SQLiteHunter.yaml

name: Generic.Forensic.SQLiteHunter
description: |
  Hunt for SQLite files.

  SQLite has become the de-facto standard for storing application data,
  in many types of applications:

  - Web Browsers
  - Operating Systems
  - Various applications, such as iMessage, TCC etc

  This artifact can hunt for these artifacts in a mostly automated way.
  More info at https://github.com/Velocidex/SQLiteHunter

  NOTE: If you want to use this artifact on just a bunch of files already
  collected (for example the files collected using the
  Windows.KapeFiles.Targets artifact) you can use the CustomGlob parameter
  (for example set it to "/tmp/unpacked/**" to consider all files in the
  unpacked directory).

column_types:
- name: Image
  type: preview_upload
- name: Payload
  type: preview_upload

export: |
  LET SPEC <= "H4sIAAAAAAAA/+x9+3PbttLov4LR3G9sp4ocO+nj5I5+UCS50akt61pykqbqpWESlnhMETwgZEc9zfe3f4MFQAIkKMkvWenXzjQWgV1gsdgHnov/1CYRvUxrb3+Tv2pva/vnKWHp/ov94/CSYbbYPyFpiick3fenmDeCy1q9xvFE4NROsH86rP1er8V4RmpvazkEm0ciIVTIta/1vIIpnZH9F/sNn8ZX4WR/QukkIi/9KZPpH8kl6mCOjXrakFer194xepsSZlRpQKs6ATicz5ACRq05p1dhFC0jQtb+kpEZ5eRlQNJrThOdmjCB/7y0hfPZpuv/TxrjZP+S4RvxVf+q6XknUob0it9iRuTXS1Xepkhsvx2PQU7H4xfjcStJRBnj8X/OKJ6F8aR+TH0cfXVR+gLkG+rcMmJ/Bj3Yl/VvLZUnoc9oSq/4fjeYbC2Z4/FpQhhGuu+zb44vIzIeb0yVisa0lSRR6GMe0hgN50lCGXdL6VZRaIvmVpGWySMCeXwuG110Yu8ovZ5hdp2uR4UJXkVGDvNwP/as5ElXtmkS7ufNNkXlYzm0LaO32qdtGaFL3Np2UbqGZ9uYZj3EuW0VkSX/tlXUlV3cc5nvopdrU3odkjWpyIGraNAQD/dvz0SY9Gybq/x+Pu3p6Xssb7Y1lFb7sa0hcYkH2xYa1/BdG9Cdh3itLSGv5K+2hK6yp9q8IS76qO4XTuI0pHG6/+LF/gzH4RVJeeNfKY3Xo6qIUkVbXtEjOLBtpFp6ty2h7H6u75mJfyy/+G00o9ppfhv0L/Go30QD1nC3z63MD/HF3wLtJUf9LRBd9uLPTfUKF3+Eb0Jf4KxFiwFdRUYG8nBH/ny0SXe90frv55Q3QuJjud5tIrbawW4TlUvc6BaRuYaz3IwqPcQlbg+FJce3PaSV3duz2OiiE3sfppyyxXo05MBVJGiIh3uwZyJMuq/NVX4/3/X09D2W49oaSqu91taQuMRlbQuNa/irDejOQ5zVlpBX8lRbQlfZTW3eEBd91AkJQozuREcRpYoagHsEb/XsJEq/9Rxk3M+DbZLSx/JlW0hztVfbQmKX+Lfto3YNT7dRbXuIz9s6Qkveb+soLPvB5zTxRY/YJ/yWsmvU8oHoASNB6HPK1iNrCXYVhQrlETzl1pIuPeg2kXc/z7oNLXgsj/sNtaXaE39DjVjiob+dVqzhubehMQ/y6N9MA0qe/puhvDwC2ArSV4wMBoxcEUZi3336STTFSZ2NV0kQ5eGVYtRjbFNuE7XS/z8zRfdz+c9E9GN5+e0mv9qxbzfdS3z5VhO+hvt+LiV9iMfeZppLTnqbiS375S3xIkVXPJxSxv05X3OD1wSvoiWHebjvfVbypLPdNAn3866bovKx3OmW0VvtP7eM0CUOc7soXcNDbkyzHuISt4rIkg/cKurKTu+5zHfJy5FUHtFVP7wXaxIkwR3k6BIfw8c9H3HKw22UgHv6t43Q+GjebZuoXeLbtonMZZ5ti+hcx69tRp8e5NW2h8SyT9se2hwe7VmMddGfjWiChiFf9/KoCV7lV3OYh3u0ZyVP+rRNk3A/r7YpKh/Lr20ZvdWebcsIXeLbtovSNbzbxjTrIf5tq4gsebitoq7s457LfK8R7bRymbQcq06AbijO6ZNTVRnh9ClqfrTYpo9J3BNGNX0GMu8Uz/QZ6LtbJNPNE3i/GKaPqiyPHL1047StE7d040StFbF0S81KK03DlIvvS5ySNektIbkI7+ObcCIZ9RRXy7af9uXmaLuJX89UPVcbHmrGtppul4nbaoKd5m/bxfuE/hFGER6Pj0JGruiX8Xggx8qitUmEfZI20n9HITdpV7BO8os4inSFggaQ7RwyzyQp+1cSdP9FIyBXeB7xDRMCA2hNhE9nMxpvAXHrSKBC38+7cMNUPorU+TIU3t1ILSEVaF0WX29J326alrvK3sboe6j4bYrQR5HAgN7GEcXBHcl1oBUI7miIu8rh81B0V2ncMJUPlcnNkvsoknml4q/cjeIyVoHgpWFdlnT4M5BzV5ncJIkPFcgN0vo40kjZbCrHnnck2YVYpJqy2dJQDss6/TkJu7OEPguxD5bV56C6/TajW4nsPgiqscbwMYwDepuKuVcb+1OS/fjw6qARYF6egvViTlhMePdLElFGWNWsrFCKIrnXRZTBjA8ZMEtZDUAiAX4sf3jOAFEVAgQyuitFAGRVmbDwBnOyf4PZfiyveAXixzzFE1Lur2KtZUircnVp7Lz0AJ6z2uByAzWXeExjjsNYJPp01sBJEpFGn3KS7kuxUXAyCf798KIhBI4E9oJlkUIBOxRwisQ/JXLjOxPZJpqu2tn7mdF5ggyaJyKhkVMeZ2SaVT8xlWZvJoxy4nMS7H9RP/c/DZZKrsq26vg0kLioQ8Sf8hmuCvVu0ziG2jvkJvRJOogwF3Zk/7jxYr/l8/Am5CFJHfqkzIFBlxNcUamgUQ5T1q0KzwmEjseZIRqPVWHjsXW9Yzy+TeJALe2sorUEWqDz46CvV4nQy+W3ogaMThieSWINKocEM386HssM06wYLVA/GmQFvTZcgVhZExoSJvqw9vX3ei2lc+aTtPb2P9mDmp52NiKxL4st59VrH/7fce1tbdg97rZHiIczknI8S3ZJQv1pM8CcoH108Er/h75D//jxp9evfjx89WoPtYZopDHq6MU4Pjo7PUFnoqnxx/fds26ejcbzV69eE9TBnLSuOGGo1e8Us33IfkeuKCPjGAHIrqJ5RL7wOjqjdCYas4ea/42OwogTdkYm5Ms4rtVrQ6MpAn3WYPQ2DOrit09xRFKf7M4avpBEj1E6E9xO62jaCAPZmCkjOOhJjFkjTL0rRmfejIjMXnrE6OyE1MexyG63hl10OyWxDdhEB2j0vttHswb2fTqPuQDuHg+7UA189DuiPFHaYEpj0p/PLglbVeyrqmKzlk0PG2GgWmPUM6LlWmaNVEqPAFCCpBotulz95OQLFwBmDwAvG0GYJhFeeIKBAkJ3i5KAmURAOEUzgRCRK47+RcMYTXEcRJAxRVS0USZ4YYCaaCr7y8bwp5gLeF/CFzoPNZHfEF+SlJcvkbDwbwHLSA9TkY7mcfjvOakjPg1TNMML5ON5ShCNyUtOX85wvIA6ywR4ikxIEMQA9b6kV9AwbQBYkXijuYeAMbUbfKhbDNoicJFoA2cLxCkiUTgLY6GCwVyaE5KiYE5EXkzjl7I5GZbiepFF+zYvJLgQFi0CgjnzKBLDr1wugDj1sSeE5vSs0z1D735VIoI63WH7/4LahYH37zlhi9yMgIDuvgCdumhPiX99oSRDOlFvhlNOmDYSfJGQ5g7sBO0AeaD3gtjmTpH7O+j0DMks1V4Pc4796YzEXELIFor/MtB0EfteQCLCSeApvHRnL6P/BkdzUnv7ul4TZlGvmqm3ir/Wyyd59C6qy8quAVwwuz+f9zqgWUX7iwSrvRkNwquQSBslLOSJSnDjzFPiCTwAP09JR2v0UchSLoiso5MwCCIifx9jndqd4TBqBQEjaQoYpuVAbTpLcLyQoEPOCOEmbDvkC5EuakOfw6RNA1IX9beFNNTR6XCA+dThIxSJbg9hZTr9w91ataQVa/kUrPtSHYVKG5N5GAhOZ51o9Rmk6B6pu0oArUwbV6IZmUHNG7UEZQbNzXCM1i9BirBRTcYkJwIRjEsb8EfYsJJ4lDASIS9pIwaJERXYrsfFPl/2R0aS2T9ujBQ6zcOSEPBgJWF01BPyBZQvxLSqYCFpUF5VZ6WNP8LEpwGAaSF3A4pOB0Oo1LAtvbYQfyeCSOz1+90z9M/TXr+qN9BpZZaUxGaFiK4qXnadq/jKgnV3r1O89NYu4o1CXHVIqZVVaB+0VBHbT++UdN2GM/IZCULu+ZgFqcsD0asrwoQRwAaS8K+EaUkmqZF1TRa3VJRVclLfW04qO+2z1Eud4PSaBKgNRKK2IHIth+XCK/iuFygz6K4hOBTgmdxpSHOpjKULQDTNozF8CVBB5mksaq9G0RF7hkClWt6oBAcjeEXnTBvBIzpnldDkS+LNaMynArr7JTkRv5dCLwhmCvhXgqtLvsTxdWb53uH4OjN7zkaG/nVmJkUr1XclgvjXC9N0Lo2xwOnBVyVGGKeczWEspbopS+h19Oi+jGcOD6t6/G+9dDylukQJzTdZB4zg2SWsArx8ic6IP2dpeEPQ1TyWIao4RYwklHHEpwQFhIOvoFcIoysaBYJ9x90ROgOYI0jZFeTV0TucEjWjRrZK+1Mcxru4+R/Btpcv5ZgEMXqLyCxUFWGOEb6kc/mJfT7HUVYj0gXqOtB3aFxDf4p/vgPuNLQ4Z3Kv/ssHtbdhLNgqEpphzHfDmDcBFYZZOAjEuPgFOniVjY5bIu0+hYFVmKelAoWBOE/tMgFLyCJMsRcJKWXOWYT+FG0d1xAMAc6OYRAOku3ThOzujeOv9XF8KTksWNy7knNTyUE0halmGAWMxIhBrxMUxpyiEOb/hQ4Tw2LsT3cZvVVF5iBSSiVcyMks3RX/ysbrKmDVAH2tIwQqWipDm/qiEDVl4bksNZd3uKpHNB+mlkIyTzD3p2E8ORKuPBdFOWmoowSzlHj/