#![allow(clippy::too_many_lines)]
use super::super::super::types::{
ArtifactDescriptor, ArtifactType, DataScope, Decoder, HiveTarget, OsScope, TriagePriority,
};
/// Chrome `History` SQLite database for the `Default` profile (T1217).
///
/// NOTE(review): only the `Default` profile is covered; additional Chromium
/// profiles live in sibling `Profile N` directories — consider a glob.
pub(crate) static BROWSERS_CHROME_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chrome_history",
name: "Chrome History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome browsing history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome `Default` profile directory (history, cookies, extensions live below it).
///
/// NOTE(review): hard-coded to `Default`; additional Chromium profiles are
/// created as sibling `Profile N` directories and are not covered here.
pub(crate) static BROWSERS_CHROME_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chrome_profile_dir",
name: "Chrome Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome user profile directory containing history, cookies, extensions.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome cookie store (T1539) — High priority because it can hold live session tokens.
///
/// NOTE(review): the `Network\Cookies` location is the newer layout; older Chrome
/// builds kept the file directly under `Default\Cookies` — confirm whether both
/// paths should be collected.
pub(crate) static BROWSERS_CHROME_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chrome_cookies",
name: "Chrome Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Network\\Cookies"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome cookies SQLite database — may contain session tokens.",
mitre_techniques: &["T1539"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chrome disk cache for the `Default` profile; Low priority, no technique mapping.
///
/// NOTE(review): recent Chrome builds write cache entries into a `Cache_Data`
/// subdirectory below this path — confirm the collector descends into it.
pub(crate) static BROWSERS_CHROME_CACHE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chrome_cache_dir",
name: "Chrome Cache Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Cache"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome disk cache. May contain cached pages and files from visited sites.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Installed Chrome extensions for the `Default` profile (T1176).
///
/// NOTE(review): each subdirectory is named by extension id; install provenance
/// is recorded in the profile's preferences files, not here — consider pairing
/// this descriptor with a related artifact for that. Default profile only.
pub(crate) static BROWSERS_CHROME_EXTENSIONS_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chrome_extensions_dir",
name: "Chrome Extensions",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default\\Extensions"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Chrome extensions directory. Malicious extensions may harvest credentials or intercept traffic.",
mitre_techniques: &["T1176"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Edge `History` SQLite database, `Default` profile (T1217).
///
/// NOTE(review): same Chromium layout as Chrome — additional profiles live in
/// sibling `Profile N` directories and are not covered by this path.
pub(crate) static BROWSERS_EDGE_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_edge_history",
name: "Edge (Chromium) History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Edge (Chromium-based) browsing history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Microsoft_Edge"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Edge cookie store (T1539), High priority for session-token exposure.
///
/// NOTE(review): `Network\Cookies` is the newer Chromium layout; older builds
/// stored the file directly under `Default\Cookies` — confirm coverage.
pub(crate) static BROWSERS_EDGE_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_edge_cookies",
name: "Edge (Chromium) Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default\\Network\\Cookies"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Edge cookies database — may contain session tokens.",
mitre_techniques: &["T1539"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Microsoft_Edge"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Chromium-based Edge `Default` profile directory.
///
/// NOTE(review): `mitre_techniques` is empty here while the equivalent Chrome
/// profile-dir descriptor maps T1217 — likely an inconsistency; confirm intent.
/// Default profile only; `Profile N` siblings are not covered.
pub(crate) static BROWSERS_EDGE_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_edge_profile_dir",
name: "Edge Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Microsoft\\Edge\\User Data\\Default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Microsoft Edge user profile directory.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox profile directory, matched by the `*.default-release` glob (T1217).
///
/// NOTE(review): the glob only matches the `default-release` profile; ESR and
/// older installs use `*.default`, and extra profiles carry arbitrary names.
/// `profiles.ini` in the parent directory is the authoritative list — confirm
/// whether the collector should consult it.
pub(crate) static BROWSERS_FIREFOX_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_firefox_profile_dir",
name: "Firefox Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default-release"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox user profile directory — contains places.sqlite, cookies, logins.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `places.sqlite` — history, bookmarks and downloads (T1217).
///
/// NOTE(review): inherits the `*.default-release` glob limitation; profiles
/// named `*.default` (ESR/older) are missed. The database is normally in WAL
/// mode, so `places.sqlite-wal` should be collected alongside it — confirm.
pub(crate) static BROWSERS_FIREFOX_PLACES_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_firefox_places_db",
name: "Firefox Places (History) DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default-release\\places.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox history, bookmarks, and downloads SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox `cookies.sqlite` (T1539), High priority for live session tokens.
