diff --git a/definitions/InternetExplorer_WebCacheV01.yaml b/definitions/InternetExplorer_WebCacheV01.yaml
new file mode 100644
index 0000000..13625df
--- /dev/null
+++ b/definitions/InternetExplorer_WebCacheV01.yaml
@@ -0,0 +1,39 @@
+Name: IE or Edge WebCacheV01
+Categories:
+ - Edge
+ - InternetExplorer
+ - Browser
+
+FilenameRegex: "WebCacheV01.dat"
+Globs:
+ - C:/Users/*/AppData/Local/Microsoft/Windows/WebCache/WebCacheV01.dat
+
+Sources:
+- name: All Data
+ VQL: |
+ LET MatchingFiles = SELECT OSPath FROM Rows
+
+ LET Containers(OSPath) = SELECT Table
+ FROM parse_ese_catalog(file=OSPath)
+ WHERE Table =~ "Container_"
+ GROUP BY Table
+
+ LET AllHits(OSPath) = SELECT * FROM foreach(row={
+ SELECT * FROM Containers(OSPath=OSPath)
+ }, query={
+ SELECT timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
+ timestamp(winfiletime=ModifiedTime) AS ModifiedTime,
+ timestamp(winfiletime=AccessedTime) AS AccessedTime, Url, *
+ FROM parse_ese(file=OSPath, table=Table)
+ })
+
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT * FROM AllHits(OSPath=OSPath)
+ })
+
+- name: Highlights
+ VQL: |
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT AccessedTime, ModifiedTime, ExpiryTime, Url
+ FROM AllHits(OSPath=OSPath)
+ })
diff --git a/definitions/Windows_SearchService.yaml b/definitions/Windows_SearchService.yaml
new file mode 100644
index 0000000..f5405df
--- /dev/null
+++ b/definitions/Windows_SearchService.yaml
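Review bot: `FilenameRegex: "WebCacheV01.dat"` in definitions/InternetExplorer_WebCacheV01.yaml leaves the dot unescaped and the pattern unanchored, and the generated artifact appears to match it against the whole path with `OSPath =~ ...`, so a near-match name or a suffixed copy would also be handed to `parse_ese`. Consider `FilenameRegex: 'WebCacheV01\.dat$'`; the same applies to `FilenameRegex: "Windows.edb"` in definitions/Windows_SearchService.yaml. This definition also has no `Description:`, unlike the Windows Search one. A short description would help analysts judge completeness, noting that the file is normally held open on a live system and may be in a dirty state, so recent entries could be missing from the parsed tables; this should be confirmed against how `parse_ese` handles such files.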
@@ -0,0 +1,107 @@
+Name: Windows Search Service
+
+Description: |
+ Analysis of the Windows search index database. See
+ https://www.aon.com/cyber-solutions/aon_cyber_labs/windows-search-index-the-forensic-artifact-youve-been-searching-for/
+
+Categories:
+ - Windows
+
+FilenameRegex: "Windows.edb"
+Globs:
+ - C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
+
+Sources:
+- name: SystemIndex_Gthr
+ VQL: |
+ LET MatchingFiles = SELECT OSPath FROM Rows
+
+ LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(
+ filename=T, accessor="data", struct="uint64b"))
+
+ LET FormatTime(T) = timestamp(winfiletime=parse_binary(
+ filename=T, accessor="data", struct="uint64"))
+
+ LET FormatSize(T) = parse_binary(
+ filename=T, accessor="data", struct="uint64")
+
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT ScopeID, DocumentID, SDID,
+ FormatTimeB(T=LastModified) AS LastModified,
+ FileName
+ FROM parse_ese(file=OSPath, table= "SystemIndex_Gthr")
+ })
+
+- name: SystemIndex_GthrPth
+ VQL: |
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT Scope, Parent, Name
+ FROM parse_ese(file=OSPath, table= "SystemIndex_GthrPth")
+ })
+
+- name: SystemIndex_PropertyStore
+ VQL: |
+ LET X = scope()
+
+ -- The PropertyStore columns look like
+ -- -ProperName so we strip the
+ -- random part off to display it properly.
+ LET FilterDict(Dict) = to_dict(item={
+ SELECT split(sep_string="-", string=_key)[1] || _key AS _key, _value
+ FROM items(item=Dict)
+ })
+
+ LET PropStore(OSPath) = SELECT *,
+ FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,
+ FormatSize(T=X.System_Size) AS System_Size,
+ FormatTime(T=X.System_DateModified) AS System_DateModified,
+ FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,
+ FormatTime(T=X.System_DateCreated) AS System_DateCreated
+ FROM foreach(row={
+ SELECT *, FilterDict(Dict=_value) AS _value
+ FROM items(item={
+ SELECT * FROM parse_ese(file=OSPath, table="SystemIndex_PropertyStore")
+ })
+ }, column="_value")
+
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT *
+ FROM PropStore(OSPath=OSPath)
+ })
+
+- name: SystemIndex_PropertyStore_Highlights
+ VQL: |
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT WorkID,
+ System_Search_GatherTime,
+ System_Size,
+ System_DateModified,
+ System_DateCreated,
+ X.System_FileOwner AS System_FileOwner,
+ X.System_ItemPathDisplay AS System_ItemPathDisplay,
+ X.System_ItemType AS System_ItemType,
+ X.System_FileAttributes AS System_FileAttributes,
+ X.System_Search_AutoSummary AS System_Search_AutoSummary
+ FROM PropStore(OSPath=OSPath)
+ })
+
+- name: BrowsingActivity
+ VQL: |
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT X.ItemPathDisplay AS ItemPathDisplay,
+ X.Activity_ContentUri AS Activity_ContentUri,
+ X.Activity_Description AS Activity_Description
+ FROM PropStore(OSPath=OSPath)
+ WHERE Activity_ContentUri
+ })
+
+- name: UserActivityLogging
+ VQL: |
+ SELECT * FROM foreach(row=MatchingFiles, query={
+ SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,
+ FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,
+ FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,
+ X.ActivityHistory_AppId AS ActivityHistory_AppId
+ FROM PropStore(OSPath=OSPath)
+ WHERE ActivityHistory_AppId
+ })
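Review bot: The BrowsingActivity source reads `X.ItemPathDisplay`, while the Highlights and UserActivityLogging sources read `X.System_ItemPathDisplay`; unless the property store really has a column whose stripped name is `ItemPathDisplay`, that output column will always be empty. If it is a typo, the line should be `SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,`. The same line is repeated in the generated output/SQLiteHunter.yaml, so that file needs regenerating after the fix. Separately, the later sources rely on `MatchingFiles`, `FormatTime` and `PropStore` defined in earlier sources; a comment such as `-- Uses PropStore() defined in the SystemIndex_PropertyStore source` would keep a future reorder from silently breaking them.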
diff --git a/output/SQLiteHunter.yaml b/output/SQLiteHunter.yaml index fcf49df..0d72fbd 100644 --- a/output/SQLiteHunter.yaml +++ b/output/SQLiteHunter.yaml @@ -20,7 +20,7 @@ column_types: type: preview_upload export: | - LET SPEC <= "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" + LET SPEC <= "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" LET Specs <= parse_json(data=gunzip(string=base64decode(string=SPEC))) LET CheckHeader(OSPath) = read_file(filename=OSPath, length=12) = "SQLite forma" LET Bool(Value) = if(condition=Value, then="Yes", else="No") @@ -66,7 +66,7 @@ export: | then=OSPath =~ get(item=Specs.sources, field=SourceName).filename) -- Build a regex for all enabled categories. - LET all_categories = SELECT _value FROM foreach(row=["All","MacOS","Chrome","Browser","Firefox","Windows"]) WHERE get(field=_value) + LET all_categories = SELECT _value FROM foreach(row=["All","MacOS","Chrome","Browser","Firefox","Edge","InternetExplorer","Windows"]) WHERE get(field=_value) LET category_regex <= join(sep="|", array=all_categories._value) LET AllGlobs <= filter(list=Specs.globs, condition="x=> x.tags =~ category_regex") LET _ <= log(message="Globs for category %v is %v", args=[category_regex, CustomGlob || AllGlobs.glob]) @@ -115,6 +115,18 @@ parameters: default: N +- name: Edge + description: Select targets with category Edge + type: bool + default: N + + +- name: InternetExplorer + description: Select targets with category InternetExplorer + type: bool + default: N + + - name: Windows description: Select targets with category Windows type: bool 
@@ -466,6 +478,41 @@ sources: +- name: IE or Edge WebCacheV01_All Data + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_All Data") + LET MatchingFiles = SELECT OSPath FROM Rows + + LET Containers(OSPath) = SELECT Table + FROM parse_ese_catalog(file=OSPath) + WHERE Table =~ "Container_" + GROUP BY Table + + LET AllHits(OSPath) = SELECT * FROM foreach(row={ + SELECT * FROM Containers(OSPath=OSPath) + }, query={ + SELECT timestamp(winfiletime=ExpiryTime) AS ExpiryTime, + timestamp(winfiletime=ModifiedTime) AS ModifiedTime, + timestamp(winfiletime=AccessedTime) AS AccessedTime, Url, * + FROM parse_ese(file=OSPath, table=Table) + }) + + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT * FROM AllHits(OSPath=OSPath) + }) + + + +- name: IE or Edge WebCacheV01_Highlights + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_Highlights") + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT AccessedTime, ModifiedTime, ExpiryTime, Url + FROM AllHits(OSPath=OSPath) + }) + + + - name: MacOS Applications Cache query: | LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Applications Cache") 
@@ -564,4 +611,116 @@ sources: +- name: Windows Search Service_SystemIndex_Gthr + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_Gthr") + LET MatchingFiles = SELECT OSPath FROM Rows + + LET FormatTimeB(T) = timestamp(winfiletime=parse_binary( + filename=T, accessor="data", struct="uint64b")) + + LET FormatTime(T) = timestamp(winfiletime=parse_binary( + filename=T, accessor="data", struct="uint64")) + + LET FormatSize(T) = parse_binary( + filename=T, accessor="data", struct="uint64") + + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT ScopeID, DocumentID, SDID, + FormatTimeB(T=LastModified) AS LastModified, + FileName + FROM parse_ese(file=OSPath, table= "SystemIndex_Gthr") + }) + + + +- name: Windows Search Service_SystemIndex_GthrPth + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_GthrPth") + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT Scope, Parent, Name + FROM parse_ese(file=OSPath, table= "SystemIndex_GthrPth") + }) + + + +- name: Windows Search Service_SystemIndex_PropertyStore + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore") + LET X = scope() + + -- The PropertyStore columns look like + -- -ProperName so we strip the + -- random part off to display it properly. 
+ LET FilterDict(Dict) = to_dict(item={ + SELECT split(sep_string="-", string=_key)[1] || _key AS _key, _value + FROM items(item=Dict) + }) + + LET PropStore(OSPath) = SELECT *, + FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime, + FormatSize(T=X.System_Size) AS System_Size, + FormatTime(T=X.System_DateModified) AS System_DateModified, + FormatTime(T=X.System_DateAccessed) AS System_DateAccessed, + FormatTime(T=X.System_DateCreated) AS System_DateCreated + FROM foreach(row={ + SELECT *, FilterDict(Dict=_value) AS _value + FROM items(item={ + SELECT * FROM parse_ese(file=OSPath, table="SystemIndex_PropertyStore") + }) + }, column="_value") + + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT * + FROM PropStore(OSPath=OSPath) + }) + + + +- name: Windows Search Service_SystemIndex_PropertyStore_Highlights + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore_Highlights") + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT WorkID, + System_Search_GatherTime, + System_Size, + System_DateModified, + System_DateCreated, + X.System_FileOwner AS System_FileOwner, + X.System_ItemPathDisplay AS System_ItemPathDisplay, + X.System_ItemType AS System_ItemType, + X.System_FileAttributes AS System_FileAttributes, + X.System_Search_AutoSummary AS System_Search_AutoSummary + FROM PropStore(OSPath=OSPath) + }) + + + +- name: Windows Search Service_BrowsingActivity + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_BrowsingActivity") + SELECT * FROM foreach(row=MatchingFiles, query={ + SELECT X.ItemPathDisplay AS ItemPathDisplay, + X.Activity_ContentUri AS Activity_ContentUri, + X.Activity_Description AS Activity_Description + FROM PropStore(OSPath=OSPath) + WHERE Activity_ContentUri + }) + + + +- name: Windows Search Service_UserActivityLogging + query: | + LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_UserActivityLogging") + SELECT * 
FROM foreach(row=MatchingFiles, query={ + SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay, + FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime, + FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime, + X.ActivityHistory_AppId AS ActivityHistory_AppId + FROM PropStore(OSPath=OSPath) + WHERE ActivityHistory_AppId + }) + + +