Smm8K2SuyQgOPNGVu1rnmhJ0T/catmYaFV7L5JhFQd1kgUstYAiiOVQg9kUdjWuXSn29S8zGNS0lEr6CjcAgRilPGya2wVchTMC9ryBul8sIoHxK7lEzoFVX6S+rUkyzSXD3OiWes1IlJDXLuJpPUZcNpzrN4ulTLUtsbBG0cjnUNBy7PiOwsuvNua8sxZ9/Imkv2irvfNTOLUJFOeRLEjKSuorpyqx1SgGrhX2fpM6ShPFqQa5V2Hua8l/Ioi4tL4JOzDLfURrtfhA63QxTLxWGR64m9NIhfFSBTjlPaBwtFPB7zpPTOFo4wac49RQHAPw9TqHVwL6qChLC0jDlJOaqikGWkKMMWEiZXI2AdfEBZcvWHywOuVchHCDOtYicmWstJuhzWaZA1c0MQ0Ks9EKfW3lTmnLvmsBkV/eymV9yuTojwXKEm8mCzshkoJiqu9uuP+/XInxid1ZWseovqFz3nQkgtzc8GN+I6XnWq6o3FZwxCnVx9uFjUFQeglprlbJSa4mS4/JI8dAyZvnhu7J9Ml47XGLFDKjyUDGl0Q2B0ZlelU85C+MJwhMsRvuQBZtuBAWhz/VAEfBEjXoDpq6gxEBxQrgcP8ikTPWuQhIFzYje+jglu7KipvTd8sO7DfnUY0IjduHf5rj2/z3vZPizt9v4bs/z/s+4VlcUNlXFe43JwV5WhTo4kWfqZv35p96oEGMKaDsOZMPV25JIrbPI8YZME17owcMNXZhlXICGozAOTA4LdDFYn5IoQYIXDUmOzLaJeVFH4dWuT+MgFCLc1LXosyNeJJmPSJSSpui73YxNfEriZnUr8rFqoT2NTshiPXBTFaQwequoHQD1ijo83jmu7UmuyDYpnpj81mO+nwnv+TTe1XlCsrJq5FGsi4PDny6gawvpP7xxJr8+dCYf/HBRHgPqzs6A8ZxPKVPrncIJix/AUYc6mLTGcsUZ2tvUWtIaomxyvgI/IKnPwgQcn6MYM1uUluFRQfFhA2YTKcIpGsIvGyghbBbK4BoCZJB/2nDCZeAUwaDAkrtiN2WCuGfOebTQzZOI4gD0pCxT1UVJkenNhKExyRKpXkG/cmXRLnxX9oDBKKf/Nayu/d6sy/Zmp/2WWF7jpT9LtHqdOhINLW3rmCM3tAsTy0TMPQPXsE1lyZ0YPCHnZ8d1XaX4DVsLkt1yLEBZc1wTqj6u6a6BfvDCjK8ISdd0RdkM8135pzmuAef/66aRxBNhgTGbpM1ep9grskOFmHhLh1O6UZWDKQvAHko5xknZyUxr6VClepchn+EkBV3Xq1Y570tQojGeXLhIkcGZIqBcDVB0OnoEgGc4ScJ40khEoWLGD+Mn2VUW5Sov7z3FOQ0wjo3Vc7NoK6NAI3SJDZ5xoVnFHz1YNZm6BDgbUtmd8ESrecZoymyVMaTSZJSTNO2r9nWNY7xljVaHJb0PYRrypbpfgCxbAFC3iknbjUDyxO+i4kNxo1Avhy2b9FUXImQVCiJBXtT52fEo5GLAAIYE8tXerJisB/I3gFr2fxoGAYmFPd052KlLKz+u/SrGBWrsMa716bgmZ3EALEuBGoQpPGJ0pj8gR1IezOVkLz9hlDGgo7J68ZAISqSvqp7DZVwrmRwtVQUI5/TN4tBaM7g5iwpWCZqWNoy+wSnKv+oZVrELcYoKSTksF1SpRURJYZalDEvmD0SaLCLbfDR6Oi9R9HgOUhAAAFH9jlM0zTtVNU822exTlQEHluC3PuPkACp0f8YgnaI6WFAhRopHI2n9JLaweJrtTV3inEWGqSr3wSYMliDKsEqSCCMhu+9i7TRMZiTmDpv1xrJZ+RnuakOU35ZZw2rlwNaUUQzLYff7mNLruT6W14SZ4e7Fq4vmTi9GcASSpOlOHV0cXDR32nSWRIQT8X140RzX2jj2SRSRQFiIi9ciCQ6Hs3nCVeKbUuKenBR0cDwhTMijo/I+5QqAznX141qWAiUfXjR3shShFzuSBiOxTWNOYr6jRkSCmB2Vhk7wAr0j6ARHoR+qWr6/aO6cx/IKQo6MLn6wSn035wgu5X/AUQjjhKyCHy3A9zQF9J8umjsDKgoLcRQt0Hl8i2NAQxf/uGjufJyGnERhKgYglws0oFHoL3YUnzLenRGc0rjMLLTTpzmUYhbaORIz0C5jlKnu2pELW6hD4lDWDcwK02t0NI8i2QZgAYz9RpSiYxpPdurQfCgO0jCbgASItn4Imeof0WsjMksow2whJOcyIjPIEZLzLqL+tebTxYGgBhYYQ75AoIvoCIeRpOpAkHVG0vnMpB+kQm3+5qmibAgwAPZFWP0Anc5Vh18cHsr+juXRaXSs+uPwNdTPbgiDq2fAi1d5Wlb+a1H+mehPdEb+PRfTFJUH5b8+zHEGjGSe1CjgNUiUsCKIUzQhcm0Cst7kyOexnJKGf2Q8ev19nt0mTB1UJiZnX/+Qg6i+PaLsEmw45P9o1gAbIGDOVAU/GcpwTOIJn6KTMJ1h7k8BW0hmm9E0RacsnIQxOiNByIgPLHwj2JWpP6RAP2dhi+c8AM5KoXpl5LUZTqck2Nkrz9TFGAKOV6H2nDESczlxHwmRU78lLTg66Z10YTsOnRGfhDckeLfgJK2jEeU4kr+rp2S7KcfMPaQaipxsMFW1oh8HTuRuHKxCpQmJy9PAU0hdhmcuBVcNBaUUOCiQJwahCOuQoUCyDhlmC36Gc6ir5b6Us92UsyYcn9qrZyt049p5fB3T21gNDfNTVVlpubEvFhZAjifc7ZIiDXyr3IJxLBYe6myPQf6SGoolydWcK8IYYTCMHoZcTsxH+FL/tQC0p4WPNTYhnKPYwi7EinFsRpNVdxWBVdSuNQDOL/Fao+A8uXw8MsvypTJ7euPBVG4bkoOmZ4CG4ttwVFkBbxbOiKe350u2wUZiylB4l8I6wHF2y3QUSBF2JActmBXjTnNmSQoZ2kYUSc81PU8sKrcr2zppatXPi/CGUhVyihpRYpEUEcmcXFwKVYrhspqPaBEs9uOlBlDSWM7XdRmAxSoNIdXzHyNJaVdWqrWCkqWK4j3Yy08L+GKCYYl106rQWhQpiP9ff5Lxizr/tM4cI4MtuHOVLvz5+dnxipWS+6x0qArkRakRYbM6Mlc+lhpho7BqK1wCcpphVaeDmnWtqzpt5qWA63HCZmlDJ0q7mjOzEkFIugTO2e1agqguQfxrVGY0pbxEUbk+oRjuqsBSUYEmdHBZW5p6CcDQxdXM+uuqJzxL7WmIJbppAzrG2aAhH8VoX0i3tfpWOLxxEwaE6qMbH8SHEwzPgzADa4mPZfpurrqDUHpp9aaI8uyC7CfbjpDdK9zCGvqaRHhxif1rezCUpRbW6rL0W8Fu3drW0M3+DDrjfTkZZ+zNkh0MtQHkmEkZCM1QxUgNZGiZ3cSn1yhJnqEumgBHknpEYNUGgP3We7U6DVSx+nGC1XpVwnDvCjxQ9DMB0uul3ixVa+gwlHGunSc0DcuwA5VqwyrH1WI8THkdtaLL+UwfplJ526p5ivFuBdSZq3RCw1Xoq8422O/MN1juzHe4zCIIhi4QMKoznECifwAGOsoFok5QZTWafemCX8coKFiHbcg74a9pHtSCo5c/DL3EMpSBq2/QGFci2Yh84etIPlJ3XzwMq5leouuxdaAabJ6KOaG6661rXoVja0Y1oLwK6NErbxpycG7yNuDp1fuQp2sjz8I0JRb6CaQoqakqoY4Y0YcHxbxSuNks04OTkkytXhpivJyhT+/y1qY5v9CSyXoV7YY6LCt+RjiGyzArdKTyhXSnupjxNLxhyAnqxhM8ITDsXao7yzFLW1f/HJ728wN097g0oN0ZutvdAfOagD5WBufb1eXEhi8X1L2UcB7Gk7RBvvgkkVGHWkNkfEHZoh3juHATQ9/kUGd7BTey435Lb7jILmwUlnnFRNoeX1grvuuWqloEped9IwavripsCF2RHkKg0v2UnDFydYlk+M6LAeYzwaslsZUk6B2OY8LuIIQm0t/y96Tyl90/Wlb1+vX7dB4Fwym9ld3XvRE2pEhH2wV097pi8oV7YZxyHEXgWz0chzMQIcmHdEpvYxcTRN1xVl9RH2yl21NwX4EpMu1OOoWTxLuEhj6COplfyERdW7cqSygpmtqgVG1Os91vzBhewPb3uNaRWzrjWl0eE2hFEb0VX3BGAbaexRccT2il8BtOJahhIjqNo4VI/F4WBvG2erOEMo5jrimAcwtyR/5/qfI/ie4X+vc3W+5/L8v7WuIem9L22BIPO4VYBWO7n8hbRWzGucCBH9TMb6RuqcBlM42nkTeFpuNayXNxOEUdmWAcjdSgfhT61zlgW3yaYNUCObTk0AuNThc0yosc95LO/FXoJfJnPi+9/uIUus9BAzGRhJOFdTGLjXoxp90g5GqRWem49K4d8wqEPBCgNhvqMkrckEQQufDdQkxRN7WTntFoErjW1g2dxaF3Sb8ITy/57d7NdcDpuXjOvgpAiNERxpx6EJ8D4gYZbK7AKszdHRBKf1M5IDJ6yQFr3LkAO1O4q+JqXvHWvANGbdsYe05VkOUFBpe4VCDrFRIlRmUIY1VgjQ7dyOoA3Ck0AliUyFp14dB8O778AK+XvcTrsCFloL9vTP99Y/rvG9N/35je5I1pvbnmGgLlT6wuGQKZb7WuWorfdexACXJh76SYvucUWk4TLxXVwekFhuNr5X/PcCxjVFkQpnPOM+zNIsXrLNvoSGdtG3dLGRWrOtN8E9f9UqHXprPLMCZB9nRh3rVrIqwR5tiM/lOM++MMbWxCuG1gGWLlTcc8rB0JJsSDY6ueH4UQkCu+oo0rymZeGk5izOeMeDcH9XuhHa6HFtAZDmMV3qcSA7LTQgwlCf7z2en5wGuf9tut0e6q2iJ8SSBm0s5btCP+LqlMRRzaqaMd6C/AlZlegkOm1uzE/NiDIPAevfwX8fl6RNRXVl2qFK6+Z9Edl+CP43+e9vrrsH8cn1bDKWLkhx06sUoGFOg4hl5RcRT/OhK3gWjEK6g37F811asMohk5bsVDhZ7j7cIK27ge8spLrNJeXgirhtQhSJhvXUjultNlAVX3TitHmI6SKm92VsIuO5S57gnMOGOSpx9bsbbVHfn5qUp1ukSA75SI3KnCdxwLcUAVBgoOiHiubmKm9iXQ3EqVkewYq2s27qnigIv+UrvaJUJ2ikp0UFSiwuOfX+vF9xZzTSlklFZedbyx0SIhaeGmHWwtnJ8d67uH45oMcpZffRySBDPMKYO9AteZywFmEGBTKkt2i8Wut3iJZcXVmDwmoWu005JxE8sRE113g06WXg3KzpDZh6yPKCPhJIYZ89KJpC6seh5pQzyGVmcB5GxlzpMT6BE5tzP6JgfI7lDkSYHFyTw9KnLMqEaxzjyKV6yobA1m9A9PPSlasAI52hXMMfJO0LFb6R+eji0IZiHDMC9a5xWg075daNOs3Tp+XeDpBsK9CkqUOSgdtLYa6gr8mjejgBXGyZxrK7PiSLb9sGvJxDivZFeCFAwD5MOdR7kCuxllfnJV1VdL13m/hf7h4TimaQP4rE4jar7YEGrJ2lixlidkLYaY7TcUAkrQ7RQfHuachZdzDnX2+mj3oH64ZwY5zurNKvhb5KU8l8ehFQAlLysjdJQv/h9cNHdGZ63+sDfqnfa9417/F3113Uge/TrodvTtdSP93enpLyets1/UleM3dm735J3E+v6iicyMs26nd9Ztj7xB9+yk1e/2R/rCvwto1D0ZnJ61zn5Vtfxow3VOP/aPT1sdfenfyDo6a510O1mj/lGsANAcw4bq2Cql90CMWz7ZsyDZJabscRBrXC7viUqfWtzRMcYnWY8VxybqTtHyEUqOPS5eG4G76qV4MgYEhC/JxjnKdh0x4pPYX9TRgJGbkNxC4Ko1r3xVP0HiAFkxBrn7bmFJrx0RVsowy4OtGI66IALF7OXxYqqHG0bO8mHKik3CcstyASoWZcSiMavPpMBIvFLyIJmjZKMAk0hJkXHAsghetvgYrkJiWdfVSsSLMZNRQ36Uvuns5oJbcffY/3rvUg7mXMxxzKve05Tr/boP+YpSyULqPQ95atXYk3TF4TKsqtzgMsZSOmEJHmz0LPItS2PzzrBvKFT7ho5NRBtM7xjqDcTRaAAbiOvs3lVcc9UWzQ3otH3AZMcuCZC53i6JEJVs58t6IsTImFJ5GwZ6tphZ2qczM2X8e2HdMkEws/1ij5uZZl+XMmWHlpJDs8/sDN1lhl0p78eV2LGBLZy8yrKe2usr2T5jSVGXTXkq5zpCWdUTXln8FrlnqaO8VGhTqqOyOGK0OHRPhmEphWS5k5aqKBUqrMwJ/qJ+VepbRlWlohUgXBrm0C/3BpLoxIqgHIW88tsbdv4snJGROqtjhc4owMm95nyb2QUjA3igLHaHhEnt/iJml9j4/pyxdzrmhtUDLsJVnwDh6reha0ZgCEvbNh7Lwap0lcYZ/C7pnCNUbSnLuezojilboQ7Em6VOjXBIfoV9d0RxhWEDnpDUu1XZVbFUjQJ8GnuliKoFoIxmo+vLoVazVI9TSYcevhnBUctAeXzUQllWU6yiclxoYFaw3fjSeLDQmM0NBItRVssNKWRaDVl1gSyLJuuQZvPReodEm9kOqT4SM1FzzCcPBOYP+JSkG55ePNfjuCP9tWTgd24O+nJYGaNs+YXoytMCy04K6FFW1raHDbXsMMqizPzdSc08keUYM3HNy+ykZdb8K4txkckZMwiUoY5XlM1KG09ok8vHBgWrDLABaghtr4soQ7DV+pFcwiPnH14deK0okpu4ufyugiythy19EmnpGX6ZlD+Dv6tuAuSFjARH9H1uuElAUuL5mOOITszg7XvZS94QrLD532hcywr2xrX8MIEuU1beiqL3IXfUXP1WlQ1Qoj4n6Kv1OhNaevQUfNUiH/Vln9nhRzeeXibOMM2EFbjmnAlwy9NCQXbjXK2msAhOGOnrXll/mP1QRyDETWByfjngsR61srvLYHXW/0tnjKBW600VRaOXh+Y3tKMRYL5Ey96Hk2kUTqbWhYfVsI/ANqtHbdkwZUy0dqyvgGw5j0+wfzpErUS+NA63UQDEYG0liM3RzG968m1/7SnEhzlibLzDKbgXo0Q9E+Bs4fU6cqLG2SILHE5YqhYRP8ifMn2K06mXuav3OJ3qGQZlYrSVQOxcOUeEFBlMVwIxGcO1dNUoicKUSyXUIPIQWR2V3lsAPVfBYB3YaULjlKxEl2AKHzOebw7rjxW7dBmf3eJTyHbJjtEXq+abyL+CIHryvXlFfMPsO/07P2muOrBu9Fi90Et1s0Psw/xSoOo5b3JYzdoCr/V5Zwel1tjdBLiM6KV8IeK0v6KNTTdiBlBZhwo6ye5Vj4Vs1PXkj/E7aDTfWnWxwrVUXNmWVbMGsDbqTX5pjFQgivMUT8qWyspccQYYfR71TrrDUetkgL5D//jxp9evfjx8JW+E2NarjHnUOxuOqtFhRrGijOPeh653Pmz93PWqCzoObwg0xi7s87vzfue422+ddOFIxzwOIr1D/nlwdtrWOQNGhd3JxvefP/aOer2+yPoYXoW9OE89PR/p5NM5V+kfW30FjeMM+GOrr4FxHOTAvbNuR5fNSJAXftbtZKUzkmN8ktDeJw36SYF5nzIYb/CLzQghp9mconLtAbjQHQ4beSfX7XS7C2Wm6BPoEgMNanf0lXpxx+gKm/0mvy0um6y1OGqx0eZdxq+cTyWKvcEvdcWWPNk85KPbLoxPzgfB4KZV0PvWUOU+vYHJ6zXMiiZu1cHZmPC5kAljdqbMALXvg5ip5dCkIHHqCpD0s78dwIVzfZFQIIq/2U7nMA6TRK5pijzp+jz5UyTmyu5Tn2KYI8AOEwlGw3y/KZ8fuBCOccplNPCOuYkvk5YhdkImx6fSqVvYOi8fe7X8bBvYU79FcgfiDVG5z5F9yOa1OMf+dEZirg1LnjIM/yiknKs40NYTM+Vs/ZyY6oG3h7+j79DO/nF4yTBb7P/M6Dwx5oj7cMa/4dNZAydJRBqx6N191YJ0H54MU1/7EOBrfwd9VyALarCT5cvYYoiaJYmiCtzqq9UTz/g2spVAZF9Gll5f94xvkT2Zx3+EiX5BsYM5zm/xZ3JZscSUi0T1QlMRxr3c5LzjdHqG5DuFq1aaUNzQ9lrfqIsbn/unoy7CaaZFyD8Q5nV03D0QyfnxAZE+7PcGg+4InrbLlQyyep1uf9Q76nXPdGlKcERm+6zbGvVO+53WqPsawf18rW8ZzNHpcad7dnLa6R312hk0cLmsMRnWcWs4Oh10+92OhrYVUwIeNj632u3T8/7otajcUCTIg+YeyvgChl5Bnt2ugqoh/41wVcrXi5JLuof81xJk2PtcANHKCKXY9TgU0P++8TmrxpZryCsUYAo35CsGjH4dmEVkm0hx43OnNWpBI/PXuj/32kJAdA4EwjFcVq/dPj497wx/7bd7/Z9P3/1TiBlOkX8AQ+gDKV6A3VTit24Jh1DCofaAuYSsW8BrKOC1JKGpRX1d7DeA/abxuTUatdrvT7r90UETirtDG76HQr4326B64dBYX4XTwE/uyfOONF25i/RVfl3otpi1a8f+J3juD43vxLSRBOqqjHTqnwaMQqAeGa+ncI+9Gqa4JOQwrQGv3L/VWU4rehPSCAKNsjk81vqF+PCQQTZVDS8j4khJw0kcxhMv1DFKANMPxMRZFZNO8eH3P9hoGsAqCuDQypNoeimMQNSrp77UIWtZcZHj00DO9j6GcUBvUwg4eBPykKilJ08lLAbYv8YT0guM/r4DUkEAis9j/terTy8L/2fPZP4GzVIl9oLfXr1983vdTHjz9gc74Ye3P/1eL2D99PbglQ118Ort7+h3tYCsUwFtEGEuSKsj1QC53ZXvy8rFx6X7shAfwyx4vVJVaRrPyzj49CZF12nYkzIZjszsIahVqwu5mJjrDJVC1I7C5JJitpbE5cDltdLC6L+0OGAerM/2FIqJKzFP4zbcVCxh6wwowT5CYx6SGeBFRLEUQOe8CF3ilPzwJiA+DQqPf8M1XBmbDYJVZdxQhe799up3fYRfTogKAEatyAy4cMJzmXz0MzdFItY1nyXB+8vrxsdBX1+0Qy+XRDhLHaqyPm7RSeuLc+jPP9G4Nq7l17X0DNIdyqrFWHiDo3x7Lv9WiNbktGABtUS9MpamxUy1ojIbOX8yGx5O3ZFRa4Kdwrkag5SyJzr8krme3HzvoVZadBMIfewPe4HJHkioj2NXMz/2h4YlumMzbeRiM2X7bJhqKh7E7xJ+JS0ldku4VS9qqze1TcME/zmf1VZQFQ9rq9xxvGr90lKLRs861Gdl7ZyygLAdka9+OoDe4ziICJPFZB9lQJXVGLBwhtlCwpf26pwY8tJkUNRIF6z6q1dCjE8H6aNi7DA7WxvqnLfVQLoo49NVIZ7IU4sTR+a4ButQUrWyDwegYWGcBscCzvePq4yCi42m6uZsVKnVaOYQwsCzLwW6EKVpMUxKJdwRBNHVa2Tmt8T62B8O5um0PcVxTKKG+isL1x8dJ+g5C+WGbc9dks2SkvkpY9isd9mIUs9mJtcepyuNNmFl4A8Xk8S03cW7M+JTFvQC1KxQYHM9326KKLLQuFztm0trM5YKegHqdDdwEtYkR4xSbKO6oyhspSmRd1IK+XZDHQAjhuNUjHFHMgRVCcAkoOPciPzeGg7dJnGgBi2FoZB8GwsNCbsJfeINFykns14ckC/ez3zKHAOgVRj3Pxgmj2IdgTMS8vtud7SHmhXDIjlSvwxjzBa7wJ4skOzIcWKhjlLO5r5wcvMw5j+8uRzX9vbKdT5lleUah+EfqsZHKPuBJ6x0vwx9msBF7g715zMZTAANO8apCKuHrElbZWx0MRGBCfp4vXNjaFwrCha0MD989FgXvDVhq04gSelvkDupz4BP765BAunROlJPOuSFlftzf8CnhQ54EqYNGE0I4wtYQL0b62zUkhX6ZJ84ffkSjabwDnWOhHwazWdxiiJKr1EUXhOAk6LDcBzQmRS0lxINOJBSdEuENoaJGOgDhoSFYz+IXl0hTpEK1YxCjhJAjhYNZQmAf53Q57viHzA/1IO75HBt2TzHlyZRyHdTknhqvWJce6mMgfjyrsli77eD38UUSh8Pg1NJKgr02BHeGeqU/SrpEW0DdjgOw0p1Nq1l81NDdoInu8b7GfMpYfkdp4pMsyRpBY2Swj9sZL0RVFGzUGrLAjnSV+FbdyMd6avw1VCtiK6S1TijfIo4XxsoiIGKDA7l5Z1X6j395oRtJ5Yqt63blgKAhiP0VR5altrQHNdU/Y/mYYzDw0Vhcx0zdfSG2+BXApbiGD6ejXIf6n1IKY/B4Y+UXRsOe7kSGgCZouVpZSWy86wpG0Io0wpB3eltLF9hLqaVwXuczETXqxD2BlIhx42qp8eFJDdZLR0vJS3QlmeUERX3WnNOh/PZDLNF2b4Zmd+ejEPsvTCe6FnhankuYTyG7H5qOEShWgaydWMVR0dNsh3JLqSOHenBlb5OR4qpuToSX6rW9TLCeh1ynhKmCzymk0kYT1b3iQvpcbrl3opadJuaPB3ZcWjdiq7MXbu8bhxUlmbdo7aFQYO0ksReHrEy7iUOhRLMKxQVja3cCFqBsbYZ+Pr1fwIAAP//vmHbqCwlAQA="
  LET Specs <= parse_json(data=gunzip(string=base64decode(string=SPEC)))
  LET CheckHeader(OSPath) = read_file(filename=OSPath, length=12) = "SQLite forma"
  LET Bool(Value) = if(condition=Value, then="Yes", else="No")