///
/// NOTE(review): same `*.default-release` glob limitation as the profile-dir
/// descriptor; `*.default` profiles are not matched.
pub(crate) static BROWSERS_FIREFOX_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_firefox_cookies",
name: "Firefox Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default-release\\cookies.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox cookies database — may contain active session tokens.",
mitre_techniques: &["T1539"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Firefox saved logins (`logins.json`), T1555.003 — the only descriptor in this
/// file with evidence strength and volatility populated.
///
/// NOTE(review): the caveat says the key is "in OS credential store"; Firefox
/// keeps the NSS key database (`key4.db`) inside the same profile directory,
/// optionally protected by a Primary Password — confirm and reword the caveat.
/// The `*.default-release` glob also misses `*.default` profiles.
pub(crate) static BROWSERS_FIREFOX_LOGINS: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_firefox_logins",
name: "Firefox Saved Logins",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Mozilla\\Firefox\\Profiles\\*.default-release\\logins.json"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Firefox saved passwords (encrypted). If master password not set, decryptable.",
mitre_techniques: &["T1555.003"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Critical,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Mozilla_Firefox"],
evidence_strength: Some(crate::evidence::EvidenceStrength::Definitive),
evidence_caveats: &[
"Encrypted browser passwords; key in OS credential store; timestamp shows last use",
],
volatility: Some(crate::volatility::VolatilityClass::Persistent),
volatility_rationale: "Credential store persists until browser profile deletion",
};
/// Brave `History` SQLite database, `Default` profile (T1217).
///
/// NOTE(review): Default profile only; Chromium `Profile N` siblings are not covered.
pub(crate) static BROWSERS_BRAVE_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_brave_history",
name: "Brave History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Brave browser browsing history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://brave.com/privacy/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Brave cookie store (T1539), High priority for session-token exposure.
///
/// NOTE(review): `Network\Cookies` is the newer Chromium layout; older builds
/// kept the file at `Default\Cookies` — confirm coverage. Default profile only.
pub(crate) static BROWSERS_BRAVE_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_brave_cookies",
name: "Brave Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some(
"%LOCALAPPDATA%\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Network\\Cookies",
),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Brave cookies — may contain session tokens.",
mitre_techniques: &["T1539"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://brave.com/privacy/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Opera `History` SQLite database (T1217). Unlike the other Chromium builds in
/// this file, Opera keeps its profile under roaming `%APPDATA%`.
///
/// NOTE(review): Opera GX uses a separate `Opera GX Stable` directory — confirm
/// whether it needs its own descriptor.
pub(crate) static BROWSERS_OPERA_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_opera_history",
name: "Opera History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Opera Software\\Opera Stable\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Opera (Chromium-based) browsing history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://www.opera.com/features/privacy"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Opera profile directory (roaming `%APPDATA%`).
///
/// NOTE(review): `mitre_techniques` is empty while the Chrome profile-dir
/// descriptor maps T1217 — confirm whether the mapping should be consistent.
pub(crate) static BROWSERS_OPERA_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_opera_profile_dir",
name: "Opera Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Opera Software\\Opera Stable"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Opera browser user profile directory.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Vivaldi `History` SQLite database, `Default` profile (T1217).
///
/// NOTE(review): Default profile only; Chromium `Profile N` siblings are not covered.
pub(crate) static BROWSERS_VIVALDI_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_vivaldi_history",
name: "Vivaldi History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Vivaldi\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Vivaldi browsing history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://vivaldi.com/privacy/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Vivaldi `Default` profile directory.
///
/// NOTE(review): rated Low while the Chrome, Edge and Opera profile-dir
/// descriptors are Medium, and `mitre_techniques` is empty — confirm whether
/// the difference is intentional.
pub(crate) static BROWSERS_VIVALDI_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_vivaldi_profile_dir",
name: "Vivaldi Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Vivaldi\\User Data\\Default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Vivaldi browser user profile directory.",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Safari `History.db` (macOS), T1217.
///
/// NOTE(review): `file_path` is a POSIX `~/Library` path and `meaning` says
/// macOS, yet `os_scope` is `Win7Plus` — a Windows-only collector would never
/// resolve this. Confirm whether `OsScope` has a non-Windows variant to use here.
pub(crate) static BROWSERS_SAFARI_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_safari_history",
name: "Safari History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Safari/History.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Safari browsing history SQLite database (macOS).",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Safari `Cookies.binarycookies` (macOS), T1539, High priority.
