{"id":50632943,"url":"https://github.com/slasq/browser-autopsy","last_synced_at":"2026-06-07T00:01:35.794Z","repository":{"id":359066876,"uuid":"1209835528","full_name":"Slasq/Browser-Autopsy","owner":"Slasq","description":"DFIR tool for offline browser artifacts analysis — Chrome \u0026 Firefox","archived":false,"fork":false,"pushed_at":"2026-06-06T22:46:44.000Z","size":106,"stargazers_count":1,"open_issues_count":1,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-06T23:12:07.270Z","etag":null,"topics":["browser-forensics","dfir","forensic-analysis","incident-response","python","sqlite"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Slasq.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-13T20:37:58.000Z","updated_at":"2026-06-06T22:18:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Slasq/Browser-Autopsy","commit_stats":null,"previous_names":["slasq/browser-autopsy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/Slasq/Browser-Autopsy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slasq%2FBrowser-Autopsy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slasq%2FBrowser-Autopsy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slasq%2FBrowser-Autopsy/releases","manifests_url":"
https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slasq%2FBrowser-Autopsy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Slasq","download_url":"https://codeload.github.com/Slasq/Browser-Autopsy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Slasq%2FBrowser-Autopsy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34003814,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-06T02:00:07.033Z","response_time":107,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser-forensics","dfir","forensic-analysis","incident-response","python","sqlite"],"created_at":"2026-06-07T00:00:42.007Z","updated_at":"2026-06-07T00:01:35.781Z","avatar_url":"https://github.com/Slasq.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"```\n██████╗ ██████╗  ██████╗ ██╗    ██╗███████╗███████╗██████╗ \n██╔══██╗██╔══██╗██╔═══██╗██║    ██║██╔════╝██╔════╝██╔══██╗\n██████╔╝██████╔╝██║   ██║██║ █╗ ██║███████╗█████╗  ██████╔╝\n██╔══██╗██╔══██╗██║   ██║██║███╗██║╚════██║██╔══╝  ██╔══██╗\n██████╔╝██║  ██║╚██████╔╝╚███╔███╔╝███████║███████╗██║  ██║\n╚═════╝ ╚═╝  ╚═╝ ╚═════╝  ╚══╝╚══╝ ╚══════╝╚══════╝╚═╝  ╚═╝\n   █████╗ ██╗   ██╗████████╗ ██████╗ ██████╗ ███████╗██╗   ██╗\n  ██╔══██╗██║   ██║╚══██╔══╝██╔═══██╗██╔══██╗██╔════╝╚██╗ 
██╔╝\n  ███████║██║   ██║   ██║   ██║   ██║██████╔╝███████╗ ╚████╔╝ \n  ██╔══██║██║   ██║   ██║   ██║   ██║██╔═══╝ ╚════██║  ╚██╔╝  \n  ██║  ██║╚██████╔╝   ██║   ╚██████╔╝██║     ███████║   ██║   \n  ╚═╝  ╚═╝ ╚═════╝    ╚═╝    ╚═════╝ ╚═╝     ╚══════╝   ╚═╝   \n```\n\nOffline forensic analyzer for Chrome and Firefox browser artifacts.\nBuilt for DFIR investigations — extracts browsing history, downloads, and\nsearch queries, builds a unified timeline, flags suspicious activity\nagainst a configurable IOC set, and produces HTML/CSV reports.\n\n---\n\n## Features\n\n- **Two-browser support** — Chrome (`History` SQLite) and Firefox (`places.sqlite`)\n- **Three artifact types** per browser:\n  - Browsing history (per-visit timestamps, not just last visit)\n  - Downloads (target path, file size, state, redirect chains)\n  - Search queries auto-detected from 9 engines: Google, Bing, DuckDuckGo, Yahoo, YouTube, Ecosia, Brave, Startpage, Yandex\n- **Chain of custody** — every source file is SHA-256 hashed before parsing; the hash is propagated through every derived event\n- **Read-only access** — source database is copied to temp before being opened (WAL/SHM included); the original is never modified\n- **Anomaly detection** against a configurable IOC YAML:\n  - Suspicious domains (exact + wildcard `*.tld`)\n  - Suspicious file extensions (incl. the double-extension trick — `invoice.pdf.exe`)\n  - Suspicious search keywords\n- **Time-window filtering** — narrow analysis to an incident window\n- **Reports**:\n  - Self-contained HTML, print-friendly (`@media print` → clean A4 PDF)\n  - CSV exports (timeline + anomalies) with UTF-8 BOM for Excel\n\n---\n\n## Install\n\nRequires Python **3.10+**.\n\n```bash\npip install -r requirements.txt\n```\n\n---\n\n## Quick start\n\n```bash\npython main.py --chrome-profile /path/to/chrome/Default --case-id INC-2024-001\n```\n\nReports land in `./output/`. 
