Collect Browser History and upload them. Based on TriageWebBrowserHistory from forensicartifacts.com
name: Linux.Collection.BrowserHistory
author: alternate
description: |
Collect Browser History and upload them.
Based on TriageWebBrowserHistory from forensicartifacts.com
reference:
- https://github.com/ForensicArtifacts/artifacts/blob/main/data/triage.yaml
precondition: SELECT OS FROM info() WHERE OS = 'linux'
parameters:
- name: ChromiumBasedBrowsersHistory
default: |
["/{root,home/*}/.config/chromium/*/Archived History",
"/{root,home/*}/snap/chromium/common/chromium/*/History-journal",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/History",
"/{root,home/*}/snap/chromium/common/chromium/*/Archived History",
"/{root,home/*}/.config/opera/*/Archived History",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/Archived History-journal",
"/{root,home/*}/.config/chromium/*/Archived History-journal",
"/{root,home/*}/snap/chromium/common/chromium/*/Archived History-journal",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Archived History",
"/{root,home/*}/.config/opera/*/Archived History-journal",
"/{root,home/*}/.config/yandex-browser-beta/*/Archived History",
"/{root,home/*}/snap/chromium/common/chromium/*/History",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History-journal",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/History",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/Archived History",
"/{root,home/*}/.config/opera/*/History",
"/{root,home/*}/.config/opera/*/History-journal",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History-journal",
"/{root,home/*}/.config/google-chrome-beta/*/Archived History",
"/{root,home/*}/.config/google-chrome-beta/*/History",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/Archived History",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-config/google-chrome/*/History",
"/{root,home/*}/.config/google-chrome/*/Archived History-journal",
"/{root,home/*}/.config/google-chrome/*/History",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/History-journal",
"/{root,home/*}/.config/google-chrome/*/History-journal",
"/{root,home/*}/.config/yandex-browser-beta/*/Archived History-journal",
"/{root,home/*}/.config/chrome-remote-desktop/chrome-profile/*/Archived History-journal",
"/{root,home/*}/.config/google-chrome/*/Archived History",
"/{root,home/*}/.config/google-chrome-beta/*/History-journal",
"/{root,home/*}/.config/google-chrome-beta/*/Archived History-journal",
"/{root,home/*}/.config/yandex-browser-beta/*/History",
"/{root,home/*}/.config/chromium/*/History",
"/{root,home/*}/.config/yandex-browser-beta/*/History-journal",
"/{root,home/*}/.config/BraveSoftware/Brave-Browser/*/History-journal",
"/{root,home/*}/.config/chromium/*/History-journal"]
- name: FirefoxHistory
default: |
["/{root,home/*}/.mozilla/firefox/*/places.sqlite-wal",
"/{root,home/*}/.mozilla/firefox/*/places.sqlite"]
- name: OperaHistoryFile
default: |
["/{root,home/*}/.opera/global_history.dat"]
sources:
- name: uploadChromiumBasedBrowsersHistory
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=ChromiumBasedBrowsersHistory))
- name: uploadFirefoxHistory
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=FirefoxHistory))
- name: uploadOperaHistoryFile
query: |
SELECT OSPath,
Mtime,
upload(file=OSPath) AS Upload
FROM glob(globs=parse_json_array(data=OperaHistoryFile))