///
/// NOTE(review): POSIX path with `os_scope: Win7Plus` — same mismatch as the
/// other Safari entries; confirm the intended `OsScope`. On sandboxed Safari
/// builds the file lives under `~/Library/Containers/com.apple.Safari/...` —
/// confirm which location(s) should be collected.
pub(crate) static BROWSERS_SAFARI_COOKIES: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_safari_cookies",
name: "Safari Cookies",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Cookies/Cookies.binarycookies"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Safari cookies binary file (macOS) — may contain session tokens.",
mitre_techniques: &["T1539"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Safari `Downloads.plist` (macOS); no technique mapping.
///
/// NOTE(review): POSIX path with `os_scope: Win7Plus` — same mismatch as the
/// other Safari entries; confirm the intended `OsScope`.
pub(crate) static BROWSERS_SAFARI_DOWNLOADS: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_safari_downloads",
name: "Safari Downloads Plist",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/Library/Safari/Downloads.plist"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Safari download history plist (macOS).",
mitre_techniques: &[],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Apple_Safari"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Internet Explorer `History` directory (T1217).
///
/// NOTE(review): on Win7+ the visit records themselves are in the ESE database
/// described by `browsers_ie_webcache_db`; this directory is mostly a container.
/// Consider listing that descriptor in `related_artifacts`.
pub(crate) static BROWSERS_IE_HISTORY_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_ie_history_dir",
name: "Internet Explorer History",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Microsoft\\Windows\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Internet Explorer cached history (WebCache). Contains visited URLs.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE / legacy Edge `WebCacheV01.dat` ESE database (T1217).
///
/// NOTE(review): this ESE database is typically open and in a dirty state while
/// the owning process runs, and needs its transaction logs (`V01*.log` in the
/// same directory) to be recovered cleanly — confirm the collector gathers
/// the sibling log files too.
pub(crate) static BROWSERS_IE_WEBCACHE_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_ie_webcache_db",
name: "Internet Explorer WebCache DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Microsoft\\Windows\\WebCache\\WebCacheV01.dat"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Internet Explorer / Edge Legacy WebCache ESE database — contains history, cookies, downloads.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://www.sans.org/blog/how-to-use-ie-history-as-a-forensic-artifact/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// IE `TypedURLs` registry key in NTUSER.DAT (T1217) — the only registry-backed
/// descriptor in this file (`scope: User`, `hive: NtUser`).
///
/// NOTE(review): the sibling `TypedURLsTime` key holds per-entry timestamps on
/// newer Windows versions — confirm whether it warrants its own descriptor.
pub(crate) static BROWSERS_IE_TYPED_URLS: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_ie_typed_urls",
name: "Internet Explorer Typed URLs",
artifact_type: ArtifactType::RegistryKey,
hive: Some(HiveTarget::NtUser),
key_path: "Software\\Microsoft\\Internet Explorer\\TypedURLs",
value_name: None,
file_path: None,
scope: DataScope::User,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "URLs manually typed into the IE address bar (NTUSER.DAT).",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Tor Browser profile directory (T1090, T1217), High priority.
///
/// NOTE(review): Tor Browser is distributed as a portable bundle and is commonly
/// unpacked outside `%APPDATA%` (e.g. on the Desktop); this fixed path will miss
/// such installs — confirm whether a broader search is intended.
pub(crate) static BROWSERS_TOR_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_tor_profile_dir",
name: "Tor Browser Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\tor-browser\\Browser\\TorBrowser\\Data\\Browser\\profile.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Tor Browser Firefox profile — usage indicates anonymous browsing intent.",
mitre_techniques: &["T1090", "T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Tor Browser `places.sqlite` (T1090), High priority.
///
/// NOTE(review): Tor Browser ships with history disabled by default, so this
/// database is usually near-empty; its presence is still a strong usage
/// indicator. Same fixed-path limitation as `browsers_tor_profile_dir`.
pub(crate) static BROWSERS_TOR_PLACES_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_tor_places_db",
name: "Tor Browser Places DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\tor-browser\\Browser\\TorBrowser\\Data\\Browser\\profile.default\\places.sqlite"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Tor Browser history database — may contain .onion URLs.",
mitre_techniques: &["T1090"],
fields: &[],
retention: None,
triage_priority: TriagePriority::High,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Waterfox (Firefox fork) profile directory, `*.default` glob (T1217).
///
/// NOTE(review): profile directory names are not guaranteed to end in
/// `.default`; `profiles.ini` in the parent directory is authoritative — confirm.
pub(crate) static BROWSERS_WATERFOX_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_waterfox_profile_dir",
name: "Waterfox Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Waterfox\\Profiles\\*.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Waterfox (Firefox fork) user profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// LibreWolf (Firefox fork) profile directory, `*.default` glob (T1217).
