Windows.Applications.Edge.Favicons

Enumerate the users Microsoft Edge favicons.

Tested against Chrome as well, replace Microsoft Edge with Google Chrome in the faviconsGlob

Chrome Favicons are stored in the ‘Favicons’ SQLite database, within the ‘favicons’, ‘favicon_bitmaps’ and ‘icon_mapping’ tables. Older versions of Chrome stored Favicons in a ‘Thumbnails’ SQLite database, within the ‘favicons’ table.

NOTES:

This artifact is deprecated in favor of Generic.Forensic.SQLiteHunter and will be removed in future

name: Windows.Applications.Edge.Favicons
description: |
  Enumerate the users Microsoft Edge favicons.

  Tested against Chrome as well, replace Microsoft Edge with Google Chrome in the faviconsGlob

  Chrome Favicons are stored in the 'Favicons' SQLite database, within
  the 'favicons', 'favicon_bitmaps' and 'icon_mapping' tables. Older
  versions of Chrome stored Favicons in a 'Thumbnails' SQLite
  database, within the 'favicons' table.

  ## NOTES:

  This artifact is deprecated in favor of
  Generic.Forensic.SQLiteHunter and will be removed in future

references:
  - https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location

author: Phill Moore, @phillmoore

parameters:
  - name: faviconsGlob
    default: /AppData/Local/Microsoft/Edge/User Data/*/Favicons

  - name: faviconsQuery
    default: |
      SELECT favicons.id AS ID,
             favicon_bitmaps.icon_id AS IconID,
             favicon_bitmaps.image_data as _image,
             HEX(favicon_bitmaps.image_data) as _image_hex,
             datetime( favicon_bitmaps.last_updated / 1000000 + ( strftime( '%s', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS LastUpdated,
             icon_mapping.page_url AS PageURL,
             favicons.url AS FaviconURL
             FROM favicons
             INNER JOIN icon_mapping
             INNER JOIN favicon_bitmaps
             ON icon_mapping.icon_id = favicon_bitmaps.icon_id
             AND favicons.id = favicon_bitmaps.icon_id
             ORDER BY favicons.id ASC
  - name: userRegex
    default: .
    type: regex

precondition: |
  SELECT OS From info() where OS = 'windows'

sources:
  - query: |
        LET favicons_files = SELECT * from foreach(
          row={
             SELECT Uid, Name AS User,
                    expand(path=Directory) AS HomeDirectory
             FROM Artifact.Windows.Sys.Users()
             WHERE Name =~ userRegex
          },
          query={
             SELECT User, OSPath, Mtime
             FROM glob(globs=faviconsGlob, root=HomeDirectory)
          })

        SELECT * FROM foreach(row=favicons_files,
          query={
            SELECT ID, IconID, LastUpdated, PageURL, FaviconURL,
                   upload(accessor="data",
                          file=_image,
                          name=format(format="Image%v.png", args=ID)) AS Image, _image_hex, OSPath as _OSPath
            FROM sqlite(
              file=OSPath,
              query=faviconsQuery)
          })

column_types:
- name: Image
  type: preview_upload