diff --git a/.gitignore b/.gitignore
index 96ad146..818ecae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
velociraptor*
sqlitehunter_compiler*
datastore
-output/*.zip
\ No newline at end of file
+output/*.zip
+output/*.yaml
\ No newline at end of file
diff --git a/compile/template.yaml b/compile/template.yaml
index 409e715..08205d0 100644
--- a/compile/template.yaml
+++ b/compile/template.yaml
@@ -75,13 +75,6 @@ export: |
FROM foreach(row=["All"{{ range .Categories }},"{{ . }}"{{ end }}])
WHERE get(field=_value)
- LET category_regex <= join(sep="|", array=all_categories._value)
- LET AllGlobs <= filter(list=Specs.globs, condition="x=> x.tags =~ category_regex AND x.rule =~ RuleFilter")
- LET _ <= log(message="Globs for category %v is %v",
- args=[category_regex, CustomGlob || AllGlobs.glob])
- LET AllFiles <= SELECT OSPath FROM glob(globs=CustomGlob || AllGlobs.glob)
- WHERE NOT IsDir AND MaybeUpload(OSPath=OSPath)
-
parameters:
- name: RuleFilter
type: regex
@@ -168,6 +161,17 @@ sources:
SELECT Source, Records FROM ArtifactsWithResults ORDER BY Source
query: |
+ LET category_regex <= join(sep="|", array=all_categories._value)
+
+ LET AllGlobs <= filter(list=Specs.globs,
+ condition="x=> x.tags =~ category_regex AND x.rule =~ RuleFilter")
+
+ LET _ <= log(message="Globs for category %v is %v",
+ args=[category_regex, CustomGlob || AllGlobs.glob])
+
+ LET AllFiles <= SELECT OSPath FROM glob(globs=CustomGlob || AllGlobs.glob)
+ WHERE NOT IsDir AND MaybeUpload(OSPath=OSPath)
+
SELECT * FROM AllFiles
{{ range $_, $v := DictRange .Spec.Sources }}
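Review bot: `AllFiles` is now defined with `LET AllFiles <= SELECT OSPath FROM glob(...)` inside the first source's `query`, where a LET is local to that source, whereas the `export` section it was removed from (the hunk at `@@ -75,13 +75,6 @@`) is shared by every source in the artifact; if any source emitted by the `range` over `.Spec.Sources` still references `AllFiles` or `AllGlobs`, it would no longer resolve, which is worth confirming against the rest of the template. The relocated block also carries no comment saying the move is deliberate, so a later reader may "fix" it back; a one-line `/* Glob discovery is scoped to this source's query on purpose; it is no longer exported. */` above the first LET would record the intent. The enclosing template section continues outside the hunk.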
@@ -179,7 +183,7 @@ sources:
- name: {{ Quote $v.Key }}
notebook:
- - type: vql
+ - type: none
output: "{{ $v.Key }} - Recalculate to view results"
template: |
/*
diff --git a/definitions/EdgeBrowser_Collections.yaml b/definitions/EdgeBrowser_Collections.yaml
new file mode 100644
index 0000000..758d578
--- /dev/null
+++ b/definitions/EdgeBrowser_Collections.yaml
@@ -0,0 +1,112 @@
+Name: Edge Browser Collections
+Author: John Woeltje & David Diehl
+Email: 19861970+jfdubya@users.noreply.github.com
+Reference: https://support.microsoft.com/en-us/microsoft-edge/organize-your-ideas-with-collections-in-microsoft-edge-60fd7bba-6cfd-00b9-3787-b197231b507e
+
+SQLiteIdentifyQuery: |
+ SELECT count(*) AS `Check`
+ FROM sqlite_master WHERE type='table' AND (name='collections' OR name='items');
+SQLiteIdentifyValue: 2
+
+Categories:
+ - Edge
+ - Browser
+FilenameRegex: collectionsSQLite
+
+Globs:
+ - "{{LinuxChromeProfiles}}/*/Collections/collectionsSQLite"
+ - "{{WindowsChromeProfiles}}/*/Collections/collectionsSQLite"
+ - "{{MacOSChromeProfiles}}/*/Collections/collectionsSQLite"
+
+Sources:
+- name: Collections, Items, and Comments
+ Preamble: |
+ LET ExtractImage(Data) = base64decode(
+ string=split(string=parse_json(data=Data).image, sep=",")[1])
+
+ VQL: |
+ SELECT *,
+ timestamp(epoch=Collection_CreationUTC) AS Collection_CreationUTC,
+ timestamp(epoch=Collection_ModifiedUTC) AS Collection_ModifiedUTC,
+ timestamp(epoch=ColletionSync_DateLastSynced) AS ColletionSync_DateLastSynced,
+ timestamp(epoch=Item_CreationUTC) AS Item_CreationUTC,
+ timestamp(epoch=Item_ModifiedUTC) AS Item_ModifiedUTC,
+ parse_json(data= Item_Source) AS Item_Source,
+ upload(accessor="data",
+ file=ExtractImage(Data=Image),
+ name=format(format="Screenshot_%v.png", args=item_id)) AS Image,
+ timestamp(epoch=ItemSync_DaeLastSynced) AS ItemSync_DaeLastSynced
+ FROM Rows
+
+ SQL: |
+ SELECT
+ /* Collections table */
+ collections.date_created AS Collection_CreationUTC,
+ collections.date_modified AS Collection_ModifiedUTC,
+ collections.title as Collection_Title,
+ collections.position as Collection_Position,
+ collections.is_syncable as Collection_IsSyncable,
+ collections.suggestion_url as Collection_SuggestionUrl,
+ collections.suggestion_dismissed as Collection_SuggestionDismissed,
+ collections.suggestion_type as Collection_SuggestionType,
+ cast(collections.thumbnail as varchar) as Collection_Thumbnail,
+ collections.is_custom_thumbnail as Collection_IsCustomThumbnail,
+ collections.tag as Collection_Tag,
+ collections.thumbnail_url as Collection_ThumbnailUrl,
+ collections.is_marked_for_deletion as Collection_IsMarkedForDeletion,
+
+ /* Collections_Sync table */
+ collections_sync.date_last_synced AS ColletionSync_DateLastSynced,
+ collections_sync.is_syncable AS CollectionSync_IsSyncable,
+ collections_sync.server_id AS CollectionSync_ServerId,
+
+ /* Items table */
+ items.date_created AS Item_CreationUTC,
+ items.date_modified AS Item_ModifiedUTC,
+ items.source AS Item_Source,
+ items.Title AS Item_Title,
+ items.entity_blob AS Item_EntityBlob,
+ items.canonical_image_data AS Image,
+ items.third_party_data AS Item_ThirdPartyData,
+ items.favicon_url AS Item_FaviconUrl,
+ items.text_content AS Item_TextContent,
+ items.html_content AS Item_HtmlContent,
+ items.type AS Item_Type,
+ items.tag AS Item_Tag,
+
+ /* Items Offline Data */
+ items_offline_data.offline_file_data AS Item_OfflineFileData,
+
+ /* Items_Sync Data */
+ items_sync.date_last_synced AS ItemSync_DaeLastSynced,
+ items_sync.is_syncable AS ItemSync_IsSyncable,
+
+ /* Comments table */
+ comments.text as Comment_Text,
+ comments.properties as Comment_Properties,
+
+ /* All the raw fields here */
+ collections.id as collection_id,
+ collections.date_created as raw_collection_created,
+ collections.date_modified as raw_collection_modified,
+ items.id AS item_id,
+ items.date_created AS raw_item_created,
+ items.date_modified AS raw_item_modified,
+ comments.id as comment_id,
+ comments.parent_id as comment_parent_id
+
+ FROM items
+ left join collections_items_relationship
+ on items.id = collections_items_relationship.item_id
+ left join collections
+ on collections_items_relationship.parent_id = collections.id
+ left join collections_sync
+ on collections.id = collections_sync.collection_id
+ left join comments
+ on items.id = comments.parent_id
+ left join items_offline_data
+ on items.id = items_offline_data.item_id
+ left join items_sync
+ on items.id = items_sync.item_id
+
+ ORDER BY Collection_Title ASC, items.date_created DESC
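Review bot: Two output column names are misspelled in the new SQL and the typo is then repeated in the VQL: `collections_sync.date_last_synced AS ColletionSync_DateLastSynced` (also in `timestamp(epoch=ColletionSync_DateLastSynced)`) and `items_sync.date_last_synced AS ItemSync_DaeLastSynced` (also in the matching `timestamp()` line); rename them to `CollectionSync_DateLastSynced` and `ItemSync_DateLastSynced` in all four places before the generated index.json fixes the names for consumers. The `upload(accessor="data", file=ExtractImage(Data=Image), ...)` runs for every joined row, including items whose `canonical_image_data` is NULL or has no `image` key, where `ExtractImage` presumably hands base64decode an empty value and an empty file is uploaded; guarding it as `if(condition=Image, then=upload(...))` would keep those out of the collection. Unlike the other browser sources embedded on this page, this VQL has no `DateAfter`/`DateBefore` window, so a `WHERE Item_CreationUTC > DateAfter AND Item_CreationUTC < DateBefore` clause would bring it in line with them.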
diff --git a/definitions/EdgeBrowser_Screenshots.yaml b/definitions/EdgeBrowser_Screenshots.yaml
new file mode 100644
index 0000000..e67a531
--- /dev/null
+++ b/definitions/EdgeBrowser_Screenshots.yaml
@@ -0,0 +1,43 @@
+Name: Edge Browser History Screenshots
+Description: |
+ Extracts the Edge Browser History Screenshots if enabled.
+
+Author: Michal Minar, Reece394
+Email: michal.minar@istrosec.com
+Reference: https://medium.com/@DCSO_CyTec/microsoft-edge-forensics-screenshot-history-703b9b8392f8
+SQLiteIdentifyQuery: |
+ SELECT count(*) AS `Check`
+ FROM sqlite_master WHERE type='table' AND (name='edge_visits');
+
+SQLiteIdentifyValue: 1
+Categories:
+ - Edge
+ - Browser
+
+FilenameRegex: "History"
+Globs:
+ - "{{LinuxChromeProfiles}}/*/History"
+ - "{{WindowsChromeProfiles}}/*/History"
+ - "{{MacOSChromeProfiles}}/*/History"
+
+Sources:
+- name: Screenshots
+ VQL: |
+ SELECT *,
+ timestamp(epoch=VisitTime) AS VisitTime,
+ upload(accessor="data",
+ file=Image,
+ name=format(format="Screenshot_%v.png", args=VisitID)) AS Image
+ FROM Rows
+
+ SQL: |
+ SELECT visit_time AS VisitTime,
+ u.url as URL,
+ u.title as Title,
+ ev.data AS Image,
+ ev.visit_id AS VisitID
+ FROM edge_visits ev
+ JOIN visits v on v.id = ev.visit_id
+ JOIN urls u on u.id=v.url
+ WHERE ev.data NOT NULL
+ ORDER BY visit_time ASC;
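Review bot: `visit_time` in the SQL is unqualified and the VQL converts it with `timestamp(epoch=VisitTime)`, yet the Chromium Browser History definition embedded on this page converts `visits.visit_time` with `timestamp(winfiletime=(visit_time * 10) || 0)` because Chromium stores it as WebKit microseconds; if the bare name resolves to `v.visit_time` (or is ambiguous with a same-named column in `edge_visits`, which SQLite rejects outright), the dates produced here would be wrong. Qualifying it as `v.visit_time AS VisitTime` and using `timestamp(winfiletime=(VisitTime * 10) || 0) AS VisitTime` would match the existing definition, subject to confirming the `edge_visits` schema. The upload name `Screenshot_%v.png` keyed only on `VisitID` is the same pattern the new Collections definition uses with `item_id`, and visit ids can repeat across different profiles' History files, so uploads may collide; a definition-specific prefix such as `EdgeHistoryScreenshot_%v.png` (or including `OSPath`, which the other History sources select from `Rows`) avoids that. This source also lacks the `DateAfter`/`DateBefore` and `FilterRegex` filters every other History source on this page applies.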
diff --git a/docs/content/docs/rules/index.json b/docs/content/docs/rules/index.json
index 81ba8db..f3daef4 100644
--- a/docs/content/docs/rules/index.json
+++ b/docs/content/docs/rules/index.json
@@ -110,7 +110,7 @@
"Name": "Keywords"
}
],
- "RawData": "Name: Chromium Browser History\nDescription: |\n Extracts the Chromium Browser History\n\nAuthor: Andrew Rathbun\nEmail: andrew.d.rathbun@gmail.com\nReference: https://github.com/EricZimmerman/SQLECmd\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master\n WHERE type='table'\n AND (name='urls' OR name='visits' OR name='downloads' OR name='segments');\nSQLiteIdentifyValue: 4\nCategories:\n - Chrome\n - Browser\nFilenameRegex: \"History\"\nGlobs:\n - \"{{LinuxChromeProfiles}}/*/History\"\n - \"{{WindowsChromeProfiles}}/*/History\"\n - \"{{MacOSChromeProfiles}}/*/History\"\n\nSources:\n- name: Visits\n VQL: |\n SELECT ID,\n timestamp(winfiletime=(visit_time * 10) || 0) AS VisitTime,\n timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,\n URLTitle, URL, VisitCount, TypedCount,\n if(condition=hidden =~ '1', then=\"Yes\", else=\"No\") AS Hidden,\n VisitID, FromVisitID,\n visit_duration / 1000000 AS VisitDurationInSeconds,\n OSPath\n FROM Rows\n WHERE VisitTime \u003e DateAfter\n AND VisitTime \u003c DateBefore\n AND (URLTitle, URL) =~ FilterRegex\n SQL: |\n SELECT\n urls.id AS ID,\n visits.visit_time as visit_time,\n urls.last_visit_time as last_visit_time,\n urls.title AS URLTitle,\n urls.url AS URL,\n urls.visit_count AS VisitCount,\n urls.typed_count AS TypedCount,\n urls.hidden as hidden,\n visits.id AS VisitID,\n visits.from_visit AS FromVisitID,\n visits.visit_duration as visit_duration\n FROM urls\n LEFT JOIN visits ON urls.id = visits.url\n ORDER BY visits.visit_time ASC\n\n- name: Downloads\n Preamble: |\n LET StateLookup \u003c= dict(`0`='In Progress', `1`='Complete', `2`=\"Cancelled\", `3`=\"Interrupted\", `4`=\"Interrupted\")\n LET DangerType \u003c= dict(`0`='Not Dangerous', `1`=\"Dangerous\", `2`='Dangerous URL', `3`='Dangerous Content',\n `4`='Content May Be Malicious', `5`='Uncommon Content', `6`='Dangerous But User Validated',\n `7`='Dangerous Host', `8`='Potentially Unwanted', `9`='Whitelisted by 
Policy')\n LET InterruptReason \u003c= dict(`0`= 'No Interrupt', `1`= 'File Error', `2`='Access Denied', `3`='Disk Full',\n `5`='Path Too Long',`6`='File Too Large', `7`='Virus', `10`='Temporary Problem', `11`='Blocked',\n `12`='Security Check Failed', `13`='Resume Error', `20`='Network Error', `21`='Operation Timed Out',\n `22`='Connection Lost', `23`='Server Down', `30`='Server Error', `31`='Range Request Error',\n `32`='Server Precondition Error', `33`='Unable to get file', `34`='Server Unauthorized',\n `35`='Server Certificate Problem', `36`='Server Access Forbidden', `37`='Server Unreachable',\n `38`='Content Length Mismatch', `39`='Cross Origin Redirect', `40`='Cancelled', `41`='Browser Shutdown',\n `50`='Browser Crashed')\n\n VQL: |\n SELECT ID, GUID, CurrentPath, TargetPath, OriginalMIMEType, ReceivedBytes, TotalBytes,\n timestamp(winfiletime=(start_time * 10) || 0) AS StartTime,\n timestamp(winfiletime=(end_time * 10) || 0) AS EndTime,\n timestamp(winfiletime=(opened * 10) || 0) AS Opened,\n timestamp(winfiletime=(last_access_time * 10) || 0) AS LastAccessTime,\n timestamp(epoch=last_modified) AS LastModified,\n get(item=StateLookup, field=str(str=state), default=\"Unknown\") AS State,\n get(item=DangerType, field=str(str=danger_type), default=\"Unknown\") AS DangerType,\n get(item=InterruptReason, field=str(str=interrupt_reason), default=\"Unknown\") AS InterruptReason,\n ReferrerURL, SiteURL, TabURL, TabReferrerURL, DownloadURL, OSPath\n FROM Rows\n WHERE LastAccessTime \u003e DateAfter AND LastAccessTime \u003c DateBefore\n AND (SiteURL, DownloadURL, TabURL, TabReferrerURL, ReferrerURL, DownloadURL) =~ FilterRegex\n\n SQL: |\n SELECT\n downloads.id AS ID,\n downloads.guid AS GUID,\n downloads.current_path AS CurrentPath,\n downloads.target_path AS TargetPath,\n downloads.original_mime_type AS OriginalMIMEType,\n downloads.received_bytes AS ReceivedBytes,\n downloads.total_bytes AS TotalBytes,\n downloads.start_time,\n downloads.end_time,\n 
downloads.opened,\n downloads.last_access_time,\n downloads.last_modified,\n downloads.state,\n downloads.danger_type,\n downloads.interrupt_reason,\n downloads.referrer AS ReferrerURL,\n downloads.site_url AS SiteURL,\n downloads.tab_url AS TabURL,\n downloads.tab_referrer_url AS TabReferrerURL,\n DownloadURL.url AS DownloadURL\n FROM downloads\n INNER JOIN downloads_url_chains AS DownloadURL ON downloads.id = DownloadURL.id\n ORDER BY downloads.id ASC\n\n- name: Keywords\n VQL: |\n SELECT KeywordID, URLID,\n timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,\n KeywordSearchTerm, Title, URL, OSPath\n FROM Rows\n WHERE LastVisitedTime \u003e DateAfter AND LastVisitedTime \u003c DateBefore\n AND (Title, KeywordSearchTerm, URL) =~ FilterRegex\n\n SQL: |\n SELECT\n keyword_search_terms.keyword_id AS KeywordID,\n keyword_search_terms.url_id AS URLID,\n urls.last_visit_time,\n keyword_search_terms.term AS KeywordSearchTerm,\n urls.title AS Title,\n urls.url AS URL\n FROM keyword_search_terms\n INNER JOIN urls ON keyword_search_terms.url_id = urls.id\n ORDER BY keyword_search_terms.keyword_id ASC\n"
+ "RawData": "Name: Chromium Browser History\nDescription: |\n Extracts the Chromium Browser History\n\nAuthor: Andrew Rathbun\nEmail: andrew.d.rathbun@gmail.com\nReference: https://github.com/EricZimmerman/SQLECmd\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master\n WHERE type='table'\n AND (name='urls' OR name='visits' OR name='downloads' OR name='segments');\nSQLiteIdentifyValue: 4\nCategories:\n - Chrome\n - Browser\nFilenameRegex: \"History\"\nGlobs:\n - \"{{LinuxChromeProfiles}}/*/History\"\n - \"{{WindowsChromeProfiles}}/*/History\"\n - \"{{MacOSChromeProfiles}}/*/History\"\n\nSources:\n- name: Visits\n VQL: |\n SELECT ID,\n timestamp(winfiletime=(visit_time * 10) || 0) AS VisitTime,\n timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,\n URLTitle, URL, VisitCount, TypedCount,\n if(condition=hidden =~ '1', then=\"Yes\", else=\"No\") AS Hidden,\n VisitID, FromVisitID,\n visit_duration / 1000000 AS VisitDurationInSeconds,\n OSPath\n FROM Rows\n WHERE VisitTime \u003e DateAfter\n AND VisitTime \u003c DateBefore\n AND (URLTitle, URL) =~ FilterRegex\n SQL: |\n SELECT\n urls.id AS ID,\n visits.visit_time as visit_time,\n urls.last_visit_time as last_visit_time,\n urls.title AS URLTitle,\n urls.url AS URL,\n urls.visit_count AS VisitCount,\n urls.typed_count AS TypedCount,\n urls.hidden as hidden,\n visits.id AS VisitID,\n visits.from_visit AS FromVisitID,\n visits.visit_duration as visit_duration\n FROM urls\n LEFT JOIN visits ON urls.id = visits.url\n ORDER BY visits.visit_time ASC\n\n- name: Downloads\n Preamble: |\n LET StateLookup \u003c= dict(`0`='In Progress', `1`='Complete', `2`=\"Cancelled\", `3`=\"Interrupted\", `4`=\"Interrupted\")\n LET DangerType \u003c= dict(`0`='Not Dangerous', `1`=\"Dangerous\", `2`='Dangerous URL', `3`='Dangerous Content',\n `4`='Content May Be Malicious', `5`='Uncommon Content', `6`='Dangerous But User Validated',\n `7`='Dangerous Host', `8`='Potentially Unwanted', `9`='Whitelisted by 
Policy',\n `10`='Download Pending Detailed Verdict', `11`='Blocked By Policy Password Protected', `12`='Blocked By Policy Download Too Large',\n `13`='Sensitive Content Warning', `14`='Sensitive Content Blocked', `15`='Deep Scanned Safe',\n `16`='Deep Scanned Dangerous But Opened By User', `17`='Prompt For Deep Scanning', `18`='Blocked Unsupported Filetype',\n `19`='Dangerous Associated With Account Compromise', `20`='Deep Scan Failed', `21`='Encrypted Archive Prompt for Local Password Scanning',\n `22`='Encrypted Archive Prompt for Local Password Scanning Pending Detailed Verdict', `23`='Blocked by Policy Scan Failed')\n LET InterruptReason \u003c= dict(`0`= 'No Interrupt', `1`= 'File Error', `2`='Access Denied', `3`='Disk Full',\n `5`='Path Too Long',`6`='File Too Large', `7`='Virus', `10`='Temporary Problem', `11`='Blocked',\n `12`='Security Check Failed', `13`='Resume Error File Too Short', `14`='File Hash Mismatch', `15`='File Same As Source',\n `20`='Network Error', `21`='Operation Timed Out', `22`='Connection Lost', `23`='Server Down',\n `24`='Network Request Invalid', `30`='Server Error', `31`='Range Request Error',\n `32`='Server Precondition Error', `33`='Unable to get file', `34`='Server Unauthorized',\n `35`='Server Certificate Problem', `36`='Server Access Forbidden', `37`='Server Unreachable',\n `38`='Content Length Mismatch', `39`='Cross Origin Redirect', `40`='Cancelled', `41`='Browser Shutdown',\n `50`='Browser Crashed')\n\n VQL: |\n SELECT ID, GUID, CurrentPath, TargetPath, OriginalMIMEType, ReceivedBytes, TotalBytes,\n timestamp(winfiletime=(start_time * 10) || 0) AS StartTime,\n timestamp(winfiletime=(end_time * 10) || 0) AS EndTime,\n timestamp(winfiletime=(opened * 10) || 0) AS Opened,\n timestamp(winfiletime=(last_access_time * 10) || 0) AS LastAccessTime,\n timestamp(epoch=last_modified) AS LastModified,\n get(item=StateLookup, field=str(str=state), default=\"Unknown\") AS State,\n get(item=DangerType, field=str(str=danger_type), 
default=\"Unknown\") AS DangerType,\n get(item=InterruptReason, field=str(str=interrupt_reason), default=\"Unknown\") AS InterruptReason,\n ReferrerURL, SiteURL, TabURL, TabReferrerURL, DownloadURL, OSPath\n FROM Rows\n WHERE LastAccessTime \u003e DateAfter AND LastAccessTime \u003c DateBefore\n AND (SiteURL, DownloadURL, TabURL, TabReferrerURL, ReferrerURL, DownloadURL) =~ FilterRegex\n\n SQL: |\n SELECT\n downloads.id AS ID,\n downloads.guid AS GUID,\n downloads.current_path AS CurrentPath,\n downloads.target_path AS TargetPath,\n downloads.original_mime_type AS OriginalMIMEType,\n downloads.received_bytes AS ReceivedBytes,\n downloads.total_bytes AS TotalBytes,\n downloads.start_time,\n downloads.end_time,\n downloads.opened,\n downloads.last_access_time,\n downloads.last_modified,\n downloads.state,\n downloads.danger_type,\n downloads.interrupt_reason,\n downloads.referrer AS ReferrerURL,\n downloads.site_url AS SiteURL,\n downloads.tab_url AS TabURL,\n downloads.tab_referrer_url AS TabReferrerURL,\n DownloadURL.url AS DownloadURL\n FROM downloads\n INNER JOIN downloads_url_chains AS DownloadURL ON downloads.id = DownloadURL.id\n ORDER BY downloads.id ASC\n\n- name: Keywords\n VQL: |\n SELECT KeywordID, URLID,\n timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,\n KeywordSearchTerm, Title, URL, OSPath\n FROM Rows\n WHERE LastVisitedTime \u003e DateAfter AND LastVisitedTime \u003c DateBefore\n AND (Title, KeywordSearchTerm, URL) =~ FilterRegex\n\n SQL: |\n SELECT\n keyword_search_terms.keyword_id AS KeywordID,\n keyword_search_terms.url_id AS URLID,\n urls.last_visit_time,\n keyword_search_terms.term AS KeywordSearchTerm,\n urls.title AS Title,\n urls.url AS URL\n FROM keyword_search_terms\n INNER JOIN urls ON keyword_search_terms.url_id = urls.id\n ORDER BY keyword_search_terms.keyword_id ASC\n"
},
{
"Name": "Chromium Browser Media",
@@ -225,6 +225,20 @@
],
"RawData": "Name: Edge Browser Autofill\nAuthor: Chris Hayes - Reliance Cyber\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master\n WHERE type='table'\n AND (name='autofill_edge_field_client_info' OR name='autofill_edge_field_values');\nSQLiteIdentifyValue: 2\nCategories:\n - Edge\n - Browser\n\nFilenameRegex: \"Web Data\"\nGlobs:\n - \"{{LinuxChromeProfiles}}/*/Web Data\"\n - \"{{WindowsChromeProfiles}}/*/Web Data\"\n - \"{{MacOSChromeProfiles}}/*/Web Data\"\n\nSources:\n- name: CombinedAutofill\n VQL: |\n SELECT timestamp(epoch=date_last_used) AS DateLastUsed, *\n FROM Rows\n WHERE DateLastUsed \u003e DateAfter AND DateLastUsed \u003c DateBefore\n\n SQL: |\n SELECT\n autofill_edge_field_client_info.form_signature_v1,\n autofill_edge_field_client_info.form_signature_v2,\n autofill_edge_field_client_info.domain_value,\n autofill_edge_field_values.date_last_used,\n GROUP_CONCAT(autofill_edge_field_client_info.label || ': ' || autofill_edge_field_values.value, ', ') AS label_value_pairs,\n json_group_object(autofill_edge_field_client_info.label, autofill_edge_field_values.value) AS label_value_json\n FROM\n autofill_edge_field_values\n JOIN\n autofill_edge_field_client_info\n ON\n autofill_edge_field_values.field_id = autofill_edge_field_client_info.field_id\n GROUP BY\n autofill_edge_field_client_info.form_signature_v1,\n autofill_edge_field_client_info.form_signature_v2,\n autofill_edge_field_client_info.domain_value,\n autofill_edge_field_values.date_last_used;\n"
},
+ {
+ "Name": "Edge Browser Collections",
+ "Author": "John Woeltje \u0026 David Diehl",
+ "Categories": [
+ "Edge",
+ "Browser"
+ ],
+ "Sources": [
+ {
+ "Name": "Collections, Items, and Comments"
+ }
+ ],
+ "RawData": "Name: Edge Browser Collections\nAuthor: John Woeltje \u0026 David Diehl\nEmail: 19861970+jfdubya@users.noreply.github.com\nReference: https://support.microsoft.com/en-us/microsoft-edge/organize-your-ideas-with-collections-in-microsoft-edge-60fd7bba-6cfd-00b9-3787-b197231b507e\n\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master WHERE type='table' AND (name='collections' OR name='items');\nSQLiteIdentifyValue: 2\n\nCategories:\n - Edge\n - Browser\nFilenameRegex: collectionsSQLite\n\nGlobs:\n - \"{{LinuxChromeProfiles}}/*/Collections/collectionsSQLite\"\n - \"{{WindowsChromeProfiles}}/*/Collections/collectionsSQLite\"\n - \"{{MacOSChromeProfiles}}/*/Collections/collectionsSQLite\"\n\nSources:\n- name: Collections, Items, and Comments\n Preamble: |\n LET ExtractImage(Data) = base64decode(\n string=split(string=parse_json(data=Data).image, sep=\",\")[1])\n\n VQL: |\n SELECT *,\n timestamp(epoch=Collection_CreationUTC) AS Collection_CreationUTC,\n timestamp(epoch=Collection_ModifiedUTC) AS Collection_ModifiedUTC,\n timestamp(epoch=ColletionSync_DateLastSynced) AS ColletionSync_DateLastSynced,\n timestamp(epoch=Item_CreationUTC) AS Item_CreationUTC,\n timestamp(epoch=Item_ModifiedUTC) AS Item_ModifiedUTC,\n parse_json(data= Item_Source) AS Item_Source,\n upload(accessor=\"data\",\n file=ExtractImage(Data=Image),\n name=format(format=\"Screenshot_%v.png\", args=item_id)) AS Image,\n timestamp(epoch=ItemSync_DaeLastSynced) AS ItemSync_DaeLastSynced\n FROM Rows\n\n SQL: |\n SELECT\n /* Collections table */\n collections.date_created AS Collection_CreationUTC,\n collections.date_modified AS Collection_ModifiedUTC,\n collections.title as Collection_Title,\n collections.position as Collection_Position,\n collections.is_syncable as Collection_IsSyncable,\n collections.suggestion_url as Collection_SuggestionUrl,\n collections.suggestion_dismissed as Collection_SuggestionDismissed,\n collections.suggestion_type as Collection_SuggestionType,\n 
cast(collections.thumbnail as varchar) as Collection_Thumbnail,\n collections.is_custom_thumbnail as Collection_IsCustomThumbnail,\n collections.tag as Collection_Tag,\n collections.thumbnail_url as Collection_ThumbnailUrl,\n collections.is_marked_for_deletion as Collection_IsMarkedForDeletion,\n\n /* Collections_Sync table */\n collections_sync.date_last_synced AS ColletionSync_DateLastSynced,\n collections_sync.is_syncable AS CollectionSync_IsSyncable,\n collections_sync.server_id AS CollectionSync_ServerId,\n\n /* Items table */\n items.date_created AS Item_CreationUTC,\n items.date_modified AS Item_ModifiedUTC,\n items.source AS Item_Source,\n items.Title AS Item_Title,\n items.entity_blob AS Item_EntityBlob,\n items.canonical_image_data AS Image,\n items.third_party_data AS Item_ThirdPartyData,\n items.favicon_url AS Item_FaviconUrl,\n items.text_content AS Item_TextContent,\n items.html_content AS Item_HtmlContent,\n items.type AS Item_Type,\n items.tag AS Item_Tag,\n\n /* Items Offline Data */\n items_offline_data.offline_file_data AS Item_OfflineFileData,\n\n /* Items_Sync Data */\n items_sync.date_last_synced AS ItemSync_DaeLastSynced,\n items_sync.is_syncable AS ItemSync_IsSyncable,\n\n /* Comments table */\n comments.text as Comment_Text,\n comments.properties as Comment_Properties,\n\n /* All the raw fields here */\n collections.id as collection_id,\n collections.date_created as raw_collection_created,\n collections.date_modified as raw_collection_modified,\n items.id AS item_id,\n items.date_created AS raw_item_created,\n items.date_modified AS raw_item_modified,\n comments.id as comment_id,\n comments.parent_id as comment_parent_id\n\n FROM items\n left join collections_items_relationship\n on items.id = collections_items_relationship.item_id\n left join collections\n on collections_items_relationship.parent_id = collections.id\n left join collections_sync\n on collections.id = collections_sync.collection_id\n left join comments\n on items.id = 
comments.parent_id\n left join items_offline_data\n on items.id = items_offline_data.item_id\n left join items_sync\n on items.id = items_sync.item_id\n\n ORDER BY Collection_Title ASC, items.date_created DESC\n"
+ },
{
"Name": "Edge Browser Navigation History",
"Author": "Suyash Tripathi",
@@ -239,6 +253,21 @@
],
"RawData": "Name: Edge Browser Navigation History\nAuthor: Suyash Tripathi\nEmail: suyash.tripathi@cybercx.com.au\nReference: https://github.com/EricZimmerman/SQLECmd\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master\n WHERE type='table'\n AND name='navigation_history';\nSQLiteIdentifyValue: 1\nCategories:\n - Edge\n - Browser\nFilenameRegex: \"WebAssistDatabase\"\nGlobs:\n - \"{{WindowsChromeProfiles}}/*/WebAssistDatabase\"\n - \"{{MacOSChromeProfiles}}/*/WebAssistDatabase\"\n\nSources:\n- name: Navigation History\n VQL: |\n SELECT ID,\n timestamp(epoch=`Last Visited Time`) AS `Last Visited Time`,\n Title, URL, VisitCount, OSPath\n FROM Rows\n WHERE `Last Visited Time` \u003e DateAfter\n AND `Last Visited Time` \u003c DateBefore\n AND (Title, URL) =~ FilterRegex\n\n SQL: |\n SELECT\n navigation_history.id AS ID,\n navigation_history.last_visited_time AS 'Last Visited Time',\n navigation_history.title AS Title,\n navigation_history.url AS URL,\n navigation_history.num_visits AS VisitCount\n FROM\n navigation_history\n ORDER BY\n navigation_history.last_visited_time ASC;\n"
},
+ {
+ "Name": "Edge Browser History Screenshots",
+ "Author": "Michal Minar, Reece394",
+ "Description": "Extracts the Edge Browser History Screenshots if enabled.\n",
+ "Categories": [
+ "Edge",
+ "Browser"
+ ],
+ "Sources": [
+ {
+ "Name": "Screenshots"
+ }
+ ],
+ "RawData": "Name: Edge Browser History Screenshots\nDescription: |\n Extracts the Edge Browser History Screenshots if enabled.\n\nAuthor: Michal Minar, Reece394\nEmail: michal.minar@istrosec.com\nReference: https://medium.com/@DCSO_CyTec/microsoft-edge-forensics-screenshot-history-703b9b8392f8\nSQLiteIdentifyQuery: |\n SELECT count(*) AS `Check`\n FROM sqlite_master WHERE type='table' AND (name='edge_visits');\n\nSQLiteIdentifyValue: 1\nCategories:\n - Edge\n - Browser\n\nFilenameRegex: \"History\"\nGlobs:\n - \"{{LinuxChromeProfiles}}/*/History\"\n - \"{{WindowsChromeProfiles}}/*/History\"\n - \"{{MacOSChromeProfiles}}/*/History\"\n\nSources:\n- name: Screenshots\n VQL: |\n SELECT *,\n timestamp(epoch=VisitTime) AS VisitTime,\n upload(accessor=\"data\",\n file=Image,\n name=format(format=\"Screenshot_%v.png\", args=VisitID)) AS Image\n FROM Rows\n\n SQL: |\n SELECT visit_time AS VisitTime,\n u.url as URL,\n u.title as Title,\n ev.data AS Image,\n ev.visit_id AS VisitID\n FROM edge_visits ev\n JOIN visits v on v.id = ev.visit_id\n JOIN urls u on u.id=v.url\n WHERE ev.data NOT NULL\n ORDER BY visit_time ASC;\n"
+ },
{
"Name": "Firefox Places",
"Author": "Andrew Rathbun",
diff --git a/output/SQLiteHunter.yaml b/output/SQLiteHunter.yaml
deleted file mode 100644
index c3cd3b2..0000000
--- a/output/SQLiteHunter.yaml
+++ /dev/null
@@ -1,1724 +0,0 @@
-name: Generic.Forensic.SQLiteHunter
-description: |
- Hunt for SQLite files.
-
- SQLite has become the de-facto standard for storing application data,
- in many types of applications:
-
- - Web Browsers
- - Operating Systems
- - Various applications, such as iMessage, TCC etc
-
- This artifact can hunt for these artifacts in a mostly automated way.
- More info at https://github.com/Velocidex/SQLiteHunter
-
- NOTE: If you want to use this artifact on just a bunch of files already
- collected (for example the files collected using the
- Windows.KapeFiles.Targets artifact) you can use the CustomGlob parameter
- (for example set it to "/tmp/unpacked/**" to consider all files in the
- unpacked directory).
-
-column_types:
-- name: Image
- type: preview_upload
-- name: Payload
- type: preview_upload
-
-export: |
- LET SPEC <= "H4sIAAAAAAAA/+x9+3PbttLov4LR3G9sp4ocO+nj5I5+UCS50akt61pykqbqpWESlnhMETwgZEc9zfe3f4MFQAIkKMkvWenXzjQWgV1gsdgHnov/1CYRvUxrb3+Tv2pva/vnKWHp/ov94/CSYbbYPyFpiick3fenmDeCy1q9xvFE4NROsH86rP1er8V4RmpvazkEm0ciIVTIta/1vIIpnZH9F/sNn8ZX4WR/QukkIi/9KZPpH8kl6mCOjXrakFer194xepsSZlRpQKs6ATicz5ACRq05p1dhFC0jQtb+kpEZ5eRlQNJrThOdmjCB/7y0hfPZpuv/TxrjZP+S4RvxVf+q6XknUob0it9iRuTXS1Xepkhsvx2PQU7H4xfjcStJRBnj8X/OKJ6F8aR+TH0cfXVR+gLkG+rcMmJ/Bj3Yl/VvLZUnoc9oSq/4fjeYbC2Z4/FpQhhGuu+zb44vIzIeb0yVisa0lSRR6GMe0hgN50lCGXdL6VZRaIvmVpGWySMCeXwuG110Yu8ovZ5hdp2uR4UJXkVGDvNwP/as5ElXtmkS7ufNNkXlYzm0LaO32qdtGaFL3Np2UbqGZ9uYZj3EuW0VkSX/tlXUlV3cc5nvopdrU3odkjWpyIGraNAQD/dvz0SY9Gybq/x+Pu3p6Xssb7Y1lFb7sa0hcYkH2xYa1/BdG9Cdh3itLSGv5K+2hK6yp9q8IS76qO4XTuI0pHG6/+LF/gzH4RVJeeNfKY3Xo6qIUkVbXtEjOLBtpFp6ty2h7H6u75mJfyy/+G00o9ppfhv0L/Go30QD1nC3z63MD/HF3wLtJUf9LRBd9uLPTfUKF3+Eb0Jf4KxFiwFdRUYG8nBH/ny0SXe90frv55Q3QuJjud5tIrbawW4TlUvc6BaRuYaz3IwqPcQlbg+FJce3PaSV3duz2OiiE3sfppyyxXo05MBVJGiIh3uwZyJMuq/NVX4/3/X09D2W49oaSqu91taQuMRlbQuNa/irDejOQ5zVlpBX8lRbQlfZTW3eEBd91AkJQozuREcRpYoagHsEb/XsJEq/9Rxk3M+DbZLSx/JlW0hztVfbQmKX+Lfto3YNT7dRbXuIz9s6Qkveb+soLPvB5zTxRY/YJ/yWsmvU8oHoASNB6HPK1iNrCXYVhQrlETzl1pIuPeg2kXc/z7oNLXgsj/sNtaXaE39DjVjiob+dVqzhubehMQ/y6N9MA0qe/puhvDwC2ArSV4wMBoxcEUZi3336STTFSZ2NV0kQ5eGVYtRjbFNuE7XS/z8zRfdz+c9E9GN5+e0mv9qxbzfdS3z5VhO+hvt+LiV9iMfeZppLTnqbiS375S3xIkVXPJxSxv05X3OD1wSvoiWHebjvfVbypLPdNAn3866bovKx3OmW0VvtP7eM0CUOc7soXcNDbkyzHuISt4rIkg/cKurKTu+5zHfJy5FUHtFVP7wXaxIkwR3k6BIfw8c9H3HKw22UgHv6t43Q+GjebZuoXeLbtonMZZ5ti+hcx69tRp8e5NW2h8SyT9se2hwe7VmMddGfjWiChiFf9/KoCV7lV3OYh3u0ZyVP+rRNk3A/r7YpKh/Lr20ZvdWebcsIXeLbtovSNbzbxjTrIf5tq4gsebitoq7s457LfK8R7bRymbQcq06AbijO6ZNTVRnh9ClqfrTYpo9J3BNGNX0GMu8Uz/QZ6LtbJNPNE3i/GKaPqiyPHL1047StE7d040StFbF0S81KK03DlIvvS5ySNektIbkI7+ObcCIZ9RRXy7af9uXmaLuJX89UPVcbHmrGtppul4nbaoKd5m/bxfuE/hFGER6Pj0JGruiX8Xggx8qitUmEfZI20n9HITdpV7BO8os4inSFggaQ7RwyzyQp+1cSdP9FIyBXeB7xDRMCA2hNhE9nMxpvAXHrSKBC38+7cMNUPorU+TIU3t1ILSEVaF0WX29J326alrvK3sboe6j4bYrQR5HAgN7GEcXBHcl1oBUI7miIu
8rh81B0V2ncMJUPlcnNkvsoknml4q/cjeIyVoHgpWFdlnT4M5BzV5ncJIkPFcgN0vo40kjZbCrHnnck2YVYpJqy2dJQDss6/TkJu7OEPguxD5bV56C6/TajW4nsPgiqscbwMYwDepuKuVcb+1OS/fjw6qARYF6egvViTlhMePdLElFGWNWsrFCKIrnXRZTBjA8ZMEtZDUAiAX4sf3jOAFEVAgQyuitFAGRVmbDwBnOyf4PZfiyveAXixzzFE1Lur2KtZUircnVp7Lz0AJ6z2uByAzWXeExjjsNYJPp01sBJEpFGn3KS7kuxUXAyCf798KIhBI4E9oJlkUIBOxRwisQ/JXLjOxPZJpqu2tn7mdF5ggyaJyKhkVMeZ2SaVT8xlWZvJoxy4nMS7H9RP/c/DZZKrsq26vg0kLioQ8Sf8hmuCvVu0ziG2jvkJvRJOogwF3Zk/7jxYr/l8/Am5CFJHfqkzIFBlxNcUamgUQ5T1q0KzwmEjseZIRqPVWHjsXW9Yzy+TeJALe2sorUEWqDz46CvV4nQy+W3ogaMThieSWINKocEM386HssM06wYLVA/GmQFvTZcgVhZExoSJvqw9vX3ei2lc+aTtPb2P9mDmp52NiKxL4st59VrH/7fce1tbdg97rZHiIczknI8S3ZJQv1pM8CcoH108Er/h75D//jxp9evfjx89WoPtYZopDHq6MU4Pjo7PUFnoqnxx/fds26ejcbzV69eE9TBnLSuOGGo1e8Us33IfkeuKCPjGAHIrqJ5RL7wOjqjdCYas4ea/42OwogTdkYm5Ms4rtVrQ6MpAn3WYPQ2DOrit09xRFKf7M4avpBEj1E6E9xO62jaCAPZmCkjOOhJjFkjTL0rRmfejIjMXnrE6OyE1MexyG63hl10OyWxDdhEB2j0vttHswb2fTqPuQDuHg+7UA189DuiPFHaYEpj0p/PLglbVeyrqmKzlk0PG2GgWmPUM6LlWmaNVEqPAFCCpBotulz95OQLFwBmDwAvG0GYJhFeeIKBAkJ3i5KAmURAOEUzgRCRK47+RcMYTXEcRJAxRVS0USZ4YYCaaCr7y8bwp5gLeF/CFzoPNZHfEF+SlJcvkbDwbwHLSA9TkY7mcfjvOakjPg1TNMML5ON5ShCNyUtOX85wvIA6ywR4ikxIEMQA9b6kV9AwbQBYkXijuYeAMbUbfKhbDNoicJFoA2cLxCkiUTgLY6GCwVyaE5KiYE5EXkzjl7I5GZbiepFF+zYvJLgQFi0CgjnzKBLDr1wugDj1sSeE5vSs0z1D735VIoI63WH7/4LahYH37zlhi9yMgIDuvgCdumhPiX99oSRDOlFvhlNOmDYSfJGQ5g7sBO0AeaD3gtjmTpH7O+j0DMks1V4Pc4796YzEXELIFor/MtB0EfteQCLCSeApvHRnL6P/BkdzUnv7ul4TZlGvmqm3ir/Wyyd59C6qy8quAVwwuz+f9zqgWUX7iwSrvRkNwquQSBslLOSJSnDjzFPiCTwAP09JR2v0UchSLoiso5MwCCIifx9jndqd4TBqBQEjaQoYpuVAbTpLcLyQoEPOCOEmbDvkC5EuakOfw6RNA1IX9beFNNTR6XCA+dThIxSJbg9hZTr9w91ataQVa/kUrPtSHYVKG5N5GAhOZ51o9Rmk6B6pu0oArUwbV6IZmUHNG7UEZQbNzXCM1i9BirBRTcYkJwIRjEsb8EfYsJJ4lDASIS9pIwaJERXYrsfFPl/2R0aS2T9ujBQ6zcOSEPBgJWF01BPyBZQvxLSqYCFpUF5VZ6WNP8LEpwGAaSF3A4pOB0Oo1LAtvbYQfyeCSOz1+90z9M/TXr+qN9BpZZaUxGaFiK4qXnadq/jKgnV3r1O89NYu4o1CXHVIqZVVaB+0VBHbT++UdN2GM/IZCULu+ZgFqcsD0asrwoQRwAaS8K+EaUkmqZF1TRa3VJRVclLfW04qO+2z1Eud4PSaBKgNRKK2IHIth+XCK/iuFygz6K4hOBTgm
dxpSHOpjKULQDTNozF8CVBB5mksaq9G0RF7hkClWt6oBAcjeEXnTBvBIzpnldDkS+LNaMynArr7JTkRv5dCLwhmCvhXgqtLvsTxdWb53uH4OjN7zkaG/nVmJkUr1XclgvjXC9N0Lo2xwOnBVyVGGKeczWEspbopS+h19Oi+jGcOD6t6/G+9dDylukQJzTdZB4zg2SWsArx8ic6IP2dpeEPQ1TyWIao4RYwklHHEpwQFhIOvoFcIoysaBYJ9x90ROgOYI0jZFeTV0TucEjWjRrZK+1Mcxru4+R/Btpcv5ZgEMXqLyCxUFWGOEb6kc/mJfT7HUVYj0gXqOtB3aFxDf4p/vgPuNLQ4Z3Kv/ssHtbdhLNgqEpphzHfDmDcBFYZZOAjEuPgFOniVjY5bIu0+hYFVmKelAoWBOE/tMgFLyCJMsRcJKWXOWYT+FG0d1xAMAc6OYRAOku3ThOzujeOv9XF8KTksWNy7knNTyUE0halmGAWMxIhBrxMUxpyiEOb/hQ4Tw2LsT3cZvVVF5iBSSiVcyMks3RX/ysbrKmDVAH2tIwQqWipDm/qiEDVl4bksNZd3uKpHNB+mlkIyTzD3p2E8ORKuPBdFOWmoowSzlHj/Smm8K2SuyQgOPNGVu1rnmhJ0T/catmYaFV7L5JhFQd1kgUstYAiiOVQg9kUdjWuXSn29S8zGNS0lEr6CjcAgRilPGya2wVchTMC9ryBul8sIoHxK7lEzoFVX6S+rUkyzSXD3OiWes1IlJDXLuJpPUZcNpzrN4ulTLUtsbBG0cjnUNBy7PiOwsuvNua8sxZ9/Imkv2irvfNTOLUJFOeRLEjKSuorpyqx1SgGrhX2fpM6ShPFqQa5V2Hua8l/Ioi4tL4JOzDLfURrtfhA63QxTLxWGR64m9NIhfFSBTjlPaBwtFPB7zpPTOFo4wac49RQHAPw9TqHVwL6qChLC0jDlJOaqikGWkKMMWEiZXI2AdfEBZcvWHywOuVchHCDOtYicmWstJuhzWaZA1c0MQ0Ks9EKfW3lTmnLvmsBkV/eymV9yuTojwXKEm8mCzshkoJiqu9uuP+/XInxid1ZWseovqFz3nQkgtzc8GN+I6XnWq6o3FZwxCnVx9uFjUFQeglprlbJSa4mS4/JI8dAyZvnhu7J9Ml47XGLFDKjyUDGl0Q2B0ZlelU85C+MJwhMsRvuQBZtuBAWhz/VAEfBEjXoDpq6gxEBxQrgcP8ikTPWuQhIFzYje+jglu7KipvTd8sO7DfnUY0IjduHf5rj2/z3vZPizt9v4bs/z/s+4VlcUNlXFe43JwV5WhTo4kWfqZv35p96oEGMKaDsOZMPV25JIrbPI8YZME17owcMNXZhlXICGozAOTA4LdDFYn5IoQYIXDUmOzLaJeVFH4dWuT+MgFCLc1LXosyNeJJmPSJSSpui73YxNfEriZnUr8rFqoT2NTshiPXBTFaQwequoHQD1ijo83jmu7UmuyDYpnpj81mO+nwnv+TTe1XlCsrJq5FGsi4PDny6gawvpP7xxJr8+dCYf/HBRHgPqzs6A8ZxPKVPrncIJix/AUYc6mLTGcsUZ2tvUWtIaomxyvgI/IKnPwgQcn6MYM1uUluFRQfFhA2YTKcIpGsIvGyghbBbK4BoCZJB/2nDCZeAUwaDAkrtiN2WCuGfOebTQzZOI4gD0pCxT1UVJkenNhKExyRKpXkG/cmXRLnxX9oDBKKf/Nayu/d6sy/Zmp/2WWF7jpT9LtHqdOhINLW3rmCM3tAsTy0TMPQPXsE1lyZ0YPCHnZ8d1XaX4DVsLkt1yLEBZc1wTqj6u6a6BfvDCjK8ISdd0RdkM8135pzmuAef/66aRxBNhgTGbpM1ep9grskOFmHhLh1O6UZWDKQvAHko5xknZyUxr6VClepchn+EkBV3Xq1Y570tQojGeXLhIkcGZIqBcDVB0OnoEgGc4ScJ40khEoWLGD+Mn2VUW5Sov7z3FOQ0wjo3Vc7NoK6NAI3SJD
Z5xoVnFHz1YNZm6BDgbUtmd8ESrecZoymyVMaTSZJSTNO2r9nWNY7xljVaHJb0PYRrypbpfgCxbAFC3iknbjUDyxO+i4kNxo1Avhy2b9FUXImQVCiJBXtT52fEo5GLAAIYE8tXerJisB/I3gFr2fxoGAYmFPd052KlLKz+u/SrGBWrsMa716bgmZ3EALEuBGoQpPGJ0pj8gR1IezOVkLz9hlDGgo7J68ZAISqSvqp7DZVwrmRwtVQUI5/TN4tBaM7g5iwpWCZqWNoy+wSnKv+oZVrELcYoKSTksF1SpRURJYZalDEvmD0SaLCLbfDR6Oi9R9HgOUhAAAFH9jlM0zTtVNU822exTlQEHluC3PuPkACp0f8YgnaI6WFAhRopHI2n9JLaweJrtTV3inEWGqSr3wSYMliDKsEqSCCMhu+9i7TRMZiTmDpv1xrJZ+RnuakOU35ZZw2rlwNaUUQzLYff7mNLruT6W14SZ4e7Fq4vmTi9GcASSpOlOHV0cXDR32nSWRIQT8X140RzX2jj2SRSRQFiIi9ciCQ6Hs3nCVeKbUuKenBR0cDwhTMijo/I+5QqAznX141qWAiUfXjR3shShFzuSBiOxTWNOYr6jRkSCmB2Vhk7wAr0j6ARHoR+qWr6/aO6cx/IKQo6MLn6wSn035wgu5X/AUQjjhKyCHy3A9zQF9J8umjsDKgoLcRQt0Hl8i2NAQxf/uGjufJyGnERhKgYglws0oFHoL3YUnzLenRGc0rjMLLTTpzmUYhbaORIz0C5jlKnu2pELW6hD4lDWDcwK02t0NI8i2QZgAYz9RpSiYxpPdurQfCgO0jCbgASItn4Imeof0WsjMksow2whJOcyIjPIEZLzLqL+tebTxYGgBhYYQ75AoIvoCIeRpOpAkHVG0vnMpB+kQm3+5qmibAgwAPZFWP0Anc5Vh18cHsr+juXRaXSs+uPwNdTPbgiDq2fAi1d5Wlb+a1H+mehPdEb+PRfTFJUH5b8+zHEGjGSe1CjgNUiUsCKIUzQhcm0Cst7kyOexnJKGf2Q8ev19nt0mTB1UJiZnX/+Qg6i+PaLsEmw45P9o1gAbIGDOVAU/GcpwTOIJn6KTMJ1h7k8BW0hmm9E0RacsnIQxOiNByIgPLHwj2JWpP6RAP2dhi+c8AM5KoXpl5LUZTqck2Nkrz9TFGAKOV6H2nDESczlxHwmRU78lLTg66Z10YTsOnRGfhDckeLfgJK2jEeU4kr+rp2S7KcfMPaQaipxsMFW1oh8HTuRuHKxCpQmJy9PAU0hdhmcuBVcNBaUUOCiQJwahCOuQoUCyDhlmC36Gc6ir5b6Us92UsyYcn9qrZyt049p5fB3T21gNDfNTVVlpubEvFhZAjifc7ZIiDXyr3IJxLBYe6myPQf6SGoolydWcK8IYYTCMHoZcTsxH+FL/tQC0p4WPNTYhnKPYwi7EinFsRpNVdxWBVdSuNQDOL/Fao+A8uXw8MsvypTJ7euPBVG4bkoOmZ4CG4ttwVFkBbxbOiKe350u2wUZiylB4l8I6wHF2y3QUSBF2JActmBXjTnNmSQoZ2kYUSc81PU8sKrcr2zppatXPi/CGUhVyihpRYpEUEcmcXFwKVYrhspqPaBEs9uOlBlDSWM7XdRmAxSoNIdXzHyNJaVdWqrWCkqWK4j3Yy08L+GKCYYl106rQWhQpiP9ff5Lxizr/tM4cI4MtuHOVLvz5+dnxipWS+6x0qArkRakRYbM6Mlc+lhpho7BqK1wCcpphVaeDmnWtqzpt5qWA63HCZmlDJ0q7mjOzEkFIugTO2e1agqguQfxrVGY0pbxEUbk+oRjuqsBSUYEmdHBZW5p6CcDQxdXM+uuqJzxL7WmIJbppAzrG2aAhH8VoX0i3tfpWOLxxEwaE6qMbH8SHEwzPgzADa4mPZfpurrqDUHpp9aaI8uyC7CfbjpDdK9zCGvqaRHhxif1rezCUpRbW6rL0W8Fu3drW0M3+DDrjfTkZZ+zNkh0Mt
QHkmEkZCM1QxUgNZGiZ3cSn1yhJnqEumgBHknpEYNUGgP3We7U6DVSx+nGC1XpVwnDvCjxQ9DMB0uul3ixVa+gwlHGunSc0DcuwA5VqwyrH1WI8THkdtaLL+UwfplJ526p5ivFuBdSZq3RCw1Xoq8422O/MN1juzHe4zCIIhi4QMKoznECifwAGOsoFok5QZTWafemCX8coKFiHbcg74a9pHtSCo5c/DL3EMpSBq2/QGFci2Yh84etIPlJ3XzwMq5leouuxdaAabJ6KOaG6661rXoVja0Y1oLwK6NErbxpycG7yNuDp1fuQp2sjz8I0JRb6CaQoqakqoY4Y0YcHxbxSuNks04OTkkytXhpivJyhT+/y1qY5v9CSyXoV7YY6LCt+RjiGyzArdKTyhXSnupjxNLxhyAnqxhM8ITDsXao7yzFLW1f/HJ728wN097g0oN0ZutvdAfOagD5WBufb1eXEhi8X1L2UcB7Gk7RBvvgkkVGHWkNkfEHZoh3juHATQ9/kUGd7BTey435Lb7jILmwUlnnFRNoeX1grvuuWqloEped9IwavripsCF2RHkKg0v2UnDFydYlk+M6LAeYzwaslsZUk6B2OY8LuIIQm0t/y96Tyl90/Wlb1+vX7dB4Fwym9ld3XvRE2pEhH2wV097pi8oV7YZxyHEXgWz0chzMQIcmHdEpvYxcTRN1xVl9RH2yl21NwX4EpMu1OOoWTxLuEhj6COplfyERdW7cqSygpmtqgVG1Os91vzBhewPb3uNaRWzrjWl0eE2hFEb0VX3BGAbaexRccT2il8BtOJahhIjqNo4VI/F4WBvG2erOEMo5jrimAcwtyR/5/qfI/ie4X+vc3W+5/L8v7WuIem9L22BIPO4VYBWO7n8hbRWzGucCBH9TMb6RuqcBlM42nkTeFpuNayXNxOEUdmWAcjdSgfhT61zlgW3yaYNUCObTk0AuNThc0yosc95LO/FXoJfJnPi+9/uIUus9BAzGRhJOFdTGLjXoxp90g5GqRWem49K4d8wqEPBCgNhvqMkrckEQQufDdQkxRN7WTntFoErjW1g2dxaF3Sb8ITy/57d7NdcDpuXjOvgpAiNERxpx6EJ8D4gYZbK7AKszdHRBKf1M5IDJ6yQFr3LkAO1O4q+JqXvHWvANGbdsYe05VkOUFBpe4VCDrFRIlRmUIY1VgjQ7dyOoA3Ck0AliUyFp14dB8O778AK+XvcTrsCFloL9vTP99Y/rvG9N/35je5I1pvbnmGgLlT6wuGQKZb7WuWorfdexACXJh76SYvucUWk4TLxXVwekFhuNr5X/PcCxjVFkQpnPOM+zNIsXrLNvoSGdtG3dLGRWrOtN8E9f9UqHXprPLMCZB9nRh3rVrIqwR5tiM/lOM++MMbWxCuG1gGWLlTcc8rB0JJsSDY6ueH4UQkCu+oo0rymZeGk5izOeMeDcH9XuhHa6HFtAZDmMV3qcSA7LTQgwlCf7z2en5wGuf9tut0e6q2iJ8SSBm0s5btCP+LqlMRRzaqaMd6C/AlZlegkOm1uzE/NiDIPAevfwX8fl6RNRXVl2qFK6+Z9Edl+CP43+e9vrrsH8cn1bDKWLkhx06sUoGFOg4hl5RcRT/OhK3gWjEK6g37F811asMohk5bsVDhZ7j7cIK27ge8spLrNJeXgirhtQhSJhvXUjultNlAVX3TitHmI6SKm92VsIuO5S57gnMOGOSpx9bsbbVHfn5qUp1ukSA75SI3KnCdxwLcUAVBgoOiHiubmKm9iXQ3EqVkewYq2s27qnigIv+UrvaJUJ2ikp0UFSiwuOfX+vF9xZzTSlklFZedbyx0SIhaeGmHWwtnJ8d67uH45oMcpZffRySBDPMKYO9AteZywFmEGBTKkt2i8Wut3iJZcXVmDwmoWu005JxE8sRE113g06WXg3KzpDZh6yPKCPhJIYZ89KJpC6seh5pQzyGVmcB5GxlzpMT6BE5tzP6JgfI7lDkSYHFyTw9KnLMq
EaxzjyKV6yobA1m9A9PPSlasAI52hXMMfJO0LFb6R+eji0IZiHDMC9a5xWg075daNOs3Tp+XeDpBsK9CkqUOSgdtLYa6gr8mjejgBXGyZxrK7PiSLb9sGvJxDivZFeCFAwD5MOdR7kCuxllfnJV1VdL13m/hf7h4TimaQP4rE4jar7YEGrJ2lixlidkLYaY7TcUAkrQ7RQfHuachZdzDnX2+mj3oH64ZwY5zurNKvhb5KU8l8ehFQAlLysjdJQv/h9cNHdGZ63+sDfqnfa9417/F3113Uge/TrodvTtdSP93enpLyets1/UleM3dm735J3E+v6iicyMs26nd9Ztj7xB9+yk1e/2R/rCvwto1D0ZnJ61zn5Vtfxow3VOP/aPT1sdfenfyDo6a510O1mj/lGsANAcw4bq2Cql90CMWz7ZsyDZJabscRBrXC7viUqfWtzRMcYnWY8VxybqTtHyEUqOPS5eG4G76qV4MgYEhC/JxjnKdh0x4pPYX9TRgJGbkNxC4Ko1r3xVP0HiAFkxBrn7bmFJrx0RVsowy4OtGI66IALF7OXxYqqHG0bO8mHKik3CcstyASoWZcSiMavPpMBIvFLyIJmjZKMAk0hJkXHAsghetvgYrkJiWdfVSsSLMZNRQ36Uvuns5oJbcffY/3rvUg7mXMxxzKve05Tr/boP+YpSyULqPQ95atXYk3TF4TKsqtzgMsZSOmEJHmz0LPItS2PzzrBvKFT7ho5NRBtM7xjqDcTRaAAbiOvs3lVcc9UWzQ3otH3AZMcuCZC53i6JEJVs58t6IsTImFJ5GwZ6tphZ2qczM2X8e2HdMkEws/1ij5uZZl+XMmWHlpJDs8/sDN1lhl0p78eV2LGBLZy8yrKe2usr2T5jSVGXTXkq5zpCWdUTXln8FrlnqaO8VGhTqqOyOGK0OHRPhmEphWS5k5aqKBUqrMwJ/qJ+VepbRlWlohUgXBrm0C/3BpLoxIqgHIW88tsbdv4snJGROqtjhc4owMm95nyb2QUjA3igLHaHhEnt/iJml9j4/pyxdzrmhtUDLsJVnwDh6reha0ZgCEvbNh7Lwap0lcYZ/C7pnCNUbSnLuezojilboQ7Em6VOjXBIfoV9d0RxhWEDnpDUu1XZVbFUjQJ8GnuliKoFoIxmo+vLoVazVI9TSYcevhnBUctAeXzUQllWU6yiclxoYFaw3fjSeLDQmM0NBItRVssNKWRaDVl1gSyLJuuQZvPReodEm9kOqT4SM1FzzCcPBOYP+JSkG55ePNfjuCP9tWTgd24O+nJYGaNs+YXoytMCy04K6FFW1raHDbXsMMqizPzdSc08keUYM3HNy+ykZdb8K4txkckZMwiUoY5XlM1KG09ok8vHBgWrDLABaghtr4soQ7DV+pFcwiPnH14deK0okpu4ufyugiythy19EmnpGX6ZlD+Dv6tuAuSFjARH9H1uuElAUuL5mOOITszg7XvZS94QrLD532hcywr2xrX8MIEuU1beiqL3IXfUXP1WlQ1Qoj4n6Kv1OhNaevQUfNUiH/Vln9nhRzeeXibOMM2EFbjmnAlwy9NCQXbjXK2msAhOGOnrXll/mP1QRyDETWByfjngsR61srvLYHXW/0tnjKBW600VRaOXh+Y3tKMRYL5Ey96Hk2kUTqbWhYfVsI/ANqtHbdkwZUy0dqyvgGw5j0+wfzpErUS+NA63UQDEYG0liM3RzG968m1/7SnEhzlibLzDKbgXo0Q9E+Bs4fU6cqLG2SILHE5YqhYRP8ifMn2K06mXuav3OJ3qGQZlYrSVQOxcOUeEFBlMVwIxGcO1dNUoicKUSyXUIPIQWR2V3lsAPVfBYB3YaULjlKxEl2AKHzOebw7rjxW7dBmf3eJTyHbJjtEXq+abyL+CIHryvXlFfMPsO/07P2muOrBu9Fi90Et1s0Psw/xSoOo5b3JYzdoCr/V5Zwel1tjdBLiM6KV8IeK0v6KNTTdiBlBZhwo6ye5Vj4Vs1PXkj
/E7aDTfWnWxwrVUXNmWVbMGsDbqTX5pjFQgivMUT8qWyspccQYYfR71TrrDUetkgL5D//jxp9evfjx8JW+E2NarjHnUOxuOqtFhRrGijOPeh653Pmz93PWqCzoObwg0xi7s87vzfue422+ddOFIxzwOIr1D/nlwdtrWOQNGhd3JxvefP/aOer2+yPoYXoW9OE89PR/p5NM5V+kfW30FjeMM+GOrr4FxHOTAvbNuR5fNSJAXftbtZKUzkmN8ktDeJw36SYF5nzIYb/CLzQghp9mconLtAbjQHQ4beSfX7XS7C2Wm6BPoEgMNanf0lXpxx+gKm/0mvy0um6y1OGqx0eZdxq+cTyWKvcEvdcWWPNk85KPbLoxPzgfB4KZV0PvWUOU+vYHJ6zXMiiZu1cHZmPC5kAljdqbMALXvg5ip5dCkIHHqCpD0s78dwIVzfZFQIIq/2U7nMA6TRK5pijzp+jz5UyTmyu5Tn2KYI8AOEwlGw3y/KZ8fuBCOccplNPCOuYkvk5YhdkImx6fSqVvYOi8fe7X8bBvYU79FcgfiDVG5z5F9yOa1OMf+dEZirg1LnjIM/yiknKs40NYTM+Vs/ZyY6oG3h7+j79DO/nF4yTBb7P/M6Dwx5oj7cMa/4dNZAydJRBqx6N191YJ0H54MU1/7EOBrfwd9VyALarCT5cvYYoiaJYmiCtzqq9UTz/g2spVAZF9Gll5f94xvkT2Zx3+EiX5BsYM5zm/xZ3JZscSUi0T1QlMRxr3c5LzjdHqG5DuFq1aaUNzQ9lrfqIsbn/unoy7CaaZFyD8Q5nV03D0QyfnxAZE+7PcGg+4InrbLlQyyep1uf9Q76nXPdGlKcERm+6zbGvVO+53WqPsawf18rW8ZzNHpcad7dnLa6R312hk0cLmsMRnWcWs4Oh10+92OhrYVUwIeNj632u3T8/7otajcUCTIg+YeyvgChl5Bnt2ugqoh/41wVcrXi5JLuof81xJk2PtcANHKCKXY9TgU0P++8TmrxpZryCsUYAo35CsGjH4dmEVkm0hx43OnNWpBI/PXuj/32kJAdA4EwjFcVq/dPj497wx/7bd7/Z9P3/1TiBlOkX8AQ+gDKV6A3VTit24Jh1DCofaAuYSsW8BrKOC1JKGpRX1d7DeA/abxuTUatdrvT7r90UETirtDG76HQr4326B64dBYX4XTwE/uyfOONF25i/RVfl3otpi1a8f+J3juD43vxLSRBOqqjHTqnwaMQqAeGa+ncI+9Gqa4JOQwrQGv3L/VWU4rehPSCAKNsjk81vqF+PCQQTZVDS8j4khJw0kcxhMv1DFKANMPxMRZFZNO8eH3P9hoGsAqCuDQypNoeimMQNSrp77UIWtZcZHj00DO9j6GcUBvUwg4eBPykKilJ08lLAbYv8YT0guM/r4DUkEAis9j/terTy8L/2fPZP4GzVIl9oLfXr1983vdTHjz9gc74Ye3P/1eL2D99PbglQ118Ort7+h3tYCsUwFtEGEuSKsj1QC53ZXvy8rFx6X7shAfwyx4vVJVaRrPyzj49CZF12nYkzIZjszsIahVqwu5mJjrDJVC1I7C5JJitpbE5cDltdLC6L+0OGAerM/2FIqJKzFP4zbcVCxh6wwowT5CYx6SGeBFRLEUQOe8CF3ilPzwJiA+DQqPf8M1XBmbDYJVZdxQhe799up3fYRfTogKAEatyAy4cMJzmXz0MzdFItY1nyXB+8vrxsdBX1+0Qy+XRDhLHaqyPm7RSeuLc+jPP9G4Nq7l17X0DNIdyqrFWHiDo3x7Lv9WiNbktGABtUS9MpamxUy1ojIbOX8yGx5O3ZFRa4Kdwrkag5SyJzr8krme3HzvoVZadBMIfewPe4HJHkioj2NXMz/2h4YlumMzbeRiM2X7bJhqKh7E7xJ+JS0ldku4VS9qqze1TcME/zmf1VZQFQ9rq9xxvGr90lKLRs861Gdl7ZyygLAdka9+OoDe4ziICJPFZB9lQJXVGLBwhtlCw
pf26pwY8tJkUNRIF6z6q1dCjE8H6aNi7DA7WxvqnLfVQLoo49NVIZ7IU4sTR+a4ButQUrWyDwegYWGcBscCzvePq4yCi42m6uZsVKnVaOYQwsCzLwW6EKVpMUxKJdwRBNHVa2Tmt8T62B8O5um0PcVxTKKG+isL1x8dJ+g5C+WGbc9dks2SkvkpY9isd9mIUs9mJtcepyuNNmFl4A8Xk8S03cW7M+JTFvQC1KxQYHM9326KKLLQuFztm0trM5YKegHqdDdwEtYkR4xSbKO6oyhspSmRd1IK+XZDHQAjhuNUjHFHMgRVCcAkoOPciPzeGg7dJnGgBi2FoZB8GwsNCbsJfeINFykns14ckC/ez3zKHAOgVRj3Pxgmj2IdgTMS8vtud7SHmhXDIjlSvwxjzBa7wJ4skOzIcWKhjlLO5r5wcvMw5j+8uRzX9vbKdT5lleUah+EfqsZHKPuBJ6x0vwx9msBF7g715zMZTAANO8apCKuHrElbZWx0MRGBCfp4vXNjaFwrCha0MD989FgXvDVhq04gSelvkDupz4BP765BAunROlJPOuSFlftzf8CnhQ54EqYNGE0I4wtYQL0b62zUkhX6ZJ84ffkSjabwDnWOhHwazWdxiiJKr1EUXhOAk6LDcBzQmRS0lxINOJBSdEuENoaJGOgDhoSFYz+IXl0hTpEK1YxCjhJAjhYNZQmAf53Q57viHzA/1IO75HBt2TzHlyZRyHdTknhqvWJce6mMgfjyrsli77eD38UUSh8Pg1NJKgr02BHeGeqU/SrpEW0DdjgOw0p1Nq1l81NDdoInu8b7GfMpYfkdp4pMsyRpBY2Swj9sZL0RVFGzUGrLAjnSV+FbdyMd6avw1VCtiK6S1TijfIo4XxsoiIGKDA7l5Z1X6j395oRtJ5Yqt63blgKAhiP0VR5altrQHNdU/Y/mYYzDw0Vhcx0zdfSG2+BXApbiGD6ejXIf6n1IKY/B4Y+UXRsOe7kSGgCZouVpZSWy86wpG0Io0wpB3eltLF9hLqaVwXuczETXqxD2BlIhx42qp8eFJDdZLR0vJS3QlmeUERX3WnNOh/PZDLNF2b4Zmd+ejEPsvTCe6FnhankuYTyG7H5qOEShWgaydWMVR0dNsh3JLqSOHenBlb5OR4qpuToSX6rW9TLCeh1ynhKmCzymk0kYT1b3iQvpcbrl3opadJuaPB3ZcWjdiq7MXbu8bhxUlmbdo7aFQYO0ksReHrEy7iUOhRLMKxQVja3cCFqBsbYZ+Pr1fwIAAP//vmHbqCwlAQA="
- LET Specs <= parse_json(data=gunzip(string=base64decode(string=SPEC)))
- LET CheckHeader(OSPath) = read_file(filename=OSPath, length=12) = "SQLite forma"
- LET Bool(Value) = if(condition=Value, then="Yes", else="No")
-
- -- In fast mode we check the filename, then the header then run the sqlite precondition
- LET matchFilename(SourceName, OSPath) = OSPath =~ get(item=Specs.sources, field=SourceName).filename
- AND CheckHeader(OSPath=OSPath)
- AND Identify(SourceName= SourceName, OSPath= OSPath)
- AND log(message=format(format="%v matched by filename %v",
- args=[OSPath, get(item=Specs.sources, field=SourceName).filename]))
-
- -- If the user wanted to also upload the file, do so now
- LET MaybeUpload(OSPath) = if(condition=AlsoUpload, then=upload(file=OSPath)) OR TRUE
-
- LET Identify(SourceName, OSPath) = SELECT if(
- condition=CheckHeader(OSPath=OSPath),
- then={
- SELECT *
- FROM sqlite(file=OSPath, query=get(item=Specs.sources, field=SourceName).id_query)
- }) AS Hits
- FROM scope()
- WHERE if(condition=Hits[0].Check = get(item=Specs.sources, field=SourceName).id_value,
- then= log(message="%v was identified as %v",
- args=[OSPath, get(item=Specs.sources, field=SourceName).Name]),
- else=log(message="%v was not identified as %v (got %v, wanted %v)",
- args=[OSPath, get(item=Specs.sources, field=SourceName).Name, str(str=Hits),
- get(item=Specs.sources, field=SourceName).id_value]) AND FALSE)
-
- LET ApplyFile(SourceName) = SELECT * FROM foreach(row={
- SELECT OSPath FROM AllFiles
- WHERE if(condition=MatchFilename, then=matchFilename(SourceName=SourceName, OSPath=OSPath),
- else=Identify(SourceName= SourceName, OSPath= OSPath))
-
- }, query={
- SELECT *, OSPath FROM sqlite(
- file=OSPath, query=get(item=Specs.sources, field=SourceName).SQL)
- })
-
- -- Filter for matching files without sqlite checks.
- LET FilterFile(SourceName) =
- SELECT OSPath FROM AllFiles
- WHERE if(condition=MatchFilename,
- then=OSPath =~ get(item=Specs.sources, field=SourceName).filename)
-
- -- Build a regex for all enabled categories.
- LET all_categories = SELECT if(condition=_value = "All", then=".", else=_value) AS _value
- FROM foreach(row=["All","MacOS","Chrome","Browser","Edge","Firefox","InternetExplorer","Windows"])
- WHERE get(field=_value)
-
- LET category_regex <= join(sep="|", array=all_categories._value)
- LET AllGlobs <= filter(list=Specs.globs, condition="x=> x.tags =~ category_regex AND x.rule =~ RuleFilter")
- LET _ <= log(message="Globs for category %v is %v",
- args=[category_regex, CustomGlob || AllGlobs.glob])
- LET AllFiles <= SELECT OSPath FROM glob(globs=CustomGlob || AllGlobs.glob)
- WHERE NOT IsDir AND MaybeUpload(OSPath=OSPath)
-
-parameters:
-- name: RuleFilter
- type: regex
- description: Only collect rules matching this filter.
- default: "."
-
-- name: MatchFilename
- description: |
- If set we use the filename to detect the type of sqlite file.
- When unset we use heristics (slower)
- type: bool
- default: Y
-
-- name: CustomGlob
- description: Specify this glob to select other files
-
-- name: DateAfter
- description: Timebox output to rows after this time.
- type: timestamp
- default: "1970-01-01T00:00:00Z"
-
-- name: DateBefore
- description: Timebox output to rows after this time.
- type: timestamp
- default: "2100-01-01T00:00:00Z"
-
-- name: FilterRegex
- description: Filter critical rows by this regex
- type: regex
- default: .
-
-- name: All
- description: Select all tagrgets
- type: bool
- default: Y
-
-- name: MacOS
- description: Select targets with category MacOS
- type: bool
- default: N
-
-- name: Chrome
- description: Select targets with category Chrome
- type: bool
- default: N
-
-- name: Browser
- description: Select targets with category Browser
- type: bool
- default: N
-
-- name: Edge
- description: Select targets with category Edge
- type: bool
- default: N
-
-- name: Firefox
- description: Select targets with category Firefox
- type: bool
- default: N
-
-- name: InternetExplorer
- description: Select targets with category InternetExplorer
- type: bool
- default: N
-
-- name: Windows
- description: Select targets with category Windows
- type: bool
- default: N
-
-- name: SQLITE_ALWAYS_MAKE_TEMPFILE
- type: bool
- default: Y
-
-- name: AlsoUpload
- description: If specified we also upload the identified file.
- type: bool
-
-sources:
-- name: AllFiles
- notebook:
- - type: vql
- template: |
- // This cell generates other cells to preview the collected
- // data. DO NOT recalculate this cell - each time new cells
- // will be added. Instead delete the notebook and allow
- // Velociraptor to recreate the entire notebook.
- LET ArtifactsWithResults <=
- SELECT pathspec(accessor="fs", parse=Data.VFSPath)[4] AS Artifact ,
- pathspec(accessor="fs", parse=Data.VFSPath)[-1][:-5] AS Source ,
- stat(accessor="fs", filename=Data.VFSPath + ".index").Size / 8 AS Records
- FROM enumerate_flow(client_id=ClientId, flow_id=FlowId)
- WHERE Type =~ "Result" AND Records > 0
-
- LET _ <= SELECT notebook_update_cell(notebook_id=NotebookId, type="vql",
- input=format(format='''
- /*
- # Results From %v
- */
- SELECT * FROM source(source=%q)
- ''', args=[Source, Source]),
- output=format(format='''
- Recalculate to show Results from %v with %v rows
- ''', args=[Source, Records])) AS NotebookModification
- FROM ArtifactsWithResults
-
- /*
- # Results Overview
- */
- SELECT Source, Records FROM ArtifactsWithResults ORDER BY Source
-
- query: |
- SELECT * FROM AllFiles
-
-
-
-
-- name: "iMessage_Profiles"
- notebook:
- - type: vql
- output: "iMessage_Profiles - Recalculate to view results"
- template: |
- /*
- # iMessage_Profiles
- */
- SELECT * FROM source(source="iMessage_Profiles")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="iMessage_Profiles")
-
-
-
- LET Output = SELECT timestamp(epoch=date / 1000000000 + 978307200) AS Timestamp, *
- FROM Rows
- WHERE Timestamp > DateAfter AND Timestamp < DateBefore
- AND (MessageText, RoomName) =~ FilterRegex
-
- SELECT * FROM
- if(condition="iMessage_Profiles" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Autofill_Profiles"
- notebook:
- - type: vql
- output: "Chromium Browser Autofill_Profiles - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Autofill_Profiles
- */
- SELECT * FROM source(source="Chromium Browser Autofill_Profiles")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Profiles")
-
-
-
- LET Output = SELECT GUID,
- timestamp(epoch= date_modified) AS DateModified,
- timestamp(epoch= use_date) AS UseDate,
- FirstName, MiddleName, LastName, EmailAddress,
- PhoneNumber, CompanyName, StreetAddress,
- City, State, ZipCode, UseCount, OSPath
- FROM Rows
- WHERE UseDate > DateAfter AND UseDate < DateBefore
- AND (FirstName, MiddleName, LastName, EmailAddress, CompanyName, StreetAddress) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Autofill_Profiles" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Autofill_Masked Credit Cards"
- notebook:
- - type: vql
- output: "Chromium Browser Autofill_Masked Credit Cards - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Autofill_Masked Credit Cards
- */
- SELECT * FROM source(source="Chromium Browser Autofill_Masked Credit Cards")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Masked Credit Cards")
-
-
-
- LET Output = SELECT * FROM Rows
-
- SELECT * FROM
- if(condition="Chromium Browser Autofill_Masked Credit Cards" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Bookmarks"
- notebook:
- - type: vql
- output: "Chromium Browser Bookmarks - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Bookmarks
- */
- SELECT * FROM source(source="Chromium Browser Bookmarks")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Bookmarks")
-
- -- Recursive function to report the details of a folder
- LET ReportFolder(Data, BaseName) = SELECT * FROM chain(a={
- -- First row emit the data about the actual folder
- SELECT BaseName + " | " + Data.name AS Name,
- timestamp(winfiletime=int(int=Data.date_added) * 10) AS DateAdded,
- timestamp(winfiletime=int(int=Data.date_last_used) * 10) AS DateLastUsed,
- Data.type AS Type,
- Data.url || "" AS URL
- FROM scope()
- },
- b={
- -- If this folder has children recurse into it
- SELECT * FROM foreach(row={
- SELECT _value FROM items(item=Data.children)
- }, query={
- SELECT * FROM ReportFolder(Data=_value, BaseName=BaseName + " | " + Data.name)
- })
- })
-
- LET MatchingFiles = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Data
- FROM Rows
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT * FROM chain(
- a={
- SELECT OSPath, *, "bookmark_bar" AS Type
- FROM ReportFolder(Data=Data.roots.bookmark_bar, BaseName="")
- },
- b={
- SELECT OSPath, *, "other" AS Type
- FROM ReportFolder(Data=Data.roots.other, BaseName="")
- },
- c={
- SELECT OSPath, *, "synced" AS Type
- FROM ReportFolder(Data=Data.roots.synced, BaseName="")
- })
- })
-
- SELECT * FROM
- if(condition="Chromium Browser Bookmarks" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Cookies_Cookies"
- notebook:
- - type: vql
- output: "Chromium Browser Cookies_Cookies - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Cookies_Cookies
- */
- SELECT * FROM source(source="Chromium Browser Cookies_Cookies")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Cookies_Cookies")
-
-
-
- LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
- timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
- timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
- HostKey, Name, Path,
- Bool(Value=is_secure) AS IsSecure,
- Bool(Value=is_httponly) AS IsHttpOnly,
- Bool(Value=has_expires) AS HasExpiration,
- Bool(Value=is_persistent) AS IsPersistent,
- Priority, SourcePort, OSPath
- FROM Rows
- WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
- AND (Name, Path) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Cookies_Cookies" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Extensions"
- notebook:
- - type: vql
- output: "Chromium Browser Extensions - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Extensions
- */
- SELECT * FROM source(source="Chromium Browser Extensions")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Extensions")
-
- -- Resolve the message string against the Locale dict
- LET ResolveName(Message, Locale) = get(item=Locale,
- field=lowcase(string=parse_string_with_regex(regex="^__MSG_(.+)__$", string=Message).g1),
- default=Message).message || Message
-
- -- Read the manifest files
- LET ManifestData = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Manifest
- FROM Rows
-
- -- Find the Locale file to help with.
- LET LocaleData = SELECT *, if(condition=Manifest.default_locale, else=dict(),
- then=parse_json(data=read_file(
- filename=OSPath.Dirname + "_locales" + Manifest.default_locale + "messages.json"))) AS Locale
- FROM ManifestData
-
- LET GetIcon(Manifest) = Manifest.icons.`128` || Manifest.icons.`64` || Manifest.icons.`32` || Manifest.icons.`16`
-
- LET Output = SELECT OSPath, Manifest.author.email AS Email,
- ResolveName(Message = Manifest.name, Locale=Locale) AS name,
- ResolveName(Message = Manifest.description, Locale=Locale) AS description,
- Manifest.oauth2.scopes as Scopes,
- Manifest.permissions as Permissions,
- Manifest.key as Key, if(condition=GetIcon(Manifest=Manifest),
- then=upload(file=OSPath.Dirname + GetIcon(Manifest=Manifest))) AS Image,
- Manifest AS _Manifest
- FROM LocaleData
- WHERE (name, description) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Extensions" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Favicons"
- notebook:
- - type: vql
- output: "Chromium Browser Favicons - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Favicons
- */
- SELECT * FROM source(source="Chromium Browser Favicons")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Favicons")
-
-
-
- LET Output = SELECT ID, IconID,
- timestamp(winfiletime= (LastUpdated * 10) || 0) AS LastUpdated,
- PageURL, FaviconURL,
- upload(accessor="data",
- file=_image,
- name=format(format="Image%v.png", args=ID)) AS Image,
- OSPath as _OSPath
- FROM Rows
- WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
-
- SELECT * FROM
- if(condition="Chromium Browser Favicons" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser History_Visits"
- notebook:
- - type: vql
- output: "Chromium Browser History_Visits - Recalculate to view results"
- template: |
- /*
- # Chromium Browser History_Visits
- */
- SELECT * FROM source(source="Chromium Browser History_Visits")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Visits")
-
-
-
- LET Output = SELECT ID,
- timestamp(winfiletime=(visit_time * 10) || 0) AS VisitTime,
- timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
- URLTitle, URL, VisitCount, TypedCount,
- if(condition=hidden =~ '1', then="Yes", else="No") AS Hidden,
- VisitID, FromVisitID,
- visit_duration / 1000000 AS VisitDurationInSeconds,
- OSPath
- FROM Rows
- WHERE VisitTime > DateAfter
- AND VisitTime < DateBefore
- AND (URLTitle, URL) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser History_Visits" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser History_Downloads"
- notebook:
- - type: vql
- output: "Chromium Browser History_Downloads - Recalculate to view results"
- template: |
- /*
- # Chromium Browser History_Downloads
- */
- SELECT * FROM source(source="Chromium Browser History_Downloads")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Downloads")
-
- LET StateLookup <= dict(`0`='In Progress', `1`='Complete', `2`="Cancelled", `3`="Interrupted", `4`="Interrupted")
- LET DangerType <= dict(`0`='Not Dangerous', `1`="Dangerous", `2`='Dangerous URL', `3`='Dangerous Content',
- `4`='Content May Be Malicious', `5`='Uncommon Content', `6`='Dangerous But User Validated',
- `7`='Dangerous Host', `8`='Potentially Unwanted', `9`='Whitelisted by Policy')
- LET InterruptReason <= dict(`0`= 'No Interrupt', `1`= 'File Error', `2`='Access Denied', `3`='Disk Full',
- `5`='Path Too Long',`6`='File Too Large', `7`='Virus', `10`='Temporary Problem', `11`='Blocked',
- `12`='Security Check Failed', `13`='Resume Error', `20`='Network Error', `21`='Operation Timed Out',
- `22`='Connection Lost', `23`='Server Down', `30`='Server Error', `31`='Range Request Error',
- `32`='Server Precondition Error', `33`='Unable to get file', `34`='Server Unauthorized',
- `35`='Server Certificate Problem', `36`='Server Access Forbidden', `37`='Server Unreachable',
- `38`='Content Length Mismatch', `39`='Cross Origin Redirect', `40`='Cancelled', `41`='Browser Shutdown',
- `50`='Browser Crashed')
-
- LET Output = SELECT ID, GUID, CurrentPath, TargetPath, OriginalMIMEType, ReceivedBytes, TotalBytes,
- timestamp(winfiletime=(start_time * 10) || 0) AS StartTime,
- timestamp(winfiletime=(end_time * 10) || 0) AS EndTime,
- timestamp(winfiletime=(opened * 10) || 0) AS Opened,
- timestamp(winfiletime=(last_access_time * 10) || 0) AS LastAccessTime,
- timestamp(epoch=last_modified) AS LastModified,
- get(item=StateLookup, field=str(str=state), default="Unknown") AS State,
- get(item=DangerType, field=str(str=danger_type), default="Unknown") AS DangerType,
- get(item=InterruptReason, field=str(str=interrupt_reason), default="Unknown") AS InterruptReason,
- ReferrerURL, SiteURL, TabURL, TabReferrerURL, DownloadURL, OSPath
- FROM Rows
- WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
- AND (SiteURL, DownloadURL, TabURL, TabReferrerURL, ReferrerURL, DownloadURL) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser History_Downloads" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser History_Keywords"
- notebook:
- - type: vql
- output: "Chromium Browser History_Keywords - Recalculate to view results"
- template: |
- /*
- # Chromium Browser History_Keywords
- */
- SELECT * FROM source(source="Chromium Browser History_Keywords")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Keywords")
-
-
-
- LET Output = SELECT KeywordID, URLID,
- timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
- KeywordSearchTerm, Title, URL, OSPath
- FROM Rows
- WHERE LastVisitedTime > DateAfter AND LastVisitedTime < DateBefore
- AND (Title, KeywordSearchTerm, URL) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser History_Keywords" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Media_History"
- notebook:
- - type: vql
- output: "Chromium Browser Media_History - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Media_History
- */
- SELECT * FROM source(source="Chromium Browser Media_History")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_History")
-
-
-
- LET Output = SELECT ID, URL, WatchTimeSeconds,
- Bool(Value=has_video) AS HasVideo,
- Bool(Value=has_audio) AS HasAudio,
- timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated,
- OriginID, OSPath
- FROM Rows
- WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
- AND URL =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Media_History" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Media_Playback Session"
- notebook:
- - type: vql
- output: "Chromium Browser Media_Playback Session - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Media_Playback Session
- */
- SELECT * FROM source(source="Chromium Browser Media_Playback Session")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_Playback Session")
-
-
-
- LET Output = SELECT ID,
- timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated, URL,
- duration_ms / 1000 AS DurationInSeconds,
- position_ms / 1000 AS PositionInSeconds,
- Title, Artist, Album, SourceTitle, OriginID, OSPath
- FROM Rows
- WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
- AND URL =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Media_Playback Session" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Network_Predictor"
- notebook:
- - type: vql
- output: "Chromium Browser Network_Predictor - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Network_Predictor
- */
- SELECT * FROM source(source="Chromium Browser Network_Predictor")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Network_Predictor")
-
-
-
- LET Output = SELECT * FROM Rows
- WHERE UserText =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Network_Predictor" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Notifications_Site Engagements"
- notebook:
- - type: vql
- output: "Chromium Browser Notifications_Site Engagements - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Notifications_Site Engagements
- */
- SELECT * FROM source(source="Chromium Browser Notifications_Site Engagements")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Site Engagements")
-
- LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
-
- LET Output = SELECT * FROM foreach(row={
- SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
- }, query={
- SELECT _key AS Site,
- timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
- timestamp(winfiletime=int(int=_value.setting.lastEngagementTime) * 10 || 0) AS LastEngagementTime,
- OSPath
- FROM items(item=exceptions.site_engagement)
- })
-
- SELECT * FROM
- if(condition="Chromium Browser Notifications_Site Engagements" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Notifications_App Banners"
- notebook:
- - type: vql
- output: "Chromium Browser Notifications_App Banners - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Notifications_App Banners
- */
- SELECT * FROM source(source="Chromium Browser Notifications_App Banners")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_App Banners")
-
- LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
-
- LET Output = SELECT * FROM foreach(row={
- SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
- }, query={
- SELECT _key AS Site,
- timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
- {
- SELECT _key AS Site,
- timestamp(winfiletime=int(int=_value.couldShowBannerEvents) * 10 || 0) AS CouldShowBannerEvents,
- timestamp(winfiletime=int(int=_value.next_install_text_animation.last_shown) * 10 || 0) AS LastShown
- FROM items(item=_value.setting)
- } AS Setting,
- OSPath
- FROM items(item=exceptions.app_banner)
- })
-
- SELECT * FROM
- if(condition="Chromium Browser Notifications_App Banners" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Notifications_Notification Preferences"
- notebook:
- - type: vql
- output: "Chromium Browser Notifications_Notification Preferences - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Notifications_Notification Preferences
- */
- SELECT * FROM source(source="Chromium Browser Notifications_Notification Preferences")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Preferences")
-
- LET ContentSettings <= array(`0`="Default",`1`="Allow",`2`="Block",`3`="Ask",`4`="Session Only",`5`="Detect Important Content")
-
- LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
-
- LET Output = SELECT * FROM foreach(row={
- SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
- }, query={
- SELECT _key AS Site,
- timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
- ContentSettings[_value.setting] AS Setting,
- OSPath
- FROM items(item=exceptions.notifications)
- })
-
- SELECT * FROM
- if(condition="Chromium Browser Notifications_Notification Preferences" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Chromium Browser Notifications_Notification Interactions"
- notebook:
- - type: vql
- output: "Chromium Browser Notifications_Notification Interactions - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Notifications_Notification Interactions
- */
- SELECT * FROM source(source="Chromium Browser Notifications_Notification Interactions")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Interactions")
-
- LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
- LET S = scope()
-
- LET Output = SELECT * FROM foreach(row={
- SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
- }, query={
- SELECT _key AS URL,
- timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
- _value.display_count as DisplayCount,
- _value.click_count as ClickCount,
- OSPath
- FROM items(item=S.notification_interactions || dict())
- })
-
- SELECT * FROM
- if(condition="Chromium Browser Notifications_Notification Interactions" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Shortcuts"
- notebook:
- - type: vql
- output: "Chromium Browser Shortcuts - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Shortcuts
- */
- SELECT * FROM source(source="Chromium Browser Shortcuts")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Shortcuts")
-
-
-
- LET Output = SELECT ID,
- timestamp(winfiletime= (last_access_time * 10) || 0) AS LastAccessTime,
- TextTyped, FillIntoEdit, URL, Contents,
- Description, Type, Keyword, TimesSelectedByUser, OSPath
- FROM Rows
- WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
- AND (Contents, Description) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Browser Shortcuts" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Sessions_Sessions"
- notebook:
- - type: vql
- output: "Chromium Sessions_Sessions - Recalculate to view results"
- template: |
- /*
- # Chromium Sessions_Sessions
- */
- SELECT * FROM source(source="Chromium Sessions_Sessions")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Sessions_Sessions")
-
-
-
- LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
- timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
- timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
- HostKey, Name, Path,
- Bool(Value=is_secure) AS IsSecure,
- Bool(Value=is_httponly) AS IsHttpOnly,
- Bool(Value=has_expires) AS HasExpiration,
- Bool(Value=is_persistent) AS IsPersistent,
- Priority, SourcePort, OSPath
- FROM Rows
- WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
- AND (Name, Path) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Chromium Sessions_Sessions" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Chromium Browser Top Sites"
- notebook:
- - type: vql
- output: "Chromium Browser Top Sites - Recalculate to view results"
- template: |
- /*
- # Chromium Browser Top Sites
- */
- SELECT * FROM source(source="Chromium Browser Top Sites")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Top Sites")
-
-
-
- LET Output = SELECT * FROM Rows
- WHERE ( URL =~ FilterRegex OR Title =~ FilterRegex )
-
- SELECT * FROM
- if(condition="Chromium Browser Top Sites" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Edge Browser Autofill_CombinedAutofill"
- notebook:
- - type: vql
- output: "Edge Browser Autofill_CombinedAutofill - Recalculate to view results"
- template: |
- /*
- # Edge Browser Autofill_CombinedAutofill
- */
- SELECT * FROM source(source="Edge Browser Autofill_CombinedAutofill")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Autofill_CombinedAutofill")
-
-
-
- LET Output = SELECT timestamp(epoch=date_last_used) AS DateLastUsed, *
- FROM Rows
- WHERE DateLastUsed > DateAfter AND DateLastUsed < DateBefore
-
- SELECT * FROM
- if(condition="Edge Browser Autofill_CombinedAutofill" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Edge Browser Navigation History_Navigation History"
- notebook:
- - type: vql
- output: "Edge Browser Navigation History_Navigation History - Recalculate to view results"
- template: |
- /*
- # Edge Browser Navigation History_Navigation History
- */
- SELECT * FROM source(source="Edge Browser Navigation History_Navigation History")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Navigation History_Navigation History")
-
-
-
- LET Output = SELECT ID,
- timestamp(epoch=`Last Visited Time`) AS `Last Visited Time`,
- Title, URL, VisitCount, OSPath
- FROM Rows
- WHERE `Last Visited Time` > DateAfter
- AND `Last Visited Time` < DateBefore
- AND (Title, URL) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Edge Browser Navigation History_Navigation History" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Places"
- notebook:
- - type: vql
- output: "Firefox Places - Recalculate to view results"
- template: |
- /*
- # Firefox Places
- */
- SELECT * FROM source(source="Firefox Places")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places")
-
- LET BookmarkTypes <= dict(`1`="URL", `2`="Folder", `3`="Separator")
-
- LET Output = SELECT ID, ParentID,
- get(item= BookmarkTypes, field=str(str=type), default="Unknown") AS Type,
- timestamp(epoch=dateAdded) AS DateAdded,
- timestamp(epoch=lastModified) AS LastModified,
- Position, Title, URL, ForeignKey, OSPath
- FROM Rows
- WHERE LastModified > DateAfter AND LastModified < DateBefore
- AND (Title, URL) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Firefox Places" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Places_Downloads"
- notebook:
- - type: vql
- output: "Firefox Places_Downloads - Recalculate to view results"
- template: |
- /*
- # Firefox Places_Downloads
- */
- SELECT * FROM source(source="Firefox Places_Downloads")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_Downloads")
-
-
-
- LET Output = SELECT PlaceID, Content,
- timestamp(epoch=dateAdded) AS DateAdded,
- timestamp(epoch=lastModified) AS LastModified,
- OSPath
- FROM Rows
- WHERE LastModified > DateAfter AND LastModified < DateBefore
- AND Content =~ FilterRegex
-
- SELECT * FROM
- if(condition="Firefox Places_Downloads" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Places_History"
- notebook:
- - type: vql
- output: "Firefox Places_History - Recalculate to view results"
- template: |
- /*
- # Firefox Places_History
- */
- SELECT * FROM source(source="Firefox Places_History")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_History")
-
- LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
- `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
- `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
-
- LET Output = SELECT VisitID, FromVisitID,
- timestamp(epoch= last_visit_date) AS LastVisitDate,
- VisitCount, URL, Title, Description,
- get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
- Bool(Value=hidden) AS Hidden,
- Bool(Value=typed) AS Typed,
- Frecency, PreviewImageURL, OSPath
- FROM Rows
- WHERE LastVisitDate > DateAfter AND LastVisitDate < DateBefore
- AND (Title, URL, Description) =~ FilterRegex
-
- SELECT * FROM
- if(condition="Firefox Places_History" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Cookies"
- notebook:
- - type: vql
- output: "Firefox Cookies - Recalculate to view results"
- template: |
- /*
- # Firefox Cookies
- */
- SELECT * FROM source(source="Firefox Cookies")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Cookies")
-
-
-
- LET Output = SELECT ID, Host, Name, Value,
- timestamp(epoch= creationTime) AS CreationTime,
- timestamp(epoch= lastAccessed) AS LastAccessedTime,
- timestamp(epoch= expiry) AS Expiration,
- Bool(Value= isSecure) AS IsSecure,
- Bool(Value= isHttpOnly) AS IsHTTPOnly, OSPath
- FROM Rows
- WHERE LastAccessedTime > DateAfter
- AND LastAccessedTime < DateBefore
- AND ( Name =~ FilterRegex OR Value =~ FilterRegex )
-
- SELECT * FROM
- if(condition="Firefox Cookies" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Downloads"
- notebook:
- - type: vql
- output: "Firefox Downloads - Recalculate to view results"
- template: |
- /*
- # Firefox Downloads
- */
- SELECT * FROM source(source="Firefox Downloads")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Downloads")
-
-
-
- LET Output = SELECT ID, Name, MIMEType, Source, Target,
- timestamp(epoch= startTime) AS StartTime,
- timestamp(epoch= endTime) AS EndTime,
- timestamp(epoch= expiry) AS Expiration,
- CurrentBytes, MaxBytes, OSPath
- FROM Rows
- WHERE StartTime > DateAfter
- AND StartTime < DateBefore
- AND Name =~ FilterRegex
-
- SELECT * FROM
- if(condition="Firefox Downloads" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Favicons"
- notebook:
- - type: vql
- output: "Firefox Favicons - Recalculate to view results"
- template: |
- /*
- # Firefox Favicons
- */
- SELECT * FROM source(source="Firefox Favicons")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Favicons")
-
-
-
- LET Output = SELECT ID, PageURL, FaviconURL,
- timestamp(epoch= expire_ms) AS Expiration,
- OSPath
- FROM Rows
-
- SELECT * FROM
- if(condition="Firefox Favicons" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Firefox Form History"
- notebook:
- - type: vql
- output: "Firefox Form History - Recalculate to view results"
- template: |
- /*
- # Firefox Form History
- */
- SELECT * FROM source(source="Firefox Form History")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Form History")
-
-
-
- LET Output = SELECT ID, FieldName, Value, TimesUsed,
- timestamp(epoch= firstUsed) AS FirstUsed,
- timestamp(epoch= lastUsed) AS LastUsed,
- GUID, OSPath
- FROM Rows
- WHERE LastUsed > DateAfter AND LastUsed < DateBefore
- AND ( FieldName =~ FilterRegex OR Value =~ FilterRegex )
-
- SELECT * FROM
- if(condition="Firefox Form History" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "IE or Edge WebCacheV01_All Data"
- notebook:
- - type: vql
- output: "IE or Edge WebCacheV01_All Data - Recalculate to view results"
- template: |
- /*
- # IE or Edge WebCacheV01_All Data
- */
- SELECT * FROM source(source="IE or Edge WebCacheV01_All Data")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_All Data")
-
- LET MatchingFiles = SELECT OSPath FROM Rows
- LET S = scope()
-
- LET Containers(OSPath) = SELECT Table
- FROM parse_ese_catalog(file=OSPath)
- WHERE Table =~ "Container_"
- GROUP BY Table
-
- LET AllHits(OSPath) = SELECT * FROM foreach(row={
- SELECT * FROM Containers(OSPath=OSPath)
- }, query={
- SELECT timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
- timestamp(winfiletime=ModifiedTime) AS ModifiedTime,
- timestamp(winfiletime=AccessedTime) AS AccessedTime,
- S.Url AS Url, *
- FROM parse_ese(file=OSPath, table=Table)
- })
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT * FROM AllHits(OSPath=OSPath)
- })
- WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
- AND Url =~ FilterRegex
-
- SELECT * FROM
- if(condition="IE or Edge WebCacheV01_All Data" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "IE or Edge WebCacheV01_Highlights"
- notebook:
- - type: vql
- output: "IE or Edge WebCacheV01_Highlights - Recalculate to view results"
- template: |
- /*
- # IE or Edge WebCacheV01_Highlights
- */
- SELECT * FROM source(source="IE or Edge WebCacheV01_Highlights")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_Highlights")
-
-
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT AccessedTime, ModifiedTime, ExpiryTime, Url
- FROM AllHits(OSPath=OSPath)
- })
- WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
- AND Url =~ FilterRegex
-
- SELECT * FROM
- if(condition="IE or Edge WebCacheV01_Highlights" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "MacOS Applications Cache"
- notebook:
- - type: vql
- output: "MacOS Applications Cache - Recalculate to view results"
- template: |
- /*
- # MacOS Applications Cache
- */
- SELECT * FROM source(source="MacOS Applications Cache")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Applications Cache")
-
-
-
- LET Output = SELECT
- time_stamp AS Timestamp,
- OSPath.Base AS Application,
- entry_ID AS EntryID,
- version AS Version,
- hash_value AS Hash,
- storage_policy AS StoragePolicy,
- request_key AS URL,
- plist(file=request_object, accessor="data") AS Request,
- plist(file=response_object, accessor="data") AS Response,
- partition AS Partition,
- OSPath
- FROM Rows
- WHERE Timestamp > DateAfter AND Timestamp < DateBefore
- AND Application =~ FilterRegex
-
- SELECT * FROM
- if(condition="MacOS Applications Cache" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "MacOS NetworkUsage"
- notebook:
- - type: vql
- output: "MacOS NetworkUsage - Recalculate to view results"
- template: |
- /*
- # MacOS NetworkUsage
- */
- SELECT * FROM source(source="MacOS NetworkUsage")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS NetworkUsage")
-
-
-
- LET Output = SELECT timestamp(epoch= ZTIMESTAMP + 978307200) AS Timestamp,
- timestamp(epoch= ZFIRSTTIMESTAMP + 978307200) AS FirstTimestamp,
- timestamp(epoch= LIVE_USAGE_TIMESTAMP + 978307200) AS LiveUsageTimestamp,
- ZBUNDLENAME AS BundleID,
- ZPROCNAME AS ProcessName,
- ZWIFIIN AS WifiIn,
- ZWIFIOUT AS WifiOut,
- ZWWANIN AS WanIn,
- ZWWANOUT AS WandOut,
- ZWIREDIN AS WiredIn,
- ZWIREDOUT AS WiredOut,
- ZXIN AS _XIn,
- ZXOUT AS _XOut,
- Z_PK AS LiveUsageTableID
- FROM Rows
-
- SELECT * FROM
- if(condition="MacOS NetworkUsage" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "MacOS Notes"
- notebook:
- - type: vql
- output: "MacOS Notes - Recalculate to view results"
- template: |
- /*
- # MacOS Notes
- */
- SELECT * FROM source(source="MacOS Notes")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Notes")
-
-
-
- LET Output = SELECT Key AS _Key,
- OSPath[1] AS User,
- Note,
- Title,
- Snippet,
- NoteID AS _NoteID,
- timestamp(cocoatime=CreatedTS) AS CreatedTime,
- timestamp(cocoatime=LastOpenedDate) AS LastOpenedTime,
- timestamp(cocoatime=DirModificationDate) AS LastDirModifcation,
- Account AS _Account,
- Directory,
- DirectoryID,
- AttachmentName,
- AttachmentSize,
- AttachmentUUID,
- if(condition=AttachmentUUID,
- then=OSPath[:2] + '/Library/Group Containers/group.com.apple.notes/Accounts/LocalAccount/Media/' + AttachmentUUID + '/' + AttachmentName) AS AttachmentLocation,
- AccountName AS _AccountName,
- AccountID AS _AccountID,
- AccountType AS _AccountType,
- gunzip(string=Data) AS Data,
- OSPath
- FROM Rows
- WHERE LastOpenedTime > DateAfter AND LastOpenedTime < DateBefore
- AND ( Title =~ FilterRegex OR Data =~ FilterRegex )
-
- SELECT * FROM
- if(condition="MacOS Notes" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "MacOS XProtect Detections"
- notebook:
- - type: vql
- output: "MacOS XProtect Detections - Recalculate to view results"
- template: |
- /*
- # MacOS XProtect Detections
- */
- SELECT * FROM source(source="MacOS XProtect Detections")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS XProtect Detections")
-
-
-
- LET Output = SELECT *
- FROM Rows
- WHERE dt > DateAfter
- AND dt < DateBefore
- AND (violated_rule, exec_path, responsible_path, responsible_signing_id,
- exec_cdhash, exec_sha256, responsible_cdhash, responsible_sha256 ) =~ FilterRegex
-
- SELECT * FROM
- if(condition="MacOS XProtect Detections" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Windows Activities Cache_ActivityPackageId"
- notebook:
- - type: vql
- output: "Windows Activities Cache_ActivityPackageId - Recalculate to view results"
- template: |
- /*
- # Windows Activities Cache_ActivityPackageId
- */
- SELECT * FROM source(source="Windows Activities Cache_ActivityPackageId")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_ActivityPackageId")
-
-
-
- LET Output = SELECT format(format="%0X-%0X-%0X-%0X-%0X", args=[
- ActivityId[0:4], ActivityId[4:6], ActivityId[6:8],
- ActivityId[8:10], ActivityId[10:] ]) AS ActivityId,
- Platform, PackageName, ExpirationTime, OSPath
- FROM Rows
-
- SELECT * FROM
- if(condition="Windows Activities Cache_ActivityPackageId" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Windows Activities Cache_Clipboard"
- notebook:
- - type: vql
- output: "Windows Activities Cache_Clipboard - Recalculate to view results"
- template: |
- /*
- # Windows Activities Cache_Clipboard
- */
- SELECT * FROM source(source="Windows Activities Cache_Clipboard")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_Clipboard")
-
-
-
- LET Output = SELECT
- CreatedTime,
- timestamp(epoch=LastModifiedTime) AS LastModifiedTime,
- timestamp(epoch=LastModifiedOnClient) AS LastModifiedOnClient,
- StartTime,
- EndTime,
- Payload,
- OSPath[1] AS User,
- base64decode(string=parse_json_array(data=ClipboardPayload)[0].content) AS ClipboardPayload,
- OSPath AS Path,
- Mtime
- FROM Rows
- WHERE StartTime > DateAfter
- AND StartTime < DateBefore
- AND ClipboardPayload =~ FilterRegex
-
- SELECT * FROM
- if(condition="Windows Activities Cache_Clipboard" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-
-
-- name: "Windows WPNDatabase - Notifications_Notifications"
- notebook:
- - type: vql
- output: "Windows WPNDatabase - Notifications_Notifications - Recalculate to view results"
- template: |
- /*
- # Windows WPNDatabase - Notifications_Notifications
- */
- SELECT * FROM source(source="Windows WPNDatabase - Notifications_Notifications")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM ApplyFile(SourceName="Windows WPNDatabase - Notifications_Notifications")
-
-
-
- LET Output = SELECT *, Parent || "" AS Parent,
- timestamp(winfiletime= ArrivalTime) AS ArrivalTime,
- if(condition= ExpirationTime > 0,
- then=timestamp(winfiletime= ExpirationTime),
- else='Expired') AS ExpirationTime,
- format(format="%02x", args=ActivityId) As ActivityId,
- WNSId || "" AS WNSId,
-
- if(condition= WNSCreatedTime > 0,
- then=timestamp(winfiletime= WNSCreatedTime),
- else='') AS WNSCreatedTime,
-
- if(condition= WNSExpirationTime > 0,
- then=timestamp(winfiletime= WNSExpirationTime),
- else='') AS WNSExpirationTime,
-
- upload(accessor="data",
- file=Payload,
- name=format(format="Payload%v.png", args=ID)) AS Payload
-
- FROM Rows
-
- SELECT * FROM
- if(condition="Windows WPNDatabase - Notifications_Notifications" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_SystemIndex_Gthr"
- notebook:
- - type: vql
- output: "Windows Search Service_SystemIndex_Gthr - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_SystemIndex_Gthr
- */
- SELECT * FROM source(source="Windows Search Service_SystemIndex_Gthr")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_Gthr")
-
- LET MatchingFiles = SELECT OSPath FROM Rows
-
- LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(
- filename=T, accessor="data", struct="uint64b"))
-
- LET FormatTime(T) = timestamp(winfiletime=parse_binary(
- filename=T, accessor="data", struct="uint64"))
-
- LET FormatSize(T) = parse_binary(
- filename=T, accessor="data", struct="uint64")
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT ScopeID, DocumentID, SDID,
- FormatTimeB(T=LastModified) AS LastModified,
- FileName
- FROM parse_ese(file=OSPath, table= "SystemIndex_Gthr")
- })
- WHERE LastModified > DateAfter AND LastModified < DateBefore
- AND FileName =~ FilterRegex
-
- SELECT * FROM
- if(condition="Windows Search Service_SystemIndex_Gthr" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_SystemIndex_GthrPth"
- notebook:
- - type: vql
- output: "Windows Search Service_SystemIndex_GthrPth - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_SystemIndex_GthrPth
- */
- SELECT * FROM source(source="Windows Search Service_SystemIndex_GthrPth")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_GthrPth")
-
-
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT Scope, Parent, Name
- FROM parse_ese(file=OSPath, table= "SystemIndex_GthrPth")
- })
- WHERE Name =~ FilterRegex
-
- SELECT * FROM
- if(condition="Windows Search Service_SystemIndex_GthrPth" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_SystemIndex_PropertyStore"
- notebook:
- - type: vql
- output: "Windows Search Service_SystemIndex_PropertyStore - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_SystemIndex_PropertyStore
- */
- SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore")
-
- LET X = scope()
-
- -- The PropertyStore columns look like
- -- -ProperName so we strip the
- -- random part off to display it properly.
- LET FilterDict(Dict) = to_dict(item={
- SELECT split(sep_string="-", string=_key)[1] || _key AS _key, _value
- FROM items(item=Dict)
- })
-
- LET PropStore(OSPath) = SELECT *,
- FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,
- FormatSize(T=X.System_Size) AS System_Size,
- FormatTime(T=X.System_DateModified) AS System_DateModified,
- FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,
- FormatTime(T=X.System_DateCreated) AS System_DateCreated
- FROM foreach(row={
- SELECT *, FilterDict(Dict=_value) AS _value
- FROM items(item={
- SELECT * FROM parse_ese(file=OSPath, table="SystemIndex_PropertyStore")
- })
- }, column="_value")
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT *
- FROM PropStore(OSPath=OSPath)
- })
- WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore
-
- SELECT * FROM
- if(condition="Windows Search Service_SystemIndex_PropertyStore" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_SystemIndex_PropertyStore_Highlights"
- notebook:
- - type: vql
- output: "Windows Search Service_SystemIndex_PropertyStore_Highlights - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_SystemIndex_PropertyStore_Highlights
- */
- SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore_Highlights")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore_Highlights")
-
-
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT WorkID,
- System_Search_GatherTime,
- System_Size,
- System_DateModified,
- System_DateCreated,
- X.System_FileOwner AS System_FileOwner,
- X.System_ItemPathDisplay AS System_ItemPathDisplay,
- X.System_ItemType AS System_ItemType,
- X.System_FileAttributes AS System_FileAttributes,
- X.System_Search_AutoSummary AS System_Search_AutoSummary
- FROM PropStore(OSPath=OSPath)
- })
- WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore
-
- SELECT * FROM
- if(condition="Windows Search Service_SystemIndex_PropertyStore_Highlights" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_BrowsingActivity"
- notebook:
- - type: vql
- output: "Windows Search Service_BrowsingActivity - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_BrowsingActivity
- */
- SELECT * FROM source(source="Windows Search Service_BrowsingActivity")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_BrowsingActivity")
-
-
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT X.ItemPathDisplay AS ItemPathDisplay,
- X.Activity_ContentUri AS Activity_ContentUri,
- X.Activity_Description AS Activity_Description
- FROM PropStore(OSPath=OSPath)
- WHERE Activity_ContentUri
- })
-
- SELECT * FROM
- if(condition="Windows Search Service_BrowsingActivity" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-
-- name: "Windows Search Service_UserActivityLogging"
- notebook:
- - type: vql
- output: "Windows Search Service_UserActivityLogging - Recalculate to view results"
- template: |
- /*
- # Windows Search Service_UserActivityLogging
- */
- SELECT * FROM source(source="Windows Search Service_UserActivityLogging")
- LIMIT 50
- query: |
- LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_UserActivityLogging")
-
-
-
- LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
- SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,
- FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,
- FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,
- X.ActivityHistory_AppId AS ActivityHistory_AppId
- FROM PropStore(OSPath=OSPath)
- WHERE ActivityHistory_AppId
- })
- WHERE ActivityHistory_StartTime > DateAfter
- AND ActivityHistory_StartTime < DateBefore
-
- SELECT * FROM
- if(condition="Windows Search Service_UserActivityLogging" =~ RuleFilter, then={
- SELECT * FROM Output
- })
-
-