  -- In fast mode we check the filename, then the header then run the sqlite precondition
  LET matchFilename(SourceName, OSPath) = OSPath =~ get(item=Specs.sources, field=SourceName).filename
    AND CheckHeader(OSPath=OSPath)
    AND Identify(SourceName= SourceName, OSPath= OSPath)
    AND log(message=format(format="%v matched by filename %v",
            args=[OSPath, get(item=Specs.sources, field=SourceName).filename]))

  -- If the user wanted to also upload the file, do so now
  LET MaybeUpload(OSPath) = if(condition=AlsoUpload, then=upload(file=OSPath)) OR TRUE

  LET Identify(SourceName, OSPath) = SELECT if(
    condition=CheckHeader(OSPath=OSPath),
    then={
      SELECT *
      FROM sqlite(file=OSPath, query=get(item=Specs.sources, field=SourceName).id_query)
    }) AS Hits
  FROM scope()
  WHERE if(condition=Hits[0].Check = get(item=Specs.sources, field=SourceName).id_value,
    then= log(message="%v was identified as %v",
            args=[OSPath, get(item=Specs.sources, field=SourceName).Name]),
    else=log(message="%v was not identified as %v (got %v, wanted %v)",
             args=[OSPath, get(item=Specs.sources, field=SourceName).Name, str(str=Hits),
                   get(item=Specs.sources, field=SourceName).id_value]) AND FALSE)

  LET ApplyFile(SourceName) = SELECT * FROM foreach(row={
     SELECT OSPath FROM AllFiles
     WHERE if(condition=MatchFilename,  then=matchFilename(SourceName=SourceName, OSPath=OSPath),
      else=Identify(SourceName= SourceName, OSPath= OSPath))

  }, query={
     SELECT *, OSPath FROM sqlite(
        file=OSPath, query=get(item=Specs.sources, field=SourceName).SQL)
  })

  -- Filter for matching files without sqlite checks.
  LET FilterFile(SourceName) =
     SELECT OSPath FROM AllFiles
     WHERE if(condition=MatchFilename,
              then=OSPath =~ get(item=Specs.sources, field=SourceName).filename)

  -- Build a regex for all enabled categories.
  LET all_categories = SELECT if(condition=_value = "All", then=".", else=_value) AS _value
  FROM foreach(row=["All","MacOS","Chrome","Browser","Edge","Firefox","InternetExplorer","Windows"])
  WHERE get(field=_value)

  LET category_regex <= join(sep="|", array=all_categories._value)
  LET AllGlobs <= filter(list=Specs.globs, condition="x=> x.tags =~ category_regex AND x.rule =~ RuleFilter")
  LET _ <= log(message="Globs for category %v is %v",
       args=[category_regex, CustomGlob || AllGlobs.glob])
  LET AllFiles <= SELECT OSPath FROM glob(globs=CustomGlob || AllGlobs.glob)
    WHERE NOT IsDir AND MaybeUpload(OSPath=OSPath)

parameters:
- name: RuleFilter
  type: regex
  description: Only collect rules matching this filter.
  default: "."

- name: MatchFilename
  description: |
    If set we use the filename to detect the type of sqlite file.
    When unset we use heristics (slower)
  type: bool
  default: Y

- name: CustomGlob
  description: Specify this glob to select other files

- name: DateAfter
  description: Timebox output to rows after this time.
  type: timestamp
  default: "1970-01-01T00:00:00Z"

- name: DateBefore
  description: Timebox output to rows after this time.
  type: timestamp
  default: "2100-01-01T00:00:00Z"

- name: FilterRegex
  description: Filter critical rows by this regex
  type: regex
  default: .

