Enumerate the users Microsoft Edge favicons.
Tested against Chrome as well, replace Microsoft Edge with Google Chrome in the faviconsGlob
Chrome Favicons are stored in the ‘Favicons’ SQLite database, within the ‘favicons’, ‘favicon_bitmaps’ and ‘icon_mapping’ tables. Older versions of Chrome stored Favicons in a ‘Thumbnails’ SQLite database, within the ‘favicons’ table.
This artifact is deprecated in favor of Generic.Forensic.SQLiteHunter and will be removed in future
name: Windows.Applications.Edge.Favicons
description: |
Enumerate the users Microsoft Edge favicons.
Tested against Chrome as well, replace Microsoft Edge with Google Chrome in the faviconsGlob
Chrome Favicons are stored in the 'Favicons' SQLite database, within
the 'favicons', 'favicon_bitmaps' and 'icon_mapping' tables. Older
versions of Chrome stored Favicons in a 'Thumbnails' SQLite
database, within the 'favicons' table.
## NOTES:
This artifact is deprecated in favor of
Generic.Forensic.SQLiteHunter and will be removed in future
references:
- https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location
author: Phill Moore, @phillmoore
parameters:
- name: faviconsGlob
default: /AppData/Local/Microsoft/Edge/User Data/*/Favicons
- name: faviconsQuery
default: |
SELECT favicons.id AS ID,
favicon_bitmaps.icon_id AS IconID,
favicon_bitmaps.image_data as _image,
HEX(favicon_bitmaps.image_data) as _image_hex,
datetime( favicon_bitmaps.last_updated / 1000000 + ( strftime( '%s', '1601-01-01' ) ), 'unixepoch', 'localtime' ) AS LastUpdated,
icon_mapping.page_url AS PageURL,
favicons.url AS FaviconURL
FROM favicons
INNER JOIN icon_mapping
INNER JOIN favicon_bitmaps
ON icon_mapping.icon_id = favicon_bitmaps.icon_id
AND favicons.id = favicon_bitmaps.icon_id
ORDER BY favicons.id ASC
- name: userRegex
default: .
type: regex
precondition: |
SELECT OS From info() where OS = 'windows'
sources:
- query: |
LET favicons_files = SELECT * from foreach(
row={
SELECT Uid, Name AS User,
expand(path=Directory) AS HomeDirectory
FROM Artifact.Windows.Sys.Users()
WHERE Name =~ userRegex
},
query={
SELECT User, OSPath, Mtime
FROM glob(globs=faviconsGlob, root=HomeDirectory)
})
SELECT * FROM foreach(row=favicons_files,
query={
SELECT ID, IconID, LastUpdated, PageURL, FaviconURL,
upload(accessor="data",
file=_image,
name=format(format="Image%v.png", args=ID)) AS Image, _image_hex, OSPath as _OSPath
FROM sqlite(
file=OSPath,
query=faviconsQuery)
})
column_types:
- name: Image
type: preview_upload