use super::super::types::{
ArtifactDescriptor, ArtifactType, DataScope, Decoder, OsScope, TriagePriority,
};
/// Chrome `History` SQLite database of the `Default` profile (URLs, visit and typed counts).
///
/// Only the `Default` profile directory is matched by `file_path`; any other Chrome
/// profile directory under `User Data` is outside this descriptor. The `Downloads`
/// descriptor points at the same file and differs only in which table is parsed.
/// NOTE(review): the database is presumably held open by a running Chrome, so live
/// collection may need a file copy rather than an in-place open — confirm against the collector.
pub(crate) static BROWSER_CHROME_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_history",
    name: "Chrome History (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome browsing history SQLite database (URLs, visit counts, typed counts).",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "URL visited, not necessarily user-initiated; could be redirect or prefetch",
        "History can be cleared by user or extensions; absence is not evidence of non-visit",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale:
        "Overwritten by browser activity; no fixed size limit but old entries pruned",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome `Cookies` SQLite database of the `Default` profile.
///
/// The meaning string flags session tokens: an acquired copy is credential-equivalent
/// material and should be stored and shared under the same access controls as the
/// Login Data artifact. NOTE(review): the `Network\Cookies` location applies to recent
/// Chrome releases; older profiles may still keep `Cookies` directly under `Default` —
/// confirm against the target version before treating absence as meaningful.
pub(crate) static BROWSER_CHROME_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_cookies",
    name: "Chrome Cookies (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome cookies SQLite database — session tokens and tracking data.",
    fields: &[],
    mitre_techniques: &["T1539"],
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Cookie presence proves domain contact, not user intent; third-party cookies common",
        "Expiration and creation timestamps useful for timeline reconstruction",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Cookies expire or are overwritten by site updates",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome download records, read from the `downloads` table of the `Default` profile's
/// `History` database.
///
/// `file_path` is identical to `BROWSER_CHROME_HISTORY`; the two descriptors differ in
/// which table is interpreted, not in what is collected. NOTE(review): a collector that
/// de-duplicates by path will fetch the file once — make sure both ids still resolve.
pub(crate) static BROWSER_CHROME_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_downloads",
    name: "Chrome Downloads (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome downloads table within History SQLite database.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::High,
    // Strong: a download record is a concrete action, unlike a bare URL visit.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "File was downloaded; user may not have opened or executed it",
        "Download record persists even if file was deleted from disk",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Download records persist until user clears download history",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome `Bookmarks` JSON file of the `Default` profile.
///
/// Rated circumstantial: a bookmark shows awareness of a URL, and the caveats note it may
/// have arrived via sync from another device rather than local action.
pub(crate) static BROWSER_CHROME_BOOKMARKS: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_bookmarks",
    name: "Chrome Bookmarks (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Bookmarks"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome bookmarks JSON file.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::Medium,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Circumstantial),
    evidence_caveats: &[
        "Bookmark proves awareness of URL, not visit frequency",
        "May be synced from another device; check sync metadata",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Bookmarks persist until deleted by user",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome `Extensions` directory of the `Default` profile (mapped to T1176, Browser Extensions).
///
/// Collected as a directory tree rather than a single file. The caveats remind the
/// analyst that presence can be the result of enterprise policy rather than user
/// installation, so a policy check belongs in triage before attributing intent.
pub(crate) static BROWSER_CHROME_EXTENSIONS: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_extensions",
    name: "Chrome Extensions (browser-forensic)",
    artifact_type: ArtifactType::Directory,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions"),
    // Registry-oriented fields; left empty for a directory artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome extensions directory.",
    fields: &[],
    mitre_techniques: &["T1176"],
    triage_priority: TriagePriority::Medium,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Extension installed, possibly auto-installed by enterprise policy",
        "Extension version and update timestamps useful for timeline",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Extensions persist until uninstalled",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome `Login Data` SQLite database of the `Default` profile (saved credentials).
///
/// Critical priority: even though password values are stored encrypted (see `meaning`),
/// the database still lists every site a credential was saved for, with timestamps, and
/// any acquired copy must be handled as credential material (restricted access, chain of
/// custody). NOTE(review): the `_v2` suffix on the id suggests an earlier descriptor id
/// exists elsewhere in the catalogue — confirm consumers reference this one.
pub(crate) static BROWSER_CHROME_LOGIN_DATA_V2: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_login_data_v2",
    name: "Chrome Login Data v2 (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Login Data"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning:
        "Chrome saved credentials SQLite database (passwords encrypted with DPAPI/OS keystore).",
    fields: &[],
    mitre_techniques: &["T1555.003"],
    triage_priority: TriagePriority::Critical,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Credential saved; timestamp shows last use; passwords encrypted by OS credential store",
        "Presence proves user entered credentials on the site at least once",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Credentials persist until deleted from browser or profile deletion",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome `Web Data` SQLite database of the `Default` profile (autofill form entries).
///
/// Mapped to both credential access (T1555.003) and local data collection (T1005)
/// because saved form values can include personal and payment details; handle an
/// acquired copy as sensitive data.
pub(crate) static BROWSER_CHROME_AUTOFILL: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_autofill",
    name: "Chrome Autofill (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Web Data"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome autofill form data SQLite database.",
    fields: &[],
    mitre_techniques: &["T1555.003", "T1005"],
    triage_priority: TriagePriority::Medium,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Form data was saved; may have been auto-populated not manually typed",
        "Timestamps show when autofill entry was created and last used",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Autofill data persists until browser data cleared",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
/// Chrome disk cache directory of the `Default` profile.
///
/// Classified as a rotating buffer: entries are evicted under size pressure, so this is
/// the browser artifact most likely to have lost older evidence by the time of
/// acquisition — prioritise it early in a live collection. No technique mapping is given.
pub(crate) static BROWSER_CHROME_CACHE: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_cache",
    name: "Chrome Cache (browser-forensic)",
    artifact_type: ArtifactType::Directory,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Cache"),
    // Registry-oriented fields; left empty for a directory artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome disk cache directory (Simple Cache format).",
    fields: &[],
    mitre_techniques: &[],
    triage_priority: TriagePriority::Medium,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Cache entry proves resource was fetched; evicted under size pressure",
        "Response headers (Last-Modified, ETag) may reveal server-side timestamps",
    ],
    volatility: Some(crate::volatility::VolatilityClass::RotatingBuffer),
    volatility_rationale: "Evicted when cache size limit reached; newest entries overwrite oldest",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};
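/// Chrome SNSS session state of the `Default` profile (open tabs and navigation history).
///
/// `file_path` points at the `Sessions` *directory*, which holds the per-launch session
/// and tab SNSS files, so the descriptor is typed as a directory like the `Extensions`
/// and `Cache` descriptors; typing it as a single file would make the collector treat a
/// directory path as a file. The live-memory counterpart is listed in
/// `related_artifacts` and is the only source for state not yet flushed to disk.
pub(crate) static BROWSER_CHROME_SESSION: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_session",
    name: "Chrome Session (browser-forensic)",
    // `Sessions` is a directory of SNSS files, not a single file.
    artifact_type: ArtifactType::Directory,
    file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Sessions"),
    // Registry-oriented fields; left empty for a directory artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome SNSS session files (Sessions directory) — open tabs and navigation state.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::Medium,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Tab state reflects last browser close; unreliable if crash occurred",
        "SNSS format is binary and partially documented",
        "Live memory counterpart (browser_chrome_session_memory) captures current open tabs not yet flushed to disk",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale:
        "Sessions file on disk; overwritten on every browser launch by normal Chrome activity",
    retention: None,
    related_artifacts: &["browser_chrome_session_memory"],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
};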
/// Chrome open-tab URLs recovered from `chrome.exe` heap memory.
///
/// Has no on-disk location (`file_path` is `None`) and a `MemoryRegion` type: per the
/// caveats it exists only in a live memory capture and is lost when the process exits,
/// which is why it carries Critical priority despite corroborative strength. Results are
/// raw URL strings without tab or window structure; cross-reference with the on-disk
/// session and history descriptors listed in `related_artifacts`.
pub(crate) static BROWSER_CHROME_SESSION_MEMORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_chrome_session_memory",
    name: "Chrome Session In-Memory Tab State",
    artifact_type: ArtifactType::MemoryRegion,
    // Memory-only artifact: no path to collect from disk.
    file_path: None,
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Chrome open tab URLs extracted from chrome.exe heap pages — captures current session not yet written to SNSS on-disk file.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::Critical,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Requires live memory acquisition; not obtainable from disk image alone",
        "URL strings in heap reflect current session; may include pre-rendered tabs",
        "Heap scan yields raw URL bytes — no tab ordering or window grouping",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "In RAM; lost on reboot or Chrome process termination",
    retention: None,
    related_artifacts: &["browser_chrome_session", "browser_chrome_history"],
    sources: &[
        "https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome",
        "https://github.com/SecurityRonin/memory-forensic",
    ],
};
/// Firefox open-tab URLs recovered from `firefox.exe` heap memory.
///
/// Memory-only (`file_path` is `None`, `MemoryRegion` type); the caveats name
/// `sessionstore-backups.jsonlz4` as the on-disk equivalent, but no descriptor for that
/// file is referenced in `related_artifacts` — only history and downloads are. NOTE(review):
/// if an on-disk Firefox session descriptor exists elsewhere in the catalogue, link it
/// here so the disk/memory pairing mirrors the Chrome descriptors.
pub(crate) static BROWSER_FIREFOX_SESSION_MEMORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_firefox_session_memory",
    name: "Firefox Session In-Memory Tab State",
    artifact_type: ArtifactType::MemoryRegion,
    // Memory-only artifact: no path to collect from disk.
    file_path: None,
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Firefox open tab URLs extracted from firefox.exe heap pages — captures current session not yet checkpointed to sessionstore-backups on disk.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::Critical,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Requires live memory acquisition; not obtainable from disk image alone",
        "URL strings in heap reflect current session; sessionstore-backups.jsonlz4 is the on-disk equivalent",
        "Heap scan yields raw URL bytes — no tab ordering or window grouping",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Volatile),
    volatility_rationale: "In RAM; lost on reboot or Firefox process termination",
    retention: None,
    related_artifacts: &["browser_firefox_history", "browser_firefox_downloads"],
    sources: &[
        "https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox",
        "https://github.com/SecurityRonin/memory-forensic",
    ],
};
/// Firefox `places.sqlite` (history tables `moz_places` / `moz_historyvisits`).
///
/// Unlike the Chrome descriptors this path lives under roaming `%APPDATA%`, and the
/// profile segment is a glob: `*.default*` matches profile directories whose name
/// contains `.default` (e.g. `.default-release`); profiles named differently are not
/// matched, so an empty result is not proof that no Firefox history exists.
pub(crate) static BROWSER_FIREFOX_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_firefox_history",
    name: "Firefox History (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default*\\places.sqlite"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Firefox places.sqlite — moz_places and moz_historyvisits tables.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Same caveats as Chrome history; stored in places.sqlite",
        "Firefox uses moz_places + moz_historyvisits join for full timeline",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Overwritten by browser activity; no fixed size limit",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
};
/// Firefox `cookies.sqlite` (`moz_cookies` table).
///
/// Same profile glob limitation as `BROWSER_FIREFOX_HISTORY` (`*.default*` only). The
/// database holds session tokens, so an acquired copy is credential-equivalent and needs
/// restricted handling; the `isHttpOnly` / `sameSite` flags noted in the caveats help
/// judge which cookies were exposed to page script.
pub(crate) static BROWSER_FIREFOX_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_firefox_cookies",
    name: "Firefox Cookies (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default*\\cookies.sqlite"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Firefox cookies SQLite database (moz_cookies table — host, name, value, expiry, sameSite flags).",
    fields: &[],
    mitre_techniques: &["T1539"],
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Same caveats as Chrome cookies; stored in cookies.sqlite",
        "Firefox stores isHttpOnly and sameSite flags useful for security analysis",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Cookies expire or are overwritten by site updates",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
};
/// Firefox download records (`moz_annos` annotations in `places.sqlite`).
///
/// Shares its `file_path` with `BROWSER_FIREFOX_HISTORY`; the descriptors differ only in
/// which tables are parsed, mirroring the Chrome history/downloads pair. Same `*.default*`
/// profile-glob limitation applies.
pub(crate) static BROWSER_FIREFOX_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_firefox_downloads",
    name: "Firefox Downloads (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default*\\places.sqlite"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::Win7Plus,
    decoder: Decoder::Identity,
    meaning: "Firefox downloads stored as moz_annos annotations in places.sqlite.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::High,
    // Strong: a download record is a concrete action, unlike a bare URL visit.
    evidence_strength: Some(crate::evidence::EvidenceStrength::Strong),
    evidence_caveats: &[
        "Same caveats as Chrome downloads; stored in places.sqlite moz_annos",
        "Download annotations reference moz_places entries",
    ],
    volatility: Some(crate::volatility::VolatilityClass::Persistent),
    volatility_rationale: "Download records persist until user clears history",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
};
/// Safari `History.db` (macOS only; `os_scope` is `MacOS`).
///
/// The path is home-relative (`~`), so the collector must expand it per user rather than
/// from a Windows-style environment variable. The `history_tombstones` table named in the
/// caveats records deleted URLs with timestamps, which makes this the one browser history
/// descriptor here where clearing activity is itself evidence.
pub(crate) static BROWSER_SAFARI_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
    id: "browser_safari_history",
    name: "Safari History (browser-forensic)",
    artifact_type: ArtifactType::File,
    file_path: Some("~/Library/Safari/History.db"),
    // Registry-oriented fields; left empty for a file artifact.
    hive: None,
    key_path: "",
    value_name: None,
    scope: DataScope::Mixed,
    os_scope: OsScope::MacOS,
    decoder: Decoder::Identity,
    meaning: "Safari History.db — history_items, history_visits, history_tombstones.",
    fields: &[],
    mitre_techniques: &["T1217"],
    triage_priority: TriagePriority::High,
    evidence_strength: Some(crate::evidence::EvidenceStrength::Corroborative),
    evidence_caveats: &[
        "Same caveats as Chrome history; stored in History.db",
        "Safari has history_tombstones table tracking deleted URLs with timestamps",
    ],
    volatility: Some(crate::volatility::VolatilityClass::ActivityDriven),
    volatility_rationale: "Overwritten by browser activity; tombstones provide deletion evidence",
    retention: None,
    related_artifacts: &[],
    sources: &["https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"],
};