- name: All
  description: Select all tagrgets
  type: bool
  default: Y

- name: MacOS
  description: Select targets with category MacOS
  type: bool
  default: N

- name: Chrome
  description: Select targets with category Chrome
  type: bool
  default: N

- name: Browser
  description: Select targets with category Browser
  type: bool
  default: N

- name: Edge
  description: Select targets with category Edge
  type: bool
  default: N

- name: Firefox
  description: Select targets with category Firefox
  type: bool
  default: N

- name: InternetExplorer
  description: Select targets with category InternetExplorer
  type: bool
  default: N

- name: Windows
  description: Select targets with category Windows
  type: bool
  default: N

- name: SQLITE_ALWAYS_MAKE_TEMPFILE
  type: bool
  default: Y

- name: AlsoUpload
  description: If specified we also upload the identified file.
  type: bool

sources:
- name: AllFiles
  notebook:
   - type: vql
     template: |
       // This cell generates other cells to preview the collected
       // data.  DO NOT recalculate this cell - each time new cells
       // will be added. Instead delete the notebook and allow
       // Velociraptor to recreate the entire notebook.
       LET ArtifactsWithResults <=
         SELECT pathspec(accessor="fs", parse=Data.VFSPath)[4] AS Artifact ,
           pathspec(accessor="fs", parse=Data.VFSPath)[-1][:-5] AS Source ,
           stat(accessor="fs", filename=Data.VFSPath + ".index").Size / 8 AS Records
         FROM enumerate_flow(client_id=ClientId, flow_id=FlowId)
         WHERE Type =~ "Result" AND Records > 0

       LET _ <= SELECT notebook_update_cell(notebook_id=NotebookId, type="vql",
       input=format(format='''
       /*
       # Results From %v
       */
       SELECT * FROM source(source=%q)
       ''', args=[Source, Source]),
       output=format(format='''
       <i>Recalculate</i> to show Results from <b>%v</b> with <b>%v</b> rows
       ''', args=[Source, Records])) AS NotebookModification
       FROM ArtifactsWithResults

       /*
       # Results Overview
       */
       SELECT Source, Records FROM ArtifactsWithResults ORDER BY Source

  query: |
    SELECT * FROM AllFiles



  
- name: "iMessage_Profiles"
  notebook:
    - type: vql
      output: "iMessage_Profiles - Recalculate to view results"
      template: |
        /*
        # iMessage_Profiles
        */
        SELECT * FROM source(source="iMessage_Profiles")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="iMessage_Profiles")

    

    LET Output = SELECT timestamp(epoch=date / 1000000000 + 978307200) AS Timestamp, *
    FROM Rows
    WHERE Timestamp > DateAfter AND Timestamp < DateBefore
      AND (MessageText, RoomName) =~ FilterRegex

    SELECT * FROM
    if(condition="iMessage_Profiles" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Autofill_Profiles"
  notebook:
    - type: vql
      output: "Chromium Browser Autofill_Profiles - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Autofill_Profiles
        */
        SELECT * FROM source(source="Chromium Browser Autofill_Profiles")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Profiles")

    

    LET Output = SELECT GUID,
      timestamp(epoch= date_modified) AS DateModified,
      timestamp(epoch= use_date) AS UseDate,
      FirstName, MiddleName, LastName, EmailAddress,
      PhoneNumber, CompanyName, StreetAddress,
      City, State, ZipCode, UseCount, OSPath
    FROM Rows
    WHERE UseDate > DateAfter AND UseDate < DateBefore
      AND (FirstName, MiddleName, LastName, EmailAddress, CompanyName, StreetAddress) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Autofill_Profiles" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Autofill_Masked Credit Cards"
  notebook:
    - type: vql
      output: "Chromium Browser Autofill_Masked Credit Cards - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Autofill_Masked Credit Cards
        */
        SELECT * FROM source(source="Chromium Browser Autofill_Masked Credit Cards")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Autofill_Masked Credit Cards")

    

    LET Output = SELECT * FROM Rows

    SELECT * FROM
    if(condition="Chromium Browser Autofill_Masked Credit Cards" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Bookmarks"
  notebook:
    - type: vql
      output: "Chromium Browser Bookmarks - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Bookmarks
        */
        SELECT * FROM source(source="Chromium Browser Bookmarks")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Bookmarks")

    -- Recursive function to report the details of a folder
    LET ReportFolder(Data, BaseName) = SELECT * FROM chain(a={
      -- First row emit the data about the actual folder
      SELECT BaseName + " | " + Data.name AS Name,
             timestamp(winfiletime=int(int=Data.date_added) * 10) AS DateAdded,
             timestamp(winfiletime=int(int=Data.date_last_used) * 10) AS DateLastUsed,
             Data.type AS Type,
             Data.url || ""  AS URL
      FROM scope()
    },
    b={
       -- If this folder has children recurse into it
       SELECT * FROM foreach(row={
          SELECT _value FROM items(item=Data.children)
       },  query={
          SELECT * FROM ReportFolder(Data=_value, BaseName=BaseName + " | " + Data.name)
       })
    })
    
    LET MatchingFiles = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Data
    FROM Rows

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
      SELECT * FROM chain(
      a={
        SELECT OSPath, *, "bookmark_bar" AS Type
        FROM ReportFolder(Data=Data.roots.bookmark_bar, BaseName="")
      },
      b={
        SELECT OSPath, *, "other" AS Type
        FROM ReportFolder(Data=Data.roots.other, BaseName="")
      },
      c={
        SELECT OSPath, *, "synced" AS Type
        FROM ReportFolder(Data=Data.roots.synced, BaseName="")
      })
    })

    SELECT * FROM
    if(condition="Chromium Browser Bookmarks" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Cookies_Cookies"
  notebook:
    - type: vql
      output: "Chromium Browser Cookies_Cookies - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Cookies_Cookies
        */
        SELECT * FROM source(source="Chromium Browser Cookies_Cookies")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Cookies_Cookies")

    

    LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
           timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
           timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
           HostKey, Name, Path,
           Bool(Value=is_secure) AS IsSecure,
           Bool(Value=is_httponly) AS IsHttpOnly,
           Bool(Value=has_expires) AS HasExpiration,
           Bool(Value=is_persistent) AS IsPersistent,
           Priority, SourcePort, OSPath
    FROM Rows
    WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
      AND (Name, Path) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Cookies_Cookies" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Extensions"
  notebook:
    - type: vql
      output: "Chromium Browser Extensions - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Extensions
        */
        SELECT * FROM source(source="Chromium Browser Extensions")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Extensions")

    -- Resolve the message string against the Locale dict
    LET ResolveName(Message, Locale) = get(item=Locale,
          field=lowcase(string=parse_string_with_regex(regex="^__MSG_(.+)__$", string=Message).g1),
          default=Message).message || Message
    
    -- Read the manifest files
    LET ManifestData = SELECT OSPath, parse_json(data=read_file(filename=OSPath)) AS Manifest
    FROM Rows
    
    -- Find the Locale file to help with.
    LET LocaleData = SELECT *, if(condition=Manifest.default_locale, else=dict(),
         then=parse_json(data=read_file(
            filename=OSPath.Dirname + "_locales" + Manifest.default_locale + "messages.json"))) AS Locale
    FROM ManifestData
    
    LET GetIcon(Manifest) = Manifest.icons.`128` || Manifest.icons.`64` || Manifest.icons.`32` || Manifest.icons.`16`

    LET Output = SELECT OSPath, Manifest.author.email AS Email,
      ResolveName(Message = Manifest.name, Locale=Locale) AS name,
      ResolveName(Message = Manifest.description, Locale=Locale) AS description,
      Manifest.oauth2.scopes as Scopes,
      Manifest.permissions as Permissions,
      Manifest.key as Key, if(condition=GetIcon(Manifest=Manifest),
                then=upload(file=OSPath.Dirname + GetIcon(Manifest=Manifest))) AS Image,
      Manifest AS _Manifest
    FROM LocaleData
    WHERE (name, description) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Extensions" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Favicons"
  notebook:
    - type: vql
      output: "Chromium Browser Favicons - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Favicons
        */
        SELECT * FROM source(source="Chromium Browser Favicons")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Favicons")

    

    LET Output = SELECT ID, IconID,
      timestamp(winfiletime= (LastUpdated * 10) || 0) AS LastUpdated,
      PageURL, FaviconURL,
      upload(accessor="data",
         file=_image,
         name=format(format="Image%v.png", args=ID)) AS Image,
      OSPath as _OSPath
    FROM Rows
    WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore

    SELECT * FROM
    if(condition="Chromium Browser Favicons" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser History_Visits"
  notebook:
    - type: vql
      output: "Chromium Browser History_Visits - Recalculate to view results"
      template: |
        /*
        # Chromium Browser History_Visits
        */
        SELECT * FROM source(source="Chromium Browser History_Visits")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Visits")

    

    LET Output = SELECT ID,
       timestamp(winfiletime=(visit_time * 10) || 0) AS VisitTime,
       timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
       URLTitle, URL, VisitCount, TypedCount,
       if(condition=hidden =~ '1', then="Yes", else="No") AS Hidden,
       VisitID, FromVisitID,
       visit_duration / 1000000 AS VisitDurationInSeconds,
       OSPath
    FROM Rows
    WHERE VisitTime > DateAfter
      AND VisitTime < DateBefore
      AND (URLTitle, URL) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser History_Visits" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser History_Downloads"
  notebook:
    - type: vql
      output: "Chromium Browser History_Downloads - Recalculate to view results"
      template: |
        /*
        # Chromium Browser History_Downloads
        */
        SELECT * FROM source(source="Chromium Browser History_Downloads")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Downloads")

    LET StateLookup <= dict(`0`='In Progress', `1`='Complete', `2`="Cancelled", `3`="Interrupted", `4`="Interrupted")
    LET DangerType <= dict(`0`='Not Dangerous', `1`="Dangerous", `2`='Dangerous URL', `3`='Dangerous Content',
        `4`='Content May Be Malicious', `5`='Uncommon Content', `6`='Dangerous But User Validated',
        `7`='Dangerous Host', `8`='Potentially Unwanted', `9`='Whitelisted by Policy')
    LET InterruptReason <= dict(`0`= 'No Interrupt', `1`= 'File Error', `2`='Access Denied', `3`='Disk Full',
      `5`='Path Too Long',`6`='File Too Large', `7`='Virus', `10`='Temporary Problem', `11`='Blocked',
      `12`='Security Check Failed', `13`='Resume Error', `20`='Network Error', `21`='Operation Timed Out',
      `22`='Connection Lost', `23`='Server Down', `30`='Server Error', `31`='Range Request Error',
      `32`='Server Precondition Error', `33`='Unable to get file', `34`='Server Unauthorized',
      `35`='Server Certificate Problem', `36`='Server Access Forbidden', `37`='Server Unreachable',
      `38`='Content Length Mismatch', `39`='Cross Origin Redirect', `40`='Cancelled', `41`='Browser Shutdown',
      `50`='Browser Crashed')

