mnerv/artif
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add typed URLs extraction with multi-profile support

Browse Source 
Add Get-TypedURLs.ps1 for browser typed URL forensics:
- IE (registry), Edge, Chrome, Chromium (all profiles), Firefox
- Auto-detects all browser profiles (Default, Profile 1, 2, etc.)
- Shows typed counts and visit frequencies
- Proper DB locking/cleanup with finally blocks
- Requires sqlite3.exe for Chromium-based browsers

Update README.md and TODO.md with recent scripts.
This commit is contained in:
mnerv
2026-02-03 22:25:56 +01:00
parent d41fa4d4bd
commit aa4e6fa88f
3 changed files with 242 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@@ -28,6 +28,15 @@ Scripts located in `windows/` directory. Run as Administrator for full access.
- **Get-RecentDocs.ps1** - Recently opened documents from OpenSavePidlMRU
- Supports `-ShowAll` or `-MaxPerType N` parameters
- Parses PIDL binary data to extract file paths
- **Get-JumpLists.ps1** - Jump List artifacts per application
- Shows automatic/custom destinations and recent LNK files
- Smart app detection via content analysis
- Supports `-ShowAll` or `-MaxPerApp N` parameters
- **Get-TypedURLs.ps1** - Manually typed URLs from browsers
- IE (registry), Edge, Chrome, Chromium, Firefox
- Shows typed counts and visit frequencies
- Supports all browser profiles automatically
- Requires sqlite3.exe for Chromium-based browsers
#### System Information
- **Get-Info.ps1** - Comprehensive system information (user, OS, network, disk, etc.)
@@ -35,6 +44,16 @@ Scripts located in `windows/` directory. Run as Administrator for full access.
- `-Mode simple` - Just usernames (default)
- `-Mode detailed` - Key info with last logon times
- `-Mode full` - Complete details including groups and SIDs
- **winfetch.ps1** - System info display with ASCII art (fastfetch-inspired)
- Windows 11 logo with ANSI colors
- `-Logo small` for compact output
#### Developer & Security Artifacts
- **Get-SSHArtifacts.ps1** - SSH forensic artifacts
- Known hosts with connection counts
- SSH config, keys, authorized_keys
- PuTTY sessions and OpenSSH server logs
- Supports `-ShowKeys` to display public key contents
### Usage Examples

2
TODO.md
View File

@@ -24,7 +24,7 @@
### Browser & Search History
- [ ] Browser history - Edge, Chrome, Firefox artifacts
- [ ] Typed URLs - URLs manually typed in browsers
- [x] Typed URLs - URLs manually typed in browsers
- [ ] Search terms - Windows Search history
### File Access

