diff --git a/README.md b/README.md index 1ac7580..68126b9 100644 --- a/README.md +++ b/README.md @@ -28,6 +28,15 @@ Scripts located in `windows/` directory. Run as Administrator for full access. - **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU - Supports `-ShowAll` or `-MaxPerType N` parameters - Parses PIDL binary data to extract file paths +- **Get-JumpLists.ps1** - Jump List artifacts per application + - Shows automatic/custom destinations and recent LNK files + - Smart app detection via content analysis + - Supports `-ShowAll` or `-MaxPerApp N` parameters +- **Get-TypedURLs.ps1** - Manually typed URLs from browsers + - IE (registry), Edge, Chrome, Chromium, Firefox + - Shows typed counts and visit frequencies + - Supports all browser profiles automatically + - Requires sqlite3.exe for Chromium-based browsers #### System Information - **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.) @@ -35,6 +44,16 @@ Scripts located in `windows/` directory. Run as Administrator for full access. - `-Mode simple` - Just usernames (default) - `-Mode detailed` - Key info with last logon times - `-Mode full` - Complete details including groups and SIDs +- **winfetch.ps1** - System info display with ASCII art (fastfetch-inspired) + - Windows 11 logo with ANSI colors + - `-Logo small` for compact output + +#### Developer & Security Artifacts +- **Get-SSHArtifacts.ps1** - SSH forensic artifacts + - Known hosts with connection counts + - SSH config, keys, authorized_keys + - PuTTY sessions and OpenSSH server logs + - Supports `-ShowKeys` to display public key contents ### Usage Examples diff --git a/TODO.md b/TODO.md index c550ad2..6beb266 100644 --- a/TODO.md +++ b/TODO.md @@ -24,7 +24,7 @@ ### Browser & Search History - [ ] Browser history - Edge, Chrome, Firefox artifacts -- [ ] Typed URLs - URLs manually typed in browsers +- [x] Typed URLs - URLs manually typed in browsers - [ ] Search terms - Windows Search history ### File Access diff --git a/windows/Get-TypedURLs.ps1 b/windows/Get-TypedURLs.ps1 new file mode 100644 index 0000000..640bb4e --- /dev/null +++ b/windows/Get-TypedURLs.ps1 @@ -0,0 +1,222 @@ +# Get-TypedURLs.ps1 +# Extracts manually typed URLs from browsers (IE, Edge, Chrome, Firefox) + +param( + [int]$MaxPerBrowser = 20, + [switch]$ShowAll +) + +Write-Host "=== Typed URLs ===" -ForegroundColor Cyan +Write-Host "URLs manually typed into browser address bars`n" + +if ($ShowAll) { + $MaxPerBrowser = [int]::MaxValue +} + +$foundAny = $false + +# Internet Explorer - TypedURLs from Registry +Write-Host "--- Internet Explorer (Registry) ---" -ForegroundColor Yellow +try { + $ieTypedURLs = "HKCU:\Software\Microsoft\Internet Explorer\TypedURLs" + + if (Test-Path $ieTypedURLs) { + $urls = Get-ItemProperty -Path $ieTypedURLs -ErrorAction SilentlyContinue + $urlList = @() + + # IE stores as url1, url2, url3, etc. + for ($i = 1; $i -le 50; $i++) { + $urlKey = "url$i" + if ($urls.$urlKey) { + $urlList += $urls.$urlKey + } + } + + if ($urlList.Count -gt 0) { + $foundAny = $true + $count = 0 + foreach ($url in $urlList) { + $count++ + Write-Host " $count. $url" -ForegroundColor Green + if ($count -ge $MaxPerBrowser) { break } + } + Write-Host " Total: $($urlList.Count)" -ForegroundColor Gray + } else { + Write-Host " No typed URLs found" -ForegroundColor Gray + } + } else { + Write-Host " Registry key not found" -ForegroundColor Gray + } +} catch { + Write-Host " Error: $_" -ForegroundColor Red +} + +# Function to parse Chrome/Edge History SQLite database +function Get-ChromiumTypedURLs { + param( + [string]$historyPath, + [string]$browserName, + [int]$maxResults + ) + + Write-Host " Checking: $historyPath" -ForegroundColor Gray + + if (-not (Test-Path $historyPath)) { + Write-Host " History database not found" -ForegroundColor Gray + return + } + + try { + # Copy database to temp (Chrome locks it when running) + $tempDB = "$env:TEMP\history_temp_$(Get-Random).db" + + # Try to copy, might fail if browser is running + try { + Copy-Item -Path $historyPath -Destination $tempDB -Force -ErrorAction Stop + } catch { + Write-Host " Database locked - close $browserName and try again" -ForegroundColor Yellow + return + } + + # Load SQLite assembly (if available) + try { + Add-Type -Path "System.Data.SQLite.dll" -ErrorAction Stop + } catch { + # Try to use sqlite3.exe if available + $sqlite3 = Get-Command sqlite3.exe -ErrorAction SilentlyContinue + + if ($sqlite3) { + $query = "SELECT url, typed_count FROM urls WHERE typed_count > 0 ORDER BY typed_count DESC LIMIT $maxResults;" + $result = & sqlite3.exe $tempDB $query + + if ($result) { + $foundAny = $true + $count = 0 + foreach ($line in $result) { + $parts = $line -split '\|' + if ($parts.Length -ge 2) { + $count++ + Write-Host " $count. $($parts[0])" -ForegroundColor Green + Write-Host " Typed: $($parts[1]) times" -ForegroundColor Gray + } + } + } else { + Write-Host " No typed URLs found" -ForegroundColor Gray + } + } else { + Write-Host " SQLite not available - install sqlite3.exe or System.Data.SQLite" -ForegroundColor Yellow + Write-Host " Database location: $historyPath" -ForegroundColor Cyan + } + } + } catch { + Write-Host " Error reading database: $_" -ForegroundColor Red + } finally { + # Always clean up temp database + if (Test-Path $tempDB -ErrorAction SilentlyContinue) { + Remove-Item -Path $tempDB -Force -ErrorAction SilentlyContinue + } + } +} + +# Microsoft Edge +Write-Host "`n--- Microsoft Edge ---" -ForegroundColor Yellow +$edgeHistory = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History" +Get-ChromiumTypedURLs -historyPath $edgeHistory -browserName "Edge" -maxResults $MaxPerBrowser + +# Google Chrome +Write-Host "`n--- Google Chrome ---" -ForegroundColor Yellow +$chromeHistory = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History" +Get-ChromiumTypedURLs -historyPath $chromeHistory -browserName "Chrome" -maxResults $MaxPerBrowser + +# Ungoogled Chromium / Chromium - Check all profiles +Write-Host "`n--- Chromium (Ungoogled) ---" -ForegroundColor Yellow +$chromiumUserData = "$env:LOCALAPPDATA\Chromium\User Data" + +if (Test-Path $chromiumUserData) { + # Check Default profile + $chromiumHistory = "$chromiumUserData\Default\History" + if (Test-Path $chromiumHistory) { + Write-Host " Profile: Default" -ForegroundColor Cyan + Get-ChromiumTypedURLs -historyPath $chromiumHistory -browserName "Chromium" -maxResults $MaxPerBrowser + } + + # Check numbered profiles (Profile 1, Profile 2, etc.) + $profiles = Get-ChildItem -Path $chromiumUserData -Directory -Filter "Profile*" -ErrorAction SilentlyContinue + foreach ($profile in $profiles) { + $profileHistory = Join-Path $profile.FullName "History" + if (Test-Path $profileHistory) { + Write-Host " Profile: $($profile.Name)" -ForegroundColor Cyan + Get-ChromiumTypedURLs -historyPath $profileHistory -browserName "Chromium" -maxResults $MaxPerBrowser + } + } +} else { + Write-Host " Chromium not installed" -ForegroundColor Gray +} + +# Firefox +Write-Host "`n--- Mozilla Firefox ---" -ForegroundColor Yellow +try { + $firefoxProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles" + + if (Test-Path $firefoxProfiles) { + $profiles = Get-ChildItem -Path $firefoxProfiles -Directory -ErrorAction SilentlyContinue + + if ($profiles) { + foreach ($profile in $profiles) { + $placesDB = Join-Path $profile.FullName "places.sqlite" + + if (Test-Path $placesDB) { + Write-Host " Profile: $($profile.Name)" -ForegroundColor Cyan + + # Copy to temp + $tempDB = "$env:TEMP\places_temp_$(Get-Random).db" + Copy-Item -Path $placesDB -Destination $tempDB -Force -ErrorAction Stop + + # Try sqlite3.exe + $sqlite3 = Get-Command sqlite3.exe -ErrorAction SilentlyContinue + + if ($sqlite3) { + # Firefox uses visit_count in moz_places, but doesn't track typed specifically + # We look for high visit counts as proxy + $query = "SELECT url, visit_count FROM moz_places WHERE visit_count > 5 ORDER BY visit_count DESC LIMIT $MaxPerBrowser;" + $result = & sqlite3.exe $tempDB $query + + if ($result) { + $foundAny = $true + $count = 0 + foreach ($line in $result) { + $parts = $line -split '\|' + if ($parts.Length -ge 2) { + $count++ + Write-Host " $count. $($parts[0])" -ForegroundColor Green + Write-Host " Visits: $($parts[1])" -ForegroundColor Gray + } + } + } else { + Write-Host " No frequently visited URLs found" -ForegroundColor Gray + } + } else { + Write-Host " SQLite not available" -ForegroundColor Yellow + Write-Host " Database location: $placesDB" -ForegroundColor Cyan + } + + Remove-Item -Path $tempDB -Force -ErrorAction SilentlyContinue + } + } + } else { + Write-Host " No Firefox profiles found" -ForegroundColor Gray + } + } else { + Write-Host " Firefox not installed or no profiles" -ForegroundColor Gray + } +} catch { + Write-Host " Error: $_" -ForegroundColor Red +} + +if (-not $foundAny) { + Write-Host "`nNo typed URLs found in any browser" -ForegroundColor Gray +} + +Write-Host "`nNote: Requires sqlite3.exe in PATH for Chrome/Edge/Firefox parsing" -ForegroundColor Yellow +Write-Host "Download from: https://www.sqlite.org/download.html" -ForegroundColor Cyan +Write-Host "Or install via: winget install SQLite.SQLite" -ForegroundColor Cyan