Added chrome extensions and bookmarks (#6)

Velocidex · Jul 25, 2023 · 1c1f4bd · 1c1f4bd
1 parent 5560760
commit 1c1f4bd
Show file tree

Hide file tree

Showing 6 changed files with 262 additions and 9 deletions.
diff --git a/compile/artifact.go b/compile/artifact.go
@@ -19,6 +19,10 @@ name: %v
 description: |
 %v
 
+column_types:
+- name: Image
+  type: preview_upload
+
 export: |
   LET SPEC <= %q
   LET Specs <= parse_json(data=gunzip(string=base64decode(string=SPEC)))
@@ -59,6 +63,12 @@ export: |
         file=OSPath, query=get(item=Specs.sources, field=SourceName).SQL)
   })
 
+  -- Filter for matching files without sqlite checks.
+  LET FilterFile(SourceName) =
+     SELECT OSPath FROM AllFiles
+     WHERE if(condition=MatchFilename,
+              then=OSPath =~ get(item=Specs.sources, field=SourceName).filename)
+
   -- Build a regex for all enabled categories.
   LET all_categories = SELECT _value FROM foreach(row=%v) WHERE get(field=_value)
   LET category_regex <= join(sep="|", array=all_categories._value)
@@ -138,12 +148,24 @@ func (self *Artifact) getSources() string {
 		if !ok {
 			continue
 		}
-		res = append(res, fmt.Sprintf(`
+		// If it is not an SQLite query at all, just pass the files
+		// directly.
+		if v.SQL == "" {
+			res = append(res, fmt.Sprintf(`
+- name: %v
+  query: |
+    LET Rows = SELECT * FROM FilterFile(SourceName=%q)
+%v
+`, k, k, indent(v.VQL, 4)))
+
+		} else {
+			res = append(res, fmt.Sprintf(`
 - name: %v
   query: |
     LET Rows = SELECT * FROM ApplyFile(SourceName=%q)
 %v
 `, k, k, indent(v.VQL, 4)))
+		}
 	}
 	return strings.Join(res, "\n")
 }
diff --git a/definitions/ChromiumBrowser_Bookmarks.yaml b/definitions/ChromiumBrowser_Bookmarks.yaml
@@ -0,0 +1,51 @@
+Name: Chromium Browser Bookmarks
+Author: Sikha Puthanveedu @SikhaMohan, Mike Cohen
+Categories:
+  - Chrome
+  - Browser
+
+FilenameRegex: "Bookmarks"
+Globs:
+  - "{{LinuxChromeProfiles}}/*/Bookmarks"
+  - "{{WindowsChromeProfiles}}/*/Bookmarks"
+  - "{{MacOSChromeProfiles}}/*/Bookmarks"
+
+Sources:
+- VQL: |
+     -- Recursive function to report the details of a folder
+     LET ReportFolder(Data, BaseName) = SELECT * FROM chain(a={
+       -- First row emit the data about the actual folder
+       SELECT BaseName + " | " + Data.name AS Name,
+              timestamp(winfiletime=int(int=Data.date_added) * 10) AS DateAdded,
+              timestamp(winfiletime=int(int=Data.date_last_used) * 10) AS DateLastUsed,
+              Data.type AS Type,
+              Data.url || ""  AS URL
+       FROM scope()
+     },
+     b={
+        -- If this folder has children recurse into it
+        SELECT * FROM foreach(row={
+           SELECT _value FROM items(item=Data.children)
+        },  query={
+           SELECT * FROM ReportFolder(Data=_value, BaseName=BaseName + " | " + Data.name)
+        })
+     })
+
+     LET MatchingFiles = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Data
+     FROM Rows
+
+     SELECT * FROM foreach(row=MatchingFiles, query={
+       SELECT * FROM chain(
+       a={
+         SELECT OSPath, *, "bookmark_bar" AS Type
+         FROM ReportFolder(Data=Data.roots.bookmark_bar, BaseName="")
+       },
+       b={
+         SELECT OSPath, *, "other" AS Type
+         FROM ReportFolder(Data=Data.roots.other, BaseName="")
+       },
+       c={
+         SELECT OSPath, *, "synced" AS Type
+         FROM ReportFolder(Data=Data.roots.synced, BaseName="")
+       })
+     })
diff --git a/definitions/ChromiumBrowser_Extensions.yaml b/definitions/ChromiumBrowser_Extensions.yaml
@@ -0,0 +1,40 @@
+Name: Chromium Browser Extensions
+Author: Mike Cohen
+Categories:
+  - Chrome
+  - Browser
+
+FilenameRegex: "manifest.json"
+Globs:
+  - "{{LinuxChromeProfiles}}/*/Extensions/**/manifest.json"
+  - "{{WindowsChromeProfiles}}/*/Extensions/**/manifest.json"
+  - "{{MacOSChromeProfiles}}/*/Extensions/**/manifest.json"
+
+Sources:
+- VQL: |
+    -- Resolve the message string against the Locale dict
+    LET ResolveName(Message, Locale) = get(item=Locale,
+          field=lowcase(string=parse_string_with_regex(regex="^__MSG_(.+)__$", string=Message).g1),
+          default=Message).message || Message
+
+    -- Read the manifest files
+    LET ManifestData = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Manifest
+    FROM Rows
+
+    -- Find the Locale file to help with.
+    LET LocaleData = SELECT *, if(condition=Manifest.default_locale, else=dict(),
+         then=parse_json(data=read_file(
+            filename=OSPath.Dirname + "_locales" + Manifest.default_locale + "messages.json"))) AS Locale
+    FROM ManifestData
+
+    LET GetIcon(Manifest) = Manifest.icons.`128` || Manifest.icons.`64` || Manifest.icons.`32` || Manifest.icons.`16`
+
+    SELECT OSPath, Manifest.author.email AS Email,
+      ResolveName(Message = Manifest.name, Locale=Locale) AS name,
+      ResolveName(Message = Manifest.description, Locale=Locale) AS description,
+      Manifest.oauth2.scopes as Scopes,
+      Manifest.permissions as Permissions,
+      Manifest.key as Key, if(condition=GetIcon(Manifest=Manifest),
+                then=upload(file=OSPath.Dirname + GetIcon(Manifest=Manifest))) AS Image,
+      Manifest AS _Manifest
+    FROM LocaleData
diff --git a/definitions/ChromiumBrowser_Favicons.yaml b/definitions/ChromiumBrowser_Favicons.yaml
@@ -1,6 +1,6 @@
 Name: Chromium Browser Favicons
-Author: Andrew Rathbun
-Email: [email protected]
+Author: Andrew Rathbun, Phill Moore
+Email: [email protected], @phillmoore
 Reference: https://github.com/EricZimmerman/SQLECmd
 SQLiteIdentifyQuery: |
   SELECT count(*) AS `Check`
@@ -21,14 +21,21 @@ Globs:
 Sources:
 - VQL: |
     SELECT ID, IconID,
-      timestamp(winfiletime= (last_updated * 10) || 0) AS LastUpdated,
-      PageURL, FaviconURL, OSPath
+      timestamp(winfiletime= (LastUpdated * 10) || 0) AS LastUpdated,
+      PageURL, FaviconURL,
+      upload(accessor="data",
+         file=_image,
+         name=format(format="Image%v.png", args=ID)) AS Image,
+      OSPath as _OSPath
     FROM Rows
+
+
   SQL: |
     SELECT
       favicons.id AS ID,
       favicon_bitmaps.icon_id AS IconID,
-      favicon_bitmaps.last_updated,
+      favicon_bitmaps.image_data as _image,
+      favicon_bitmaps.last_updated AS LastUpdated,
       icon_mapping.page_url AS PageURL,
       favicons.url AS FaviconURL
     FROM favicons