    LET Output = SELECT ID, GUID, CurrentPath, TargetPath, OriginalMIMEType, ReceivedBytes, TotalBytes,
      timestamp(winfiletime=(start_time * 10) || 0) AS StartTime,
      timestamp(winfiletime=(end_time * 10) || 0) AS EndTime,
      timestamp(winfiletime=(opened * 10) || 0) AS Opened,
      timestamp(winfiletime=(last_access_time * 10) || 0) AS LastAccessTime,
      timestamp(epoch=last_modified) AS LastModified,
      get(item=StateLookup, field=str(str=state), default="Unknown") AS State,
      get(item=DangerType, field=str(str=danger_type), default="Unknown") AS DangerType,
      get(item=InterruptReason, field=str(str=interrupt_reason), default="Unknown") AS InterruptReason,
      ReferrerURL, SiteURL, TabURL, TabReferrerURL, DownloadURL, OSPath
    FROM Rows
    WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
      AND (SiteURL, DownloadURL, TabURL, TabReferrerURL, ReferrerURL, DownloadURL) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser History_Downloads" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser History_Keywords"
  notebook:
    - type: vql
      output: "Chromium Browser History_Keywords - Recalculate to view results"
      template: |
        /*
        # Chromium Browser History_Keywords
        */
        SELECT * FROM source(source="Chromium Browser History_Keywords")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser History_Keywords")

    

    LET Output = SELECT KeywordID, URLID,
       timestamp(winfiletime=(last_visit_time * 10) || 0) AS LastVisitedTime,
       KeywordSearchTerm, Title, URL, OSPath
    FROM Rows
    WHERE LastVisitedTime > DateAfter AND LastVisitedTime < DateBefore
      AND (Title, KeywordSearchTerm, URL) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser History_Keywords" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Media_History"
  notebook:
    - type: vql
      output: "Chromium Browser Media_History - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Media_History
        */
        SELECT * FROM source(source="Chromium Browser Media_History")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_History")

    

    LET Output = SELECT ID, URL, WatchTimeSeconds,
       Bool(Value=has_video) AS HasVideo,
       Bool(Value=has_audio) AS HasAudio,
       timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated,
       OriginID, OSPath
    FROM Rows
    WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
      AND URL =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Media_History" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Media_Playback Session"
  notebook:
    - type: vql
      output: "Chromium Browser Media_Playback Session - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Media_Playback Session
        */
        SELECT * FROM source(source="Chromium Browser Media_Playback Session")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Media_Playback Session")

    

    LET Output = SELECT ID,
      timestamp(winfiletime=last_updated_time_s || 0) AS LastUpdated, URL,
      duration_ms / 1000 AS DurationInSeconds,
      position_ms / 1000 AS PositionInSeconds,
      Title, Artist, Album, SourceTitle, OriginID, OSPath
    FROM Rows
    WHERE LastUpdated > DateAfter AND LastUpdated < DateBefore
      AND URL =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Media_Playback Session" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Network_Predictor"
  notebook:
    - type: vql
      output: "Chromium Browser Network_Predictor - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Network_Predictor
        */
        SELECT * FROM source(source="Chromium Browser Network_Predictor")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Network_Predictor")

    

    LET Output = SELECT * FROM Rows
    WHERE UserText =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Network_Predictor" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Notifications_Site Engagements"
  notebook:
    - type: vql
      output: "Chromium Browser Notifications_Site Engagements - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Notifications_Site Engagements
        */
        SELECT * FROM source(source="Chromium Browser Notifications_Site Engagements")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Site Engagements")

    LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows

    LET Output = SELECT * FROM foreach(row={
      SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
    },  query={
      SELECT _key AS Site,
         timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
         timestamp(winfiletime=int(int=_value.setting.lastEngagementTime) * 10 || 0) AS LastEngagementTime,
         OSPath
      FROM items(item=exceptions.site_engagement)
    })

    SELECT * FROM
    if(condition="Chromium Browser Notifications_Site Engagements" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Notifications_App Banners"
  notebook:
    - type: vql
      output: "Chromium Browser Notifications_App Banners - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Notifications_App Banners
        */
        SELECT * FROM source(source="Chromium Browser Notifications_App Banners")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_App Banners")

    LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows

    LET Output = SELECT * FROM foreach(row={
      SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
    },  query={
      SELECT _key AS Site,
         timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
         {
           SELECT _key AS Site,
              timestamp(winfiletime=int(int=_value.couldShowBannerEvents) * 10 || 0) AS CouldShowBannerEvents,
              timestamp(winfiletime=int(int=_value.next_install_text_animation.last_shown) * 10 || 0) AS LastShown
           FROM items(item=_value.setting)
         } AS Setting,
         OSPath
      FROM items(item=exceptions.app_banner)
    })

    SELECT * FROM
    if(condition="Chromium Browser Notifications_App Banners" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Notifications_Notification Preferences"
  notebook:
    - type: vql
      output: "Chromium Browser Notifications_Notification Preferences - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Notifications_Notification Preferences
        */
        SELECT * FROM source(source="Chromium Browser Notifications_Notification Preferences")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Preferences")

    LET ContentSettings <= array(`0`="Default",`1`="Allow",`2`="Block",`3`="Ask",`4`="Session Only",`5`="Detect Important Content")
    
    LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows

    LET Output = SELECT * FROM foreach(row={
      SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
    },  query={
      SELECT _key AS Site,
        timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
        ContentSettings[_value.setting] AS Setting,
        OSPath
      FROM items(item=exceptions.notifications)
    })

    SELECT * FROM
    if(condition="Chromium Browser Notifications_Notification Preferences" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Chromium Browser Notifications_Notification Interactions"
  notebook:
    - type: vql
      output: "Chromium Browser Notifications_Notification Interactions - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Notifications_Notification Interactions
        */
        SELECT * FROM source(source="Chromium Browser Notifications_Notification Interactions")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Chromium Browser Notifications_Notification Interactions")

    LET JSON = SELECT parse_json(data=read_file(filename=OSPath)) AS Data, OSPath FROM Rows
    LET S = scope()

    LET Output = SELECT * FROM foreach(row={
      SELECT OSPath, Data.profile.content_settings.exceptions AS exceptions FROM JSON
    },  query={
      SELECT _key AS URL,
        timestamp(winfiletime=int(int=_value.last_modified) * 10 || 0) AS LastModified,
        _value.display_count as DisplayCount,
        _value.click_count as ClickCount,
        OSPath
      FROM items(item=S.notification_interactions || dict())
    })

    SELECT * FROM
    if(condition="Chromium Browser Notifications_Notification Interactions" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Shortcuts"
  notebook:
    - type: vql
      output: "Chromium Browser Shortcuts - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Shortcuts
        */
        SELECT * FROM source(source="Chromium Browser Shortcuts")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Shortcuts")

    

    LET Output = SELECT ID,
      timestamp(winfiletime= (last_access_time * 10) || 0) AS LastAccessTime,
      TextTyped, FillIntoEdit, URL, Contents,
      Description, Type, Keyword, TimesSelectedByUser, OSPath
    FROM Rows
    WHERE LastAccessTime > DateAfter AND LastAccessTime < DateBefore
      AND (Contents, Description) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Browser Shortcuts" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Sessions_Sessions"
  notebook:
    - type: vql
      output: "Chromium Sessions_Sessions - Recalculate to view results"
      template: |
        /*
        # Chromium Sessions_Sessions
        */
        SELECT * FROM source(source="Chromium Sessions_Sessions")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Sessions_Sessions")

    

    LET Output = SELECT timestamp(winfiletime=(creation_utc * 10) || 0) AS CreationUTC,
           timestamp(winfiletime=(expires_utc * 10) || 0) AS ExpiresUTC,
           timestamp(winfiletime=(last_access_utc * 10) || 0) AS LastAccessUTC,
           HostKey, Name, Path,
           Bool(Value=is_secure) AS IsSecure,
           Bool(Value=is_httponly) AS IsHttpOnly,
           Bool(Value=has_expires) AS HasExpiration,
           Bool(Value=is_persistent) AS IsPersistent,
           Priority, SourcePort, OSPath
    FROM Rows
    WHERE LastAccessUTC > DateAfter AND LastAccessUTC < DateBefore
      AND (Name, Path) =~ FilterRegex

    SELECT * FROM
    if(condition="Chromium Sessions_Sessions" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Chromium Browser Top Sites"
  notebook:
    - type: vql
      output: "Chromium Browser Top Sites - Recalculate to view results"
      template: |
        /*
        # Chromium Browser Top Sites
        */
        SELECT * FROM source(source="Chromium Browser Top Sites")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Chromium Browser Top Sites")

    

    LET Output = SELECT * FROM Rows
    WHERE ( URL =~ FilterRegex OR Title =~ FilterRegex )

    SELECT * FROM
    if(condition="Chromium Browser Top Sites" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Edge Browser Autofill_CombinedAutofill"
  notebook:
    - type: vql
      output: "Edge Browser Autofill_CombinedAutofill - Recalculate to view results"
      template: |
        /*
        # Edge Browser Autofill_CombinedAutofill
        */
        SELECT * FROM source(source="Edge Browser Autofill_CombinedAutofill")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Autofill_CombinedAutofill")

    

    LET Output = SELECT timestamp(epoch=date_last_used) AS DateLastUsed, *
    FROM Rows
    WHERE DateLastUsed > DateAfter AND DateLastUsed < DateBefore

    SELECT * FROM
    if(condition="Edge Browser Autofill_CombinedAutofill" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Edge Browser Navigation History_Navigation History"
  notebook:
    - type: vql
      output: "Edge Browser Navigation History_Navigation History - Recalculate to view results"
      template: |
        /*
        # Edge Browser Navigation History_Navigation History
        */
        SELECT * FROM source(source="Edge Browser Navigation History_Navigation History")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Edge Browser Navigation History_Navigation History")

    

    LET Output = SELECT ID,
       timestamp(epoch=`Last Visited Time`) AS `Last Visited Time`,
       Title, URL, VisitCount, OSPath
    FROM Rows
    WHERE `Last Visited Time` > DateAfter
      AND `Last Visited Time` < DateBefore
      AND (Title, URL) =~ FilterRegex

    SELECT * FROM
    if(condition="Edge Browser Navigation History_Navigation History" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Places"
  notebook:
    - type: vql
      output: "Firefox Places - Recalculate to view results"
      template: |
        /*
        # Firefox Places
        */
        SELECT * FROM source(source="Firefox Places")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places")

    LET BookmarkTypes <= dict(`1`="URL", `2`="Folder", `3`="Separator")

