# KAPE GitHub repository survey (Targets/Antivirus, Browsers)

## Targets/Antivirus/AVG.tkape

### Description

AVG logs.

### Artifact Location

```
- Name: AVG AV Logs (XP)
  Category: Antivirus
  Path: C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\log
  Recursive: true
- Name: AVG AV Report Logs (XP)
  Category: Antivirus
  Path: C:\Documents and Settings\All Users\Application Data\AVG\Antivirus\report
  Recursive: true
- Name: AVG AV Logs
  Category: Antivirus
  Path: C:\ProgramData\AVG\Antivirus\log
  Recursive: true
- Name: AVG Report Logs
  Category: Antivirus
  Path: C:\ProgramData\AVG\Antivirus\report
  Recursive: true
- Name: AVG Persistent Logs
  Category: Antivirus
  Path: C:\ProgramData\AVG\Persistent Data\Antivirus\Logs
  Recursive: true
- Name: AVG FileInfo DB
  Category: Antivirus
  Path: C:\ProgramData\AVG\Antivirus
  FileMask: FileInfo2.db
  Recursive: true
- Name: AVG lsdbj2 JSON
  Category: Antivirus
  Path: C:\ProgramData\AVG\Antivirus
  FileMask: lsdb2.json
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when AVG is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/Avast.tkape

### Description

Avast logs.

### Artifact Location

```
- Name: Avast AV Logs (XP)
  Category: Antivirus
  Path: C:\Documents And Settings\All Users\Application Data\Avast Software\Avast\Log\
  Recursive: true
- Name: Avast AV Logs
  Category: Antivirus
  Path: C:\ProgramData\Avast Software\Avast\Log\
  Recursive: true
- Name: Avast AV User Logs
  Category: Antivirus
  Path: C:\Users\%user%\Avast Software\Avast\Log\
  Recursive: true
- Name: Avast AV Index
  Category: Antivirus
  Path: C:\ProgramData\Avast Software\Avast\Chest\
  FileMask: index.xml
- Name: Avast Persistent Data Logs
  Category: Antivirus
  Path: C:\ProgramData\Avast Software\Persistent Data\Avast\Logs
  Recursive: true
- Name: Avast Icarus Logs
  Category: Antivirus
  Path: C:\ProgramData\Avast Software\Icarus\Logs
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Avast is in use.

### ToDo

Add to KAPE targets (already included, but several target files have been added upstream).

## Targets/Antivirus/AviraAVLogs.tkape

### Description

Avira logs.

### Artifact Location

```
- Name: Avira Activity Logs
  Category: Antivirus
  Path: C:\ProgramData\Avira\Antivirus\LOGFILES\
  Recursive: true
  Comment: "Collects the scan logs of Avira Antivirus"
- Name: Avira Security Logs
  Category: Antivirus
  Path: C:\ProgramData\Avira\Security\Logs
  Recursive: true
- Name: Avira VPN Logs
  Category: Antivirus
  Path: C:\ProgramData\Avira\VPN
  Recursive: true
  Comment: "Collects the VPN logs"
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Avira is in use.

### ToDo

Add to KAPE targets (already included, but several target files have been added upstream).

## Targets/Antivirus/Bitdefender.tkape

### Description

Bitdefender logs.

### Artifact Location

```
- Name: Bitdefender Endpoint Security Logs
  Category: Antivirus
  Path: C:\ProgramData\Bitdefender\Endpoint Security\Logs\
  Recursive: true
- Name: Bitdefender Internet Security Logs
  Category: Antivirus
  Path: C:\ProgramData\Bitdefender\Desktop\Profiles\Logs\
  Recursive: true
- Name: Bitdefender SQLite DB Files
  Category: Antivirus
  Path: C:\Program Files*\Bitdefender*\
  Recursive: true
  FileMask: regex:*.+\.(db|db-wal|db-shm)
  Comment: "Bitdefender SQLite databases"
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Bitdefender is in use.

### ToDo

Add to KAPE targets (already included, but several target files have been added upstream).

## Targets/Antivirus/Combofix.tkape

### Description

ComboFix logs.

### Artifact Location

```
- Name: ComboFix
  Category: Antivirus
  Path: C:\
  FileMask: ComboFix.txt
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when ComboFix has been run.

### ToDo

Not needed; already added.

## Targets/Antivirus/Cybereason.tkape

### Description

Cybereason logs.

### Artifact Location

```
- Name: Cybereason Anti-Ransomware Logs
  Category: Antivirus
  Path: C:\ProgramData\crs1\Logs
  Recursive: true
- Name: Cybereason Sensor Communications and Anti-Malware Logs
  Category: Antivirus
  Path: C:\ProgramData\apv2\Logs
  Recursive: true
- Name: Cybereason Application Control and NGAV Logs
  Category: Antivirus
  Path: C:\ProgramData\crb1\Logs
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Cybereason is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/ESET.tkape

### Description

ESET logs.

### Artifact Location

```
- Name: ESET NOD32 AV Logs (XP)
  Category: Antivirus
  Path: C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Logs\
  Recursive: true
- Name: ESET NOD32 AV Logs
  Category: Antivirus
  Path: C:\ProgramData\ESET\ESET NOD32 Antivirus\Logs\
  Recursive: true
  Comment: "Parser available at https://github.com/laciKE/EsetLogParser"
- Name: ESET NOD32 AV Logs
  Category: Antivirus
  Path: C:\ProgramData\ESET\ESET Security\Logs
  Recursive: true
- Name: ESET Remote Administrator Logs
  Category: Antivirus
  Path: C:\ProgramData\ESET\RemoteAdministrator\Agent\EraAgentApplicationData\Logs
  Comment: "Remote Administrator logs include information on tasks executed on the target."
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when ESET is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/Emsisoft.tkape

### Description

Emsisoft logs.

### Artifact Location

```
- Name: Emsisoft Scan Logs
  Category: ApplicationLogs
  Path: C:\ProgramData\Emsisoft\Reports\
  FileMask: scan*.txt
  Comment: "Can contain file detection and quarantine info"
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Emsisoft is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/FSecure.tkape

### Description

F-Secure logs.

### Artifact Location

```
- Name: F-Secure Logs
  Category: Antivirus
  Path: C:\ProgramData\F-Secure\Log\
  Recursive: true
- Name: F-Secure User Logs
  Category: Antivirus
  Path: C:\Users\%user%\AppData\Local\F-Secure\Log\
  Recursive: true
- Name: F-Secure Scheduled Scan Reports
  Category: Antivirus
  Path: C:\ProgramData\F-Secure\Antivirus\ScheduledScanReports\
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when F-Secure is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/HitmanPro.tkape

### Description

HitmanPro logs.

### Artifact Location

```
- Name: HitmanPro Logs
  Category: Antivirus
  Path: C:\ProgramData\HitmanPro\Logs\
  Recursive: true
- Name: HitmanPro Alert Logs
  Category: Antivirus
  Path: C:\ProgramData\HitmanPro.Alert\Logs\
  Recursive: true
- Name: HitmanPro Database
  Category: Antivirus
  Path: C:\ProgramData\HitmanPro.Alert\
  FileMask: excalibur.db
  Comment: "SQLite DB"
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when HitmanPro is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/Malwarebytes.tkape

### Description

Malwarebytes logs.

### Artifact Location

```
- Name: MalwareBytes Anti-Malware Logs
  Category: Antivirus
  Path: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\
  FileMask: 'mbam-log-*.xml'
- Name: MalwareBytes Anti-Malware Service Logs
  Category: Antivirus
  Path: C:\ProgramData\Malwarebytes\MBAMService\logs\
  FileMask: mbamservice.log*
- Name: MalwareBytes Anti-Malware Scan Logs
  Category: Antivirus
  Path: C:\Users\%user%\AppData\Roaming\Malwarebytes\Malwarebytes Anti-Malware\Logs\
  Recursive: true
- Name: MalwareBytes Anti-Malware Scan Results Logs
  Category: Antivirus
  Path: C:\ProgramData\Malwarebytes\MBAMService\ScanResults
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Malwarebytes is in use.

### ToDo

Add to KAPE targets (already included, but the set of collected files has grown).

## Targets/Antivirus/McAfee.tkape

### Description

McAfee logs. Already added.

## Targets/Antivirus/McAfee_ePO.tkape

### Description

McAfee ePO (asset management software) logs. Already collected.

## Targets/Antivirus/SUPERAntiSpyware.tkape

### Description

SUPERAntiSpyware logs. Already collected.

## Targets/Antivirus/SecureAge.tkape

### Description

SecureAge logs.

### Artifact Location

```
- Name: SecureAge Antvirus Logs
  Category: Antivirus
  Path: C:\ProgramData\SecureAge Technology\SecureAge\log\
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when SecureAge is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/SentinelOne.tkape

### Description

SentinelOne logs. Already collected.

## Targets/Antivirus/Sophos.tkape

### Description

Sophos logs. Already collected.

## Targets/Antivirus/Symantec_AV_Logs.tkape

### Description

Symantec AV logs.

### Artifact Location

```
- Name: Symantec Endpoint Protection Logs (XP)
  Category: Antivirus
  Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Logs\AV\
  Recursive: true
- Name: Symantec Endpoint Protection Logs
  Category: Antivirus
  Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Logs\
  Recursive: true
- Name: Symantec Endpoint Protection User Logs
  Category: Antivirus
  Path: C:\Users\%user%\AppData\Local\Symantec\Symantec Endpoint Protection\Logs\
  Recursive: true
- Name: Symantec Event Log Win7+
  Category: EventLogs
  Path: C:\Windows\System32\winevt\logs\
  FileMask: Symantec Endpoint Protection Client.evtx
  Comment: "Symantec specific Windows event log"
- Name: Symantec Event Log Win7+
  Category: EventLogs
  Path: C:\Windows.old\Windows\System32\winevt\logs\
  FileMask: Symantec Endpoint Protection Client.evtx
  Comment: "Symantec specific Windows event log"
- Name: Symantec Endpoint Protection Manager (SEPM) Application Events
  Category: EventLogs
  Path: ApplicationEvents.tkape
  Comment: "Contains SEPM entries, documented here: https://support.symantec.com/us/en/article.tech196455.html"
- Name: Symantec Endpoint Protection Quarantine (XP)
  Category: Antivirus
  Path: C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\Quarantine\
  Recursive: true
- Name: Symantec Endpoint Protection Quarantine
  Category: Antivirus
  Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\Quarantine\
  Recursive: true
- Name: ccSubSDK Database
  Category: Antivirus
  Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\CmnClnt\ccSubSDK\
  Recursive: true
- Name: registrationInfo.xml
  Category: Antivirus
  Path: C:\ProgramData\Symantec\Symantec Endpoint Protection\*\Data\
  FileMask: registrationInfo.xml
```

Note: the SEPM entry's `Path: ApplicationEvents.tkape` is a reference to another target file (KAPE's compound-target mechanism), not a filesystem path; the Application event log it pulls in will also be collected by any other target that references it.

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when Symantec AV is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/TotalAV.tkape

### Description

TotalAV logs.

### Artifact Location

```
- Name: TotalAV Logs
  Category: Antivirus
  Path: C:\Program Files*\TotalAV\logs
  Recursive: true
- Name: TotalAV Logs
  Category: Antivirus
  Path: C:\ProgramData\TotalAV\logs
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

May be useful when TotalAV is in use.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/TrendMicro.tkape

### Description

Trend Micro AV logs. Already collected.

## Targets/Antivirus/VIPRE.tkape

### Description

VIPRE Business logs. Already collected.

## Targets/Antivirus/Webroot.tkape

### Description

Webroot logs. Already collected.

## Targets/Antivirus/WinDefendDetectionHist.tkape

### Description

Windows Defender detection history.

### Artifact Location

```
- Name: DetectionHistory
  Category: Antivirus
  Path: C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\*\
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Self-evident.

### ToDo

Add to KAPE targets.

## Targets/Antivirus/WindowsDefender.tkape

### Description

Windows Defender logs.

### Artifact Location

```
- Name: Windows Defender Logs
  Category: Antivirus
  Path: C:\ProgramData\Microsoft\Microsoft AntiMalware\Support\
  Recursive: true
- Name: Windows Defender Event Logs
  Category: EventLogs
  Path: C:\Windows\System32\winevt\Logs\
  FileMask: Microsoft-Windows-Windows Defender*.evtx
- Name: Windows Defender Event Logs
  Category: EventLogs
  Path: C:\Windows.old\Windows\System32\winevt\Logs\
  FileMask: Microsoft-Windows-Windows Defender*.evtx
- Name: Windows Defender Logs
  Category: Antivirus
  Path: C:\ProgramData\Microsoft\Windows Defender\Support\
  Recursive: true
- Name: Windows Defender Logs
  Category: Antivirus
  Path: C:\Windows\Temp\
  FileMask: MpCmdRun.log
- Name: Windows Defender Logs
  Category: Antivirus
  Path: C:\Windows.old\Windows\Temp\
  FileMask: MpCmdRun.log
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Self-evident.

### ToDo

Add to KAPE targets (already included, but the set of target files has grown).

## Targets/Browsers/BraveBrowser.tkape

### Description

Brave Browser data of various kinds.

### Artifact Location

```
- Name: Bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Bookmarks*
- Name: Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Cookies*
- Name: Current Session
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Current Session
- Name: Current Tabs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Current Tabs
- Name: Download Metadata
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: DownloadMetadata
- Name: Favicons
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Favicons*
- Name: History
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: History*
- Name: Sessions Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Sessions\
  Recursive: false
- Name: Login Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Login Data
- Name: Network Action Predictor
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Network Action Predictor
- Name: Network Persistent State
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Network Persistent State
- Name: Preferences
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Preferences
- Name: Quota Manager
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: QuotaManager
- Name: Reporting and NEL
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Reporting and NEL
- Name: Shortcuts
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Shortcuts*
- Name: Publisher Info DB/Brave Rewards
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: publisher_info_db*
  Comment: SQLite Database related to "Brave Rewards" containing an event_log table
- Name: Top Sites
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Top Sites*
- Name: Visited Links
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Visited Links*
- Name: Web Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Web Data*
- Name: Secure Preferences
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\BraveSoftware\Brave-Browser\User Data\*\
  FileMask: Secure Preferences*
  Comment: Contains additional preferences data
```

### Investigation required

* Fast forensics target: (existence check only)
* Full forensics target: (content investigation)

### Rationale

Brave appears to be rarely used, so an existence check is judged sufficient for fast forensics.

### ToDo

Add to the reporter. Discard the originally added target?
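The "existence check only" decision above implies a reporter that walks a target's `Path`/`FileMask` patterns and records what is present without copying anything. The Python below is an added example written for this survey, not code from KAPE or from the tkape files: it parses the `Targets:` list of a tkape with a small hand-written parser (the format is plain YAML, so PyYAML works too), expands `%user%` and `*` against an image mounted under a `root` directory (an assumption, so the check runs offline on Linux; matching is case-insensitive to mimic NTFS), lists the files each entry would collect, and flags `(Path, FileMask)` pairs shared by two target files, which is the overlap question that arises whenever targets are merged. KAPE's `regex:` masks are not handled. The tkape excerpts are constructed from the Brave entries quoted on this page plus one hypothetical file that repeats an entry, and `demo()` builds a constructed directory tree in a temp dir.

```python
"""Existence check for KAPE-style targets against a mounted image.
Added example, not KAPE's code.  'root' stands in for C:\\ of an image
mounted on Linux (an assumption); the tkape excerpts and the demo() tree
are constructed."""
import fnmatch
import os
import re
import tempfile
from pathlib import Path

# Layout of a real .tkape (header fields omitted); entries copied from the
# BraveBrowser target quoted on this page.
BRAVE_TKAPE = """\
Description: Brave Browser (constructed excerpt)
Targets:
    -
        Name: History
        Path: C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*\\
        FileMask: History*
    -
        Name: Sessions Folder
        Path: C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\Default\\Sessions\\
        Recursive: false
"""
# Hypothetical second file that repeats the History entry (different case,
# no trailing backslash) so that overlap detection has something to find.
OTHER_TKAPE = """\
Description: Hypothetical merged browser target
Targets:
    -
        Name: Chromium History (all profiles)
        Path: C:\\Users\\%user%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*
        FileMask: history*
"""

def parse_tkape(text):
    """Minimal parser for the Targets: list; each item starts with a bare '-'."""
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        if s == "-":
            cur = {}
            entries.append(cur)
        elif cur is not None and ":" in s:
            key, _, val = s.partition(":")
            cur[key.strip()] = val.strip().strip("'\"")
    return entries

def _expand_dirs(base, segs):
    """Expand one path segment at a time.  Matching is case-insensitive:
    names on a mounted NTFS volume need not match the case in the tkape."""
    if not segs:
        return [base]
    try:
        children = list(base.iterdir())
    except OSError:           # missing directory or unreadable
        return []
    return [p for c in children if fnmatch.fnmatchcase(c.name.lower(), segs[0].lower())
            for p in _expand_dirs(c, segs[1:])]

def expand_target(entry, root):
    """Files under root selected by one entry (no 'regex:' mask support)."""
    rel = re.sub(r"^[A-Za-z]:\\", "", entry["Path"].replace("%user%", "*"))
    segs = [s for s in rel.split("\\") if s]
    recursive = entry.get("Recursive", "false").lower() == "true"
    mask = entry.get("FileMask", "*").lower()   # absent mask == everything
    match = lambda name: fnmatch.fnmatchcase(name.lower(), mask)
    hits = []
    for d in (d for d in _expand_dirs(Path(root), segs) if d.is_dir()):
        if recursive:
            for dirpath, _, files in os.walk(d):
                hits += [Path(dirpath) / f for f in files if match(f)]
        else:
            hits += [p for p in d.iterdir() if p.is_file() and match(p.name)]
    return sorted(hits)

def existence_report(tkape_text, root):
    """[(Name, [relative paths found])]; an empty list means absent."""
    return [(e["Name"], [str(p.relative_to(root)) for p in expand_target(e, root)])
            for e in parse_tkape(tkape_text)]

def overlapping_entries(*tkape_texts):
    """(Path, FileMask) pairs present in more than one file, compared
    case-insensitively and ignoring a trailing backslash."""
    seen = {}
    for text in tkape_texts:
        for e in parse_tkape(text):
            key = (e["Path"].lower().rstrip("\\"), e.get("FileMask", "*").lower())
            seen.setdefault(key, set()).add(text.splitlines()[0])
    return {k: v for k, v in seen.items() if len(v) > 1}

def demo():
    """Build a constructed mini-image in a temp dir and run both checks."""
    root = Path(tempfile.mkdtemp())
    profile = root.joinpath("Users", "alice", "AppData", "Local", "BraveSoftware",
                            "Brave-Browser", "User Data", "Default")
    (profile / "Sessions").mkdir(parents=True)
    (profile / "History").write_bytes(b"SQLite format 3\x00")
    (profile / "History-journal").write_bytes(b"")
    (profile / "Sessions" / "Session_13344473600000000").write_bytes(b"SNSS")
    return existence_report(BRAVE_TKAPE, root), overlapping_entries(BRAVE_TKAPE, OTHER_TKAPE)
```

Against a real mount, call `existence_report(open("BraveBrowser.tkape").read(), "/mnt/image")` for each tkape file chosen for the reporter; an entry with an empty list is the "absent" result the fast-forensics pass is after, and `overlapping_entries` over the whole set shows which entries a merged target would collect twice.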
## Targets/Browsers/BrowserCache.tkape

### Description

Cache of each browser.

### Artifact Location

```
- Name: Chrome Cache Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Cache\
  Recursive: true
- Name: Chromium Edge Cache Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Cache\
  Recursive: true
- Name: Firefox Cache Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Mozilla\Firefox\Profiles\*\
  Recursive: true
- Name: IE 9/10 Cache
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\Temporary Internet Files\
  Recursive: true
- Name: IE Index.dat temp internet files
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Temporary Internet Files\Content.IE5\
  FileMask: index.dat
- Name: IE 11 Cache
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\INetCache\
  Recursive: true
- Name: Edge WebcacheV01.dat
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Windows\WebCache\
- Name: Brave Cache Folder
  Category: Communications
  Path: C:\Users\%users%\AppData\Local\BraveSoftware\Brave-Browser\User Data\Default\Cache\Cache_Data
  Recursive: true
```

Note: the Brave entry uses `%users%`, which is not the `%user%` variable KAPE expands, so as written it would not resolve to the per-user profile directories; check whether upstream has corrected this before relying on it.

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Some entries appear to overlap with other targets. Add to KAPE targets if there is no overlap.

## Targets/Browsers/Chrome.tkape

### Description

Chrome data.

### Artifact Location

```
- Name: Chrome bookmarks XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Bookmarks*
- Name: Chrome Cookies XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Cookies*
- Name: Chrome Current Session XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Current Session
- Name: Chrome Current Tabs XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Current Tabs
- Name: Chrome Favicons XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Favicons*
- Name: Chrome History XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: History*
- Name: Chrome Last Session XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Last Session
- Name: Chrome Last Tabs XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Last Tabs
- Name: Chrome Login Data XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Login Data
- Name: Chrome Preferences XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Preferences
- Name: Chrome Shortcuts XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Shortcuts*
- Name: Chrome Top Sites XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Top Sites*
- Name: Chrome Visited Links XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Visited Links
- Name: Chrome Web Data XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Local Settings\Application Data\Google\Chrome\User Data\*\
  FileMask: Web Data*
- Name: Chrome bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Bookmarks*
- Name: Chrome Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  Recursive: true
  FileMask: Cookies*
- Name: Chrome Current Session
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Current Session
- Name: Chrome Current Tabs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Current Tabs
- Name: Chrome Download Metadata
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: DownloadMetadata
- Name: Chrome Extension Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Extension Cookies
- Name: Chrome Favicons
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Favicons*
- Name: Chrome History
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: History*
- Name: Chrome Last Session
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Last Session
- Name: Chrome Last Tabs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Last Tabs
- Name: Chrome Sessions Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sessions\
  Recursive: false
- Name: Chrome Login Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Login Data
- Name: Chrome Media History
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Media History*
- Name: Chrome Network Action Predictor
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Network Action Predictor
- Name: Chrome Network Persistent State
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Network Persistent State
- Name: Chrome Preferences
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Preferences
- Name: Chrome Quota Manager
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: QuotaManager
- Name: Chrome Reporting and NEL
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Reporting and NEL
- Name: Chrome Shortcuts
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Shortcuts*
- Name: Chrome Top Sites
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Top Sites*
- Name: Chrome Trust Tokens
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Trust Tokens*
- Name: Chrome SyncData Database
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\Sync Data
  FileMask: SyncData.sqlite3
- Name: Chrome Visited Links
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Visited Links
- Name: Chrome Web Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\
  FileMask: Web Data*
- Name: Windows Protect Folder
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\
  Recursive: true
  Comment: "Required for offline decryption"
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Add to KAPE targets (already included, but the set of target files has grown).

## Targets/Browsers/ChromeExtensions.tkape

### Description

Chrome extensions. Already added.

## Targets/Browsers/ChromeFileSystem.tkape

### Description

Contents stored through Chrome's HTML5 File System API.

### Artifact Location

```
- Name: Chrome HTML5 File System Folder
  Category: Communication
  Path: C:\Users\%user%\AppData\Local\Google\Chrome\User Data\*\File System\
  Recursive: true
```

### Investigation required

* Fast forensics target: (existence check)
* Full forensics target: (content investigation)

### Rationale

Unclear whether it is needed for investigation.

### ToDo

Add to the reporter.

## Targets/Browsers/Edge.tkape

### Description

Edge (legacy) data. Already collected.

## Targets/Browsers/EdgeChromium.tkape

### Description

Edge (Chromium) data.

### Artifact Location

```
- Name: Edge bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Bookmarks*
- Name: Edge Collections
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Collections
  FileMask: collectionsSQLite
- Name: Edge Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Cookies*
- Name: Edge Current Session
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Current Session
- Name: Edge Current Tabs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Current Tabs
- Name: Edge Favicons
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Favicons*
- Name: Edge History
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: History*
- Name: Edge Last Session
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Last Session
- Name: Edge Last Tabs
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Last Tabs
- Name: Edge Sessions Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Sessions\
  Recursive: false
- Name: Edge Login Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Login Data
- Name: Edge Media History
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Media History*
- Name: Edge Network Action Predictor
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Network Action Predictor
- Name: Edge Preferences
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Preferences
- Name: Edge Shortcuts
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Shortcuts*
- Name: Edge Top Sites
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Top Sites*
- Name: Edge SyncData Database
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\Sync Data
  FileMask: SyncData.sqlite3
- Name: Edge Bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Bookmarks*
- Name: Edge Visited Links
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Visited Links
- Name: Edge Web Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\
  FileMask: Web Data*
- Name: Windows Protect Folder
  Category: FileSystem
  Path: C:\Users\%user%\AppData\Roaming\Microsoft\Protect\*\
  Recursive: true
  Comment: "Required for offline DPAPI decryption"
- Name: Edge Snapshots Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\Snapshots\*\
  Recursive: true
  Comment: "Grabs folder that appears to have snapshots of Edge Chromium SQLite DBs organized by version #. In testing, there were 3 previous versions of Edge Chromium separated into different folders"
```

Note: the `Edge bookmarks` and `Edge Bookmarks` entries are duplicates (same Path and FileMask); KAPE will simply match the same files twice.

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Add to KAPE targets.

## Targets/Browsers/EdgeFileSystem.tkape

### Description

Contents stored through Edge's HTML5 File System API (the Edge counterpart of ChromeFileSystem).

### Artifact Location

```
- Name: Edge HTML5 File System Folder
  Category: Communication
  Path: C:\Users\%user%\AppData\Local\Microsoft\Edge\User Data\*\File System\
  Recursive: true
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Add to KAPE targets.

## Targets/Browsers/Firefox.tkape

### Description

Firefox data.

### Artifact Location

```
- Name: Addons
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: addons.sqlite*
- Name: Bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\weave\
  FileMask: bookmarks.sqlite*
- Name: Bookmarks
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\bookmarkbackups
  Recursive: true
- Name: Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: cookies.sqlite*
- Name: Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: firefox_cookies.sqlite*
- Name: Downloads
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: downloads.sqlite*
- Name: Extensions
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: extensions.json
- Name: Favicons
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: favicons.sqlite*
- Name: Form history
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: formhistory.sqlite*
- Name: Permissions
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: permissions.sqlite*
- Name: Places
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: places.sqlite*
- Name: Protections
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: protections.sqlite*
- Name: Search
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: search.sqlite*
- Name: Signons
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: signons.sqlite*
- Name: Storage Sync
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: storage-sync.sqlite*
- Name: Webappstore
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: webappstore.sqlite*
- Name: Password
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: key*.db
- Name: Password
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: signon*.*
- Name: Password
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: logins.json
- Name: Preferences
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: prefs.js
- Name: Sessionstore
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\
  FileMask: sessionstore*
- Name: Sessionstore Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Mozilla\Firefox\Profiles\*\sessionstore-backups
  Recursive: true
- Name: Places XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: places.sqlite*
- Name: Downloads XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: downloads.sqlite*
- Name: Form history XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: formhistory.sqlite*
- Name: Cookies XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: cookies.sqlite*
- Name: Signons XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: signons.sqlite*
- Name: Webappstore XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: webappstore.sqlite*
- Name: Favicons XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: favicons.sqlite*
- Name: Addons XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: addons.sqlite*
- Name: Search XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: search.sqlite*
- Name: Password XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: key*.db
- Name: Password XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: signon*.*
- Name: Password XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: logins.json
- Name: Sessionstore XP
  Category: Communications
  Path: C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\*\
  FileMask: sessionstore*
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Add to KAPE targets (already included, but the set of target files has grown).

## Targets/Browsers/InternetExplorer.tkape

### Description

IE data. Already added (some target files have been removed upstream).

## Targets/Browsers/Opera.tkape

### Description

Opera data.

### Artifact Location

```
- Name: Opera - Local Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\Opera Software\Opera Stable
  Recursive: true
  Comment: Grabs entire contents of the Opera AppData\Local folder
- Name: Opera - Roaming Folder
  Category: Communications
  Path: C:\Users\%user%\AppData\Roaming\Opera Software\Opera Stable
  Recursive: true
  Comment: Grabs entire contents of the Opera AppData\Roaming folder
```

### Investigation required

* Fast forensics target: (content investigation)
* Full forensics target: (content investigation)

### Rationale

Needed for investigation.

### ToDo

Add to KAPE targets (already included, but the target files have changed).

## Targets/Browsers/PuffinSecureBrowser.tkape

### Description

Puffin Secure Browser data.

### Artifact Location

```
- Name: Puffin - data.db
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: data.db
  Comment: "Grabs an important database file that contains browser history"
- Name: Puffin - Autocomplete Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: autocompletes.dat
  Comment: "Grabs a file that stores autocomplete data"
- Name: Puffin - Password Forms Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: passwordForms.dat
  Comment: "Grabs a file that stores some saved password data"
- Name: Puffin - Password (Encrypted)
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: credential.dat
  Comment: "Grabs a file that stores passwords in an encrypted format"
- Name: Puffin - Subscription Data
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: subscription
  Comment: "Grabs a file that stores the user's email address that's associated with their Puffin subscription"
- Name: Puffin - Cookies
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser
  FileMask: cookies.dat
  Comment: "Grabs a file that stores information related to cookies"
- Name: Puffin - Image Cache
  Category: Communications
  Path: C:\Users\%user%\AppData\Local\PuffinSecureBrowser\image_cache
  Recursive: true
  Comment: "Grabs a directory that caches images from websites visited"
```

### Investigation required

* Fast forensics target: (existence check only)
* Full forensics target: (content investigation)

### Rationale

Likely useful if present.

### ToDo

Add to the reporter.
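Several of the browser targets above (Chrome, Edge Chromium, Brave) collect the `History*` SQLite database and mark it for content investigation. As an added example, not part of this survey or of KAPE, the Python below shows the first step of that investigation once the file has been collected: open the copy read-only, join `visits` to `urls`, convert the WebKit timestamps (microseconds since 1601-01-01 UTC) to aware UTC datetimes, and decode the core page-transition type from the low byte of `visits.transition` (the high bits are qualifiers such as chain start/end). The sample database is constructed in memory with only the columns used here; real History files have many more tables and columns, and the same code applies to Chrome, Edge and Brave because they share the Chromium schema.

```python
"""Timeline the visits in a Chromium-family History database.
Added example; not KAPE's code.  build_sample_history() creates a
constructed, cut-down schema so the script runs without a real profile."""
import sqlite3
from datetime import datetime, timedelta, timezone

# Chromium stores times as microseconds since 1601-01-01 00:00:00 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Core PageTransition values (low byte of visits.transition); the high
# bits are qualifiers such as CHAIN_START/CHAIN_END and are masked off.
TRANSITION_CORE = {
    0: "LINK", 1: "TYPED", 2: "AUTO_BOOKMARK", 3: "AUTO_SUBFRAME",
    4: "MANUAL_SUBFRAME", 5: "GENERATED", 6: "AUTO_TOPLEVEL",
    7: "FORM_SUBMIT", 8: "RELOAD", 9: "KEYWORD", 10: "KEYWORD_GENERATED",
}


def webkit_to_datetime(us):
    """Convert a WebKit/Chromium timestamp to an aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def open_history_copy(path):
    """Open a *copied* History file read-only.  Copy the -journal/-wal
    sidecars next to it (the KAPE masks use History* for that reason) and
    never open the live file of a running browser."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def build_sample_history(conn):
    """Constructed subset of the real schema: urls + visits only."""
    conn.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, from_visit INTEGER,
                             transition INTEGER);
    """)
    # 13344473600000000 us after 1601-01-01 == Unix 1700000000
    # == 2023-11-14T22:13:20Z.  All values below are constructed.
    conn.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.test/login", "Sign in", 1, 13344473600000000),
        (2, "https://example.test/dl/agent.zip", "agent.zip", 1, 13344473690000000),
    ])
    conn.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, 13344473600000000, 0, 0x10000001),  # TYPED | CHAIN_START
        (2, 2, 13344473690000000, 1, 0x30000000),  # LINK | CHAIN_START|END
    ])
    conn.commit()


def visit_timeline(conn):
    """Return (utc_iso, url, title, core_transition) ordered by time."""
    rows = conn.execute("""
        SELECT v.visit_time, u.url, u.title, v.transition
        FROM visits v JOIN urls u ON u.id = v.url
        ORDER BY v.visit_time
    """).fetchall()
    return [
        (webkit_to_datetime(t).isoformat(), url, title,
         TRANSITION_CORE.get(tr & 0xFF, f"UNKNOWN({tr & 0xFF})"))
        for t, url, title, tr in rows
    ]


def demo():
    """Run the timeline against the constructed in-memory database."""
    conn = sqlite3.connect(":memory:")
    build_sample_history(conn)
    return visit_timeline(conn)


if __name__ == "__main__":
    for when, url, title, kind in demo():
        print(f"{when}  {kind:<8}  {url}  ({title})")
```

For a collected file, replace the in-memory connection with `open_history_copy("/path/to/collected/History")`; the `from_visit` column, kept in the sample but not used here, links a visit to the one it was navigated from and is the next thing to pull when reconstructing how a user reached a download.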