Collect Browser Extensions and upload them. Based on TriageWebBrowserExtensions from forensicartifacts.com
name: Linux.Collection.BrowserExtensions
author: alternate
description: |
Collect Browser Extensions and upload them.
Based on TriageWebBrowserExtensions from forensicartifacts.com
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = 'linux'
parameters:
- name: ChromiumBasedBrowsersExtensions
default: |
["/{root,home/*}/.config/google-chrome/*/Extensions/**10",
"/{root,home/*}/.config/yandex-browser-beta/*/Extensions/**10",
"/{root,home/*}/.config/chromium/*/Extensions/**10",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extensions/**10",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/Extensions/**10",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Extensions/**10",
"/{root,home/*}/.config/opera/*/Extensions/**10",
"/{root,home/*}/.config/google-chrome-beta/*/Extensions/**10",
"/{root,home/*}/snap/chromium/common/chromium/*/Extensions/**10"]
- name: ChromiumBasedBrowsersExtensionActivitySQLiteDatabaseFile
default: |
["/{root,home/*}/.config/google-chrome-beta/*/Extension Activity",
"/{root,home/*}/.config/google-chrome/*/Extension Activity",
"/{root,home/*}/.config/yandex-browser-beta/*/Extension Activity",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/Extension Activity",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Extension Activity",
"/{root,home/*}/.config/opera/*/Extension Activity",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Extension Activity",
"/{root,home/*}/.config/chromium/*/Extension Activity",
"/{root,home/*}/snap/chromium/common/chromium/*/Extension Activity"]
- name: ChromePreferences
default: |
["/{root,home/*}/.config/chromium/*/Secure Preferences",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Secure Preferences",
"/{root,home/*}/.config/google-chrome/*/Preferences",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Secure Preferences",
"/{root,home/*}/.config/google-chrome/*/Secure Preferences",
"/{root,home/*}/.config/chromium/*/Preferences",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Preferences",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Preferences"]
- name: FirefoxAddOns
default: |
["/{root,home/*}/.mozilla/firefox/*/webapps/webapps.json",
"/{root,home/*}/.mozilla/firefox/*/addons.json",
"/{root,home/*}/.mozilla/firefox/*/extensions.json"]
sources:
- name: uploadChromiumBasedBrowsersExtensions
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=ChromiumBasedBrowsersExtensions))
- name: uploadChromiumBasedBrowsersExtensionActivitySQLiteDatabaseFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=ChromiumBasedBrowsersExtensionActivitySQLiteDatabaseFile))
- name: uploadChromePreferences
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=ChromePreferences))
- name: uploadFirefoxAddOns
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=FirefoxAddOns))