///
/// NOTE(review): Firefox-family profiles may use `*.default-release` or custom
/// names as well; `profiles.ini` is the authoritative list — confirm.
pub(crate) static BROWSERS_LIBREWOLF_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_librewolf_profile_dir",
name: "LibreWolf Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\librewolf\\Profiles\\*.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "LibreWolf (privacy-focused Firefox fork) user profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Upstream Chromium `History` SQLite database, `Default` profile (T1217).
///
/// NOTE(review): Default profile only; `Profile N` siblings are not covered.
pub(crate) static BROWSERS_CHROMIUM_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_chromium_history",
name: "Chromium History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Chromium\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Open-source Chromium browser browsing history database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Medium,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Google_Chrome"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Pale Moon (Goanna engine) profile directory, `*.default` glob (T1217), Low priority.
pub(crate) static BROWSERS_PALEMOON_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_palemoon_profile_dir",
name: "Pale Moon Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Moonchild Productions\\Pale Moon\\Profiles\\*.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Pale Moon (Goanna-based) browser user profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// SeaMonkey suite profile directory, `*.default` glob (T1217), Low priority.
/// The profile also holds mail data, so expect more than browser artifacts inside.
pub(crate) static BROWSERS_SEAMONKEY_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_seamonkey_profile_dir",
name: "SeaMonkey Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Mozilla\\SeaMonkey\\Profiles\\*.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "SeaMonkey internet suite (browser + email) profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Basilisk (Goanna engine) profile directory, `*.default` glob (T1217), Low priority.
pub(crate) static BROWSERS_BASILISK_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_basilisk_profile_dir",
name: "Basilisk Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Moonchild Productions\\Basilisk\\Profiles\\*.default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Basilisk (Goanna-based Firefox fork) browser profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Falkon (Qt/QtWebEngine) `default` profile directory (T1217), Low priority.
pub(crate) static BROWSERS_FALKON_PROFILE_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_falkon_profile_dir",
name: "Falkon Profile Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\falkon\\profiles\\default"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Falkon (formerly QupZilla) Qt-based browser profile directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Midori configuration/history directory (T1217), Low priority.
///
/// NOTE(review): `file_path` is a POSIX `~/.config` path and `meaning` says
/// Linux/macOS, yet `os_scope` is `Win7Plus` — same mismatch as the Safari
/// entries; confirm the intended `OsScope`.
pub(crate) static BROWSERS_MIDORI_CONFIG_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_midori_config_dir",
name: "Midori Config Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("~/.config/midori"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Midori lightweight browser configuration and history (Linux/macOS).",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Min (Electron) browser `history.db` (T1217), Low priority.
pub(crate) static BROWSERS_MIN_HISTORY_DB: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_min_history_db",
name: "Min Browser History",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\min\\userdata\\history.db"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Min (Electron-based minimalist browser) history SQLite database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Maxthon history directory (T1217), Low priority.
///
/// NOTE(review): `name` says "User Data Directory" but `file_path` points at the
/// `History` folder of the single `guest` user — the id, name and path disagree.
/// Either rename the descriptor or lift the path to `Maxthon5\Users`; other
/// Maxthon user slots are not covered as written.
pub(crate) static BROWSERS_MAXTHON_USER_DATA_DIR: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_maxthon_user_data_dir",
name: "Maxthon User Data Directory",
artifact_type: ArtifactType::Directory,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%APPDATA%\\Maxthon5\\Users\\guest\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Maxthon browser history directory.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://forensicswiki.xyz/wiki/index.php?title=Browsers"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};
/// Slimjet (Chromium-based) `History` SQLite database, `Default` profile (T1217).
///
/// NOTE(review): Default profile only; `Profile N` siblings are not covered.
pub(crate) static BROWSERS_SLIMJET_HISTORY: ArtifactDescriptor = ArtifactDescriptor {
id: "browsers_slimjet_history",
name: "Slimjet History DB",
artifact_type: ArtifactType::File,
hive: None,
key_path: "",
value_name: None,
file_path: Some("%LOCALAPPDATA%\\Slimjet\\User Data\\Default\\History"),
scope: DataScope::Mixed,
os_scope: OsScope::Win7Plus,
decoder: Decoder::Identity,
meaning: "Slimjet (Chromium-based) browsing history database.",
mitre_techniques: &["T1217"],
fields: &[],
retention: None,
triage_priority: TriagePriority::Low,
related_artifacts: &[],
sources: &["https://www.slimjet.com/"],
evidence_strength: None,
evidence_caveats: &[],
volatility: None,
volatility_rationale: "",
};