Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add retrieval browser data "Snapshots" folder #680

Merged
merged 3 commits into from
Jul 22, 2024
Merged

Add retrieval browser data "Snapshots" folder #680

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
fc00fbc
Add retrieval of browser data from "Snapshots" folder for Chrome and …
mick-314 May 31, 2024
9103085
Add test cases "Snapshots" directory for Chrome and Edge browsers on …
mick-314 Jun 1, 2024
20acb4f
Merge branch 'main' into fix/include-browser-snapshots-folder
Horofic Jul 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions dissect/target/plugins/apps/browser/chrome.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ class ChromePlugin(ChromiumMixin, BrowserPlugin):
DIRS = [
# Windows
"AppData/Local/Google/Chrome/User Data/Default",
"AppData/Local/Google/Chrome/User Data/Snapshots/*/Default",
"AppData/Local/Google/Chrome/continuousUpdates/User Data/Default",
"Local Settings/Application Data/Google/Chrome/User Data/Default",
# Linux
Expand Down
11 changes: 6 additions & 5 deletions dissect/target/plugins/apps/browser/chromium.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,11 +79,12 @@
users_dirs: list[tuple] = []
for user_details in self.target.user_details.all_with_home():
for d in hist_paths:
cur_dir: TargetPath = user_details.home_path.joinpath(d)
cur_dir = cur_dir.resolve()
if not cur_dir.exists() or (user_details, cur_dir) in users_dirs:
continue
users_dirs.append((user_details, cur_dir))
home_dir: TargetPath = user_details.home_path
for cur_dir in home_dir.glob(d):
cur_dir = cur_dir.resolve()
if not cur_dir.exists() or (user_details.user, cur_dir) in users_dirs:
continue

Check warning on line 86 in dissect/target/plugins/apps/browser/chromium.py

View check run for this annotation

Codecov / codecov/patch

dissect/target/plugins/apps/browser/chromium.py#L86 

Added line #L86 was not covered by tests
users_dirs.append((user_details, cur_dir))
return users_dirs

def _iter_db(
Expand Down
1 change: 1 addition & 0 deletions dissect/target/plugins/apps/browser/edge.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,6 +28,7 @@ class EdgePlugin(ChromiumMixin, BrowserPlugin):
".var/app/com.microsoft.Edge/config/microsoft-edge/Default",
# Windows
"AppData/Local/Microsoft/Edge/User Data/Default",
"AppData/Local/Microsoft/Edge/User Data/Snapshots/*/Default",
# Macos
"Library/Application Support/Microsoft Edge/Default",
]
Expand Down
54 changes: 51 additions & 3 deletions tests/plugins/apps/browser/test_chrome.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,9 +32,21 @@ def target_chrome_unix(target_unix_users: Target, fs_unix: VirtualFilesystem) ->
yield target_unix_users


@pytest.fixture
def target_chrome_win_snapshot(target_win_users: Target, fs_win: VirtualFilesystem) -> Iterator[Target]:
fs_win.map_dir(
"Users\\John\\AppData\\Local\\Google\\Chrome\\User Data\\Snapshots\\116.0.5038.150\\Default",
absolute_path("_data/plugins/apps/browser/chrome/"),
)

target_win_users.add_plugin(ChromePlugin)

yield target_win_users


@pytest.mark.parametrize(
"target_platform",
["target_chrome_win", "target_chrome_unix"],
["target_chrome_win", "target_chrome_unix", "target_chrome_win_snapshot"],
)
def test_chrome_history(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand All @@ -54,7 +66,7 @@ def test_chrome_history(target_platform: Target, request: pytest.FixtureRequest)

@pytest.mark.parametrize(
"target_platform",
["target_chrome_win", "target_chrome_unix"],
["target_chrome_win", "target_chrome_unix", "target_chrome_win_snapshot"],
)
def test_chrome_downloads(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand All @@ -71,7 +83,7 @@ def test_chrome_downloads(target_platform: Target, request: pytest.FixtureReques

