Update Chrome Extensions parser to work on updated artifact types.

pyhindsight/plugins/chrome_extensions.py

@@ -1,44 +1,66 @@
 ###################################################################################################
 #
 # chrome_extensions.py
-#   Adds the name and description of each Chrome extension found in a URLItem to the Interpretation field
+#   Adds the name and description of each Chrome extension found to the Interpretation field
 #
-# Plugin Author: Ryan Benson (ryan@obsidianforensics.com)
+# Plugin Author: Ryan Benson (ryan@dfir.blog)
 #
 ###################################################################################################
 
+import re
+
 # Config
 friendlyName = "Chrome Extension Names"
-description = "Adds the name and description of each Chrome extension found in a URLItem to the Interpretation field"
+description = "Adds the name and description of each Chrome extension found to the Interpretation field"
 artifactTypes = ("url", "local storage")
 remoteLookups = 0
 browser = "Chrome"
 browserVersion = 1
-version = "20150125"
+version = "20210424"
 parsedItems = 0
 
 
 def plugin(analysis_session=None):
-    import re
     if analysis_session is None:
         return
 
-    extension_re = re.compile(r'^chrome-extension[_|://]([a-z]{32})')
+    extension_re = re.compile(r'^chrome-extension(_|://)([a-z]{32})')
     global parsedItems
     parsedItems = 0
 
     for item in analysis_session.parsed_artifacts:
-        if item.row_type.startswith(artifactTypes):
-            if item.interpretation is None:
-                m = re.search(extension_re, item.url)
-                if m:
-                    try:
-                        for ext in analysis_session.installed_extensions['data']:
-                            if ext.app_id == m.group(1):
-                                item.interpretation = '{} ({}) [Chrome Extension]'.format(ext.name, ext.description)
-                                parsedItems += 1
-                    except:
-                        pass
+        if not item.row_type.startswith(artifactTypes):
+            continue
+
+        if item.interpretation is not None:
+            continue
+
+        m = re.search(extension_re, item.url)
+        if m:
+            try:
+                for ext in analysis_session.installed_extensions['data']:
+                    if ext.app_id == m.group(2):
+                        item.interpretation = f'{ext.name} ({ext.description}) [Chrome Extension]'
+                        parsedItems += 1
+            except:
+                pass
+
+    for item in analysis_session.parsed_storage:
+        if not item.row_type.startswith(artifactTypes):
+            continue
+
+        if item.interpretation is not None:
+            continue
+
+        m = re.search(extension_re, item.origin)
+        if m:
+            try:
+                for ext in analysis_session.installed_extensions['data']:
+                    if ext.app_id == m.group(2):
+                        item.interpretation = f'{ext.name} ({ext.description}) [Chrome Extension]'
+                        parsedItems += 1
+            except:
+                pass
 
     # Description of what the plugin did
-    return '{} extension URLs parsed'.format(parsedItems)
+    return f'{parsedItems} extension URLs parsed'

pyhindsight/plugins/unfurl_interpretation.py

@@ -21,7 +21,7 @@
 remoteLookups = 1  # if this plugin will query online sources/databases
 browser = "Chrome"  # browsers that the plugin applies to
 browserVersion = 1  # browser versions that the plugin applies to
-version = "20210307"  # version of the plugin (use the date)
+version = "20210424"  # version of the plugin (use the date)
 parsedItems = 0  # count of items that the plugin parsed; initialized to 0
 
 
@@ -36,10 +36,6 @@ def plugin(target_browser):
         if item.row_type not in artifactTypes:
             continue
 
-        # If the item already has an interpretation don't replace it.
-        if item.interpretation is not None:
-            continue
-
         # Otherwise, try to parse the item's value with Unfurl
         try:
             u = core.Unfurl()