Open `output/report.html` in any browser.\n\n\u003e Want to see what a generated report looks like without running the tool?\n\u003e Open `report_demo.html` in the repository root.\n\n---\n\n## Try with sample data\n\nThe repository ships with a script that generates anonymized browser artifacts\nsimulating a suspicious insider-activity incident (INC-2026-03-14).\n\n**1. Generate the artifacts:**\n\n```bash\npython samples/generate.py\n```\n\n**2. Run the tool against them:**\n\n```bash\npython main.py --chrome-profile samples/chrome --firefox-profile samples/firefox --case-id INC-2026-03-14 --output-dir output/demo\n```\n\nOpen `output/demo/report.html` to see the results.\n\n---\n\n## Usage\n\n### Full example\n\n```bash\npython main.py \\\n    --chrome-profile  /evidence/chrome/Default \\\n    --firefox-profile /evidence/firefox/abc123.default-release \\\n    --output-dir      /cases/INC-2024-001/reports \\\n    --case-id         INC-2024-001 \\\n    --ioc-file        /cases/INC-2024-001/custom_iocs.yaml \\\n    --start           2024-01-15T22:00:00 \\\n    --end             2024-01-16T06:00:00 \\\n    --report          both\n```\n\n### Options\n\n| Flag                  | Default               | Description |\n|-----------------------|-----------------------|-------------|\n| `--chrome-profile`    | —                     | Path to a Chrome profile directory |\n| `--firefox-profile`   | —                     | Path to a Firefox profile directory |\n| `--output-dir`      
  | `./output`            | Directory for generated reports |\n| `--report`            | `both`                | `html` / `csv` / `both` |\n| `--case-id`           | `UNSPECIFIED`         | Case ID displayed in HTML report header |\n| `--ioc-file`          | `./config/iocs.yaml`  | Path to IOC YAML config |\n| `--start`             | —                     | Earliest event (ISO-8601; naive = UTC) |\n| `--end`               | —                     | Latest event (ISO-8601; naive = UTC) |\n\nAt least one of `--chrome-profile` / `--firefox-profile` is required.\n\n### Where browser profiles live\n\n| OS       | Chrome                                                  | Firefox                                                        |\n|----------|---------------------------------------------------------|----------------------------------------------------------------|\n| Windows  | `%LOCALAPPDATA%\\Google\\Chrome\\User Data\\Default`        | `%APPDATA%\\Mozilla\\Firefox\\Profiles\\\u003cid\u003e.default-release`      |\n| macOS    | `~/Library/Application Support/Google/Chrome/Default`   | `~/Library/Application Support/Firefox/Profiles/\u003cid\u003e.default`  |\n| Linux    | `~/.config/google-chrome/Default`                       | `~/.mozilla/firefox/\u003cid\u003e.default-release`                      |\n\n\u003e **Windows note**: close Chrome / Firefox before running — Windows holds an exclusive lock on the profile databases.\n\n### Exit codes\n\n- `0` — success\n- `1` — runtime failure (missing artifact, missing IOC file)\n- `2` — argument error (no profile, invalid date, `--start \u003e --end`)\n\n---\n\n## IOC configuration\n\nThe default `config/iocs.yaml` ships with sensible starter content — Tor\nhidden services, paste sites, anonymous file-sharing, malware extensions,\noffensive-security keywords. 
Override per investigation with `--ioc-file`:\n\n```yaml\nsuspicious_domains:\n  - \"*.onion\"            # wildcard suffix match — any .onion\n  - pastebin.com         # exact match (sub.pastebin.com NOT included)\n  - cdn.discordapp.com\n\nsuspicious_extensions:\n  - .exe\n  - .ps1\n  - .hta                 # HTML Application — classic phishing vector\n\nsuspicious_keywords:\n  - mimikatz\n  - \"bypass uac\"\n  - \"disable defender\"\n```\n\nMatching is case-insensitive throughout. Leading `.` in extensions is\noptional — `exe` and `.exe` both work.\n\n---\n\n## Project structure\n\n```\nBrowser-Autopsy/\n├── main.py                  CLI entry point\n├── requirements.txt\n├── report_demo.html         sample rendered report\n│\n├── config/\n│   └── iocs.yaml            default IOC config\n│\n├── extractors/              parse raw browser artifacts\n│   ├── base.py              shared helpers + dataclasses\n│   ├── chrome.py            Chrome History parser\n│   └── firefox.py           Firefox places.sqlite parser\n│\n├── analyzers/               process extracted data\n│   ├── timeline.py          unify events into a chronological timeline\n│   └── anomaly.py           IOC-based detection\n│\n├── reporters/               generate output\n│   ├── html.py              Jinja2-rendered HTML report\n│   ├── csv.py               CSV exports\n│   └── templates/\n│       └── report.html      report template (inline CSS, no JS)\n│\n└── tests/                   extensive pytest suite\n```\n\n---\n\n## Testing\n\n```bash\npytest                          # full suite\npytest tests/test_timeline.py   # one module\npytest -v -k chrome             # only chrome-related tests\n```\n\n---\n\n## Output\n\nThree files land in `--output-dir`:\n\n- **`report.html`** — full forensic report with summary stats, source\n  files table (path + SHA-256), anomaly table, and the complete\n  timeline. Anomaly-flagged rows are visually highlighted. 
Print-friendly.\n- **`timeline.csv`** — every event as a row. Flat columns\n  (`url`, `query`, `filename`) plus a `details_json` column for forensic\n  completeness.\n- **`anomalies.csv`** — flagged anomalies with full event context for\n  triage. Sorted by severity (high → low).\n\nCSVs are UTF-8 with BOM so Excel on Windows handles non-ASCII (Polish,\nCyrillic, etc.) correctly out of the box.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslasq%2Fbrowser-autopsy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fslasq%2Fbrowser-autopsy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fslasq%2Fbrowser-autopsy/lists"}