@pytest.mark.parametrize(
"target_platform",
["target_chrome_win", "target_chrome_unix"],
["target_chrome_win", "target_chrome_unix", "target_chrome_win_snapshot"],
)
def test_chrome_extensions(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand Down Expand Up @@ -204,3 +216,39 @@ def test_windows_chrome_cookies_dpapi(target_win_users_dpapi: Target, fs_win: Vi
"GPS": "1",
"PREF": "tz=Europe.Berlin",
}


def test_chrome_windows_snapshots(target_win_users: Target, fs_win: VirtualFilesystem) -> None:
base_dir = "Users\\John\\AppData\\Local\\Google\\Chrome\\User Data\\Default"
snapshot_dirs = [
"Users\\John\\AppData\\Local\\Google\\Chrome\\User Data\\Snapshots\\116.0.5038.150\\Default",
"Users\\John\\AppData\\Local\\Google\\Chrome\\User Data\\Snapshots\\119.0.7845.119\\Default",
]
profile_dirs = [base_dir] + snapshot_dirs

for dir in profile_dirs:
fs_win.map_dir(
dir,
absolute_path("_data/plugins/apps/browser/chrome/"),
)

target_win_users.add_plugin(ChromePlugin)

records_list = [
list(target_win_users.chrome.history()),
list(target_win_users.chrome.extensions()),
list(target_win_users.chrome.downloads()),
]

# Loop over the different types of records and verify we have the same amount of records in each profile directory.
for records in records_list:
assert set(["chrome"]) == set(record.browser for record in records)

base_path_records = [r for r in records if str(r.source.parent).endswith(base_dir)]

for snapshot_dir in snapshot_dirs:
# Retrieve records that are in the snapshot's directory.
snapshot_records = [r for r in records if str(r.source.parent).endswith(snapshot_dir)]

# We map the same files in each of the snapshot directories.
assert len(base_path_records) == len(snapshot_records)
54 changes: 51 additions & 3 deletions tests/plugins/apps/browser/test_edge.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -31,9 +31,21 @@ def target_edge_unix(target_unix_users, fs_unix):
yield target_unix_users


@pytest.fixture
def target_edge_win_snapshot(target_win_users: Target, fs_win: VirtualFilesystem) -> Iterator[Target]:
fs_win.map_dir(
"Users\\John\\AppData\\Local\\Microsoft\\Edge\\User Data\\Snapshots\\116.0.5038.150\\Default",
absolute_path("_data/plugins/apps/browser/edge/"),
)

target_win_users.add_plugin(EdgePlugin)

yield target_win_users


@pytest.mark.parametrize(
"target_platform",
["target_edge_win", "target_edge_unix"],
["target_edge_win", "target_edge_unix", "target_edge_win_snapshot"],
)
def test_edge_history(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand All @@ -50,7 +62,7 @@ def test_edge_history(target_platform: Target, request: pytest.FixtureRequest) -

@pytest.mark.parametrize(
"target_platform",
["target_edge_win", "target_edge_unix"],
["target_edge_win", "target_edge_unix", "target_edge_win_snapshot"],
)
def test_edge_downloads(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand All @@ -67,7 +79,7 @@ def test_edge_downloads(target_platform: Target, request: pytest.FixtureRequest)

@pytest.mark.parametrize(
"target_platform",
["target_edge_win", "target_edge_unix"],
["target_edge_win", "target_edge_unix", "target_edge_win_snapshot"],
)
def test_edge_extensions(target_platform: Target, request: pytest.FixtureRequest) -> None:
target_platform = request.getfixturevalue(target_platform)
Expand Down Expand Up @@ -129,3 +141,39 @@ def test_unix_edge_passwords_gnome_plugin(target_edge_unix: Target, fs_unix: Vir
assert records[0].decrypted_username == "username"
assert records[0].decrypted_password is None
assert records[0].url == "https://test.com/"


def test_edge_windows_snapshots(target_win_users: Target, fs_win: VirtualFilesystem) -> None:
base_dir = "Users\\John\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default"
snapshot_dirs = [
"Users\\John\\AppData\\Local\\Microsoft\\Edge\\User Data\\Snapshots\\116.0.5038.150\\Default",
"Users\\John\\AppData\\Local\\Microsoft\\Edge\\User Data\\Snapshots\\119.0.7845.119\\Default",
]
profile_dirs = [base_dir] + snapshot_dirs

for dir in profile_dirs:
fs_win.map_dir(
dir,
absolute_path("_data/plugins/apps/browser/edge/"),
)

target_win_users.add_plugin(EdgePlugin)

records_list = [
list(target_win_users.edge.history()),
list(target_win_users.edge.extensions()),
list(target_win_users.edge.downloads()),
]

# Loop over the different types of records and verify we have the same amount of records in each profile directory.
for records in records_list:
assert set(["edge"]) == set(record.browser for record in records)

base_path_records = [r for r in records if str(r.source.parent).endswith(base_dir)]

for snapshot_dir in snapshot_dirs:
# Retrieve records that are in the snapshot's directory.
snapshot_records = [r for r in records if str(r.source.parent).endswith(snapshot_dir)]

# We map the same files in each of the snapshot directories.
assert len(base_path_records) == len(snapshot_records)
Loading