    LET Output = SELECT ID, ParentID,
       get(item= BookmarkTypes, field=str(str=type), default="Unknown") AS Type,
       timestamp(epoch=dateAdded) AS DateAdded,
       timestamp(epoch=lastModified) AS LastModified,
       Position, Title, URL, ForeignKey, OSPath
    FROM Rows
    WHERE LastModified > DateAfter AND LastModified < DateBefore
      AND (Title, URL) =~ FilterRegex

    SELECT * FROM
    if(condition="Firefox Places" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Places_Downloads"
  notebook:
    - type: vql
      output: "Firefox Places_Downloads - Recalculate to view results"
      template: |
        /*
        # Firefox Places_Downloads
        */
        SELECT * FROM source(source="Firefox Places_Downloads")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_Downloads")

    

    LET Output = SELECT PlaceID, Content,
       timestamp(epoch=dateAdded) AS DateAdded,
       timestamp(epoch=lastModified) AS LastModified,
       OSPath
    FROM Rows
    WHERE LastModified > DateAfter AND LastModified < DateBefore
      AND Content =~ FilterRegex

    SELECT * FROM
    if(condition="Firefox Places_Downloads" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Places_History"
  notebook:
    - type: vql
      output: "Firefox Places_History - Recalculate to view results"
      template: |
        /*
        # Firefox Places_History
        */
        SELECT * FROM source(source="Firefox Places_History")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Places_History")

    LET VisitType <= dict(`1`='TRANSITION_LINK', `2`='TRANSITION_TYPED', `3`='TRANSITION_BOOKMARK',
      `4`='TRANSITION_EMBED', `5`= 'TRANSITION_REDIRECT_PERMANENT', `6`='TRANSITION_REDIRECT_TEMPORARY',
      `7`='TRANSITION_DOWNLOAD', `8`='TRANSITION_FRAMED_LINK', `9`='TRANSITION_RELOAD')

    LET Output = SELECT VisitID, FromVisitID,
       timestamp(epoch= last_visit_date) AS LastVisitDate,
       VisitCount, URL, Title, Description,
       get(item= VisitType, field=str(str=visit_type), default="Unknown") AS VisitType,
       Bool(Value=hidden) AS Hidden,
       Bool(Value=typed) AS Typed,
       Frecency, PreviewImageURL, OSPath
    FROM Rows
    WHERE LastVisitDate > DateAfter AND LastVisitDate < DateBefore
      AND (Title, URL, Description) =~ FilterRegex

    SELECT * FROM
    if(condition="Firefox Places_History" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Cookies"
  notebook:
    - type: vql
      output: "Firefox Cookies - Recalculate to view results"
      template: |
        /*
        # Firefox Cookies
        */
        SELECT * FROM source(source="Firefox Cookies")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Cookies")

    

    LET Output = SELECT ID, Host, Name, Value,
       timestamp(epoch= creationTime) AS CreationTime,
       timestamp(epoch= lastAccessed) AS LastAccessedTime,
       timestamp(epoch= expiry) AS Expiration,
       Bool(Value= isSecure) AS IsSecure,
       Bool(Value= isHttpOnly) AS IsHTTPOnly, OSPath
    FROM Rows
    WHERE LastAccessedTime > DateAfter
      AND LastAccessedTime < DateBefore
      AND ( Name =~ FilterRegex OR Value =~ FilterRegex )

    SELECT * FROM
    if(condition="Firefox Cookies" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Downloads"
  notebook:
    - type: vql
      output: "Firefox Downloads - Recalculate to view results"
      template: |
        /*
        # Firefox Downloads
        */
        SELECT * FROM source(source="Firefox Downloads")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Downloads")

    

    LET Output = SELECT ID, Name, MIMEType, Source, Target,
       timestamp(epoch= startTime) AS StartTime,
       timestamp(epoch= endTime) AS EndTime,
       timestamp(epoch= expiry) AS Expiration,
       CurrentBytes, MaxBytes, OSPath
    FROM Rows
    WHERE StartTime > DateAfter
      AND StartTime < DateBefore
      AND Name =~ FilterRegex

    SELECT * FROM
    if(condition="Firefox Downloads" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Favicons"
  notebook:
    - type: vql
      output: "Firefox Favicons - Recalculate to view results"
      template: |
        /*
        # Firefox Favicons
        */
        SELECT * FROM source(source="Firefox Favicons")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Favicons")

    

    LET Output = SELECT ID, PageURL, FaviconURL,
       timestamp(epoch= expire_ms) AS Expiration,
       OSPath
    FROM Rows

    SELECT * FROM
    if(condition="Firefox Favicons" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Firefox Form History"
  notebook:
    - type: vql
      output: "Firefox Form History - Recalculate to view results"
      template: |
        /*
        # Firefox Form History
        */
        SELECT * FROM source(source="Firefox Form History")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Firefox Form History")

    

    LET Output = SELECT ID, FieldName, Value, TimesUsed,
       timestamp(epoch= firstUsed) AS FirstUsed,
       timestamp(epoch= lastUsed) AS LastUsed,
       GUID, OSPath
    FROM Rows
    WHERE LastUsed > DateAfter AND LastUsed < DateBefore
      AND ( FieldName =~ FilterRegex OR Value =~ FilterRegex )

    SELECT * FROM
    if(condition="Firefox Form History" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "IE or Edge WebCacheV01_All Data"
  notebook:
    - type: vql
      output: "IE or Edge WebCacheV01_All Data - Recalculate to view results"
      template: |
        /*
        # IE or Edge WebCacheV01_All Data
        */
        SELECT * FROM source(source="IE or Edge WebCacheV01_All Data")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_All Data")

    LET MatchingFiles = SELECT OSPath FROM Rows
    LET S = scope()
    
    LET Containers(OSPath) = SELECT Table
    FROM parse_ese_catalog(file=OSPath)
    WHERE Table =~ "Container_"
    GROUP BY Table
    
    LET AllHits(OSPath) = SELECT * FROM foreach(row={
        SELECT * FROM Containers(OSPath=OSPath)
    }, query={
       SELECT timestamp(winfiletime=ExpiryTime) AS ExpiryTime,
          timestamp(winfiletime=ModifiedTime) AS ModifiedTime,
          timestamp(winfiletime=AccessedTime) AS AccessedTime,
          S.Url AS Url, *
       FROM parse_ese(file=OSPath, table=Table)
    })

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
      SELECT * FROM AllHits(OSPath=OSPath)
    })
    WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
      AND Url =~ FilterRegex

    SELECT * FROM
    if(condition="IE or Edge WebCacheV01_All Data" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "IE or Edge WebCacheV01_Highlights"
  notebook:
    - type: vql
      output: "IE or Edge WebCacheV01_Highlights - Recalculate to view results"
      template: |
        /*
        # IE or Edge WebCacheV01_Highlights
        */
        SELECT * FROM source(source="IE or Edge WebCacheV01_Highlights")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="IE or Edge WebCacheV01_Highlights")

    

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
      SELECT AccessedTime, ModifiedTime, ExpiryTime, Url
      FROM AllHits(OSPath=OSPath)
    })
    WHERE AccessedTime > DateAfter AND AccessedTime < DateBefore
      AND Url =~ FilterRegex

    SELECT * FROM
    if(condition="IE or Edge WebCacheV01_Highlights" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "MacOS Applications Cache"
  notebook:
    - type: vql
      output: "MacOS Applications Cache - Recalculate to view results"
      template: |
        /*
        # MacOS Applications Cache
        */
        SELECT * FROM source(source="MacOS Applications Cache")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Applications Cache")

    

    LET Output = SELECT
       time_stamp AS Timestamp,
       OSPath.Base AS Application,
       entry_ID AS EntryID,
       version AS Version,
       hash_value AS Hash,
       storage_policy AS StoragePolicy,
       request_key AS URL,
       plist(file=request_object, accessor="data") AS Request,
       plist(file=response_object, accessor="data") AS Response,
       partition AS Partition,
       OSPath
    FROM Rows
    WHERE Timestamp > DateAfter AND Timestamp < DateBefore
      AND Application =~ FilterRegex

    SELECT * FROM
    if(condition="MacOS Applications Cache" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "MacOS NetworkUsage"
  notebook:
    - type: vql
      output: "MacOS NetworkUsage - Recalculate to view results"
      template: |
        /*
        # MacOS NetworkUsage
        */
        SELECT * FROM source(source="MacOS NetworkUsage")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS NetworkUsage")

    

    LET Output = SELECT timestamp(epoch= ZTIMESTAMP + 978307200) AS Timestamp,
      timestamp(epoch= ZFIRSTTIMESTAMP + 978307200) AS FirstTimestamp,
      timestamp(epoch= LIVE_USAGE_TIMESTAMP + 978307200) AS LiveUsageTimestamp,
      ZBUNDLENAME AS BundleID,
      ZPROCNAME AS ProcessName,
      ZWIFIIN AS WifiIn,
      ZWIFIOUT AS WifiOut,
      ZWWANIN AS WanIn,
      ZWWANOUT AS WandOut,
      ZWIREDIN AS WiredIn,
      ZWIREDOUT AS WiredOut,
      ZXIN AS _XIn,
      ZXOUT AS _XOut,
      Z_PK AS LiveUsageTableID
    FROM Rows

    SELECT * FROM
    if(condition="MacOS NetworkUsage" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "MacOS Notes"
  notebook:
    - type: vql
      output: "MacOS Notes - Recalculate to view results"
      template: |
        /*
        # MacOS Notes
        */
        SELECT * FROM source(source="MacOS Notes")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS Notes")

    

    LET Output = SELECT Key AS _Key,
     OSPath[1] AS User,
     Note,
     Title,
     Snippet,
     NoteID AS _NoteID,
     timestamp(cocoatime=CreatedTS) AS CreatedTime,
     timestamp(cocoatime=LastOpenedDate) AS LastOpenedTime,
     timestamp(cocoatime=DirModificationDate) AS LastDirModifcation,
     Account AS _Account,
     Directory,
     DirectoryID,
     AttachmentName,
     AttachmentSize,
     AttachmentUUID,
     if(condition=AttachmentUUID,
        then=OSPath[:2] + '/Library/Group Containers/group.com.apple.notes/Accounts/LocalAccount/Media/' + AttachmentUUID + '/' + AttachmentName) AS AttachmentLocation,
     AccountName AS _AccountName,
     AccountID AS _AccountID,
     AccountType AS _AccountType,
     gunzip(string=Data) AS Data,
     OSPath
    FROM Rows
    WHERE LastOpenedTime > DateAfter AND LastOpenedTime < DateBefore
      AND ( Title =~ FilterRegex OR Data =~ FilterRegex )

