dfirhub

SQLiteDatabases

Author: Andrew Rathbun

description

SQLDatabases Target for use with SQLECmd Module

paths

106 paths
SQLDatabases4K Video Downloader
C:\Users\%user%\AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader\*.sqlite

Grabs database(s) that stores user download history

SQLDatabasesMicrosoft OneNote - FullTextSearchIndex
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex

Grabs database(s) comprising each OneNote notebook's text content

SQLDatabasesMicrosoft OneNote - RecentNotebooks_SeenURLs
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications\RecentNotebooks_SeenURLs

Grabs a file that appears to record recently seen OneNote notebooks

SQLDatabasesMicrosoft OneNote - AccessibilityCheckerIndex
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex

Grabs database(s) comprising each OneNote notebook's version sync error history

SQLDatabasesMicrosoft OneNote - User NoteTags
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags\*LiveId.db

Grabs a database that stores the user-specified tags within OneNote to be used application-wide

SQLDatabasesMicrosoft OneNote - RecentSearches
C:\Users\%user%\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches\RecentSearches.db

Grabs a database that stores the user's recent searches within OneNote

SQLDatabasesMicrosoft Sticky Notes - 1607 and later
C:\Users\%user%\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\plum.sqlite*
SQLDatabasesMicrosoft To Do - SQLite Database of To Do tasks
C:\Users\%user%\AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\todosqlite.db*
AppsRobo-FTP Jobs
C:\Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite
SQLDatabasesTeraCopy - History Databases
C:\Users\%user%\AppData\Roaming\TeraCopy\History\*.db
SQLDatabasesTeraCopy - Main Database
C:\Users\%user%\AppData\Roaming\TeraCopy\main.db
AppsNotion Local Storage
C:\Users\%user%\AppData\Roaming\Notion\notion.db
AppsIDrive Backed Up Files
C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs
SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\filecache.db*

Getting individual files because folder may contain very large extraneous files

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\config.dbx

Getting individual files because folder may contain very large extraneous files

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\home.db

SQLite database which appears to keep track of the user's recent Dropbox activity

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\icon.db

SQLite database which appears to keep track of icons in the user's Dropbox sync history, which can give an indication as to which files and folders are present

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\sync_history.db

SQLite database which appears to keep track of the user's Dropbox sync history

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\sync\nucleus.sqlite3*

SQLite database which appears to contain a table for deleted files

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\host.db

SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together.

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\host.dbx

SQLite database which contains the local path of the user's Dropbox folder encoded in BASE64. Decode each line separately, not together.

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\sync\aggregation.dbx

SQLite database which appears to contain a snapshot table of the user's Dropbox contents in JSON with timestamps in UNIX Epoch

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\avatarcache.db

SQLite database which appears to contain the IDs of account(s) on the user's system where Dropbox is installed

SQLDatabasesDropbox Metadata
C:\Users\%user%\AppData\Local\Dropbox\*\avatarcache.db

SQLite database which appears to contain the IDs of account(s) on the user's system where Dropbox is installed

SQLDatabasesGoogle File Stream Metadata
C:\Users\%user%\AppData\Local\Google\Drive\*\cloud_graph\cloud_graph.db

Windows_GoogleDrive_CloudGraphDB.smap

SQLDatabasesGoogle File Stream Metadata
C:\Users\%user%\AppData\Local\Google\Drive\*\TempData\*\change_buffer\

DB(s) with seemingly randomized filename(s) that track file system changes within Google Drive

SQLDatabasesGoogle File Stream Metadata
C:\Users\%user%\AppData\Local\Google\Drive\*\snapshot.db

Windows_GoogleDrive_SnapshotDB.smap

SQLDatabasesGoogle File Stream Metadata
C:\Users\%user%\AppData\Local\Google\Drive\*\sync_config.db

Windows_GoogleDrive_SyncConfigDB.smap

SQLDatabasesFileZilla SQLite3 Log Files
C:\Users\%user%\AppData\Roaming\FileZilla\*.sqlite3*
SQLDatabasesChrome bookmarks XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Bookmarks*
SQLDatabasesChrome Cookies XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Cookies*
SQLDatabasesChrome Current Session XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Current Session
SQLDatabasesChrome Current Tabs XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Current Tabs
SQLDatabasesChrome Favicons XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Favicons*
SQLDatabasesChrome History XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\History*
SQLDatabasesChrome Last Session XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Last Session
SQLDatabasesChrome Last Tabs XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Last Tabs
SQLDatabasesChrome Login Data XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Login Data
SQLDatabasesChrome Preferences XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Preferences
SQLDatabasesChrome Shortcuts XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Shortcuts*
SQLDatabasesChrome Top Sites XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Top Sites*
SQLDatabasesChrome Visited Links XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Visited Links
SQLDatabasesChrome Web Data XP
C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\Web Data*
SQLDatabasesChrome bookmarks
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Bookmarks*
SQLDatabasesChrome Cookies
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Cookies*
SQLDatabasesChrome Current Session
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Current Session
SQLDatabasesChrome Current Tabs
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Current Tabs
SQLDatabasesChrome Download Metadata
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Download Metadata
SQLDatabasesChrome Extension Cookies
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Extension Cookies
SQLDatabasesChrome Favicons
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Favicons*
SQLDatabasesChrome History
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\History*
SQLDatabasesChrome Last Session
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Last Session
SQLDatabasesChrome Last Tabs
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Last Tabs
SQLDatabasesChrome Login Data
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Login Data
SQLDatabasesChrome Media History
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Media History*
SQLDatabasesChrome Network Action Predictor
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Network Action Predictor
SQLDatabasesChrome Network Persistent State
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Network Persistent State
SQLDatabasesChrome Preferences
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Preferences
SQLDatabasesChrome Quota Manager
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\QuotaManager
SQLDatabasesChrome Reporting and NEL
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Reporting and NEL
SQLDatabasesChrome Shortcuts
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Shortcuts*
SQLDatabasesChrome Top Sites
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Top Sites*
SQLDatabasesChrome Trust Tokens
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Trust Tokens*
SQLDatabasesChrome SyncData Database
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sync Data\SyncData.sqlite3
SQLDatabasesChrome Visited Links
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Visited Links
SQLDatabasesChrome Web Data
C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Web Data*
SQLDatabasesEdge bookmarks
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*
SQLDatabasesEdge Collections
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Collections\collectionsSQLite
SQLDatabasesEdge Cookies
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Cookies*
SQLDatabasesEdge Current Session
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Current Session
SQLDatabasesEdge Current Tabs
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Current Tabs
SQLDatabasesEdge Favicons
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Favicons*
SQLDatabasesEdge History
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\History*
SQLDatabasesEdge Last Session
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Last Session
SQLDatabasesEdge Last Tabs
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Last Tabs
SQLDatabasesEdge Login Data
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Login Data
SQLDatabasesEdge Media History
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Media History*
SQLDatabasesEdge Network Action Predictor
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Network Action Predictor
SQLDatabasesEdge Preferences
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Preferences
SQLDatabasesEdge Shortcuts
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Shortcuts*
SQLDatabasesEdge Top Sites
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Top Sites*
SQLDatabasesEdge SyncData Database
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Sync Data\SyncData.sqlite3
SQLDatabasesEdge Bookmarks
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Bookmarks*
SQLDatabasesEdge Visited Links
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Visited Links
SQLDatabasesEdge Web Data
C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Web Data*
SQLDatabasesAddons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\addons.sqlite*
SQLDatabasesBookmarks
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\bookmarks.sqlite*
SQLDatabasesCookies
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\cookies.sqlite*
SQLDatabasesCookies
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\firefox_cookies.sqlite*
SQLDatabasesDownloads
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\downloads.sqlite*
SQLDatabasesFavicons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\favicons.sqlite*
SQLDatabasesForm history
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\formhistory.sqlite*
SQLDatabasesPermissions
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\permissions.sqlite*
SQLDatabasesPlaces
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\places.sqlite*
SQLDatabasesProtections
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\protections.sqlite*
SQLDatabasesSearch
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\search.sqlite*
SQLDatabasesSignons
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\signons.sqlite*
SQLDatabasesStorage Sync
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\storage-sync.sqlite*
SQLDatabasesWebappstore
C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\webappstore.sqlite*
SQLDatabasesWindows 10 Notification DB
C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\wpndatabase.db
SQLDatabasesWindows 10 Notification DB
C:\Users\%user%\AppData\Local\Microsoft\Windows\Notifications\appdb.dat
SQLDatabasesActivitiesCache.db
C:\Users\%user%\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db*
OS UpgradeUpdate Store.db
C:\ProgramData\USOPrivate\UpdateStore\store.db
AntivirusBitdefender SQLite DB Files
C:\Program Files*\Bitdefender*\regex:*.+\.(db|db-wal|db-shm)

Bitdefender SQLite databases

SystemEventsEventTranscript.db
C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*
SystemEventsEventTranscript.db
C:\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: SQLiteDatabases
# Run as Administrator

#Requires -RunAsAdministrator

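# Errors are suppressed: missing files, and files that cannot be read (for
# example because a running application holds a lock), are skipped silently.
# Per-user paths below use $env:USERPROFILE, so only the profile of the
# account running the script is collected.
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"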

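# Function to copy every match of a (possibly wildcarded) source path
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    # Resolve wildcards first so each match is copied on its own
    foreach ($Item in Get-Item -Path $SourcePath -Force) {
        # Recreate the source directory tree under the destination so that
        # same-named files from different profiles do not overwrite each other
        $Parent = Split-Path -Path $Item.FullName -Parent
        $Target = Join-Path -Path $FullDest -ChildPath (Split-Path -Path $Parent -NoQualifier)
        if (-not (Test-Path -LiteralPath $Target)) {
            New-Item -ItemType Directory -Path $Target -Force | Out-Null
        }
        Copy-Item -LiteralPath $Item.FullName -Destination $Target -Recurse -Force
    }
}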

# 1. 4K Video Downloader
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader"
Collect-Artifact -SourcePath "$UserPath\*.sqlite" -FolderName "4K_Video_Downloader"

# 2. Microsoft OneNote - FullTextSearchIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\*\FullTextSearchIndex"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_OneNote___FullTextSearchIndex"

# 3. Microsoft OneNote - RecentNotebooks_SeenURLs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\Notifications"
Collect-Artifact -SourcePath "$UserPath\RecentNotebooks_SeenURLs" -FolderName "Microsoft_OneNote___RecentNotebooks_SeenURLs"

# 4. Microsoft OneNote - AccessibilityCheckerIndex
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\AccessibilityCheckerIndex"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Microsoft_OneNote___AccessibilityCheckerIndex"

# 5. Microsoft OneNote - User NoteTags
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\NoteTags"
Collect-Artifact -SourcePath "$UserPath\*LiveId.db" -FolderName "Microsoft_OneNote___User_NoteTags"

# 6. Microsoft OneNote - RecentSearches
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote\16.0\RecentSearches"
Collect-Artifact -SourcePath "$UserPath\RecentSearches.db" -FolderName "Microsoft_OneNote___RecentSearches"

# 7. Microsoft Sticky Notes - 1607 and later
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState\"
Collect-Artifact -SourcePath "$UserPath\plum.sqlite*" -FolderName "Microsoft_Sticky_Notes___1607_and_later"

# 8. Microsoft To Do - SQLite Database of To Do tasks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*\"
Collect-Artifact -SourcePath "$UserPath\todosqlite.db*" -FolderName "Microsoft_To_Do___SQLite_Database_of_To_Do_tasks"

# 9. Robo-FTP Jobs
Collect-Artifact -SourcePath "C:\Program Files\Robo-FTP *\ProgramData\SchedulerService.sqlite" -FolderName "Robo_FTP_Jobs"

# 10. TeraCopy - History Databases
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\TeraCopy\History"
Collect-Artifact -SourcePath "$UserPath\*.db" -FolderName "TeraCopy___History_Databases"

# 11. TeraCopy - Main Database
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\TeraCopy\"
Collect-Artifact -SourcePath "$UserPath\main.db" -FolderName "TeraCopy___Main_Database"

# 12. Notion Local Storage
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Notion"
Collect-Artifact -SourcePath "$UserPath\notion.db" -FolderName "Notion_Local_Storage"

# 13. IDrive Backed Up Files
Collect-Artifact -SourcePath "C:\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*\*.idbs" -FolderName "IDrive_Backed_Up_Files"

# 14. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\filecache.db*" -FolderName "Dropbox_Metadata"

# 15. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\config.dbx" -FolderName "Dropbox_Metadata"

# 16. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\home.db" -FolderName "Dropbox_Metadata"

# 17. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\icon.db" -FolderName "Dropbox_Metadata"

# 18. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\sync_history.db" -FolderName "Dropbox_Metadata"

# 19. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\sync\"
Collect-Artifact -SourcePath "$UserPath\nucleus.sqlite3*" -FolderName "Dropbox_Metadata"

# 20. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\"
Collect-Artifact -SourcePath "$UserPath\host.db" -FolderName "Dropbox_Metadata"

# 21. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\"
Collect-Artifact -SourcePath "$UserPath\host.dbx" -FolderName "Dropbox_Metadata"

# 22. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\sync\"
Collect-Artifact -SourcePath "$UserPath\aggregation.dbx" -FolderName "Dropbox_Metadata"

# 23. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\avatarcache.db" -FolderName "Dropbox_Metadata"

# 24. Dropbox Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Dropbox\*\"
Collect-Artifact -SourcePath "$UserPath\avatarcache.db" -FolderName "Dropbox_Metadata"

# 25. Google File Stream Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Drive\*\cloud_graph\"
Collect-Artifact -SourcePath "$UserPath\cloud_graph.db" -FolderName "Google_File_Stream_Metadata"

# 26. Google File Stream Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Drive\*\TempData\*\change_buffer\"
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Google_File_Stream_Metadata"

# 27. Google File Stream Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Drive\*\"
Collect-Artifact -SourcePath "$UserPath\snapshot.db" -FolderName "Google_File_Stream_Metadata"

# 28. Google File Stream Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Drive\*\"
Collect-Artifact -SourcePath "$UserPath\sync_config.db" -FolderName "Google_File_Stream_Metadata"

# 29. FileZilla SQLite3 Log Files
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\FileZilla\"
Collect-Artifact -SourcePath "$UserPath\*.sqlite3*" -FolderName "FileZilla_SQLite3_Log_Files"

# 30. Chrome bookmarks XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Chrome_bookmarks_XP"

# 31. Chrome Cookies XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Cookies*" -FolderName "Chrome_Cookies_XP"

# 32. Chrome Current Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Session" -FolderName "Chrome_Current_Session_XP"

# 33. Chrome Current Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Tabs" -FolderName "Chrome_Current_Tabs_XP"

# 34. Chrome Favicons XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Favicons*" -FolderName "Chrome_Favicons_XP"

# 35. Chrome History XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\History*" -FolderName "Chrome_History_XP"

# 36. Chrome Last Session XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Session" -FolderName "Chrome_Last_Session_XP"

# 37. Chrome Last Tabs XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Tabs" -FolderName "Chrome_Last_Tabs_XP"

# 38. Chrome Login Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Login Data" -FolderName "Chrome_Login_Data_XP"

# 39. Chrome Preferences XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Preferences" -FolderName "Chrome_Preferences_XP"

# 40. Chrome Shortcuts XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Shortcuts*" -FolderName "Chrome_Shortcuts_XP"

# 41. Chrome Top Sites XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Top Sites*" -FolderName "Chrome_Top_Sites_XP"

# 42. Chrome Visited Links XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Visited Links" -FolderName "Chrome_Visited_Links_XP"

# 43. Chrome Web Data XP
$UserPath = Join-Path $env:USERPROFILE "Local Settings\Application Data\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Web Data*" -FolderName "Chrome_Web_Data_XP"

# 44. Chrome bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Chrome_bookmarks"

# 45. Chrome Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Cookies*" -FolderName "Chrome_Cookies"

# 46. Chrome Current Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Session" -FolderName "Chrome_Current_Session"

# 47. Chrome Current Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Tabs" -FolderName "Chrome_Current_Tabs"

# 48. Chrome Download Metadata
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Download Metadata" -FolderName "Chrome_Download_Metadata"

# 49. Chrome Extension Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Extension Cookies" -FolderName "Chrome_Extension_Cookies"

# 50. Chrome Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Favicons*" -FolderName "Chrome_Favicons"

# 51. Chrome History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\History*" -FolderName "Chrome_History"

# 52. Chrome Last Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Session" -FolderName "Chrome_Last_Session"

# 53. Chrome Last Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Tabs" -FolderName "Chrome_Last_Tabs"

# 54. Chrome Login Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Login Data" -FolderName "Chrome_Login_Data"

# 55. Chrome Media History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Media History*" -FolderName "Chrome_Media_History"

# 56. Chrome Network Action Predictor
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Network Action Predictor" -FolderName "Chrome_Network_Action_Predictor"

# 57. Chrome Network Persistent State
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Network Persistent State" -FolderName "Chrome_Network_Persistent_State"

# 58. Chrome Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Preferences" -FolderName "Chrome_Preferences"

# 59. Chrome Quota Manager
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\QuotaManager" -FolderName "Chrome_Quota_Manager"

# 60. Chrome Reporting and NEL
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Reporting and NEL" -FolderName "Chrome_Reporting_and_NEL"

# 61. Chrome Shortcuts
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Shortcuts*" -FolderName "Chrome_Shortcuts"

# 62. Chrome Top Sites
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Top Sites*" -FolderName "Chrome_Top_Sites"

# 63. Chrome Trust Tokens
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Trust Tokens*" -FolderName "Chrome_Trust_Tokens"

# 64. Chrome SyncData Database
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\Sync Data"
Collect-Artifact -SourcePath "$UserPath\SyncData.sqlite3" -FolderName "Chrome_SyncData_Database"

# 65. Chrome Visited Links
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Visited Links" -FolderName "Chrome_Visited_Links"

# 66. Chrome Web Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Google\Chrome\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Web Data*" -FolderName "Chrome_Web_Data"

# 67. Edge bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Edge_bookmarks"

# 68. Edge Collections
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\Collections"
Collect-Artifact -SourcePath "$UserPath\collectionsSQLite" -FolderName "Edge_Collections"

# 69. Edge Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Cookies*" -FolderName "Edge_Cookies"

# 70. Edge Current Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Session" -FolderName "Edge_Current_Session"

# 71. Edge Current Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Current Tabs" -FolderName "Edge_Current_Tabs"

# 72. Edge Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Favicons*" -FolderName "Edge_Favicons"

# 73. Edge History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\History*" -FolderName "Edge_History"

# 74. Edge Last Session
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Session" -FolderName "Edge_Last_Session"

# 75. Edge Last Tabs
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Last Tabs" -FolderName "Edge_Last_Tabs"

# 76. Edge Login Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Login Data" -FolderName "Edge_Login_Data"

# 77. Edge Media History
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Media History*" -FolderName "Edge_Media_History"

# 78. Edge Network Action Predictor
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Network Action Predictor" -FolderName "Edge_Network_Action_Predictor"

# 79. Edge Preferences
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Preferences" -FolderName "Edge_Preferences"

# 80. Edge Shortcuts
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Shortcuts*" -FolderName "Edge_Shortcuts"

# 81. Edge Top Sites
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Top Sites*" -FolderName "Edge_Top_Sites"

# 82. Edge SyncData Database
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\Sync Data"
Collect-Artifact -SourcePath "$UserPath\SyncData.sqlite3" -FolderName "Edge_SyncData_Database"

# 83. Edge Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Bookmarks*" -FolderName "Edge_Bookmarks"

# 84. Edge Visited Links
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Visited Links" -FolderName "Edge_Visited_Links"

# 85. Edge Web Data
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Edge\User Data\*\"
Collect-Artifact -SourcePath "$UserPath\Web Data*" -FolderName "Edge_Web_Data"

# 86. Addons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\addons.sqlite*" -FolderName "Addons"

# 87. Bookmarks
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\"
Collect-Artifact -SourcePath "$UserPath\bookmarks.sqlite*" -FolderName "Bookmarks"

# 88. Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\cookies.sqlite*" -FolderName "Cookies"

# 89. Cookies
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\firefox_cookies.sqlite*" -FolderName "Cookies"

# 90. Downloads
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\downloads.sqlite*" -FolderName "Downloads"

# 91. Favicons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\favicons.sqlite*" -FolderName "Favicons"

# 92. Form history
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\formhistory.sqlite*" -FolderName "Form_history"

# 93. Permissions
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\permissions.sqlite*" -FolderName "Permissions"

# 94. Places
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\places.sqlite*" -FolderName "Places"

# 95. Protections
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\protections.sqlite*" -FolderName "Protections"

# 96. Search
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\search.sqlite*" -FolderName "Search"

# 97. Signons
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\signons.sqlite*" -FolderName "Signons"

# 98. Storage Sync
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\storage-sync.sqlite*" -FolderName "Storage_Sync"

# 99. Webappstore
$UserPath = Join-Path $env:USERPROFILE "AppData\Roaming\Mozilla\Firefox\Profiles\*\"
Collect-Artifact -SourcePath "$UserPath\webappstore.sqlite*" -FolderName "Webappstore"

# 100. Windows 10 Notification DB
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Windows\Notifications\"
Collect-Artifact -SourcePath "$UserPath\wpndatabase.db" -FolderName "Windows_10_Notification_DB"

# 101. Windows 10 Notification DB
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\Microsoft\Windows\Notifications\"
Collect-Artifact -SourcePath "$UserPath\appdb.dat" -FolderName "Windows_10_Notification_DB"

# 102. ActivitiesCache.db
$UserPath = Join-Path $env:USERPROFILE "AppData\Local\ConnectedDevicesPlatform\*\"
Collect-Artifact -SourcePath "$UserPath\ActivitiesCache.db*" -FolderName "ActivitiesCache_db"

# 103. Update Store.db
Collect-Artifact -SourcePath "C:\ProgramData\USOPrivate\UpdateStore\store.db" -FolderName "Update_Store_db"

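# 104. Bitdefender SQLite DB Files
# The "regex:" file mask is KAPE target syntax that Copy-Item does not understand,
# so the file names are matched with -match instead. Searching subfolders is an assumption.
Get-ChildItem -Path "C:\Program Files*\Bitdefender*" -Recurse -File -Force |
    Where-Object { $_.Name -match '\.(db|db-wal|db-shm)$' } |
    ForEach-Object { Collect-Artifact -SourcePath $_.FullName -FolderName "Bitdefender_SQLite_DB_Files" }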

# 105. EventTranscript.db
Collect-Artifact -SourcePath "C:\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*" -FolderName "EventTranscript_db"

# 106. EventTranscript.db
Collect-Artifact -SourcePath "C:\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript\EventTranscript.db*" -FolderName "EventTranscript_db"

Write-Host "Collection complete!" -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
