Enumerate the user’s Microsoft Edge favicons.
Also tested against Chrome: replace Microsoft Edge with Google Chrome in
the faviconsGlob
parameter.
Chrome Favicons are stored in the ‘Favicons’ SQLite database, within the ‘favicons’, ‘favicon_bitmaps’ and ‘icon_mapping’ tables. Older versions of Chrome stored Favicons in a ‘Thumbnails’ SQLite database, within the ‘favicons’ table.
Generic.Forensic.SQLiteHunter
and
will be removed in future
name: Windows.Applications.Edge.Favicons
description: |
Enumerate the user's Microsoft Edge favicons.
Also tested against Chrome: replace Microsoft Edge with Google Chrome in
the `faviconsGlob` parameter.
Chrome Favicons are stored in the 'Favicons' SQLite database, within
the 'favicons', 'favicon_bitmaps' and 'icon_mapping' tables. Older
versions of Chrome stored Favicons in a 'Thumbnails' SQLite
database, within the 'favicons' table.
## NOTES:
- This artifact is deprecated in favor of `Generic.Forensic.SQLiteHunter` and
will be removed in future
references:
- https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location
author: Phill Moore, @phillmoore
parameters:
- name: faviconsGlob
default: /AppData/Local/Microsoft/Edge/User Data/*/Favicons
- name: faviconsQuery
default: |
SELECT favicons.id AS ID,
favicon_bitmaps.icon_id AS IconID,
favicon_bitmaps.image_data as _image,
HEX(favicon_bitmaps.image_data) as _image_hex,
datetime( favicon_bitmaps.last_updated / 1000000 + ( strftime( '%s', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS LastUpdated,
icon_mapping.page_url AS PageURL,
favicons.url AS FaviconURL
FROM favicons
INNER JOIN icon_mapping
INNER JOIN favicon_bitmaps
ON icon_mapping.icon_id = favicon_bitmaps.icon_id
AND favicons.id = favicon_bitmaps.icon_id
ORDER BY favicons.id ASC
- name: userRegex
default: .
type: regex
precondition: |
SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET favicons_files = SELECT * from foreach(
row={
SELECT Uid, Name AS User,
expand(path=Directory) AS HomeDirectory
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex
},
query={
SELECT User, OSPath, Mtime
FROM glob(globs=faviconsGlob, root=HomeDirectory)
})
SELECT * FROM foreach(row=favicons_files,
query={
SELECT ID, IconID, LastUpdated, PageURL, FaviconURL,
upload(accessor="data",
file=_image,
name=format(format="Image%v.png", args=ID)) AS Image, _image_hex, OSPath as _OSPath
FROM sqlite(
file=OSPath,
query=faviconsQuery)
})
column_types:
- name: Image
type: preview_upload