The Velociraptor SQLiteHunter Site
This repository maintains the source for the Generic.Forensic.SQLiteHunter VQL artifact. The artifact is designed to be an efficient and mostly automated way to identify, parse and collect SQLite-based artifacts from various applications on the endpoint.
The produced artifact is self-contained and can be loaded into Velociraptor (https://docs.velociraptor.app) to hunt quickly and efficiently across a large number of endpoints.
You can download the latest artifact pack as a zip file, or as a YAML file and add it manually to Velociraptor.
Parameters
RuleFilter: If you don't want to run all the rules, restrict them to the ones matching this regular expression. The regex is matched against each rule's source name (for example "Chromium Browser History_Visits"), so a filter such as "Chromium Browser History|Firefox Places" collects only those rules. The default "." matches everything.
Rules: Alternatively, the rules may be selected one at a time using the multi-choice selector. When any rules are selected here they are joined into a single regex that replaces RuleFilter.
MatchFilename: Rules generally look for SQLite files using known filenames. When this option is set, a file must match the rule's filename pattern, carry the SQLite header and pass the rule's identification query before it is parsed. If it is unset, the filename is ignored and the artifact relies on automatic detection alone (the header check followed by the identification query, which enumerates the tables in the SQLite file). That makes scanning much slower, so the setting is enabled by default. Note that rules which parse JSON files rather than SQLite databases (Chromium bookmarks, extensions and preferences) match on filename only and return nothing when MatchFilename is unset.
CustomGlob: Rules default to searching for SQLite files using known globs. If you have SQLite files in a different location (for example files already collected with Windows.KapeFiles.Targets and unpacked to disk), specify a custom glob such as /tmp/unpacked/** and it is used instead of the rules' default globs.
DateAfter and DateBefore: These settings time-box the returned rows to items that occurred between the specified dates. Each source applies the box to its own main timestamp column (for example VisitTime for browser history visits, LastAccessUTC for cookies).
FilterRegex: A filter applied to the row (encoded as JSON). This is very useful to find all relevant rows relating to a specific item: for example, to find any rows referring to www.example.com you can specify that as the filter, which returns records such as visited links, bookmarks, favicons, etc. Note that each source in the artifact applies the regex to its most informative columns (for example URLTitle and URL for history visits, Name and Path for cookies), not to every column.
SQLITE_ALWAYS_MAKE_TEMPFILE: By default Velociraptor makes a temporary copy of the SQLite file before parsing it. This ensures the file is not locked and can be freely read even while the owning application has it open. If this setting is turned off, parsing may be a lot slower because Velociraptor has to contend with application locks. There is probably no reason to disable this.
AlsoUpload: This option also uploads the raw SQLite files that were identified, so they can be examined offline with other tools.
Artifact
name: Generic.Forensic.SQLiteHunter
description: |
  Hunt for SQLite files.

  SQLite has become the de-facto standard for storing application data,
  in many types of applications:

  - Web Browsers
  - Operating Systems
  - Various applications, such as iMessage, TCC etc

  This artifact can hunt for these artifacts in a mostly automated way.

  More info at https://github.com/Velocidex/SQLiteHunter

  NOTE: If you want to use this artifact on just a bunch of files already
  collected (for example the files collected using the
  Windows.KapeFiles.Targets artifact) you can use the CustomGlob parameter
  (for example set it to "/tmp/unpacked/**" to consider all files in the
  unpacked directory).

column_types:
  - name: Image
    type: preview_upload
  - name: Payload
    type: preview_upload

export: |
  LET SPEC <= "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"
  LET Specs <= parse_json(data=gunzip(string=base64decode(string=SPEC)))

  LET CheckHeader(OSPath) = read_file(filename=OSPath, length=12) = "SQLite forma"
  LET Bool(Value) = if(condition=Value, then="Yes", else="No")

  -- In fast mode we check the filename, then the header, then run the sqlite precondition
  LET matchFilename(SourceName, OSPath) = OSPath =~ get(item=Specs.sources, field=SourceName).filename
     AND CheckHeader(OSPath=OSPath)
     AND Identify(SourceName= SourceName, OSPath= OSPath)
     AND log(message=format(format="%v matched by filename %v",
                            args=[OSPath, get(item=Specs.sources, field=SourceName).filename]))

  -- If the user wanted to also upload the file, do so now
  LET MaybeUpload(OSPath) = if(condition=AlsoUpload, then=upload(file=OSPath)) OR TRUE

  LET Identify(SourceName, OSPath) = SELECT if(
      condition=CheckHeader(OSPath=OSPath),
      then={
        SELECT *
        FROM sqlite(file=OSPath, query=get(item=Specs.sources, field=SourceName).id_query)
      }) AS Hits
    FROM scope()
    WHERE if(condition=Hits[0].Check = get(item=Specs.sources, field=SourceName).id_value,
             then= log(message="%v was identified as %v",
                       args=[OSPath, get(item=Specs.sources, field=SourceName).Name]),
             else=log(message="%v was not identified as %v (got %v, wanted %v)",
                      args=[OSPath, get(item=Specs.sources, field=SourceName).Name, str(str=Hits),
                            get(item=Specs.sources, field=SourceName).id_value]) AND FALSE)

  LET ApplyFile(SourceName) = SELECT * FROM foreach(row={
      SELECT OSPath FROM AllFiles
      WHERE if(condition=MatchFilename, then=matchFilename(SourceName=SourceName, OSPath=OSPath),
               else=Identify(SourceName= SourceName, OSPath= OSPath))
    }, query={
      SELECT *, OSPath FROM sqlite(
        file=OSPath, query=get(item=Specs.sources, field=SourceName).SQL)
    })

  -- Filter for matching files without sqlite checks.
  LET FilterFile(SourceName) =
    SELECT OSPath FROM AllFiles
    WHERE if(condition=MatchFilename,
             then=OSPath =~ get(item=Specs.sources, field=SourceName).filename)

  -- Build a regex for all enabled categories.
  LET all_categories = SELECT if(condition=_value = "All", then=".", else=_value) AS _value
    FROM foreach(row=["All","MacOS","Chrome","Browser","Edge","Firefox","Google","Cloud","SyncClient","InternetExplorer","Windows"])
    WHERE get(field=_value)
parameters:
- name: RuleFilter
type: regex
description: Only collect rules matching this regex filter.
default: "."
- name: Rules
type: multichoice
description: Only collect these rules
default: '[]'
choices:
- "Chromium Browser Autofill"
- "Chromium Browser Bookmarks"
- "Chromium Browser Cookies"
- "Chromium Browser Extensions"
- "Chromium Browser Favicons"
- "Chromium Browser History"
- "Chromium Browser Media"
- "Chromium Browser Network"
- "Chromium Browser Notifications"
- "Chromium Browser Shortcuts"
- "Chromium Browser Top Sites"
- "Chromium Sessions"
- "Edge Browser Autofill"
- "Edge Browser Collections"
- "Edge Browser History Screenshots"
- "Edge Browser Navigation History"
- "Firefox Cookies"
- "Firefox Downloads"
- "Firefox Favicons"
- "Firefox Form History"
- "Firefox Places"
- "Google Drive Metadata"
- "Google Drive Mirrored Files"
- "Google Drive Mirrored Metadata Files"
- "Google Drive Sync Roots"
- "IE or Edge WebCacheV01"
- "MacOS Applications Cache"
- "MacOS NetworkUsage"
- "MacOS Notes"
- "MacOS XProtect Detections"
- "Windows Activities Cache"
- "Windows Search Service"
- "Windows WPNDatabase - Notifications"
- "iMessage"
- name: MatchFilename
description: |
If set we use the filename to detect the type of sqlite file.
When unset we use heuristics (slower)
type: bool
default: Y
- name: CustomGlob
description: Specify this glob to select other files
- name: DateAfter
description: Timebox output to rows after this time.
type: timestamp
default: "1970-01-01T00:00:00Z"
- name: DateBefore
description: Timebox output to rows before this time.
type: timestamp
default: "2100-01-01T00:00:00Z"
- name: FilterRegex
description: Filter critical rows by this regex
type: regex
default: .
- name: All
description: Select all targets
type: bool
default: Y
- name: MacOS
description: Select targets with category MacOS
type: bool
default: N
- name: Chrome
description: Select targets with category Chrome
type: bool
default: N
- name: Browser
description: Select targets with category Browser
type: bool
default: N
- name: Edge
description: Select targets with category Edge
type: bool
default: N
- name: Firefox
description: Select targets with category Firefox
type: bool
default: N
- name: Google
description: Select targets with category Google
type: bool
default: N
- name: Cloud
description: Select targets with category Cloud
type: bool
default: N
- name: SyncClient
description: Select targets with category SyncClient
type: bool
default: N
- name: InternetExplorer
description: Select targets with category InternetExplorer
type: bool
default: N
- name: Windows
description: Select targets with category Windows
type: bool
default: N
- name: SQLITE_ALWAYS_MAKE_TEMPFILE
description: |
Make a temporary copy of each SQLite file before parsing it, so the
parser never contends with the owning application's locks. Turning
this off can make parsing much slower.
type: bool
default: Y
- name: AlsoUpload
description: If specified we also upload the identified file.
type: bool
sources:
- name: AllFiles
notebook:
- type: vql
template: |
// This cell generates other cells to preview the collected
// data. DO NOT recalculate this cell - each time new cells
// will be added. Instead delete the notebook and allow
// Velociraptor to recreate the entire notebook.
LET ArtifactsWithResults <=
SELECT pathspec(accessor="fs", parse=Data.VFSPath)[4] AS Artifact ,
pathspec(accessor="fs", parse=Data.VFSPath)[-1][:-5] AS Source ,
stat(accessor="fs", filename=Data.VFSPath + ".index").Size / 8 AS Records
FROM enumerate_flow(client_id=ClientId, flow_id=FlowId)
WHERE Type =~ "Result" AND Records > 0
LET _ <= SELECT notebook_update_cell(notebook_id=NotebookId, type="vql",
input=format(format='''
/*
# Results From %v
*/
SELECT * FROM source(source=%q)
''', args=[Source, Source]),
output=format(format='''
<i>Recalculate</i> to show Results from <b>%v</b> with <b>%v</b> rows
''', args=[Source, Records])) AS NotebookModification
FROM ArtifactsWithResults
/*
# Results Overview
*/
SELECT Source, Records FROM ArtifactsWithResults ORDER BY Source
query: |
LET category_regex <= join(sep="|", array=all_categories._value)
LET RuleFilter <= if(condition=Rules,
then=join(array=Rules, sep="|"),
else=RuleFilter)
LET _ <= log(level="DEBUG", message="Rule Filter is %v", args=RuleFilter)
LET AllGlobs <= filter(list=Specs.globs,
condition="x=> x.tags =~ category_regex AND x.rule =~ RuleFilter")
LET _ <= log(message="Globs for category %v is %v",
args=[category_regex, CustomGlob || AllGlobs.glob])
LET AllFiles <= SELECT OSPath FROM glob(globs=CustomGlob || AllGlobs.glob)
WHERE NOT IsDir AND MaybeUpload(OSPath=OSPath)
SELECT * FROM AllFiles
- name: "iMessage_Profiles"
notebook:
- type: none
output: "iMessage_Profiles - Recalculate to view results"
template: |
/*
# iMessage_Profiles
*/
SELECT * FROM source(source="iMessage_Profiles")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="iMessage_Profiles")
LET Output = SELECT timestamp(epoch=date / 1000000000 + 978307200) AS Timestamp, *
FROM Rows
WHERE Timestamp > DateAfter AND Timestamp < DateBefore
AND (MessageText, RoomName) =~ FilterRegex
SELECT * FROM
if(condition="iMessage_Profiles" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Autofill_Profiles"
notebook:
- type: none
output: "Chromium Browser Autofill_Profiles - Recalculate to view results"
template: |
/*
# Chromium Browser Autofill_Profiles
*/
SELECT * FROM source(source="Chromium Browser Autofill_Profiles")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Profiles")
LET Output = SELECT GUID,
timestamp(epoch= date_modified) AS DateModified,
timestamp(epoch= use_date) AS UseDate,
FirstName, MiddleName, LastName, EmailAddress,
PhoneNumber, CompanyName, StreetAddress,
City, State, ZipCode, UseCount, OSPath
FROM Rows
WHERE UseDate > DateAfter AND UseDate < DateBefore
AND (FirstName, MiddleName, LastName, EmailAddress, CompanyName, StreetAddress) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Autofill_Profiles" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Autofill_Masked Credit Cards"
notebook:
- type: none
output: "Chromium Browser Autofill_Masked Credit Cards - Recalculate to view results"
template: |
/*
# Chromium Browser Autofill_Masked Credit Cards
*/
SELECT * FROM source(source="Chromium Browser Autofill_Masked Credit Cards")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Masked Credit Cards")
LET Output = SELECT * FROM Rows
SELECT * FROM
if(condition="Chromium Browser Autofill_Masked Credit Cards" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Bookmarks"
notebook:
- type: none
output: "Chromium Browser Bookmarks - Recalculate to view results"
template: |
/*
# Chromium Browser Bookmarks
*/
SELECT * FROM source(source="Chromium Browser Bookmarks")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Bookmarks")
-- Recursive function to report the details of a folder
LET ReportFolder(Data, BaseName) = SELECT * FROM chain(a={
-- First row emit the data about the actual folder
SELECT BaseName + " | " + Data.name AS Name,
timestamp(winfiletime=int(int=Data.date_added) * 10) AS DateAdded,
timestamp(winfiletime=int(int=Data.date_last_used) * 10) AS DateLastUsed,
Data.type AS Type,
Data.url || "" AS URL
FROM scope()
},
b={
-- If this folder has children recurse into it
SELECT * FROM foreach(row={
SELECT _value FROM items(item=Data.children)
}, query={
SELECT * FROM ReportFolder(Data=_value, BaseName=BaseName + " | " + Data.name)
})
})
LET MatchingFiles = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Data
FROM Rows
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT * FROM chain(
a={
SELECT OSPath, *, "bookmark_bar" AS Type
FROM ReportFolder(Data=Data.roots.bookmark_bar, BaseName="")
},
b={
SELECT OSPath, *, "other" AS Type
FROM ReportFolder(Data=Data.roots.other, BaseName="")
},
c={
SELECT OSPath, *, "synced" AS Type
FROM ReportFolder(Data=Data.roots.synced, BaseName="")
})
})
SELECT * FROM
if(condition="Chromium Browser Bookmarks" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Cookies_Cookies"
notebook:
- type: none
output: "Chromium Browser Cookies_Cookies - Recalculate to view results"
template: |
/*
# Chromium Browser Cookies_Cookies
*/
SELECT * FROM source(source="Chromium Browser Cookies_Cookies")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Cookies_Cookies")
LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
HostKey, Name, Path,
Bool(Value=is_secure) AS IsSecure,
Bool(Value=is_httponly) AS IsHttpOnly,
Bool(Value=has_expires) AS HasExpiration,
Bool(Value=is_persistent) AS IsPersistent,
Priority, SourcePort, OSPath
FROM Rows
WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
AND (Name, Path) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Cookies_Cookies" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Extensions"
notebook:
- type: none
output: "Chromium Browser Extensions - Recalculate to view results"
template: |
/*
# Chromium Browser Extensions
*/
SELECT * FROM source(source="Chromium Browser Extensions")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Extensions")
-- Resolve the message string against the Locale dict
LET ResolveName(Message, Locale) = get(item=Locale,
field=lowcase(string=parse_string_with_regex(regex="^__MSG_(.+)__$", string=Message).g1),
default=Message).message || Message
-- Read the manifest files
LET ManifestData = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Manifest
FROM Rows
-- Find the extension's default-locale messages.json so __MSG_*__ placeholders in name and description can be resolved.
LET LocaleData = SELECT *, if(condition=Manifest.default_locale, else=dict(),
then=parse_json(data=read_file(
filename=OSPath.Dirname + "_locales" + Manifest.default_locale + "messages.json"))) AS Locale
FROM ManifestData
LET GetIcon(Manifest) = Manifest.icons.`128` || Manifest.icons.`64` || Manifest.icons.`32` || Manifest.icons.`16`
LET Output = SELECT OSPath, Manifest.author.email AS Email,
ResolveName(Message = Manifest.name, Locale=Locale) AS name,
ResolveName(Message = Manifest.description, Locale=Locale) AS description,
Manifest.oauth2.scopes as Scopes,
Manifest.permissions as Permissions,
Manifest.key as Key, if(condition=GetIcon(Manifest=Manifest),
then=upload(file=OSPath.Dirname + GetIcon(Manifest=Manifest))) AS Image,
Manifest AS _Manifest
FROM LocaleData
WHERE (name, description) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Extensions" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Favicons"
notebook:
- type: none
output: "Chromium Browser Favicons - Recalculate to view results"
template: |
/*
# Chromium Browser Favicons
*/
SELECT * FROM source(source="Chromium Browser Favicons")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Favicons")
LET Output = SELECT ID, IconID,
timestamp(winfiletime= (LastUpdated * 10) || 0) AS LastUpdated,
PageURL, FaviconURL,
upload(accessor="data",
file=_image,
name=format(format="Image%v.png", args=ID)) AS Image,
OSPath as _OSPath
FROM Rows
WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
SELECT * FROM
if(condition="Chromium Browser Favicons" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser History_Visits"
notebook:
- type: none
output: "Chromium Browser History_Visits - Recalculate to view results"
template: |
/*
# Chromium Browser History_Visits
*/
SELECT * FROM source(source="Chromium Browser History_Visits")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Visits")
LET Output = SELECT ID,
timestamp(winfiletime=(visit_time * 10) || 0) AS VisitTime,
timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
URLTitle, URL, VisitCount, TypedCount,
if(condition=hidden =~ '1', then="Yes", else="No") AS Hidden,
VisitID, FromVisitID,
visit_duration / 1000000 AS VisitDurationInSeconds,
OSPath
FROM Rows
WHERE VisitTime > DateAfter
AND VisitTime < DateBefore
AND (URLTitle, URL) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser History_Visits" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser History_Downloads"
notebook:
- type: none
output: "Chromium Browser History_Downloads - Recalculate to view results"
template: |
/*
# Chromium Browser History_Downloads
*/
SELECT * FROM source(source="Chromium Browser History_Downloads")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Downloads")
LET StateLookup <= dict(`0`='In Progress', `1`='Complete', `2`="Cancelled", `3`="Interrupted", `4`="Interrupted")
LET DangerType <= dict(`0`='Not Dangerous', `1`="Dangerous", `2`='Dangerous URL', `3`='Dangerous Content',
`4`='Content May Be Malicious', `5`='Uncommon Content', `6`='Dangerous But User Validated',
`7`='Dangerous Host', `8`='Potentially Unwanted', `9`='Whitelisted by Policy',
`10`='Download Pending Detailed Verdict', `11`='Blocked By Policy Password Protected', `12`='Blocked By Policy Download Too Large',
`13`='Sensitive Content Warning', `14`='Sensitive Content Blocked', `15`='Deep Scanned Safe',
`16`='Deep Scanned Dangerous But Opened By User', `17`='Prompt For Deep Scanning', `18`='Blocked Unsupported Filetype',
`19`='Dangerous Associated With Account Compromise', `20`='Deep Scan Failed', `21`='Encrypted Archive Prompt for Local Password Scanning',
`22`='Encrypted Archive Prompt for Local Password Scanning Pending Detailed Verdict', `23`='Blocked by Policy Scan Failed')
LET InterruptReason <= dict(`0`= 'No Interrupt', `1`= 'File Error', `2`='Access Denied', `3`='Disk Full',
`5`='Path Too Long',`6`='File Too Large', `7`='Virus', `10`='Temporary Problem', `11`='Blocked',
`12`='Security Check Failed', `13`='Resume Error File Too Short', `14`='File Hash Mismatch', `15`='File Same As Source',
`20`='Network Error', `21`='Operation Timed Out', `22`='Connection Lost', `23`='Server Down',
`24`='Network Request Invalid', `30`='Server Error', `31`='Range Request Error',
`32`='Server Precondition Error', `33`='Unable to get file', `34`='Server Unauthorized',
`35`='Server Certificate Problem', `36`='Server Access Forbidden', `37`='Server Unreachable',
`38`='Content Length Mismatch', `39`='Cross Origin Redirect', `40`='Cancelled', `41`='Browser Shutdown',
`50`='Browser Crashed')
LET Output = SELECT ID, GUID, CurrentPath, TargetPath, OriginalMIMEType, ReceivedBytes, TotalBytes,
timestamp(winfiletime=(start_time * 10) || 0) AS StartTime,
timestamp(winfiletime=(end_time * 10) || 0) AS EndTime,
timestamp(winfiletime=(opened * 10) || 0) AS Opened,
timestamp(winfiletime=(last_access_time * 10) || 0) AS LastAccessTime,
timestamp(epoch=last_modified) AS LastModified,
get(item=StateLookup, field=str(str=state), default="Unknown") AS State,
get(item=DangerType, field=str(str=danger_type), default="Unknown") AS DangerType,
get(item=InterruptReason, field=str(str=interrupt_reason), default="Unknown") AS InterruptReason,
ReferrerURL, SiteURL, TabURL, TabReferrerURL, DownloadURL, OSPath
FROM Rows
WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
AND (SiteURL, DownloadURL, TabURL, TabReferrerURL, ReferrerURL, DownloadURL) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser History_Downloads" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser History_Keywords"
notebook:
- type: none
output: "Chromium Browser History_Keywords - Recalculate to view results"
template: |
/*
# Chromium Browser History_Keywords
*/
SELECT * FROM source(source="Chromium Browser History_Keywords")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Keywords")
LET Output = SELECT KeywordID, URLID,
timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
KeywordSearchTerm, Title, URL, OSPath
FROM Rows
WHERE LastVisitedTime > DateAfter AND LastVisitedTime < DateBefore
AND (Title, KeywordSearchTerm, URL) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser History_Keywords" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Media_History"
notebook:
- type: none
output: "Chromium Browser Media_History - Recalculate to view results"
template: |
/*
# Chromium Browser Media_History
*/
SELECT * FROM source(source="Chromium Browser Media_History")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_History")
LET Output = SELECT ID, URL, WatchTimeSeconds,
Bool(Value=has_video) AS HasVideo,
Bool(Value=has_audio) AS HasAudio,
timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated,
OriginID, OSPath
FROM Rows
WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
AND URL =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Media_History" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Media_Playback Session"
notebook:
- type: none
output: "Chromium Browser Media_Playback Session - Recalculate to view results"
template: |
/*
# Chromium Browser Media_Playback Session
*/
SELECT * FROM source(source="Chromium Browser Media_Playback Session")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_Playback Session")
LET Output = SELECT ID,
timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated, URL,
duration_ms / 1000 AS DurationInSeconds,
position_ms / 1000 AS PositionInSeconds,
Title, Artist, Album, SourceTitle, OriginID, OSPath
FROM Rows
WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
AND URL =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Media_Playback Session" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Network_Predictor"
notebook:
- type: none
output: "Chromium Browser Network_Predictor - Recalculate to view results"
template: |
/*
# Chromium Browser Network_Predictor
*/
SELECT * FROM source(source="Chromium Browser Network_Predictor")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Network_Predictor")
LET Output = SELECT * FROM Rows
WHERE UserText =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Network_Predictor" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Notifications_Site Engagements"
notebook:
- type: none
output: "Chromium Browser Notifications_Site Engagements - Recalculate to view results"
template: |
/*
# Chromium Browser Notifications_Site Engagements
*/
SELECT * FROM source(source="Chromium Browser Notifications_Site Engagements")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Site Engagements")
LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
LET Output = SELECT * FROM foreach(row={
SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
}, query={
SELECT _key AS Site,
timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
timestamp(winfiletime=int(int=_value.setting.lastEngagementTime) * 10 || 0) AS LastEngagementTime,
OSPath
FROM items(item=exceptions.site_engagement)
})
SELECT * FROM
if(condition="Chromium Browser Notifications_Site Engagements" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Notifications_App Banners"
notebook:
- type: none
output: "Chromium Browser Notifications_App Banners - Recalculate to view results"
template: |
/*
# Chromium Browser Notifications_App Banners
*/
SELECT * FROM source(source="Chromium Browser Notifications_App Banners")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_App Banners")
LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
LET Output = SELECT * FROM foreach(row={
SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
}, query={
SELECT _key AS Site,
timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
{
SELECT _key AS Site,
timestamp(winfiletime=int(int=_value.couldShowBannerEvents) * 10 || 0) AS CouldShowBannerEvents,
timestamp(winfiletime=int(int=_value.next_install_text_animation.last_shown) * 10 || 0) AS LastShown
FROM items(item=_value.setting)
} AS Setting,
OSPath
FROM items(item=exceptions.app_banner)
})
SELECT * FROM
if(condition="Chromium Browser Notifications_App Banners" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Notifications_Notification Preferences"
notebook:
- type: none
output: "Chromium Browser Notifications_Notification Preferences - Recalculate to view results"
template: |
/*
# Chromium Browser Notifications_Notification Preferences
*/
SELECT * FROM source(source="Chromium Browser Notifications_Notification Preferences")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Preferences")
LET ContentSettings <= array(`0`="Default",`1`="Allow",`2`="Block",`3`="Ask",`4`="Session Only",`5`="Detect Important Content")
LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
LET Output = SELECT * FROM foreach(row={
SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
}, query={
SELECT _key AS Site,
timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
ContentSettings[_value.setting] AS Setting,
OSPath
FROM items(item=exceptions.notifications)
})
SELECT * FROM
if(condition="Chromium Browser Notifications_Notification Preferences" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Notifications_Notification Interactions"
notebook:
- type: none
output: "Chromium Browser Notifications_Notification Interactions - Recalculate to view results"
template: |
/*
# Chromium Browser Notifications_Notification Interactions
*/
SELECT * FROM source(source="Chromium Browser Notifications_Notification Interactions")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Interactions")
LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
LET Output = SELECT * FROM foreach(row={
SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
}, query={
SELECT _key AS URL,
timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
_value.display_count as DisplayCount,
_value.click_count as ClickCount,
OSPath
-- notification_interactions lives under content_settings.exceptions, like
-- site_engagement and app_banner above; it is not a scope variable.
FROM items(item=exceptions.notification_interactions || dict())
})
SELECT * FROM
if(condition="Chromium Browser Notifications_Notification Interactions" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Shortcuts"
notebook:
- type: none
output: "Chromium Browser Shortcuts - Recalculate to view results"
template: |
/*
# Chromium Browser Shortcuts
*/
SELECT * FROM source(source="Chromium Browser Shortcuts")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Shortcuts")
LET Output = SELECT ID,
timestamp(winfiletime= (last_access_time * 10) || 0) AS LastAccessTime,
TextTyped, FillIntoEdit, URL, Contents,
Description, Type, Keyword, TimesSelectedByUser, OSPath
FROM Rows
WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
AND (Contents, Description) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Browser Shortcuts" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Sessions_Sessions"
notebook:
- type: none
output: "Chromium Sessions_Sessions - Recalculate to view results"
template: |
/*
# Chromium Sessions_Sessions
*/
SELECT * FROM source(source="Chromium Sessions_Sessions")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Sessions_Sessions")
LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
HostKey, Name, Path,
Bool(Value=is_secure) AS IsSecure,
Bool(Value=is_httponly) AS IsHttpOnly,
Bool(Value=has_expires) AS HasExpiration,
Bool(Value=is_persistent) AS IsPersistent,
Priority, SourcePort, OSPath
FROM Rows
WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
AND (Name, Path) =~ FilterRegex
SELECT * FROM
if(condition="Chromium Sessions_Sessions" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Chromium Browser Top Sites"
notebook:
- type: none
output: "Chromium Browser Top Sites - Recalculate to view results"
template: |
/*
# Chromium Browser Top Sites
*/
SELECT * FROM source(source="Chromium Browser Top Sites")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Top Sites")
LET Output = SELECT * FROM Rows
WHERE ( URL =~ FilterRegex OR Title =~ FilterRegex )
SELECT * FROM
if(condition="Chromium Browser Top Sites" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Edge Browser Autofill_CombinedAutofill"
notebook:
- type: none
output: "Edge Browser Autofill_CombinedAutofill - Recalculate to view results"
template: |
/*
# Edge Browser Autofill_CombinedAutofill
*/
SELECT * FROM source(source="Edge Browser Autofill_CombinedAutofill")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Autofill_CombinedAutofill")
LET Output = SELECT timestamp(epoch=date_last_used) AS DateLastUsed, *
FROM Rows
WHERE DateLastUsed > DateAfter AND DateLastUsed < DateBefore
SELECT * FROM
if(condition="Edge Browser Autofill_CombinedAutofill" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Edge Browser Collections_Collections, Items, and Comments"
notebook:
- type: none
output: "Edge Browser Collections_Collections, Items, and Comments - Recalculate to view results"
template: |
/*
# Edge Browser Collections_Collections, Items, and Comments
*/
SELECT * FROM source(source="Edge Browser Collections_Collections, Items, and Comments")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Collections_Collections, Items, and Comments")
LET ExtractImage(Data) = base64decode(
string=split(string=parse_json(data=Data).image, sep=",")[1])
LET Output = SELECT *,
timestamp(epoch=Collection_CreationUTC) AS Collection_CreationUTC,
timestamp(epoch=Collection_ModifiedUTC) AS Collection_ModifiedUTC,
timestamp(epoch=ColletionSync_DateLastSynced) AS ColletionSync_DateLastSynced,
timestamp(epoch=Item_CreationUTC) AS Item_CreationUTC,
timestamp(epoch=Item_ModifiedUTC) AS Item_ModifiedUTC,
parse_json(data= Item_Source) AS Item_Source,
upload(accessor="data",
file=ExtractImage(Data=Image),
name=format(format="Screenshot_%v.png", args=item_id)) AS Image,
timestamp(epoch=ItemSync_DaeLastSynced) AS ItemSync_DaeLastSynced
FROM Rows
SELECT * FROM
if(condition="Edge Browser Collections_Collections, Items, and Comments" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Edge Browser Navigation History_Navigation History"
notebook:
- type: none
output: "Edge Browser Navigation History_Navigation History - Recalculate to view results"
template: |
/*
# Edge Browser Navigation History_Navigation History
*/
SELECT * FROM source(source="Edge Browser Navigation History_Navigation History")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Navigation History_Navigation History")
LET Output = SELECT ID,
timestamp(epoch=`Last Visited Time`) AS `Last Visited Time`,
Title, URL, VisitCount, OSPath
FROM Rows
WHERE `Last Visited Time` > DateAfter
AND `Last Visited Time` < DateBefore
AND (Title, URL) =~ FilterRegex
SELECT * FROM
if(condition="Edge Browser Navigation History_Navigation History" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Edge Browser History Screenshots_Screenshots"
notebook:
- type: none
output: "Edge Browser History Screenshots_Screenshots - Recalculate to view results"
template: |
/*
# Edge Browser History Screenshots_Screenshots
*/
SELECT * FROM source(source="Edge Browser History Screenshots_Screenshots")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser History Screenshots_Screenshots")
LET Output = SELECT *,
timestamp(winfiletime=VisitTime * 10) AS VisitTime,
VisitTime AS VisitTimeInt,
upload(accessor="data",
file=Image,
name=format(format="Screenshot_%v.png", args=VisitID)) AS Image
FROM Rows
SELECT * FROM
if(condition="Edge Browser History Screenshots_Screenshots" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Places"
notebook:
- type: none
output: "Firefox Places - Recalculate to view results"
template: |
/*
# Firefox Places
*/
SELECT * FROM source(source="Firefox Places")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places")
LET BookmarkTypes <= dict(`1`="URL", `2`="Folder", `3`="Separator")
LET Output = SELECT ID, ParentID,
get(item= BookmarkTypes, field=str(str=type), default="Unknown") AS Type,
timestamp(epoch=dateAdded) AS DateAdded,
timestamp(epoch=lastModified) AS LastModified,
Position, Title, URL, ForeignKey, OSPath
FROM Rows
WHERE LastModified > DateAfter AND LastModified < DateBefore
AND (Title, URL) =~ FilterRegex
SELECT * FROM
if(condition="Firefox Places" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Places_Downloads"
notebook:
- type: none
output: "Firefox Places_Downloads - Recalculate to view results"
template: |
/*
# Firefox Places_Downloads
*/
SELECT * FROM source(source="Firefox Places_Downloads")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_Downloads")
LET Output = SELECT PlaceID, Content,
timestamp(epoch=dateAdded) AS DateAdded,
timestamp(epoch=lastModified) AS LastModified,
OSPath
FROM Rows
WHERE LastModified > DateAfter AND LastModified < DateBefore
AND Content =~ FilterRegex
SELECT * FROM
if(condition="Firefox Places_Downloads" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Places_History"
notebook:
- type: none
output: "Firefox Places_History - Recalculate to view results"
template: |
/*
# Firefox Places_History
*/
SELECT * FROM source(source="Firefox Places_History")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_History")
LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
`4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
`7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')
LET Output = SELECT VisitID, FromVisitID,
timestamp(epoch= last_visit_date) AS LastVisitDate,
VisitCount, URL, Title, Description,
get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
Bool(Value=hidden) AS Hidden,
Bool(Value=typed) AS Typed,
Frecency, PreviewImageURL, OSPath
FROM Rows
WHERE LastVisitDate > DateAfter AND LastVisitDate < DateBefore
AND (Title, URL, Description) =~ FilterRegex
SELECT * FROM
if(condition="Firefox Places_History" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Cookies"
notebook:
- type: none
output: "Firefox Cookies - Recalculate to view results"
template: |
/*
# Firefox Cookies
*/
SELECT * FROM source(source="Firefox Cookies")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Cookies")
LET Output = SELECT ID, Host, Name, Value,
timestamp(epoch= creationTime) AS CreationTime,
timestamp(epoch= lastAccessed) AS LastAccessedTime,
timestamp(epoch= expiry) AS Expiration,
Bool(Value= isSecure) AS IsSecure,
Bool(Value= isHttpOnly) AS IsHTTPOnly, OSPath
FROM Rows
WHERE LastAccessedTime > DateAfter
AND LastAccessedTime < DateBefore
AND ( Name =~ FilterRegex OR Value =~ FilterRegex )
SELECT * FROM
if(condition="Firefox Cookies" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Downloads"
notebook:
- type: none
output: "Firefox Downloads - Recalculate to view results"
template: |
/*
# Firefox Downloads
*/
SELECT * FROM source(source="Firefox Downloads")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Downloads")
LET Output = SELECT ID, Name, MIMEType, Source, Target,
timestamp(epoch= startTime) AS StartTime,
timestamp(epoch= endTime) AS EndTime,
timestamp(epoch= expiry) AS Expiration,
CurrentBytes, MaxBytes, OSPath
FROM Rows
WHERE StartTime > DateAfter
AND StartTime < DateBefore
AND Name =~ FilterRegex
SELECT * FROM
if(condition="Firefox Downloads" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Favicons"
notebook:
- type: none
output: "Firefox Favicons - Recalculate to view results"
template: |
/*
# Firefox Favicons
*/
SELECT * FROM source(source="Firefox Favicons")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Favicons")
LET Output = SELECT ID, PageURL, FaviconURL,
timestamp(epoch= expire_ms) AS Expiration,
OSPath
FROM Rows
SELECT * FROM
if(condition="Firefox Favicons" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Firefox Form History"
notebook:
- type: none
output: "Firefox Form History - Recalculate to view results"
template: |
/*
# Firefox Form History
*/
SELECT * FROM source(source="Firefox Form History")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Form History")
LET Output = SELECT ID, FieldName, Value, TimesUsed,
timestamp(epoch= firstUsed) AS FirstUsed,
timestamp(epoch= lastUsed) AS LastUsed,
GUID, OSPath
FROM Rows
WHERE LastUsed > DateAfter AND LastUsed < DateBefore
AND ( FieldName =~ FilterRegex OR Value =~ FilterRegex )
SELECT * FROM
if(condition="Firefox Form History" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Google Drive Metadata_File Metadata"
notebook:
- type: none
output: "Google Drive Metadata_File Metadata - Recalculate to view results"
template: |
/*
# Google Drive Metadata_File Metadata
*/
SELECT * FROM source(source="Google Drive Metadata_File Metadata")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Google Drive Metadata_File Metadata")
LET Output = SELECT timestamp(epoch=modified_date ) AS Timestamp, *
FROM Rows
WHERE
if(condition=DateAfter, then=Timestamp > DateAfter, else=TRUE) AND
if(condition=DateBefore, then=Timestamp < DateBefore, else=TRUE) AND
(local_title, mime_type) =~ FilterRegex
SELECT * FROM
if(condition="Google Drive Metadata_File Metadata" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Google Drive Metadata_Deleted Items"
notebook:
- type: none
output: "Google Drive Metadata_Deleted Items - Recalculate to view results"
template: |
/*
# Google Drive Metadata_Deleted Items
*/
SELECT * FROM source(source="Google Drive Metadata_Deleted Items")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Google Drive Metadata_Deleted Items")
LET Output = SELECT * FROM Rows
SELECT * FROM
if(condition="Google Drive Metadata_Deleted Items" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Google Drive Mirrored Files_Mirrored Items"
notebook:
- type: none
output: "Google Drive Mirrored Files_Mirrored Items - Recalculate to view results"
template: |
/*
# Google Drive Mirrored Files_Mirrored Items
*/
SELECT * FROM source(source="Google Drive Mirrored Files_Mirrored Items")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Google Drive Mirrored Files_Mirrored Items")
LET Output = SELECT timestamp(epoch=local_mtime_ms ) AS Timestamp, *
FROM Rows
WHERE
if(condition=DateAfter, then=Timestamp > DateAfter, else=TRUE) AND
if(condition=DateBefore, then=Timestamp < DateBefore, else=TRUE) AND
(local_filename, cloud_filename, volume) =~ FilterRegex
SELECT * FROM
if(condition="Google Drive Mirrored Files_Mirrored Items" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Google Drive Mirrored Metadata Files_Mirrored Metadata Items"
notebook:
- type: none
output: "Google Drive Mirrored Metadata Files_Mirrored Metadata Items - Recalculate to view results"
template: |
/*
# Google Drive Mirrored Metadata Files_Mirrored Metadata Items
*/
SELECT * FROM source(source="Google Drive Mirrored Metadata Files_Mirrored Metadata Items")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Google Drive Mirrored Metadata Files_Mirrored Metadata Items")
LET Output = SELECT timestamp(epoch=modified_date ) AS Timestamp, *
FROM Rows
WHERE
if(condition=DateAfter, then=Timestamp > DateAfter, else=TRUE) AND
if(condition=DateBefore, then=Timestamp < DateBefore, else=TRUE) AND
(local_title, mime_type) =~ FilterRegex
SELECT * FROM
if(condition="Google Drive Mirrored Metadata Files_Mirrored Metadata Items" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Google Drive Sync Roots_Sync Folders"
notebook:
- type: none
output: "Google Drive Sync Roots_Sync Folders - Recalculate to view results"
template: |
/*
# Google Drive Sync Roots_Sync Folders
*/
SELECT * FROM source(source="Google Drive Sync Roots_Sync Folders")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Google Drive Sync Roots_Sync Folders")
LET Output = SELECT *
FROM Rows
WHERE (root_path, title, media_id) =~ FilterRegex
SELECT * FROM
if(condition="Google Drive Sync Roots_Sync Folders" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "IE or Edge WebCacheV01_All Data"
notebook:
- type: none
output: "IE or Edge WebCacheV01_All Data - Recalculate to view results"
template: |
/*
# IE or Edge WebCacheV01_All Data
*/
SELECT * FROM source(source="IE or Edge WebCacheV01_All Data")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_All Data")
LET MatchingFiles = SELECT OSPath FROM Rows
LET S = scope()
LET Containers(OSPath) = SELECT Table
FROM parse_ese_catalog(file=OSPath)
WHERE Table =~ "Container_"
GROUP BY Table
LET AllHits(OSPath) = SELECT * FROM foreach(row={
SELECT * FROM Containers(OSPath=OSPath)
}, query={
SELECT timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
timestamp(winfiletime=ModifiedTime) AS ModifiedTime,
timestamp(winfiletime=AccessedTime) AS AccessedTime,
S.Url AS Url, *
FROM parse_ese(file=OSPath, table=Table)
})
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT * FROM AllHits(OSPath=OSPath)
})
WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
AND Url =~ FilterRegex
SELECT * FROM
if(condition="IE or Edge WebCacheV01_All Data" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "IE or Edge WebCacheV01_Highlights"
notebook:
- type: none
output: "IE or Edge WebCacheV01_Highlights - Recalculate to view results"
template: |
/*
# IE or Edge WebCacheV01_Highlights
*/
SELECT * FROM source(source="IE or Edge WebCacheV01_Highlights")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_Highlights")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT AccessedTime, ModifiedTime, ExpiryTime, Url
FROM AllHits(OSPath=OSPath)
})
WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
AND Url =~ FilterRegex
SELECT * FROM
if(condition="IE or Edge WebCacheV01_Highlights" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "MacOS Applications Cache"
notebook:
- type: none
output: "MacOS Applications Cache - Recalculate to view results"
template: |
/*
# MacOS Applications Cache
*/
SELECT * FROM source(source="MacOS Applications Cache")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Applications Cache")
LET Output = SELECT
time_stamp AS Timestamp,
OSPath.Base AS Application,
entry_ID AS EntryID,
version AS Version,
hash_value AS Hash,
storage_policy AS StoragePolicy,
request_key AS URL,
plist(file=request_object, accessor="data") AS Request,
plist(file=response_object, accessor="data") AS Response,
partition AS Partition,
OSPath
FROM Rows
WHERE Timestamp > DateAfter AND Timestamp < DateBefore
AND Application =~ FilterRegex
SELECT * FROM
if(condition="MacOS Applications Cache" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "MacOS NetworkUsage"
notebook:
- type: none
output: "MacOS NetworkUsage - Recalculate to view results"
template: |
/*
# MacOS NetworkUsage
*/
SELECT * FROM source(source="MacOS NetworkUsage")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS NetworkUsage")
LET Output = SELECT timestamp(epoch= ZTIMESTAMP + 978307200) AS Timestamp,
timestamp(epoch= ZFIRSTTIMESTAMP + 978307200) AS FirstTimestamp,
timestamp(epoch= LIVE_USAGE_TIMESTAMP + 978307200) AS LiveUsageTimestamp,
ZBUNDLENAME AS BundleID,
ZPROCNAME AS ProcessName,
ZWIFIIN AS WifiIn,
ZWIFIOUT AS WifiOut,
ZWWANIN AS WanIn,
ZWWANOUT AS WanOut,
ZWIREDIN AS WiredIn,
ZWIREDOUT AS WiredOut,
ZXIN AS _XIn,
ZXOUT AS _XOut,
Z_PK AS LiveUsageTableID
FROM Rows
SELECT * FROM
if(condition="MacOS NetworkUsage" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "MacOS Notes"
notebook:
- type: none
output: "MacOS Notes - Recalculate to view results"
template: |
/*
# MacOS Notes
*/
SELECT * FROM source(source="MacOS Notes")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Notes")
LET Output = SELECT Key AS _Key,
OSPath[1] AS User,
Note,
Title,
Snippet,
NoteID AS _NoteID,
timestamp(cocoatime=CreatedTS) AS CreatedTime,
timestamp(cocoatime=LastOpenedDate) AS LastOpenedTime,
timestamp(cocoatime=DirModificationDate) AS LastDirModification,
Account AS _Account,
Directory,
DirectoryID,
AttachmentName,
AttachmentSize,
AttachmentUUID,
if(condition=AttachmentUUID,
then=OSPath[:2] + '/Library/Group Containers/group.com.apple.notes/Accounts/LocalAccount/Media/' + AttachmentUUID + '/' + AttachmentName) AS AttachmentLocation,
AccountName AS _AccountName,
AccountID AS _AccountID,
AccountType AS _AccountType,
gunzip(string=Data) AS Data,
OSPath
FROM Rows
WHERE LastOpenedTime > DateAfter AND LastOpenedTime < DateBefore
AND ( Title =~ FilterRegex OR Data =~ FilterRegex )
SELECT * FROM
if(condition="MacOS Notes" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "MacOS XProtect Detections"
notebook:
- type: none
output: "MacOS XProtect Detections - Recalculate to view results"
template: |
/*
# MacOS XProtect Detections
*/
SELECT * FROM source(source="MacOS XProtect Detections")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS XProtect Detections")
LET Output = SELECT *
FROM Rows
WHERE dt > DateAfter
AND dt < DateBefore
AND (violated_rule, exec_path, responsible_path, responsible_signing_id,
exec_cdhash, exec_sha256, responsible_cdhash, responsible_sha256 ) =~ FilterRegex
SELECT * FROM
if(condition="MacOS XProtect Detections" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Activities Cache_ActivityPackageId"
notebook:
- type: none
output: "Windows Activities Cache_ActivityPackageId - Recalculate to view results"
template: |
/*
# Windows Activities Cache_ActivityPackageId
*/
SELECT * FROM source(source="Windows Activities Cache_ActivityPackageId")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_ActivityPackageId")
LET Output = SELECT format(format="%0X-%0X-%0X-%0X-%0X", args=[
ActivityId[0:4], ActivityId[4:6], ActivityId[6:8],
ActivityId[8:10], ActivityId[10:] ]) AS ActivityId,
Platform, PackageName, ExpirationTime, OSPath
FROM Rows
SELECT * FROM
if(condition="Windows Activities Cache_ActivityPackageId" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Activities Cache_Clipboard"
notebook:
- type: none
output: "Windows Activities Cache_Clipboard - Recalculate to view results"
template: |
/*
# Windows Activities Cache_Clipboard
*/
SELECT * FROM source(source="Windows Activities Cache_Clipboard")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_Clipboard")
LET Output = SELECT
CreatedTime,
timestamp(epoch=LastModifiedTime) AS LastModifiedTime,
timestamp(epoch=LastModifiedOnClient) AS LastModifiedOnClient,
StartTime,
EndTime,
Payload,
OSPath[1] AS User,
base64decode(string=parse_json_array(data=ClipboardPayload)[0].content) AS ClipboardPayload,
OSPath AS Path,
Mtime
FROM Rows
WHERE StartTime > DateAfter
AND StartTime < DateBefore
AND ClipboardPayload =~ FilterRegex
SELECT * FROM
if(condition="Windows Activities Cache_Clipboard" =~ RuleFilter, then={
SELECT * FROM Output
})
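Three of the rules above unwrap a stored payload before the FilterRegex can see it: Edge Browser Collections splits the item's JSON `image` member (a `data:` URL) on the comma and base64-decodes the remainder (`ExtractImage`), MacOS Notes gunzips the note body (`gunzip(string=Data)`), and Windows Activities Cache_Clipboard base64-decodes `parse_json_array(data=ClipboardPayload)[0].content`. The Python below is an added example, not code from the SQLiteHunter artifact, reproducing those three decoders so a row can be checked offline. The sample payloads are constructed inside the script; the only clipboard JSON field it assumes is `content`, which the rule itself reads.

```python
import base64
import gzip
import json


def extract_collection_image(item_json: str) -> bytes:
    """Edge Collections: the Image column is a JSON document whose "image"
    member is a data URL such as "data:image/png;base64,iVBOR...".  Like the
    VQL ExtractImage(), take what follows the first comma and base64-decode it.
    """
    image = json.loads(item_json)["image"]
    header, _, payload = image.partition(",")
    if not header.startswith("data:") or not header.endswith(";base64"):
        raise ValueError(f"not a base64 data URL: {header!r}")
    return base64.b64decode(payload, validate=True)


def decompress_note(blob: bytes) -> bytes:
    """MacOS Notes: the rule applies gunzip() to the Data column.  A column that
    is not gzip data raises OSError here, which is the behaviour we want: do not
    silently treat the raw bytes as note text."""
    return gzip.decompress(blob)


def clipboard_text(clipboard_payload: str) -> str:
    """Windows Activities Cache: ClipboardPayload is a JSON array; the rule
    base64-decodes element 0's "content".  An empty array yields ""."""
    entries = json.loads(clipboard_payload)
    if not entries:
        return ""
    raw = base64.b64decode(entries[0]["content"])
    return raw.decode("utf-8", errors="replace")


# Constructed sample inputs (not captured from a real endpoint).
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
SAMPLE_COLLECTION_ITEM = json.dumps(
    {"image": "data:image/png;base64," + base64.b64encode(PNG_MAGIC + b"\x00" * 8).decode()}
)
SAMPLE_NOTE_BLOB = gzip.compress(b"rotate the service account key on Friday")
SAMPLE_CLIPBOARD = json.dumps([{"content": base64.b64encode(b"Hunter2!").decode()}])


if __name__ == "__main__":
    print(extract_collection_image(SAMPLE_COLLECTION_ITEM)[:8])
    print(decompress_note(SAMPLE_NOTE_BLOB))
    print(clipboard_text(SAMPLE_CLIPBOARD))
```

Because the rules apply FilterRegex only after decoding (for example `ClipboardPayload =~ FilterRegex` runs on the decoded text), the same order matters here: search the returned bytes or text, not the base64 or gzip wrapper.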
- name: "Windows WPNDatabase - Notifications_Notifications"
notebook:
- type: none
output: "Windows WPNDatabase - Notifications_Notifications - Recalculate to view results"
template: |
/*
# Windows WPNDatabase - Notifications_Notifications
*/
SELECT * FROM source(source="Windows WPNDatabase - Notifications_Notifications")
LIMIT 50
query: |
LET Rows = SELECT * FROM ApplyFile(SourceName="Windows WPNDatabase - Notifications_Notifications")
LET Output = SELECT *, Parent || "" AS Parent,
timestamp(winfiletime= ArrivalTime) AS ArrivalTime,
if(condition= ExpirationTime > 0,
then=timestamp(winfiletime= ExpirationTime),
else='Expired') AS ExpirationTime,
format(format="%02x", args=ActivityId) AS ActivityId,
WNSId || "" AS WNSId,
if(condition= WNSCreatedTime > 0,
then=timestamp(winfiletime= WNSCreatedTime),
else='') AS WNSCreatedTime,
if(condition= WNSExpirationTime > 0,
then=timestamp(winfiletime= WNSExpirationTime),
else='') AS WNSExpirationTime,
upload(accessor="data",
file=Payload,
name=format(format="Payload%v.png", args=ID)) AS Payload
FROM Rows
SELECT * FROM
if(condition="Windows WPNDatabase - Notifications_Notifications" =~ RuleFilter, then={
SELECT * FROM Output
})
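The rules above normalise four different time encodings into one UTC column: Windows FILETIME via `timestamp(winfiletime=...)` (WebCacheV01, WPNDatabase), Chromium/WebKit microseconds via `timestamp(winfiletime=VisitTime * 10)` (Edge History Screenshots), Apple Cocoa seconds via `ZTIMESTAMP + 978307200` (MacOS NetworkUsage) or `timestamp(cocoatime=...)` (MacOS Notes), and raw Unix-epoch integers in seconds, milliseconds or microseconds handed to `timestamp(epoch=...)` (Firefox, Chromium, Google Drive). The Python below is an added example, not part of the SQLiteHunter artifact, spelling those conversions out so a value from a collected row can be re-derived by hand. The magnitude thresholds in `guess_unix_epoch` are this example's own assumption, not Velociraptor's code.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME / WebKit origin
EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)   # Unix epoch
COCOA_OFFSET = 978307200  # seconds from 1970-01-01 to 2001-01-01; the constant the MacOS NetworkUsage rule adds


def from_filetime(ticks: int) -> datetime:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, i.e. VQL
    timestamp(winfiletime=...) as used by the WebCacheV01 and WPNDatabase rules."""
    if ticks < 0:
        raise ValueError("FILETIME cannot be negative")
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def from_webkit(microseconds: int) -> datetime:
    """Chromium/WebKit time: microseconds since 1601-01-01 UTC.  The Edge History
    Screenshots rule writes timestamp(winfiletime=VisitTime * 10); the * 10 turns
    microseconds into 100 ns FILETIME ticks."""
    return from_filetime(microseconds * 10)


def from_cocoa(seconds: float) -> datetime:
    """Apple Cocoa / Core Data time: seconds since 2001-01-01 UTC.  The MacOS
    NetworkUsage rule adds 978307200 before timestamp(epoch=...); the MacOS Notes
    rule reaches the same result with timestamp(cocoatime=...)."""
    return EPOCH_1970 + timedelta(seconds=seconds + COCOA_OFFSET)


def filetime_or_sentinel(ticks: int, sentinel: str = "Expired"):
    """WPNDatabase: ExpirationTime, WNSCreatedTime and WNSExpirationTime are only
    converted when > 0; the rule emits 'Expired' (or '') for the rest."""
    return from_filetime(ticks) if ticks > 0 else sentinel


def guess_unix_epoch(value: int) -> datetime:
    """Firefox, Chromium and Google Drive columns reach timestamp(epoch=...) as raw
    integers in mixed units (Firefox PRTime columns such as last_visit_date and
    creationTime are microseconds, cookie expiry is seconds, Google Drive
    local_mtime_ms is milliseconds).  Velociraptor works the unit out from the
    magnitude; the thresholds below are this example's own ASSUMPTION."""
    if value > 10**17:      # nanoseconds
        return EPOCH_1970 + timedelta(microseconds=value // 1000)
    if value > 10**14:      # microseconds
        return EPOCH_1970 + timedelta(microseconds=value)
    if value > 10**11:      # milliseconds
        return EPOCH_1970 + timedelta(milliseconds=value)
    return EPOCH_1970 + timedelta(seconds=value)


if __name__ == "__main__":
    # Constructed values: 116444736000000000 is the FILETIME of the Unix epoch.
    print(from_filetime(116444736000000000))
    print(from_webkit(11644473600000000))
    print(from_cocoa(0))
    print(filetime_or_sentinel(0))
    for v in (1700000000, 1700000000000, 1700000000000000):
        print(v, guess_unix_epoch(v))
```

Getting the unit wrong is the usual way a DateAfter/DateBefore time box silently drops every row, so when a rule returns nothing for a window you know contains activity, re-derive one raw value with the helper for that column's format before trusting the empty result.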
- name: "Windows Search Service_SystemIndex_Gthr"
notebook:
- type: none
output: "Windows Search Service_SystemIndex_Gthr - Recalculate to view results"
template: |
/*
# Windows Search Service_SystemIndex_Gthr
*/
SELECT * FROM source(source="Windows Search Service_SystemIndex_Gthr")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_Gthr")
LET MatchingFiles = SELECT OSPath FROM Rows
LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(
filename=T, accessor="data", struct="uint64b"))
LET FormatTime(T) = timestamp(winfiletime=parse_binary(
filename=T, accessor="data", struct="uint64"))
LET FormatSize(T) = parse_binary(
filename=T, accessor="data", struct="uint64")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT ScopeID, DocumentID, SDID,
FormatTimeB(T=LastModified) AS LastModified,
FileName
FROM parse_ese(file=OSPath, table= "SystemIndex_Gthr")
})
WHERE LastModified > DateAfter AND LastModified < DateBefore
AND FileName =~ FilterRegex
SELECT * FROM
if(condition="Windows Search Service_SystemIndex_Gthr" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Search Service_SystemIndex_GthrPth"
notebook:
- type: none
output: "Windows Search Service_SystemIndex_GthrPth - Recalculate to view results"
template: |
/*
# Windows Search Service_SystemIndex_GthrPth
*/
SELECT * FROM source(source="Windows Search Service_SystemIndex_GthrPth")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_GthrPth")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT Scope, Parent, Name
FROM parse_ese(file=OSPath, table= "SystemIndex_GthrPth")
})
WHERE Name =~ FilterRegex
SELECT * FROM
if(condition="Windows Search Service_SystemIndex_GthrPth" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Search Service_SystemIndex_PropertyStore"
notebook:
- type: none
output: "Windows Search Service_SystemIndex_PropertyStore - Recalculate to view results"
template: |
/*
# Windows Search Service_SystemIndex_PropertyStore
*/
SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore")
LET X = scope()
-- The PropertyStore columns look like
-- <random>-ProperName so we strip the
-- random part off to display it properly.
LET FilterDict(Dict) = to_dict(item={
SELECT split(sep_string="-", string=_key)[1] || _key AS _key, _value
FROM items(item=Dict)
})
LET PropStore(OSPath) = SELECT *,
FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,
FormatSize(T=X.System_Size) AS System_Size,
FormatTime(T=X.System_DateModified) AS System_DateModified,
FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,
FormatTime(T=X.System_DateCreated) AS System_DateCreated
FROM foreach(row={
SELECT *, FilterDict(Dict=_value) AS _value
FROM items(item={
SELECT * FROM parse_ese(file=OSPath, table="SystemIndex_PropertyStore")
})
}, column="_value")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT *
FROM PropStore(OSPath=OSPath)
})
WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore
SELECT * FROM
if(condition="Windows Search Service_SystemIndex_PropertyStore" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Search Service_SystemIndex_PropertyStore_Highlights"
notebook:
- type: none
output: "Windows Search Service_SystemIndex_PropertyStore_Highlights - Recalculate to view results"
template: |
/*
# Windows Search Service_SystemIndex_PropertyStore_Highlights
*/
SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore_Highlights")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore_Highlights")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT WorkID,
System_Search_GatherTime,
System_Size,
System_DateModified,
System_DateCreated,
X.System_FileOwner AS System_FileOwner,
X.System_ItemPathDisplay AS System_ItemPathDisplay,
X.System_ItemType AS System_ItemType,
X.System_FileAttributes AS System_FileAttributes,
X.System_Search_AutoSummary AS System_Search_AutoSummary
FROM PropStore(OSPath=OSPath)
})
WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore
SELECT * FROM
if(condition="Windows Search Service_SystemIndex_PropertyStore_Highlights" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Search Service_BrowsingActivity"
notebook:
- type: none
output: "Windows Search Service_BrowsingActivity - Recalculate to view results"
template: |
/*
# Windows Search Service_BrowsingActivity
*/
SELECT * FROM source(source="Windows Search Service_BrowsingActivity")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_BrowsingActivity")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT X.ItemPathDisplay AS ItemPathDisplay,
X.Activity_ContentUri AS Activity_ContentUri,
X.Activity_Description AS Activity_Description
FROM PropStore(OSPath=OSPath)
WHERE Activity_ContentUri
})
SELECT * FROM
if(condition="Windows Search Service_BrowsingActivity" =~ RuleFilter, then={
SELECT * FROM Output
})
- name: "Windows Search Service_UserActivityLogging"
notebook:
- type: none
output: "Windows Search Service_UserActivityLogging - Recalculate to view results"
template: |
/*
# Windows Search Service_UserActivityLogging
*/
SELECT * FROM source(source="Windows Search Service_UserActivityLogging")
LIMIT 50
query: |
LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_UserActivityLogging")
LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,
FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,
FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,
X.ActivityHistory_AppId AS ActivityHistory_AppId
FROM PropStore(OSPath=OSPath)
WHERE ActivityHistory_AppId
})
WHERE ActivityHistory_StartTime > DateAfter
AND ActivityHistory_StartTime < DateBefore
SELECT * FROM
if(condition="Windows Search Service_UserActivityLogging" =~ RuleFilter, then={
SELECT * FROM Output
})
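The Windows Search Service rules read Windows.edb with parse_ese() and get several columns back as raw 8-byte blobs: SystemIndex_Gthr.LastModified is decoded with `struct="uint64b"` (big-endian, `FormatTimeB`) while the PropertyStore `System_Date*` and `System_Size` columns use `struct="uint64"` (little-endian, `FormatTime` / `FormatSize`), and PropertyStore column names carry a numeric prefix that `FilterDict` strips with `split(sep_string="-", string=_key)[1] || _key`. The Windows Activities Cache_ActivityPackageId rule likewise renders a 16-byte ActivityId blob with `format()`. The Python below is an added example, not part of the SQLiteHunter artifact, that reproduces those decoders so a practitioner can check a row by hand. The sample rows are constructed, and the mixed-endian GUID helper is there only for comparison: whether ActivitiesCache.db stores the GUID in that layout is an assumption this example does not verify.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_filetime(ticks: int) -> datetime:
    """100 ns ticks since 1601-01-01 UTC (VQL timestamp(winfiletime=...))."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def format_time_b(blob: bytes) -> datetime:
    """SystemIndex_Gthr.LastModified: 8-byte BIG-endian FILETIME (struct="uint64b")."""
    return from_filetime(struct.unpack(">Q", bytes(blob[:8]))[0])


def format_time(blob: bytes) -> datetime:
    """PropertyStore System_Date* columns: 8-byte LITTLE-endian FILETIME (struct="uint64")."""
    return from_filetime(struct.unpack("<Q", bytes(blob[:8]))[0])


def format_size(blob: bytes) -> int:
    """System_Size: little-endian uint64."""
    return struct.unpack("<Q", bytes(blob[:8]))[0]


def strip_property_prefix(key: str) -> str:
    """PropertyStore column names look like '<number>-System_Name'.  Reproduce the
    VQL split(sep_string="-", string=_key)[1] || _key: element 1 of a split on every
    '-', falling back to the key itself when there is no dash (or the piece is empty).
    A name containing a second dash would lose its tail, exactly as in the VQL."""
    parts = key.split("-")
    return parts[1] if len(parts) > 1 and parts[1] else key


DATE_PROPERTIES = {"System_Search_GatherTime", "System_DateModified",
                   "System_DateAccessed", "System_DateCreated"}


def decode_property_row(row: dict) -> dict:
    """What PropStore() does per row: normalise the names, then decode the binary
    date and size columns the rule formats; everything else passes through."""
    out = {}
    for key, value in row.items():
        name = strip_property_prefix(key)
        if name in DATE_PROPERTIES and isinstance(value, (bytes, bytearray)):
            out[name] = format_time(value)
        elif name == "System_Size" and isinstance(value, (bytes, bytearray)):
            out[name] = format_size(value)
        else:
            out[name] = value
    return out


def format_activity_id(raw: bytes) -> str:
    """Windows Activities Cache_ActivityPackageId: the 16-byte ActivityId blob is
    rendered as "%0X-%0X-%0X-%0X-%0X" over raw[0:4], [4:6], [6:8], [8:10], [10:],
    i.e. upper-case hex of the bytes in STORED order with no field byte-swapping."""
    if len(raw) != 16:
        raise ValueError(f"ActivityId must be 16 bytes, got {len(raw)}")
    return "-".join(p.hex().upper() for p in (raw[0:4], raw[4:6], raw[6:8], raw[8:10], raw[10:]))


def activity_id_as_mixed_endian_guid(raw: bytes) -> str:
    """For comparison only: the same 16 bytes read as a Windows mixed-endian GUID
    (first three fields little-endian).  Whether the database stores them that
    way is an ASSUMPTION this example does not verify; the rule prints stored order."""
    return str(uuid.UUID(bytes_le=bytes(raw))).upper()


# Constructed sample rows (not extracted from a real Windows.edb or ActivitiesCache.db).
FILETIME_2024_01_17 = 133500000000000000  # 2024-01-17 21:20:00 UTC
SAMPLE_GTHR_ROW = {"DocumentID": 77, "LastModified": struct.pack(">Q", FILETIME_2024_01_17),
                   "FileName": "plan.docx"}
SAMPLE_PROPERTY_ROW = {
    "WorkID": 1234,
    "4447-System_DateModified": struct.pack("<Q", FILETIME_2024_01_17),
    "4448-System_Size": struct.pack("<Q", 4096),
    "4349-System_ItemPathDisplay": r"C:\Users\alice\Documents\plan.docx",
}

if __name__ == "__main__":
    print(format_time_b(SAMPLE_GTHR_ROW["LastModified"]))
    print(decode_property_row(SAMPLE_PROPERTY_ROW))
    print(format_activity_id(bytes(range(16))), activity_id_as_mixed_endian_guid(bytes(range(16))))
```

The byte order is the point to check first when a Search Service timestamp looks absurd: the same eight bytes read with the wrong endianness give a date thousands of years off rather than an error, so a value outside any plausible window is a decoding problem, not evidence.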