SQLiteDatabases
Compoundv1.3
Author: Andrew Rathbun
description
SQLDatabases Target for use with SQLECmd Module
paths
106 paths
› paths use Windows environment syntax
collection commands
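# PowerShell Artifact Collection Script
# Target: SQLiteDatabases
# Run as Administrator
#Requires -RunAsAdministrator

# Non-terminating errors are reported and the run continues, so one unreadable
# path does not end the whole collection.
$ErrorActionPreference = "Continue"

# Drive that holds the system being collected, and the root folder that
# receives the copies. NOTE(review): the destination should sit on a volume
# other than $SourceRoot so the collection does not write to the source disk.
$SourceRoot = "C:"
$DestBase = "D:\Evidence"

# Stop before any copy is attempted when the destination is unusable. Without
# this check a missing drive only shows up as one failed robocopy per target.
if (-not (Test-Path -LiteralPath $DestBase -PathType Container)) {
    try {
        $null = New-Item -ItemType Directory -Force -Path $DestBase -ErrorAction Stop
    }
    catch {
        throw "Evidence destination '$DestBase' could not be created: $($_.Exception.Message)"
    }
}

# Running totals, updated by Collect-Artifact and printed at the end.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}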
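function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies files matching a mask from one or more source directories into a
    named folder under $DestBase and updates the $Summary counters.

    .PARAMETER SourceDir
    Directory to collect from. Wildcards are allowed in any path segment.

    .PARAMETER FolderName
    Name of the folder created under $DestBase for this artifact.

    .PARAMETER FileMask
    robocopy file-name wildcard. Defaults to "*" (every file).

    .NOTES
    Reads the script-level $DestBase and $Summary. Each matched source
    directory is copied to <DestBase>\<FolderName>\<source path without the
    drive letter>, so two sources that hold files with the same name (browser
    profiles, Dropbox instances, a Windows.old copy) do not overwrite each
    other in the evidence folder.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # robocopy does not glob the source directory, so wildcard segments such as
    # 'Program Files*' are expanded here. -Force keeps hidden directories that
    # match a wildcard segment in the result.
    $sources = @(Get-Item -Path $SourceDir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue

    foreach ($src in $sources) {
        # Mirror the source path below the artifact folder. Copying every
        # match into one flat folder lets a later source replace a same-named
        # file from an earlier one.
        $relative = $src.FullName -replace '^[A-Za-z]:\\', ''
        if ([string]::IsNullOrEmpty($relative)) {
            $target = $FullDest
        }
        else {
            $target = Join-Path -Path $FullDest -ChildPath $relative
        }

        # /R:0 /W:0: no retries, so a file another process holds open fails at
        # once and is reported through the exit code.
        robocopy $src.FullName $target $FileMask /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null

        # robocopy exit codes are bit flags: 8 and above mean at least one copy
        # failed, bit 1 means files were copied, 0 means nothing was copied
        # (no match, or the destination already held identical files).
        if ($LASTEXITCODE -ge 8) {
            $Summary.Errors++
        }
        elseif ($LASTEXITCODE -band 1) {
            $Summary.Copied++
        }
        else {
            $Summary.Missed++
        }
    }
}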
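# System-wide artifacts. Paths are built from $SourceRoot, like the per-user
# section, so changing the source drive in one place covers every target.

# 1. Robo-FTP Jobs
Collect-Artifact -SourceDir "$SourceRoot\Program Files\Robo-FTP *\ProgramData" -FileMask "SchedulerService.sqlite" -FolderName "Robo_FTP_Jobs"

# 2. IDrive Backed Up Files
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\IDrive\IBCOMMON\*\LDBNEW\*" -FileMask "*.idbs" -FolderName "IDrive_Backed_Up_Files"

# 3. Update Store.db
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\USOPrivate\UpdateStore" -FileMask "store.db" -FolderName "Update_Store_db"

# 4. Bitdefender SQLite DB Files
# The Target defines this mask as 'regex:*.+\.(db|db-wal|db-shm)'. robocopy has
# no regex support and would take that text as a file-name pattern, so the
# three extensions are requested as plain wildcards instead.
foreach ($BitdefenderMask in '*.db', '*.db-wal', '*.db-shm') {
    Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Bitdefender*" -FileMask $BitdefenderMask -FolderName "Bitdefender_SQLite_DB_Files"
}

# 5. EventTranscript.db
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Microsoft\Diagnosis\EventTranscript" -FileMask "EventTranscript.db*" -FolderName "EventTranscript_db"

# 6. EventTranscript.db (Windows.old)
# Kept in its own folder: written to the folder used by entry 5, this copy and
# the live one would share file names and one could replace the other.
Collect-Artifact -SourceDir "$SourceRoot\Windows.old\ProgramData\Microsoft\Diagnosis\EventTranscript" -FileMask "EventTranscript.db*" -FolderName "EventTranscript_db_Windows_old"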
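# Per-user artifacts, collected for every profile under $SourceRoot\Users.
#
# Each row gives the evidence folder prefix (the user name is appended), the
# directory relative to the profile root (wildcards allowed) and the robocopy
# file mask. Rows keep the order of the Target definition. Two entries that
# repeated an earlier row exactly are folded into it: the second Dropbox
# 'avatarcache.db' entry and the second Edge 'Bookmarks*' entry, whose folder
# name differed only in letter case.
#
# Several rows (Login Data, Cookies, Web Data, signons) hold stored credentials
# and session material, so the evidence folder needs the same access control
# as the systems it was taken from.
$OneNoteDir = 'AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\LocalState\AppData\Local\OneNote'
$DropboxDir = 'AppData\Local\Dropbox'
$GDriveDir = 'AppData\Local\Google\Drive\*'
$ChromeXPDir = 'Local Settings\Application Data\Google\Chrome\User Data\*'
$ChromeDir = 'AppData\Local\Google\Chrome\User Data\*'
$EdgeDir = 'AppData\Local\Microsoft\Edge\User Data\*'
$FirefoxDir = 'AppData\Roaming\Mozilla\Firefox\Profiles\*'
$NotificationsDir = 'AppData\Local\Microsoft\Windows\Notifications'

$UserArtifacts = @(
    # 4K Video Downloader
    @{ Folder = '4K_Video_Downloader'; Dir = 'AppData\Local\4kdownload.com\4K Video Downloader\4K Video Downloader'; Mask = '*.sqlite' }

    # Microsoft OneNote
    @{ Folder = 'Microsoft_OneNote_FullTextSearchIndex'; Dir = "$OneNoteDir\*\FullTextSearchIndex"; Mask = '*' }
    @{ Folder = 'Microsoft_OneNote_RecentNotebooks_SeenURLs'; Dir = "$OneNoteDir\Notifications"; Mask = 'RecentNotebooks_SeenURLs' }
    @{ Folder = 'Microsoft_OneNote_AccessibilityCheckerIndex'; Dir = "$OneNoteDir\16.0\AccessibilityCheckerIndex"; Mask = '*' }
    @{ Folder = 'Microsoft_OneNote_User_NoteTags'; Dir = "$OneNoteDir\16.0\NoteTags"; Mask = '*LiveId.db' }
    @{ Folder = 'Microsoft_OneNote_RecentSearches'; Dir = "$OneNoteDir\16.0\RecentSearches"; Mask = 'RecentSearches.db' }

    # Microsoft Sticky Notes (1607 and later) and Microsoft To Do
    @{ Folder = 'Microsoft_Sticky_Notes_1607_and_later'; Dir = 'AppData\Local\Packages\Microsoft.MicrosoftStickyNotes*\LocalState'; Mask = 'plum.sqlite*' }
    @{ Folder = 'Microsoft_To_Do_SQLite_Database_of_To_Do_tasks'; Dir = 'AppData\Local\Packages\Microsoft.Todos_8wekyb3d8bbwe\LocalState\AccountsRoot\*'; Mask = 'todosqlite.db*' }

    # TeraCopy
    @{ Folder = 'TeraCopy_History_Databases'; Dir = 'AppData\Roaming\TeraCopy\History'; Mask = '*.db' }
    @{ Folder = 'TeraCopy_Main_Database'; Dir = 'AppData\Roaming\TeraCopy'; Mask = 'main.db' }

    # Notion Local Storage
    @{ Folder = 'Notion_Local_Storage'; Dir = 'AppData\Roaming\Notion'; Mask = 'notion.db' }

    # Dropbox Metadata
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'filecache.db*' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'config.dbx' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'home.db' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'icon.db' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'sync_history.db' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*\sync"; Mask = 'nucleus.sqlite3*' }
    @{ Folder = 'Dropbox_Metadata'; Dir = $DropboxDir; Mask = 'host.db' }
    @{ Folder = 'Dropbox_Metadata'; Dir = $DropboxDir; Mask = 'host.dbx' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*\sync"; Mask = 'aggregation.dbx' }
    @{ Folder = 'Dropbox_Metadata'; Dir = "$DropboxDir\*"; Mask = 'avatarcache.db' }

    # Google File Stream Metadata
    @{ Folder = 'Google_File_Stream_Metadata'; Dir = "$GDriveDir\cloud_graph"; Mask = 'cloud_graph.db' }
    @{ Folder = 'Google_File_Stream_Metadata'; Dir = "$GDriveDir\TempData\*\change_buffer"; Mask = '*' }
    @{ Folder = 'Google_File_Stream_Metadata'; Dir = $GDriveDir; Mask = 'snapshot.db' }
    @{ Folder = 'Google_File_Stream_Metadata'; Dir = $GDriveDir; Mask = 'sync_config.db' }

    # FileZilla SQLite3 Log Files
    @{ Folder = 'FileZilla_SQLite3_Log_Files'; Dir = 'AppData\Roaming\FileZilla'; Mask = '*.sqlite3*' }

    # Chrome, Windows XP profile layout
    @{ Folder = 'Chrome_bookmarks_XP'; Dir = $ChromeXPDir; Mask = 'Bookmarks*' }
    @{ Folder = 'Chrome_Cookies_XP'; Dir = $ChromeXPDir; Mask = 'Cookies*' }
    @{ Folder = 'Chrome_Current_Session_XP'; Dir = $ChromeXPDir; Mask = 'Current Session' }
    @{ Folder = 'Chrome_Current_Tabs_XP'; Dir = $ChromeXPDir; Mask = 'Current Tabs' }
    @{ Folder = 'Chrome_Favicons_XP'; Dir = $ChromeXPDir; Mask = 'Favicons*' }
    @{ Folder = 'Chrome_History_XP'; Dir = $ChromeXPDir; Mask = 'History*' }
    @{ Folder = 'Chrome_Last_Session_XP'; Dir = $ChromeXPDir; Mask = 'Last Session' }
    @{ Folder = 'Chrome_Last_Tabs_XP'; Dir = $ChromeXPDir; Mask = 'Last Tabs' }
    @{ Folder = 'Chrome_Login_Data_XP'; Dir = $ChromeXPDir; Mask = 'Login Data' }
    @{ Folder = 'Chrome_Preferences_XP'; Dir = $ChromeXPDir; Mask = 'Preferences' }
    @{ Folder = 'Chrome_Shortcuts_XP'; Dir = $ChromeXPDir; Mask = 'Shortcuts*' }
    @{ Folder = 'Chrome_Top_Sites_XP'; Dir = $ChromeXPDir; Mask = 'Top Sites*' }
    @{ Folder = 'Chrome_Visited_Links_XP'; Dir = $ChromeXPDir; Mask = 'Visited Links' }
    @{ Folder = 'Chrome_Web_Data_XP'; Dir = $ChromeXPDir; Mask = 'Web Data*' }

    # Chrome
    @{ Folder = 'Chrome_bookmarks'; Dir = $ChromeDir; Mask = 'Bookmarks*' }
    @{ Folder = 'Chrome_Cookies'; Dir = $ChromeDir; Mask = 'Cookies*' }
    @{ Folder = 'Chrome_Current_Session'; Dir = $ChromeDir; Mask = 'Current Session' }
    @{ Folder = 'Chrome_Current_Tabs'; Dir = $ChromeDir; Mask = 'Current Tabs' }
    @{ Folder = 'Chrome_Download_Metadata'; Dir = $ChromeDir; Mask = 'Download Metadata' }
    @{ Folder = 'Chrome_Extension_Cookies'; Dir = $ChromeDir; Mask = 'Extension Cookies' }
    @{ Folder = 'Chrome_Favicons'; Dir = $ChromeDir; Mask = 'Favicons*' }
    @{ Folder = 'Chrome_History'; Dir = $ChromeDir; Mask = 'History*' }
    @{ Folder = 'Chrome_Last_Session'; Dir = $ChromeDir; Mask = 'Last Session' }
    @{ Folder = 'Chrome_Last_Tabs'; Dir = $ChromeDir; Mask = 'Last Tabs' }
    @{ Folder = 'Chrome_Login_Data'; Dir = $ChromeDir; Mask = 'Login Data' }
    @{ Folder = 'Chrome_Media_History'; Dir = $ChromeDir; Mask = 'Media History*' }
    @{ Folder = 'Chrome_Network_Action_Predictor'; Dir = $ChromeDir; Mask = 'Network Action Predictor' }
    @{ Folder = 'Chrome_Network_Persistent_State'; Dir = $ChromeDir; Mask = 'Network Persistent State' }
    @{ Folder = 'Chrome_Preferences'; Dir = $ChromeDir; Mask = 'Preferences' }
    @{ Folder = 'Chrome_Quota_Manager'; Dir = $ChromeDir; Mask = 'QuotaManager' }
    @{ Folder = 'Chrome_Reporting_and_NEL'; Dir = $ChromeDir; Mask = 'Reporting and NEL' }
    @{ Folder = 'Chrome_Shortcuts'; Dir = $ChromeDir; Mask = 'Shortcuts*' }
    @{ Folder = 'Chrome_Top_Sites'; Dir = $ChromeDir; Mask = 'Top Sites*' }
    @{ Folder = 'Chrome_Trust_Tokens'; Dir = $ChromeDir; Mask = 'Trust Tokens*' }
    @{ Folder = 'Chrome_SyncData_Database'; Dir = "$ChromeDir\Sync Data"; Mask = 'SyncData.sqlite3' }
    @{ Folder = 'Chrome_Visited_Links'; Dir = $ChromeDir; Mask = 'Visited Links' }
    @{ Folder = 'Chrome_Web_Data'; Dir = $ChromeDir; Mask = 'Web Data*' }

    # Edge
    @{ Folder = 'Edge_bookmarks'; Dir = $EdgeDir; Mask = 'Bookmarks*' }
    @{ Folder = 'Edge_Collections'; Dir = "$EdgeDir\Collections"; Mask = 'collectionsSQLite' }
    @{ Folder = 'Edge_Cookies'; Dir = $EdgeDir; Mask = 'Cookies*' }
    @{ Folder = 'Edge_Current_Session'; Dir = $EdgeDir; Mask = 'Current Session' }
    @{ Folder = 'Edge_Current_Tabs'; Dir = $EdgeDir; Mask = 'Current Tabs' }
    @{ Folder = 'Edge_Favicons'; Dir = $EdgeDir; Mask = 'Favicons*' }
    @{ Folder = 'Edge_History'; Dir = $EdgeDir; Mask = 'History*' }
    @{ Folder = 'Edge_Last_Session'; Dir = $EdgeDir; Mask = 'Last Session' }
    @{ Folder = 'Edge_Last_Tabs'; Dir = $EdgeDir; Mask = 'Last Tabs' }
    @{ Folder = 'Edge_Login_Data'; Dir = $EdgeDir; Mask = 'Login Data' }
    @{ Folder = 'Edge_Media_History'; Dir = $EdgeDir; Mask = 'Media History*' }
    @{ Folder = 'Edge_Network_Action_Predictor'; Dir = $EdgeDir; Mask = 'Network Action Predictor' }
    @{ Folder = 'Edge_Preferences'; Dir = $EdgeDir; Mask = 'Preferences' }
    @{ Folder = 'Edge_Shortcuts'; Dir = $EdgeDir; Mask = 'Shortcuts*' }
    @{ Folder = 'Edge_Top_Sites'; Dir = $EdgeDir; Mask = 'Top Sites*' }
    @{ Folder = 'Edge_SyncData_Database'; Dir = "$EdgeDir\Sync Data"; Mask = 'SyncData.sqlite3' }
    @{ Folder = 'Edge_Visited_Links'; Dir = $EdgeDir; Mask = 'Visited Links' }
    @{ Folder = 'Edge_Web_Data'; Dir = $EdgeDir; Mask = 'Web Data*' }

    # Firefox
    @{ Folder = 'Addons'; Dir = $FirefoxDir; Mask = 'addons.sqlite*' }
    @{ Folder = 'Bookmarks'; Dir = "$FirefoxDir\weave"; Mask = 'bookmarks.sqlite*' }
    @{ Folder = 'Cookies'; Dir = $FirefoxDir; Mask = 'cookies.sqlite*' }
    @{ Folder = 'Cookies'; Dir = $FirefoxDir; Mask = 'firefox_cookies.sqlite*' }
    @{ Folder = 'Downloads'; Dir = $FirefoxDir; Mask = 'downloads.sqlite*' }
    @{ Folder = 'Favicons'; Dir = $FirefoxDir; Mask = 'favicons.sqlite*' }
    @{ Folder = 'Form_history'; Dir = $FirefoxDir; Mask = 'formhistory.sqlite*' }
    @{ Folder = 'Permissions'; Dir = $FirefoxDir; Mask = 'permissions.sqlite*' }
    @{ Folder = 'Places'; Dir = $FirefoxDir; Mask = 'places.sqlite*' }
    @{ Folder = 'Protections'; Dir = $FirefoxDir; Mask = 'protections.sqlite*' }
    @{ Folder = 'Search'; Dir = $FirefoxDir; Mask = 'search.sqlite*' }
    @{ Folder = 'Signons'; Dir = $FirefoxDir; Mask = 'signons.sqlite*' }
    @{ Folder = 'Storage_Sync'; Dir = $FirefoxDir; Mask = 'storage-sync.sqlite*' }
    @{ Folder = 'Webappstore'; Dir = $FirefoxDir; Mask = 'webappstore.sqlite*' }

    # Windows 10 Notification DB
    @{ Folder = 'Windows_10_Notification_DB'; Dir = $NotificationsDir; Mask = 'wpndatabase.db' }
    @{ Folder = 'Windows_10_Notification_DB'; Dir = $NotificationsDir; Mask = 'appdb.dat' }

    # ActivitiesCache.db
    @{ Folder = 'ActivitiesCache_db'; Dir = 'AppData\Local\ConnectedDevicesPlatform\*'; Mask = 'ActivitiesCache.db*' }
)

# Iterate every user profile under the source drive, skipping the built-in
# profile folders that do not belong to a user account.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        $ProfileRoot = $_.FullName

        foreach ($Artifact in $UserArtifacts) {
            $UserPath = "$ProfileRoot\$($Artifact.Dir)"
            Collect-Artifact -SourceDir $UserPath -FileMask $Artifact.Mask -FolderName "$($Artifact.Folder)_$UserName"
        }
    }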
# Print the run totals kept in $Summary by Collect-Artifact.
$SummaryLine = "Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors
Write-Host $SummaryLine -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
› cyberchef recipes
Open in CyberChef to decode values extracted from this artifact.
notes
This Target is meant to pull all SQLite databases for which there are currently (or soon will be) SQLECmd Maps - https://github.com/EricZimmerman/SQLECmd/tree/master/SQLMap/Maps
This Target will likely be updated often as more SQLECmd Maps are created
Despite not pointing to other .tkape files directly in the interest of only grabbing SQL databases, this Target is considered a Compound Target since it references many other Targets
Use with SQLECmd.mkape or SQLECmd-Hunt.mkape for best results