Extract Microsoft Edge Screenshots from History file #69

Open
istrosec-mino opened this issue Jan 12, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@istrosec-mino

SQLECmd version
1.0.0.0

Describe the solution you'd like
I already implemented an smap file (provided below), but I would like to see if it's possible to add image extraction of the data column. The column is stored as a BLOB in the table edge_visits. For now I added a simple hint to the output so users can find these images themselves.

```yaml
Description: Chromium Browser History Screenshots
Author: Michal Minar
Email: [email protected]
Id: 2ff9fe76-b191-422b-abf7-976e8e540326
Version: 1.0
CSVPrefix: ChromiumBrowser
FileName: History
IdentifyQuery: SELECT count(*) FROM sqlite_master WHERE type='table' AND (name='edge_visits');
IdentifyValue: 1
Queries:
    -
        Name: Chromium Browser History Screenshots
        Query: |
                SELECT
                datetime( visit_time / 1000000 + ( strftime( '%s', '1601-01-01' ) ), 'unixepoch', 'localtime' ) as VisitTime,
                u.url as URL,
                u.title as Title,
                'See the image yourself under History (file)/edge_visits (table)/data (column)' as Hint
                FROM edge_visits ev
                JOIN visits v
                on v.id = ev.visit_id
                JOIN urls u
                on u.id=v.url
                WHERE ev.data NOT NULL
                ORDER BY visit_time ASC;
        BaseFileName: ScreenshotsList

# Documentation
# https://medium.com/@DCSO_CyTec/microsoft-edge-forensics-screenshot-history-703b9b8392f8
# So far I found only a few (one to be precise) articles regarding screenshots saved into History file when browsing the Web using Microsoft Edge.
```

Additional context
MS Edge added a new settings option to their browser, which saves screenshots when browsing the web. So far I found only one article and I was able to extract screenshots on my local machine using the steps provided in that article.

@AndrewRathbun
Collaborator

Assigned @EricZimmerman to provide insight re: blob extraction capabilities. Maybe this is already a part of the sqlite dll but I don't know at this time.
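
For examiners who need the images before any tool support exists, the BLOB extraction requested in this issue can be done outside SQLECmd. The following is an added example, not part of SQLECmd or of either post above: it assumes only the tables and columns used in the map's query, and the function names, the constructed sample database and the magic-byte format detection are assumptions of this example (the page does not state the image format).

```python
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Image format is not stated on the page; sniffing magic bytes is an assumption.
MAGIC = ((b"\xff\xd8\xff", ".jpg"), (b"\x89PNG\r\n\x1a\n", ".png"))
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
QUERY = """SELECT ev.visit_id, v.visit_time, u.url, ev.data
FROM edge_visits ev JOIN visits v ON v.id = ev.visit_id JOIN urls u ON u.id = v.url
WHERE ev.data IS NOT NULL ORDER BY v.visit_time ASC"""

def sniff_ext(blob):
    """Pick an extension from the leading bytes; unknown content stays .bin."""
    return next((ext for magic, ext in MAGIC if blob.startswith(magic)), ".bin")

def extract_screenshots(history_path, out_dir):
    """Write each edge_visits.data BLOB to out_dir and return an index of the files."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    # mode=ro: never write to the evidence copy of the History file.
    con = sqlite3.connect(Path(history_path).resolve().as_uri() + "?mode=ro", uri=True)
    index = []
    try:
        for visit_id, visit_time, url, data in con.execute(QUERY):
            blob = bytes(data)
            name = f"visit_{visit_id}{sniff_ext(blob)}"
            (out / name).write_bytes(blob)
            when = EPOCH_1601 + timedelta(microseconds=visit_time)  # UTC, not localtime
            index.append({"visit_id": visit_id, "visit_time_utc": when.isoformat(),
                          "url": url, "file": name, "sha256": hashlib.sha256(blob).hexdigest()})
    finally:
        con.close()
    return index

def build_constructed_history(path):
    """Constructed sample holding only the tables and columns the map's query uses."""
    con = sqlite3.connect(path)
    con.executescript("""CREATE TABLE urls(id INTEGER, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER, url INTEGER, visit_time INTEGER);
        CREATE TABLE edge_visits(visit_id INTEGER, data BLOB);
        INSERT INTO urls VALUES (1, 'https://example.test/', 'Example');
        INSERT INTO visits VALUES (10, 1, 13349577600000000), (11, 1, 13349577601000000);
        INSERT INTO edge_visits VALUES (10, X'FFD8FFE000104A464946'), (11, NULL);""")
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_history(f"{tmp}/History")
        print(extract_screenshots(f"{tmp}/History", f"{tmp}/out"))
```

The returned index carries a SHA-256 per extracted file, so each image can be tied back to its visit row in a report.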