diff --git a/definitions/ChromiumBrowser_Sessions.yaml b/definitions/ChromiumBrowser_Sessions.yaml
@@ -0,0 +1,37 @@
+Name: Chromium Sessions
+Author: Mike Cohen
+Reference: https://www.inversecos.com/2022/10/recovering-cleared-browser-history.html
+SQLiteIdentifyQuery: |
+  SELECT count(*) AS `Check`
+  FROM sqlite_master WHERE type='table' AND (name='cookies' OR name='meta');
+SQLiteIdentifyValue: 2
+Categories:
+  - Chrome
+  - Browser
+FilenameRegex: "Session"
+Globs:
+  - "{{LinuxChromeProfiles}}/*/Sessions/Session_*"
+  - "{{WindowsChromeProfiles}}/*/Sessions/Session_*"
+  - "{{MacOSChromeProfiles}}/*/Sessions/Session_*"
+
+Sources:
+- name: Sessions
+  VQL: |
+    SELECT * FROM info()
+
+  SQL: |
+    SELECT
+      cookies.creation_utc,
+      cookies.expires_utc,
+      cookies.last_access_utc,
+      cookies.host_key AS HostKey,
+      cookies.name AS Name,
+      cookies.path AS Path,
+      cookies.is_secure,
+      cookies.is_httponly,
+      cookies.has_expires,
+      cookies.is_persistent,
+      cookies.priority AS Priority,
+      cookies.source_port AS SourcePort
+    FROM cookies
+    ORDER BY cookies.creation_utc ASC
diff --git a/output/SQLiteHunter.yaml b/output/SQLiteHunter.yaml