Extracts and analyzes browser history, cookies, cache, downloads, and bookmarks from Chrome, Firefox, and Edge using SQLite queries and bash scripts for digital forensics.
npx claudepluginhub killvxk/cybersecurity-skills-zh
- When investigating a user's web activity during a forensic examination
# Mount the forensic image read-only (NTFS volume starting at sector 2048, 512-byte sectors)
mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence
# Chrome artifact location (Windows)
CHROME_WIN="/mnt/evidence/Users/suspect/AppData/Local/Google/Chrome/User Data/Default"
# Key files: History, Cookies, Login Data, Web Data, Bookmarks, Preferences
# Firefox artifact location (Windows). The profile directory name is random, so resolve the
# glob here; a glob inside double quotes never expands when the variable is used later.
FIREFOX_WIN=$(ls -d /mnt/evidence/Users/suspect/AppData/Roaming/Mozilla/Firefox/Profiles/*.default-release | head -n 1)
# Key files: places.sqlite, cookies.sqlite, formhistory.sqlite, logins.json (plus key4.db, which holds the key logins.json is encrypted with)
# Edge (Chromium) artifact location (Windows); same layout and file names as Chrome
EDGE_WIN="/mnt/evidence/Users/suspect/AppData/Local/Microsoft/Edge/User Data/Default"
# Copy artifacts to the working directory. Note that Chrome has no separate "Downloads" file:
# downloads live in the `downloads` table inside History. Copy the -journal/-wal/-shm sidecars
# as well, since uncheckpointed changes (including recently deleted rows) live there, not in the main file.
mkdir -p /cases/case-2024-001/browser/{chrome,firefox,edge} /cases/case-2024-001/analysis
for f in History Cookies "Login Data" "Web Data" Bookmarks Preferences; do
cp "$CHROME_WIN"/"$f"* /cases/case-2024-001/browser/chrome/
cp "$EDGE_WIN"/"$f"* /cases/case-2024-001/browser/edge/
done
cp "$FIREFOX_WIN"/{places.sqlite,cookies.sqlite,formhistory.sqlite,logins.json,key4.db}* \
/cases/case-2024-001/browser/firefox/
# Hash the copied artifacts to document their integrity (write the list outside the tree being hashed)
find /cases/case-2024-001/browser/ -type f -exec sha256sum {} \; \
> /cases/case-2024-001/artifact_hashes.txt
# Query the Chrome History database: one row per visit. The core transition type is in the
# low 8 bits of visits.transition; redirects are qualifier flags in the high bits
sqlite3 /cases/case-2024-001/browser/chrome/History << 'SQL'
.headers on
.mode csv
.output /cases/case-2024-001/analysis/chrome_history.csv
SELECT
urls.url,
urls.title,
datetime(visits.visit_time/1000000-11644473600, 'unixepoch') AS visit_time,
datetime(urls.last_visit_time/1000000-11644473600, 'unixepoch') AS last_visit,
urls.visit_count,
urls.typed_count,
visits.transition & 0xFF AS transition_type,
CASE WHEN visits.transition & 0x80000000 THEN 'server_redirect'
WHEN visits.transition & 0x40000000 THEN 'client_redirect' ELSE '' END AS redirect,
visits.from_visit
FROM urls
LEFT JOIN visits ON urls.id = visits.url
ORDER BY visits.visit_time DESC;
SQL
# Extract Chrome download records (danger_type 0 = not dangerous, 1 = dangerous file; state 1 = complete)
sqlite3 /cases/case-2024-001/browser/chrome/History << 'SQL'
.headers on
.mode csv
.output /cases/case-2024-001/analysis/chrome_downloads.csv
SELECT
current_path,
tab_url AS source_url,
total_bytes,
datetime(start_time/1000000-11644473600, 'unixepoch') AS start_time,
datetime(end_time/1000000-11644473600, 'unixepoch') AS end_time,
state,
danger_type,
mime_type
FROM downloads
ORDER BY start_time DESC;
SQL
# Query history from Firefox places.sqlite (timestamps are microseconds since the Unix epoch, so no epoch offset is needed)
sqlite3 /cases/case-2024-001/browser/firefox/places.sqlite << 'SQL'
.headers on
.mode csv
.output /cases/case-2024-001/analysis/firefox_history.csv
SELECT
moz_places.url,
moz_places.title,
datetime(moz_historyvisits.visit_date/1000000, 'unixepoch') AS visit_date,
moz_places.visit_count,
moz_historyvisits.visit_type
FROM moz_places
JOIN moz_historyvisits ON moz_places.id = moz_historyvisits.place_id
ORDER BY moz_historyvisits.visit_date DESC;
SQL
# Extract Chrome cookies. The cookie value is stored in encrypted_value (DPAPI-protected on
# Windows), so the plaintext `value` column is normally empty; the metadata is still in the clear.
# Session cookies have expires_utc = 0 and therefore show an expiry of 1601-01-01
sqlite3 /cases/case-2024-001/browser/chrome/Cookies << 'SQL'
.headers on
.mode csv
.output /cases/case-2024-001/analysis/chrome_cookies.csv
SELECT host_key, name, path,
datetime(creation_utc/1000000-11644473600, 'unixepoch') AS created,
datetime(last_access_utc/1000000-11644473600, 'unixepoch') AS last_access,
datetime(expires_utc/1000000-11644473600, 'unixepoch') AS expires,
is_secure, is_httponly, length(encrypted_value) AS encrypted_len
FROM cookies ORDER BY last_access_utc DESC;
SQL
# Note: Chrome Login Data is encrypted with DPAPI (Windows) or the Keychain (macOS)
# Extract the stored login URLs and usernames (password_value is an encrypted BLOB and is not selected)
sqlite3 /cases/case-2024-001/browser/chrome/"Login Data" << 'SQL'
.headers on
.mode csv
.output /cases/case-2024-001/analysis/chrome_logins.csv
SELECT origin_url, action_url, username_value,
datetime(date_created/1000000-11644473600, 'unixepoch') AS date_created,
times_used
FROM logins ORDER BY date_last_used DESC;
SQL
# Install Hindsight
pip install pyhindsight
# Run Hindsight against the copied Chrome profile (-i takes a profile directory, here the
# copied contents of "User Data/Default"; -f selects sqlite, jsonl or xlsx output)
hindsight -i "/cases/case-2024-001/browser/chrome/" \
-o /cases/case-2024-001/analysis/hindsight_report \
-f xlsx
# Hindsight extracts automatically:
# - browsing history with timestamps
# - download records with their source URLs
# - cookies (decrypted where possible)
# - cache records, Local Storage entries, autofill data
# - saved passwords (still encrypted), session/tab restore data
| Concept | Description |
|---|---|
| Chrome timestamps | Microseconds since 1 January 1601 (WebKit/Chrome epoch); 0 means "never set" |
| Firefox timestamps | Microseconds since 1 January 1970 (Unix epoch at microsecond resolution) |
| Transition types | How a URL was reached. Chrome `visits.transition`: the core type is in the low 8 bits (link 0, typed 1, auto bookmark 2, generated 5, start page 6, form submit 7, reload 8) and redirects are qualifier flags in the high bits (client 0x40000000, server 0x80000000). Firefox `visit_type`: link 1, typed 2, bookmark 3, permanent redirect 5, temporary redirect 6, download 7 |
| DPAPI encryption | Windows Data Protection API, used to protect stored passwords and cookie values (Chrome 80+ wraps an AES-GCM key with DPAPI in the Local State file) |
| places.sqlite | Firefox's combined history and bookmarks database |
| SQLite WAL | Write-ahead log; may still hold recently changed or deleted browser records that were never checkpointed into the main database file |
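The epoch arithmetic and bit layout in the table above, as an added example (not code from the original page or from Hindsight). The constants follow Chromium's page_transition_types.h and Firefox's visit_type values; the sample inputs in the test are constructed, not real evidence:

```python
"""Convert Chrome/Firefox timestamps and decode Chromium transition values (added example)."""
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chrome/WebKit epoch
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)    # Firefox PRTime epoch
# Seconds between the two epochs: the 11644473600 used in the sqlite3 queries above
EPOCH_DELTA_SECONDS = int((UNIX_EPOCH - WEBKIT_EPOCH).total_seconds())

# Chromium core transition types (low 8 bits of visits.transition)
CHROME_CORE_TYPES = {
    0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 4: "manual_subframe",
    5: "generated", 6: "auto_toplevel", 7: "form_submit", 8: "reload",
    9: "keyword", 10: "keyword_generated",
}
# Chromium qualifier flags (high bits); several may be set at once
CHROME_QUALIFIERS = {
    0x01000000: "forward_back", 0x02000000: "from_address_bar", 0x04000000: "home_page",
    0x08000000: "from_api", 0x10000000: "chain_start", 0x20000000: "chain_end",
    0x40000000: "client_redirect", 0x80000000: "server_redirect",
}
# Firefox moz_historyvisits.visit_type
FIREFOX_VISIT_TYPES = {
    1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
    6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload",
}


def chrome_time(value):
    """Chrome/WebKit microseconds -> aware UTC datetime; 0 or NULL means 'never set'."""
    if not value:
        return None
    return WEBKIT_EPOCH + timedelta(microseconds=int(value))


def firefox_time(value):
    """Firefox microseconds since the Unix epoch -> aware UTC datetime."""
    if not value:
        return None
    return UNIX_EPOCH + timedelta(microseconds=int(value))


def decode_chrome_transition(value):
    """Split visits.transition into (core type name, [qualifier names]).

    SQLite may hand the value back as a negative signed integer when the
    server_redirect bit (0x80000000) is set, so mask to 32 bits before testing bits.
    """
    t = int(value) & 0xFFFFFFFF
    core = CHROME_CORE_TYPES.get(t & 0xFF, f"unknown({t & 0xFF})")
    qualifiers = [name for bit, name in CHROME_QUALIFIERS.items() if t & bit]
    return core, qualifiers


def firefox_visit_type(value):
    """Name a Firefox visit_type value."""
    return FIREFOX_VISIT_TYPES.get(int(value), f"unknown({value})")


if __name__ == "__main__":
    # Constructed sample values, not taken from a real profile
    print(chrome_time(13_300_000_000_000_000), firefox_time(1_655_526_400_000_000))
    print(decode_chrome_transition(0x30000001), decode_chrome_transition(-1879048192))
    print(firefox_visit_type(5))
```

Both converters return timezone-aware datetimes so that results can be compared directly against proxy or EDR logs without a silent local-time shift.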
| Tool | Purpose |
|---|---|
| Hindsight | Comprehensive Chrome/Chromium forensic analysis tool |
| sqlite3 | Command-line query tool for SQLite databases |
| DB Browser for SQLite | GUI for browsing SQLite databases |
| BrowsingHistoryView | NirSoft cross-browser history viewer |
| KAPE | Automated artifact collection, including browser data |
| Autopsy | Full forensic platform with browser artifact ingest modules |
Scenario 1: Phishing investigation. Extract browser history around the time of the reported phishing event, identify the phishing URLs that were visited, check the download records for malicious attachments, and inspect cookies for session tokens that may have been stolen.
Scenario 2: Data exfiltration via cloud services. Search for cloud-storage URLs (Dropbox, Google Drive, OneDrive, Mega), review download and upload records, and look for cloud-service session cookies that were active during the investigation window.
Scenario 3: Policy violation investigation. Extract the complete browsing history for the investigation period, categorise the sites visited, record timestamps and dwell times, and corroborate against network proxy logs.
Scenario 4: Malware delivery vector analysis. Trace the redirect chain that led to a drive-by download, examine the downloads database for the malware payload, and check the cache for exploit-kit landing pages.
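Scenarios 2 and 4 both come down to walking the `visits` table: `from_visit` links each visit to the one that caused it, and the redirect qualifier bits say whether a hop was a server (HTTP 3xx) or client (JavaScript/meta-refresh) redirect. The following added example (not code from the original page or from Hindsight) reconstructs the redirect chain behind a download and sweeps history for cloud-storage hosts. It runs against a constructed, in-memory stand-in for the Chrome History file that keeps only the columns used here; the URLs, timestamps and the `CLOUD_HOSTS` list are assumptions for illustration:

```python
"""Redirect-chain and download-provenance reconstruction from Chrome History (added example)."""
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CHAIN_START, CHAIN_END = 0x10000000, 0x20000000   # Chromium transition qualifiers
CLIENT_REDIRECT, SERVER_REDIRECT = 0x40000000, 0x80000000
LINK, TYPED = 0, 1                                 # core transition types
CLOUD_HOSTS = ("dropbox.com", "drive.google.com", "onedrive.live.com", "mega.nz")  # assumed list


def chrome_time(us):
    return None if not us else WEBKIT_EPOCH + timedelta(microseconds=int(us))


def build_sample_history():
    """Constructed History-like database: a link click that 302s to a landing page, which
    client-redirects to an .exe, followed later by a typed Dropbox visit. Not real evidence."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, typed_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER,
                             from_visit INTEGER, transition INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, current_path TEXT, tab_url TEXT,
                                start_time INTEGER, total_bytes INTEGER, state INTEGER,
                                danger_type INTEGER, mime_type TEXT);""")
    t0 = 13_350_000_000_000_000  # constructed base time, microseconds since 1601
    urls = [(1, "https://mail.example/inbox", "Inbox"), (2, "https://lnk.example/x", ""),
            (3, "https://cdn.example/landing", "Landing"), (4, "https://payload.example/invoice.exe", ""),
            (5, "https://www.dropbox.com/s/abc123/export.zip", "Dropbox")]
    visits = [  # (id, url id, visit_time, from_visit, transition)
        (1, 1, t0, 0, CHAIN_START | CHAIN_END | TYPED),
        (2, 2, t0 + 5_000_000, 1, CHAIN_START | LINK),
        (3, 3, t0 + 5_200_000, 2, SERVER_REDIRECT | LINK),
        (4, 4, t0 + 5_900_000, 3, CLIENT_REDIRECT | CHAIN_END | LINK),
        (5, 5, t0 + 60_000_000, 0, CHAIN_START | CHAIN_END | TYPED)]
    conn.executemany("INSERT INTO urls VALUES (?,?,?,1,0,?)",
                     [(i, u, t, next(v[2] for v in visits if v[1] == i)) for i, u, t in urls])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", visits)
    conn.execute("INSERT INTO downloads VALUES (1,?,?,?,240640,1,1,'application/x-msdownload')",
                 (r"C:\Users\suspect\Downloads\invoice.exe",
                  "https://payload.example/invoice.exe", t0 + 6_000_000))
    conn.commit()
    return conn


def redirect_chain(conn, visit_id):
    """Walk from_visit backwards while each hop carries a redirect flag. The first visit
    without one is the page the user actually reached on purpose (the chain 'origin')."""
    chain = []
    while visit_id:
        row = conn.execute("SELECT u.url, v.transition, v.from_visit, v.visit_time FROM visits v "
                           "JOIN urls u ON u.id = v.url WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break
        url, transition, from_visit, visit_time = row
        t = int(transition) & 0xFFFFFFFF  # SQLite may return the value as a negative int
        kind = ("server_redirect" if t & SERVER_REDIRECT else
                "client_redirect" if t & CLIENT_REDIRECT else "origin")
        chain.append({"url": url, "kind": kind, "time": chrome_time(visit_time)})
        if kind == "origin":
            break
        visit_id = from_visit
    chain.reverse()  # chronological: origin first, final landing page last
    return chain


def redirect_chains(conn):
    """Every multi-hop chain, keyed off visits that close a chain (CHAIN_END set)."""
    chains = []
    for vid, transition in conn.execute("SELECT id, transition FROM visits ORDER BY visit_time"):
        if (int(transition) & 0xFFFFFFFF) & CHAIN_END:
            chain = redirect_chain(conn, vid)
            if len(chain) > 1:
                chains.append(chain)
    return chains


def cloud_storage_visits(conn, hosts=CLOUD_HOSTS):
    """Scenario 2: sweep urls for cloud-storage hosts; returns (url, last visit) pairs."""
    clause = " OR ".join("url LIKE ?" for _ in hosts)
    rows = conn.execute(f"SELECT url, last_visit_time FROM urls WHERE {clause} "
                        "ORDER BY last_visit_time", [f"%{h}%" for h in hosts]).fetchall()
    return [(url, chrome_time(t)) for url, t in rows]


def download_provenance(conn):
    """Scenario 4: for each download, find the latest visit to its tab_url before the
    download started and reconstruct the redirect chain that led there."""
    out = []
    for path, tab_url, start, danger in conn.execute(
            "SELECT current_path, tab_url, start_time, danger_type FROM downloads"):
        row = conn.execute("SELECT v.id FROM visits v JOIN urls u ON u.id = v.url WHERE u.url = ? "
                           "AND v.visit_time <= ? ORDER BY v.visit_time DESC LIMIT 1",
                           (tab_url, start)).fetchone()
        out.append({"path": path, "source_url": tab_url, "started": chrome_time(start),
                    "danger_type": danger, "chain": redirect_chain(conn, row[0]) if row else []})
    return out


if __name__ == "__main__":
    db = build_sample_history()
    for chain in redirect_chains(db):
        print(" -> ".join(f"{hop['url']} [{hop['kind']}]" for hop in chain))
    for d in download_provenance(db):
        print(d["path"], "danger_type", d["danger_type"], "via", [h["url"] for h in d["chain"]])
    print(cloud_storage_visits(db))
```

To run this against a real case, replace `build_sample_history()` with `sqlite3.connect("file:/cases/case-2024-001/browser/chrome/History?mode=ro", uri=True)`; the three query functions only touch the `urls`, `visits` and `downloads` columns that exist in the real schema.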