    SELECT * FROM
    if(condition="MacOS Notes" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "MacOS XProtect Detections"
  notebook:
    - type: vql
      output: "MacOS XProtect Detections - Recalculate to view results"
      template: |
        /*
        # MacOS XProtect Detections
        */
        SELECT * FROM source(source="MacOS XProtect Detections")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="MacOS XProtect Detections")

    

    LET Output = SELECT *
    FROM Rows
    WHERE dt > DateAfter
      AND dt < DateBefore
      AND (violated_rule, exec_path, responsible_path, responsible_signing_id,
        exec_cdhash, exec_sha256, responsible_cdhash, responsible_sha256 ) =~ FilterRegex

    SELECT * FROM
    if(condition="MacOS XProtect Detections" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Windows Activities Cache_ActivityPackageId"
  notebook:
    - type: vql
      output: "Windows Activities Cache_ActivityPackageId - Recalculate to view results"
      template: |
        /*
        # Windows Activities Cache_ActivityPackageId
        */
        SELECT * FROM source(source="Windows Activities Cache_ActivityPackageId")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_ActivityPackageId")

    

    LET Output = SELECT format(format="%0X-%0X-%0X-%0X-%0X", args=[
      ActivityId[0:4], ActivityId[4:6], ActivityId[6:8],
      ActivityId[8:10], ActivityId[10:] ]) AS ActivityId,
      Platform, PackageName, ExpirationTime, OSPath
    FROM Rows

    SELECT * FROM
    if(condition="Windows Activities Cache_ActivityPackageId" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Windows Activities Cache_Clipboard"
  notebook:
    - type: vql
      output: "Windows Activities Cache_Clipboard - Recalculate to view results"
      template: |
        /*
        # Windows Activities Cache_Clipboard
        */
        SELECT * FROM source(source="Windows Activities Cache_Clipboard")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Windows Activities Cache_Clipboard")

    

    LET Output = SELECT
      CreatedTime,
      timestamp(epoch=LastModifiedTime) AS LastModifiedTime,
      timestamp(epoch=LastModifiedOnClient) AS LastModifiedOnClient,
      StartTime,
      EndTime,
      Payload,
      OSPath[1] AS User,
      base64decode(string=parse_json_array(data=ClipboardPayload)[0].content) AS ClipboardPayload,
      OSPath AS Path,
      Mtime
    FROM Rows
    WHERE StartTime > DateAfter
      AND StartTime < DateBefore
      AND ClipboardPayload =~ FilterRegex

    SELECT * FROM
    if(condition="Windows Activities Cache_Clipboard" =~ RuleFilter, then={
       SELECT * FROM Output
    })



  
- name: "Windows WPNDatabase - Notifications_Notifications"
  notebook:
    - type: vql
      output: "Windows WPNDatabase - Notifications_Notifications - Recalculate to view results"
      template: |
        /*
        # Windows WPNDatabase - Notifications_Notifications
        */
        SELECT * FROM source(source="Windows WPNDatabase - Notifications_Notifications")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM ApplyFile(SourceName="Windows WPNDatabase - Notifications_Notifications")

    

    LET Output = SELECT *, Parent || "" AS Parent,
        timestamp(winfiletime= ArrivalTime) AS ArrivalTime,
        if(condition= ExpirationTime > 0,
           then=timestamp(winfiletime= ExpirationTime),
          else='Expired') AS ExpirationTime,
        format(format="%02x", args=ActivityId) As ActivityId,
        WNSId || "" AS WNSId,
    
        if(condition= WNSCreatedTime > 0,
           then=timestamp(winfiletime= WNSCreatedTime),
          else='') AS WNSCreatedTime,
    
        if(condition= WNSExpirationTime > 0,
           then=timestamp(winfiletime= WNSExpirationTime),
          else='') AS WNSExpirationTime,
    
        upload(accessor="data",
           file=Payload,
           name=format(format="Payload%v.png", args=ID)) AS Payload
    
    FROM Rows

    SELECT * FROM
    if(condition="Windows WPNDatabase - Notifications_Notifications" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_SystemIndex_Gthr"
  notebook:
    - type: vql
      output: "Windows Search Service_SystemIndex_Gthr - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_SystemIndex_Gthr
        */
        SELECT * FROM source(source="Windows Search Service_SystemIndex_Gthr")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_Gthr")

    LET MatchingFiles = SELECT OSPath FROM Rows
    
    LET FormatTimeB(T) = timestamp(winfiletime=parse_binary(
       filename=T, accessor="data", struct="uint64b"))
    
    LET FormatTime(T) = timestamp(winfiletime=parse_binary(
       filename=T, accessor="data", struct="uint64"))
    
    LET FormatSize(T) = parse_binary(
       filename=T, accessor="data", struct="uint64")

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT ScopeID, DocumentID, SDID,
          FormatTimeB(T=LastModified) AS LastModified,
          FileName
       FROM parse_ese(file=OSPath, table= "SystemIndex_Gthr")
    })
    WHERE LastModified > DateAfter AND LastModified < DateBefore
      AND FileName =~ FilterRegex

    SELECT * FROM
    if(condition="Windows Search Service_SystemIndex_Gthr" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_SystemIndex_GthrPth"
  notebook:
    - type: vql
      output: "Windows Search Service_SystemIndex_GthrPth - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_SystemIndex_GthrPth
        */
        SELECT * FROM source(source="Windows Search Service_SystemIndex_GthrPth")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_GthrPth")

    

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT Scope, Parent, Name
       FROM parse_ese(file=OSPath, table= "SystemIndex_GthrPth")
    })
    WHERE Name =~ FilterRegex

    SELECT * FROM
    if(condition="Windows Search Service_SystemIndex_GthrPth" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_SystemIndex_PropertyStore"
  notebook:
    - type: vql
      output: "Windows Search Service_SystemIndex_PropertyStore - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_SystemIndex_PropertyStore
        */
        SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore")

    LET X = scope()
    
    -- The PropertyStore columns look like
    -- <random>-ProperName so we strip the
    -- random part off to display it properly.
    LET FilterDict(Dict) = to_dict(item={
      SELECT split(sep_string="-", string=_key)[1] || _key AS _key, _value
      FROM items(item=Dict)
    })
    
    LET PropStore(OSPath) = SELECT *,
       FormatTime(T=X.System_Search_GatherTime) AS System_Search_GatherTime,
       FormatSize(T=X.System_Size) AS System_Size,
       FormatTime(T=X.System_DateModified) AS System_DateModified,
       FormatTime(T=X.System_DateAccessed) AS System_DateAccessed,
       FormatTime(T=X.System_DateCreated) AS System_DateCreated
    FROM foreach(row={
       SELECT *, FilterDict(Dict=_value) AS _value
       FROM items(item={
         SELECT * FROM parse_ese(file=OSPath, table="SystemIndex_PropertyStore")
      })
    }, column="_value")

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT *
       FROM PropStore(OSPath=OSPath)
    })
    WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore

    SELECT * FROM
    if(condition="Windows Search Service_SystemIndex_PropertyStore" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_SystemIndex_PropertyStore_Highlights"
  notebook:
    - type: vql
      output: "Windows Search Service_SystemIndex_PropertyStore_Highlights - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_SystemIndex_PropertyStore_Highlights
        */
        SELECT * FROM source(source="Windows Search Service_SystemIndex_PropertyStore_Highlights")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_SystemIndex_PropertyStore_Highlights")

    

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT WorkID,
          System_Search_GatherTime,
          System_Size,
          System_DateModified,
          System_DateCreated,
          X.System_FileOwner AS System_FileOwner,
          X.System_ItemPathDisplay AS System_ItemPathDisplay,
          X.System_ItemType AS System_ItemType,
          X.System_FileAttributes AS System_FileAttributes,
          X.System_Search_AutoSummary AS System_Search_AutoSummary
       FROM PropStore(OSPath=OSPath)
    })
    WHERE System_DateAccessed > DateAfter AND System_DateAccessed < DateBefore

    SELECT * FROM
    if(condition="Windows Search Service_SystemIndex_PropertyStore_Highlights" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_BrowsingActivity"
  notebook:
    - type: vql
      output: "Windows Search Service_BrowsingActivity - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_BrowsingActivity
        */
        SELECT * FROM source(source="Windows Search Service_BrowsingActivity")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_BrowsingActivity")

    

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT X.ItemPathDisplay AS ItemPathDisplay,
          X.Activity_ContentUri AS Activity_ContentUri,
          X.Activity_Description AS Activity_Description
       FROM PropStore(OSPath=OSPath)
       WHERE Activity_ContentUri
    })

    SELECT * FROM
    if(condition="Windows Search Service_BrowsingActivity" =~ RuleFilter, then={
       SELECT * FROM Output
    })


- name: "Windows Search Service_UserActivityLogging"
  notebook:
    - type: vql
      output: "Windows Search Service_UserActivityLogging - Recalculate to view results"
      template: |
        /*
        # Windows Search Service_UserActivityLogging
        */
        SELECT * FROM source(source="Windows Search Service_UserActivityLogging")
        LIMIT 50
  query: |
    LET Rows = SELECT * FROM FilterFile(SourceName="Windows Search Service_UserActivityLogging")

    

    LET Output = SELECT * FROM foreach(row=MatchingFiles, query={
       SELECT X.System_ItemPathDisplay AS System_ItemPathDisplay,
           FormatTime(T=X.ActivityHistory_StartTime) AS ActivityHistory_StartTime,
           FormatTime(T=X.ActivityHistory_EndTime) AS ActivityHistory_EndTime,
           X.ActivityHistory_AppId AS ActivityHistory_AppId
       FROM PropStore(OSPath=OSPath)
       WHERE ActivityHistory_AppId
    })
    WHERE ActivityHistory_StartTime > DateAfter
      AND ActivityHistory_StartTime < DateBefore

    SELECT * FROM
    if(condition="Windows Search Service_UserActivityLogging" =~ RuleFilter, then={
       SELECT * FROM Output
    })