
Profile: base/browser-artifacts.toml

Source

  • Original path: profiles/base/browser-artifacts.toml

Profile (TOML)

# Browser Artifacts Profile
# Inspired by KAPE browser modules - detects browser history, cookies, and user activity
#
# Decoding layers the scanner applies to its input before the [[patterns]]
# below are evaluated (presumably so encoded paths and URLs are matched in
# decoded form — confirm against the scanner's decode implementation).
decode = [
    "base64",
    "percent-encoding",
    "unicode-escape-sequences",
]

# Chrome/Chromium Artifacts
# Each entry is the literal "Chrome" followed, later on the same line, by the
# artifact name (".*" does not cross newlines in most regex engines).
# case-insensitive is set because the same path may be reported as
# "Chrome\History" or "chrome\history" depending on the source.
# NOTE(review): the unbounded ".*" also fires when "Chrome" and the keyword
# merely share a line in unrelated text (e.g. a user-agent string followed by
# the word "history"); tighten to a path-separator form if this proves noisy.
[[patterns]]
name = "Chrome History Database"
type = "regex"
pattern = "Chrome.*History"
case-insensitive = true

# Referenced by name in the "Sensitive Browser Data" signature; keep in sync.
[[patterns]]
name = "Chrome Login Data"
type = "regex"
pattern = "Chrome.*Login Data"
case-insensitive = true

[[patterns]]
name = "Chrome Cookies"
type = "regex"
pattern = "Chrome.*Cookies"
case-insensitive = true

[[patterns]]
name = "Chrome Web Data"
type = "regex"
pattern = "Chrome.*Web Data"
case-insensitive = true

[[patterns]]
name = "Chrome Bookmarks"
type = "regex"
pattern = "Chrome.*Bookmarks"
case-insensitive = true

[[patterns]]
name = "Chrome Extensions"
type = "regex"
pattern = "Chrome.*Extensions"
case-insensitive = true

[[patterns]]
name = "Chrome Cache"
type = "regex"
pattern = "Chrome.*Cache"
case-insensitive = true

# Firefox Artifacts
# File-name patterns escape the dot ("\\." in TOML -> "\." in the regex) so
# only the exact file name matches, not e.g. "placesXsqlite".
[[patterns]]
name = "Firefox Places"
type = "regex"
pattern = "places\\.sqlite"
case-insensitive = true

[[patterns]]
name = "Firefox Cookies"
type = "regex"
pattern = "cookies\\.sqlite"
case-insensitive = true

[[patterns]]
name = "Firefox Downloads"
type = "regex"
pattern = "downloads\\.sqlite"
case-insensitive = true

# Either logins.json or key3.db/key4.db. Referenced by name in the
# "Sensitive Browser Data" signature; keep in sync.
[[patterns]]
name = "Firefox Logins"
type = "regex"
pattern = "logins\\.json|key[34]\\.db"
case-insensitive = true

[[patterns]]
name = "Firefox Bookmarks"
type = "regex"
pattern = "bookmarkbackups"
case-insensitive = true

# Two alternatives; with case-insensitive set, "startupcache" also matches.
[[patterns]]
name = "Firefox Cache"
type = "regex"
pattern = "cache2|startupCache"
case-insensitive = true

# Edge Artifacts
# NOTE(review): with case-insensitive set, "Edge" also matches inside common
# words ("knowledge", "ledger", "hedge"), so "Edge.*History" fires on ordinary
# prose that happens to contain "history" later on the line. A word-boundary
# anchor would cut this but would also miss the "MicrosoftEdge" package path,
# so this is left as-is pending a check of real hit rates.
[[patterns]]
name = "Edge History"
type = "regex"
pattern = "Edge.*History"
case-insensitive = true

[[patterns]]
name = "Edge Cookies"
type = "regex"
pattern = "Edge.*Cookies"
case-insensitive = true

# Matches any "WebCacheV..." string. The "IE History" pattern below targets the
# same WebCacheV<n>.dat files, so one file can fire both; because this entry's
# name contains "Edge", the "Browser Profile Activity" signature then counts it
# as Edge activity as well.
[[patterns]]
name = "Edge WebCache"
type = "regex"
pattern = "WebCacheV"
case-insensitive = true

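# Internet Explorer Artifacts
# WebCacheV<digits>.dat. Made case-insensitive so that lower-cased or
# normalised paths match, consistent with "IE Index.dat" and with the
# "Edge WebCache" pattern that targets the same file; previously
# "webcachev01.dat" fired only the Edge entry.
[[patterns]]
name = "IE History"
type = "regex"
pattern = "WebCacheV\\d+\\.dat"
case-insensitive = true

[[patterns]]
name = "IE Index.dat"
type = "regex"
pattern = "index\\.dat"
case-insensitive = true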

# Safari Artifacts
# "Safari" followed later on the line by the artifact file name; the ".db"
# suffixes are anchored on a literal dot.
[[patterns]]
name = "Safari History"
type = "regex"
pattern = "Safari.*History\\.db"
case-insensitive = true

[[patterns]]
name = "Safari Cookies"
type = "regex"
pattern = "Safari.*Cookies"
case-insensitive = true

[[patterns]]
name = "Safari Cache"
type = "regex"
pattern = "Safari.*Cache\\.db"
case-insensitive = true

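# Browser Session and Download Patterns
# The extension now has to be a real file-name token: a literal dot before it
# and a word boundary after it. The previous "(?:exe|zip|...)" with no dot
# matched bare substrings such as "executor" or "zipcode", and combined with
# the two-letter "dl" alternative fired on ordinary text.
[[patterns]]
name = "Download URL"
type = "regex"
pattern = "(?:download|dl).*\\.(?:exe|zip|rar|7z|msi|dmg)\\b"
case-insensitive = true

# Scheme plus host with at least one dot and a 2+ letter TLD; the path is not
# consumed. Deliberately case-sensitive on the scheme.
[[patterns]]
name = "Visited URL"
type = "regex"
pattern = "(?:http|https|ftp)://[a-zA-Z0-9.-]+\\.[a-zA-Z]{2,}"

# Leading \b so that only a parameter actually named q/query/search matches;
# without it "freq=5" and "seq=1" were reported as search queries. The value
# class is left as [^&]+ (not [^&\s]+) because the percent-encoding decode
# layer above can legitimately put spaces into the captured value.
[[patterns]]
name = "Search Query"
type = "regex"
pattern = "\\b(?:q|query|search)=([^&]+)"
case-insensitive = true

# Case-sensitive on purpose: the camel-case Web Storage API names.
[[patterns]]
name = "Session Storage"
type = "regex"
pattern = "(?:sessionStorage|localStorage)"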

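# Browser Extension and Plugin Artifacts
# Chromium extension IDs are exactly 32 characters drawn from a-p only.
# Restricting the class to [a-p] and bounding it with \b removes the
# earlier "[a-z]{32}" behaviour of firing on any run of 32 lowercase letters
# (for example inside a longer word run or a lowercase base64 blob).
[[patterns]]
name = "Browser Extension ID"
type = "regex"
pattern = "\\b[a-p]{32}\\b"

# ".sol" at end of line/input (Flash Local Shared Object file extension).
[[patterns]]
name = "Flash Cookie"
type = "regex"
pattern = "\\.sol$"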

# Form and Password Artifacts
# "Saved Password" and "Credit Card Data" are referenced by name in the
# "Sensitive Browser Data" signature; renaming either silently empties it.
[[patterns]]
name = "Saved Password"
type = "regex"
pattern = "(?:password_value|encryptedPassword)"
case-insensitive = true

[[patterns]]
name = "Form Autofill"
type = "regex"
pattern = "(?:autofill|formhistory)"
case-insensitive = true

[[patterns]]
name = "Credit Card Data"
type = "regex"
pattern = "credit_cards|payment_methods"
case-insensitive = true

# Incognito/Private Browsing Indicators
# Three alternatives; "private.*brows" tolerates anything between the two
# words on a line (e.g. "Private Browsing", "private-browsing").
[[patterns]]
name = "Private Browsing"
type = "regex"
pattern = "(?:incognito|private.*brows|InPrivate)"
case-insensitive = true

# Signatures: SQL run over the match store (table pattern_matches with at
# least sha256 and pattern_name columns). Referencing the SELECT alias in
# HAVING works in SQLite; assumes the store is SQLite — verify if it changes.
# A file needs more than three distinct browser-named patterns to qualify.
[[signatures]]
name = "Browser Profile Activity"
query = "SELECT sha256, COUNT(DISTINCT pattern_name) as browser_artifacts FROM pattern_matches WHERE pattern_name LIKE '%Chrome%' OR pattern_name LIKE '%Firefox%' OR pattern_name LIKE '%Edge%' OR pattern_name LIKE '%Safari%' GROUP BY sha256 HAVING browser_artifacts > 3"

# Exact pattern names; must stay in sync with the [[patterns]] name values.
[[signatures]]
name = "Sensitive Browser Data"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name IN ('Saved Password', 'Credit Card Data', 'Chrome Login Data', 'Firefox Logins')"

# LIKE '%Download%' matches both "Download URL" and "Firefox Downloads".
[[signatures]]
name = "Download Activity"
query = "SELECT DISTINCT sha256 FROM pattern_matches WHERE pattern_name LIKE '%Download%'"