222
windows/Get-TypedURLs.ps1 Normal file
View File

@@ -0,0 +1,222 @@
# Get-TypedURLs.ps1
# Extracts manually typed URLs from browsers (IE, Edge, Chrome, Firefox)
param(
[int]$MaxPerBrowser = 20,
[switch]$ShowAll
)
Write-Host "=== Typed URLs ===" -ForegroundColor Cyan
Write-Host "URLs manually typed into browser address bars`n"
if ($ShowAll) {
$MaxPerBrowser = [int]::MaxValue
}
$foundAny = $false
# Internet Explorer - TypedURLs from Registry
Write-Host "--- Internet Explorer (Registry) ---" -ForegroundColor Yellow
try {
$ieTypedURLs = "HKCU:\Software\Microsoft\Internet Explorer\TypedURLs"
if (Test-Path $ieTypedURLs) {
$urls = Get-ItemProperty -Path $ieTypedURLs -ErrorAction SilentlyContinue
$urlList = @()
# IE stores as url1, url2, url3, etc.
for ($i = 1; $i -le 50; $i++) {
$urlKey = "url$i"
if ($urls.$urlKey) {
$urlList += $urls.$urlKey
}
}
if ($urlList.Count -gt 0) {
$foundAny = $true
$count = 0
foreach ($url in $urlList) {
$count++
Write-Host " $count. $url" -ForegroundColor Green
if ($count -ge $MaxPerBrowser) { break }
}
Write-Host " Total: $($urlList.Count)" -ForegroundColor Gray
} else {
Write-Host " No typed URLs found" -ForegroundColor Gray
}
} else {
Write-Host " Registry key not found" -ForegroundColor Gray
}
} catch {
Write-Host " Error: $_" -ForegroundColor Red
}
# Function to parse Chrome/Edge History SQLite database
function Get-ChromiumTypedURLs {
param(
[string]$historyPath,
[string]$browserName,
[int]$maxResults
)
Write-Host " Checking: $historyPath" -ForegroundColor Gray
if (-not (Test-Path $historyPath)) {
Write-Host " History database not found" -ForegroundColor Gray
return
}
try {
# Copy database to temp (Chrome locks it when running)
$tempDB = "$env:TEMP\history_temp_$(Get-Random).db"
# Try to copy, might fail if browser is running
try {
Copy-Item -Path $historyPath -Destination $tempDB -Force -ErrorAction Stop
} catch {
Write-Host " Database locked - close $browserName and try again" -ForegroundColor Yellow
return
}
# Load SQLite assembly (if available)
try {
Add-Type -Path "System.Data.SQLite.dll" -ErrorAction Stop
} catch {
# Try to use sqlite3.exe if available
$sqlite3 = Get-Command sqlite3.exe -ErrorAction SilentlyContinue
if ($sqlite3) {
$query = "SELECT url, typed_count FROM urls WHERE typed_count > 0 ORDER BY typed_count DESC LIMIT $maxResults;"
$result = & sqlite3.exe $tempDB $query
if ($result) {
$foundAny = $true
$count = 0
foreach ($line in $result) {
$parts = $line -split '\|'
if ($parts.Length -ge 2) {
$count++
Write-Host " $count. $($parts[0])" -ForegroundColor Green
Write-Host " Typed: $($parts[1]) times" -ForegroundColor Gray
}
}
} else {
Write-Host " No typed URLs found" -ForegroundColor Gray
}
} else {
Write-Host " SQLite not available - install sqlite3.exe or System.Data.SQLite" -ForegroundColor Yellow
Write-Host " Database location: $historyPath" -ForegroundColor Cyan
}
}
} catch {
Write-Host " Error reading database: $_" -ForegroundColor Red
} finally {
# Always clean up temp database
if (Test-Path $tempDB -ErrorAction SilentlyContinue) {
Remove-Item -Path $tempDB -Force -ErrorAction SilentlyContinue
}
}
}
# Microsoft Edge
Write-Host "`n--- Microsoft Edge ---" -ForegroundColor Yellow
$edgeHistory = "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\History"
Get-ChromiumTypedURLs -historyPath $edgeHistory -browserName "Edge" -maxResults $MaxPerBrowser
# Google Chrome
Write-Host "`n--- Google Chrome ---" -ForegroundColor Yellow
$chromeHistory = "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\History"
Get-ChromiumTypedURLs -historyPath $chromeHistory -browserName "Chrome" -maxResults $MaxPerBrowser
# Ungoogled Chromium / Chromium - Check all profiles
Write-Host "`n--- Chromium (Ungoogled) ---" -ForegroundColor Yellow
$chromiumUserData = "$env:LOCALAPPDATA\Chromium\User Data"
if (Test-Path $chromiumUserData) {
# Check Default profile
$chromiumHistory = "$chromiumUserData\Default\History"
if (Test-Path $chromiumHistory) {
Write-Host " Profile: Default" -ForegroundColor Cyan
Get-ChromiumTypedURLs -historyPath $chromiumHistory -browserName "Chromium" -maxResults $MaxPerBrowser
}
# Check numbered profiles (Profile 1, Profile 2, etc.)
$profiles = Get-ChildItem -Path $chromiumUserData -Directory -Filter "Profile*" -ErrorAction SilentlyContinue
foreach ($profile in $profiles) {
$profileHistory = Join-Path $profile.FullName "History"
if (Test-Path $profileHistory) {
Write-Host " Profile: $($profile.Name)" -ForegroundColor Cyan
Get-ChromiumTypedURLs -historyPath $profileHistory -browserName "Chromium" -maxResults $MaxPerBrowser
}
}
} else {
Write-Host " Chromium not installed" -ForegroundColor Gray
}
# Firefox
Write-Host "`n--- Mozilla Firefox ---" -ForegroundColor Yellow
try {
$firefoxProfiles = "$env:APPDATA\Mozilla\Firefox\Profiles"
if (Test-Path $firefoxProfiles) {
$profiles = Get-ChildItem -Path $firefoxProfiles -Directory -ErrorAction SilentlyContinue
if ($profiles) {
foreach ($profile in $profiles) {
$placesDB = Join-Path $profile.FullName "places.sqlite"
if (Test-Path $placesDB) {
Write-Host " Profile: $($profile.Name)" -ForegroundColor Cyan
# Copy to temp
$tempDB = "$env:TEMP\places_temp_$(Get-Random).db"
Copy-Item -Path $placesDB -Destination $tempDB -Force -ErrorAction Stop
# Try sqlite3.exe
$sqlite3 = Get-Command sqlite3.exe -ErrorAction SilentlyContinue
if ($sqlite3) {
# Firefox uses visit_count in moz_places, but doesn't track typed specifically
# We look for high visit counts as proxy
$query = "SELECT url, visit_count FROM moz_places WHERE visit_count > 5 ORDER BY visit_count DESC LIMIT $MaxPerBrowser;"
$result = & sqlite3.exe $tempDB $query
if ($result) {
$foundAny = $true
$count = 0
foreach ($line in $result) {
$parts = $line -split '\|'
if ($parts.Length -ge 2) {
$count++
Write-Host " $count. $($parts[0])" -ForegroundColor Green
Write-Host " Visits: $($parts[1])" -ForegroundColor Gray
}
}
} else {
Write-Host " No frequently visited URLs found" -ForegroundColor Gray
}
} else {
Write-Host " SQLite not available" -ForegroundColor Yellow
Write-Host " Database location: $placesDB" -ForegroundColor Cyan
}
Remove-Item -Path $tempDB -Force -ErrorAction SilentlyContinue
}
}
} else {
Write-Host " No Firefox profiles found" -ForegroundColor Gray
}
} else {
Write-Host " Firefox not installed or no profiles" -ForegroundColor Gray
}
} catch {
Write-Host " Error: $_" -ForegroundColor Red
}
if (-not $foundAny) {
Write-Host "`nNo typed URLs found in any browser" -ForegroundColor Gray
}
Write-Host "`nNote: Requires sqlite3.exe in PATH for Chrome/Edge/Firefox parsing" -ForegroundColor Yellow
Write-Host "Download from: https://www.sqlite.org/download.html" -ForegroundColor Cyan
Write-Host "Or install via: winget install SQLite.SQLite" -ForegroundColor Cyan