       # 36. Chrome Last Session XP
    @{ Mask = "Last Tabs"; Folder = "Chrome_Last_Tabs_XP" }             # 37. Chrome Last Tabs XP
    @{ Mask = "Login Data"; Folder = "Chrome_Login_Data_XP" }           # 38. Chrome Login Data XP
    @{ Mask = "Preferences"; Folder = "Chrome_Preferences_XP" }         # 39. Chrome Preferences XP
    @{ Mask = "Shortcuts*"; Folder = "Chrome_Shortcuts_XP" }            # 40. Chrome Shortcuts XP
    @{ Mask = "Top Sites*"; Folder = "Chrome_Top_Sites_XP" }            # 41. Chrome Top Sites XP
    @{ Mask = "Visited Links"; Folder = "Chrome_Visited_Links_XP" }     # 42. Chrome Visited Links XP
    @{ Mask = "Web Data*"; Folder = "Chrome_Web_Data_XP" }              # 43. Chrome Web Data XP
)

foreach ($Entry in $ChromeXpTargets) {
    $UserPath = Join-Path $env:USERPROFILE $ChromeXpProfileDir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 44-66: Chrome artifacts in the current profile layout. Each row names the
# directory (relative to the user profile), the file mask and the destination folder.
# All rows use the per-profile directory except SyncData, which sits in "Sync Data".
# The set includes the cookie and saved-login ("Login Data") stores.
$ChromeProfileDir = "AppData\Local\Google\Chrome\User Data\*\"
$ChromeSyncDir = "AppData\Local\Google\Chrome\User Data\*\Sync Data"
$ChromeTargets = @(
    @{ Dir = $ChromeProfileDir; Mask = "Bookmarks*"; Folder = "Chrome_bookmarks" }                               # 44. Chrome bookmarks
    @{ Dir = $ChromeProfileDir; Mask = "Cookies*"; Folder = "Chrome_Cookies" }                                   # 45. Chrome Cookies
    @{ Dir = $ChromeProfileDir; Mask = "Current Session"; Folder = "Chrome_Current_Session" }                    # 46. Chrome Current Session
    @{ Dir = $ChromeProfileDir; Mask = "Current Tabs"; Folder = "Chrome_Current_Tabs" }                          # 47. Chrome Current Tabs
    @{ Dir = $ChromeProfileDir; Mask = "Download Metadata"; Folder = "Chrome_Download_Metadata" }                # 48. Chrome Download Metadata
    @{ Dir = $ChromeProfileDir; Mask = "Extension Cookies"; Folder = "Chrome_Extension_Cookies" }                # 49. Chrome Extension Cookies
    @{ Dir = $ChromeProfileDir; Mask = "Favicons*"; Folder = "Chrome_Favicons" }                                 # 50. Chrome Favicons
    @{ Dir = $ChromeProfileDir; Mask = "History*"; Folder = "Chrome_History" }                                   # 51. Chrome History
    @{ Dir = $ChromeProfileDir; Mask = "Last Session"; Folder = "Chrome_Last_Session" }                          # 52. Chrome Last Session
    @{ Dir = $ChromeProfileDir; Mask = "Last Tabs"; Folder = "Chrome_Last_Tabs" }                                # 53. Chrome Last Tabs
    @{ Dir = $ChromeProfileDir; Mask = "Login Data"; Folder = "Chrome_Login_Data" }                              # 54. Chrome Login Data
    @{ Dir = $ChromeProfileDir; Mask = "Media History*"; Folder = "Chrome_Media_History" }                       # 55. Chrome Media History
    @{ Dir = $ChromeProfileDir; Mask = "Network Action Predictor"; Folder = "Chrome_Network_Action_Predictor" }  # 56. Chrome Network Action Predictor
    @{ Dir = $ChromeProfileDir; Mask = "Network Persistent State"; Folder = "Chrome_Network_Persistent_State" }  # 57. Chrome Network Persistent State
    @{ Dir = $ChromeProfileDir; Mask = "Preferences"; Folder = "Chrome_Preferences" }                            # 58. Chrome Preferences
    @{ Dir = $ChromeProfileDir; Mask = "QuotaManager"; Folder = "Chrome_Quota_Manager" }                         # 59. Chrome Quota Manager
    @{ Dir = $ChromeProfileDir; Mask = "Reporting and NEL"; Folder = "Chrome_Reporting_and_NEL" }                # 60. Chrome Reporting and NEL
    @{ Dir = $ChromeProfileDir; Mask = "Shortcuts*"; Folder = "Chrome_Shortcuts" }                               # 61. Chrome Shortcuts
    @{ Dir = $ChromeProfileDir; Mask = "Top Sites*"; Folder = "Chrome_Top_Sites" }                               # 62. Chrome Top Sites
    @{ Dir = $ChromeProfileDir; Mask = "Trust Tokens*"; Folder = "Chrome_Trust_Tokens" }                         # 63. Chrome Trust Tokens
    @{ Dir = $ChromeSyncDir; Mask = "SyncData.sqlite3"; Folder = "Chrome_SyncData_Database" }                    # 64. Chrome SyncData Database
    @{ Dir = $ChromeProfileDir; Mask = "Visited Links"; Folder = "Chrome_Visited_Links" }                        # 65. Chrome Visited Links
    @{ Dir = $ChromeProfileDir; Mask = "Web Data*"; Folder = "Chrome_Web_Data" }                                 # 66. Chrome Web Data
)

foreach ($Entry in $ChromeTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 67-85: Microsoft Edge artifacts. Each row names the directory (relative to the
# user profile), the file mask and the destination folder. Collections and SyncData sit in
# their own sub-directories; everything else is read from the per-profile directory.
# The set includes the cookie and saved-login ("Login Data") stores.
# Targets 67 and 83 use the same directory and mask; their folder names differ only in
# letter case.
$EdgeProfileDir = "AppData\Local\Microsoft\Edge\User Data\*\"
$EdgeTargets = @(
    @{ Dir = $EdgeProfileDir; Mask = "Bookmarks*"; Folder = "Edge_bookmarks" }                                   # 67. Edge bookmarks
    @{ Dir = "AppData\Local\Microsoft\Edge\User Data\*\Collections"; Mask = "collectionsSQLite"; Folder = "Edge_Collections" }   # 68. Edge Collections
    @{ Dir = $EdgeProfileDir; Mask = "Cookies*"; Folder = "Edge_Cookies" }                                       # 69. Edge Cookies
    @{ Dir = $EdgeProfileDir; Mask = "Current Session"; Folder = "Edge_Current_Session" }                        # 70. Edge Current Session
    @{ Dir = $EdgeProfileDir; Mask = "Current Tabs"; Folder = "Edge_Current_Tabs" }                              # 71. Edge Current Tabs
    @{ Dir = $EdgeProfileDir; Mask = "Favicons*"; Folder = "Edge_Favicons" }                                     # 72. Edge Favicons
    @{ Dir = $EdgeProfileDir; Mask = "History*"; Folder = "Edge_History" }                                       # 73. Edge History
    @{ Dir = $EdgeProfileDir; Mask = "Last Session"; Folder = "Edge_Last_Session" }                              # 74. Edge Last Session
    @{ Dir = $EdgeProfileDir; Mask = "Last Tabs"; Folder = "Edge_Last_Tabs" }                                    # 75. Edge Last Tabs
    @{ Dir = $EdgeProfileDir; Mask = "Login Data"; Folder = "Edge_Login_Data" }                                  # 76. Edge Login Data
    @{ Dir = $EdgeProfileDir; Mask = "Media History*"; Folder = "Edge_Media_History" }                           # 77. Edge Media History
    @{ Dir = $EdgeProfileDir; Mask = "Network Action Predictor"; Folder = "Edge_Network_Action_Predictor" }      # 78. Edge Network Action Predictor
    @{ Dir = $EdgeProfileDir; Mask = "Preferences"; Folder = "Edge_Preferences" }                                # 79. Edge Preferences
    @{ Dir = $EdgeProfileDir; Mask = "Shortcuts*"; Folder = "Edge_Shortcuts" }                                   # 80. Edge Shortcuts
    @{ Dir = $EdgeProfileDir; Mask = "Top Sites*"; Folder = "Edge_Top_Sites" }                                   # 81. Edge Top Sites
    @{ Dir = "AppData\Local\Microsoft\Edge\User Data\*\Sync Data"; Mask = "SyncData.sqlite3"; Folder = "Edge_SyncData_Database" }   # 82. Edge SyncData Database
    @{ Dir = $EdgeProfileDir; Mask = "Bookmarks*"; Folder = "Edge_Bookmarks" }                                   # 83. Edge Bookmarks
    @{ Dir = $EdgeProfileDir; Mask = "Visited Links"; Folder = "Edge_Visited_Links" }                            # 84. Edge Visited Links
    @{ Dir = $EdgeProfileDir; Mask = "Web Data*"; Folder = "Edge_Web_Data" }                                     # 85. Edge Web Data
)

foreach ($Entry in $EdgeTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 86-99: Firefox profile databases. Each row names the directory (relative to the
# user profile), the file mask and the destination folder. Only the bookmarks target reads
# from the "weave" sub-directory; the rest come from the profile directory itself.
# The trailing '*' on each mask also picks up companion files that share the database name.
$FirefoxProfileDir = "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
$FirefoxTargets = @(
    @{ Dir = $FirefoxProfileDir; Mask = "addons.sqlite*"; Folder = "Addons" }                 # 86. Addons
    @{ Dir = "AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\"; Mask = "bookmarks.sqlite*"; Folder = "Bookmarks" }   # 87. Bookmarks
    @{ Dir = $FirefoxProfileDir; Mask = "cookies.sqlite*"; Folder = "Cookies" }               # 88. Cookies
    @{ Dir = $FirefoxProfileDir; Mask = "firefox_cookies.sqlite*"; Folder = "Cookies" }       # 89. Cookies
    @{ Dir = $FirefoxProfileDir; Mask = "downloads.sqlite*"; Folder = "Downloads" }           # 90. Downloads
    @{ Dir = $FirefoxProfileDir; Mask = "favicons.sqlite*"; Folder = "Favicons" }             # 91. Favicons
    @{ Dir = $FirefoxProfileDir; Mask = "formhistory.sqlite*"; Folder = "Form_history" }      # 92. Form history
    @{ Dir = $FirefoxProfileDir; Mask = "permissions.sqlite*"; Folder = "Permissions" }       # 93. Permissions
    @{ Dir = $FirefoxProfileDir; Mask = "places.sqlite*"; Folder = "Places" }                 # 94. Places
    @{ Dir = $FirefoxProfileDir; Mask = "protections.sqlite*"; Folder = "Protections" }       # 95. Protections
    @{ Dir = $FirefoxProfileDir; Mask = "search.sqlite*"; Folder = "Search" }                 # 96. Search
    @{ Dir = $FirefoxProfileDir; Mask = "signons.sqlite*"; Folder = "Signons" }               # 97. Signons
    @{ Dir = $FirefoxProfileDir; Mask = "storage-sync.sqlite*"; Folder = "Storage_Sync" }     # 98. Storage Sync
    @{ Dir = $FirefoxProfileDir; Mask = "webappstore.sqlite*"; Folder = "Webappstore" }       # 99. Webappstore
)

foreach ($Entry in $FirefoxTargets) {
    $UserPath = Join-Path $env:USERPROFILE $Entry.Dir
    Collect-Artifact -SourceDir "$UserPath" -FileMask $Entry.Mask -FolderName $Entry.Folder
}

# Targets 100-103: Windows databases (notifications, activity cache, update store).

# 100 / 101. Windows 10 Notification DB -- two files from the same directory, collected
# into the same destination folder.
foreach ($NotificationFile in "wpndatabase.db", "appdb.dat") {
    $UserPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\Local\Microsoft\Windows\Notifications\"
    Collect-Artifact -FolderName "Windows_10_Notification_DB" -FileMask $NotificationFile -SourceDir $UserPath
}

# 102. ActivitiesCache.db
$UserPath = Join-Path -Path $env:USERPROFILE -ChildPath "AppData\Local\ConnectedDevicesPlatform\*\"
Collect-Artifact -FolderName "ActivitiesCache_db" -FileMask "ActivitiesCache.db*" -SourceDir $UserPath

# 103. Update Store.db (machine-wide location, not under the user profile)
$UpdateStore = @{
    SourceDir  = "C:\ProgramData\USOPrivate\UpdateStore"
    FileMask   = "store.db"
    FolderName = "Update_Store_db"
}
Collect-Artifact @UpdateStore

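# 104. Bitdefender SQLite DB Files
# The file mask is handed to robocopy, which accepts wildcard patterns only; a "regex:"
# expression is treated as a literal name and matches nothing. The original expression
# selects files ending in .db, .db-wal or .db-shm, so collect one wildcard mask per
# extension into the same destination folder.
foreach ($BitdefenderMask in "*.db", "*.db-wal", "*.db-shm") {
    Collect-Artifact -SourceDir "C:\Program Files*\Bitdefender*\" -FileMask $BitdefenderMask -FolderName "Bitdefender_SQLite_DB_Files"
}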

# 105 / 106. EventTranscript.db -- the live location first, then the copy kept under
# Windows.old. Both go to the same destination folder.
$EventTranscriptDirs = @(
    "C:\ProgramData\Microsoft\Diagnosis\EventTranscript"
    "C:\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript"
)
foreach ($TranscriptDir in $EventTranscriptDirs) {
    Collect-Artifact -FolderName "EventTranscript_db" -FileMask "EventTranscript.db*" -SourceDir $TranscriptDir
}

# Printed unconditionally: it marks the end of the run, not that every target was copied.
Write-Host -ForegroundColor Green -Object "Collection complete!"

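Save the script as a .ps1 file and run it from an elevated (Administrator) PowerShell prompt. Use: powershell -ExecutionPolicy Bypass -File script.ps1. As written, the script writes to D:\Evidence ($DestBase) and collects only the profile of the account that runs it, so set $DestBase to your evidence volume before running.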

cyberchef recipes

Open in CyberChef to decode values extracted from this artifact.

references