dissect.target 3.18.dev16__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/helpers/utils.py

@@ -13,6 +13,17 @@ from dissect.target.helpers import fsutil
 log = logging.getLogger(__name__)
 
 
+def findall(buf: bytes, needle: bytes) -> Iterator[int]:
+    offset = 0
+    while True:
+        offset = buf.find(needle, offset)
+        if offset == -1:
+            break
+
+        yield offset
+        offset += 1
+
+
 class StrEnum(str, Enum):
     """Sortable and serializible string-based enum"""
 

dissect/target/loader.py

@@ -195,6 +195,7 @@ register("vma", "VmaLoader")
 register("kape", "KapeLoader")
 register("tanium", "TaniumLoader")
 register("itunes", "ITunesLoader")
+register("ab", "AndroidBackupLoader")
 register("target", "TargetLoader")
 register("log", "LogLoader")
 # Disabling ResLoader because of DIS-536

dissect/target/loaders/ab.py

@@ -0,0 +1,285 @@
+import hashlib
+import io
+import posixpath
+import shutil
+import struct
+from pathlib import Path
+from typing import BinaryIO
+
+try:
+    from Crypto.Cipher import AES
+
+    HAS_PYCRYPTODOME = True
+except ImportError:
+    HAS_PYCRYPTODOME = False
+
+from dissect.util.stream import AlignedStream, RelativeStream, ZlibStream
+
+from dissect.target.exceptions import LoaderError
+from dissect.target.filesystem import VirtualFilesystem
+from dissect.target.filesystems.tar import TarFilesystem
+from dissect.target.helpers import keychain
+from dissect.target.loader import Loader
+from dissect.target.plugins.os.unix.linux.android._os import AndroidPlugin
+from dissect.target.target import Target
+
+DIRECTORY_MAPPING = {
+    "a": "/data/app/{id}",
+    "f": "/data/data/{id}/files",
+    "db": "/data/data/{id}/databases",
+    "ef": "/storage/emulated/0/Android/data/{id}",
+    "sp": "/data/data/{id}/shared_preferences",
+    "r": "/data/data/{id}",
+    "obb": "/storage/emulated/0/Android/obb/{id}",
+}
+
+
+class AndroidBackupLoader(Loader):
+    """Load Android backup files.
+
+    References:
+        - http://fileformats.archiveteam.org/wiki/Android_ADB_Backup
+    """
+
+    def __init__(self, path: Path, **kwargs):
+        super().__init__(path)
+        self.ab = AndroidBackup(path.open("rb"))
+
+        if self.ab.encrypted:
+            for key in keychain.get_keys_for_provider("ab") + keychain.get_keys_without_provider():
+                if key.key_type == keychain.KeyType.PASSPHRASE:
+                    try:
+                        self.ab.unlock(key.value)
+                        break
+                    except ValueError:
+                        continue
+            else:
+                raise LoaderError(f"Missing password for encrypted Android Backup: {self.path}")
+
+    @staticmethod
+    def detect(path: Path) -> bool:
+        if path.suffix.lower() == ".ab":
+            return True
+
+        if path.is_file():
+            # The file extension can be chosen freely so let's also test for the file magic
+            with path.open("rb") as fh:
+                if fh.read(15) == b"ANDROID BACKUP\n":
+                    return True
+
+        return False
+
+    def map(self, target: Target) -> None:
+        if self.ab.compressed or self.ab.encrypted:
+            if self.ab.compressed and not self.ab.encrypted:
+                word = "compressed"
+            elif self.ab.encrypted and not self.ab.compressed:
+                word = "encrypted"
+            else:
+                word = "compressed and encrypted"
+
+            target.log.warning(
+                f"Backup file is {word}, consider unwrapping with "
+                "`python -m dissect.target.loaders.ab <path/to/backup.ab>`"
+            )
+
+        vfs = VirtualFilesystem(case_sensitive=False)
+
+        fs = TarFilesystem(self.ab.open())
+        for app in fs.path("/apps").iterdir():
+            for subdir in app.iterdir():
+                if subdir.name not in DIRECTORY_MAPPING:
+                    continue
+
+                path = DIRECTORY_MAPPING[subdir.name].format(id=app.name)
+
+                # TODO: Remove once we move towards "directory entries"
+                entry = subdir.get()
+                entry.name = posixpath.basename(path)
+
+                vfs.map_file_entry(path, entry)
+
+        target.filesystems.add(vfs)
+        target._os_plugin = AndroidPlugin.create(target, vfs)
+
+
+class AndroidBackup:
+    def __init__(self, fh: BinaryIO):
+        self.fh = fh
+
+        size = fh.seek(0, io.SEEK_END)
+        fh.seek(0)
+
+        # Don't readline() straight away as we may be reading something other than a backup file
+        magic = fh.read(15)
+        if magic != b"ANDROID BACKUP\n":
+            raise ValueError("Not a valid Android Backup file")
+
+        self.version = int(fh.read(2)[:1])
+        self.compressed = bool(int(fh.read(2)[:1]))
+
+        self.encrypted = False
+        self.unlocked = True
+        self.encryption = fh.readline().strip().decode()
+
+        if self.encryption != "none":
+            self.encrypted = True
+            self.unlocked = False
+            self._user_salt = bytes.fromhex(fh.readline().strip().decode())
+            self._ck_salt = bytes.fromhex(fh.readline().strip().decode())
+            self._rounds = int(fh.readline().strip())
+            self._user_iv = bytes.fromhex(fh.readline().strip().decode())
+            self._master_key = bytes.fromhex(fh.readline().strip().decode())
+
+            self._mk = None
+            self._iv = None
+
+        self._data_offset = fh.tell()
+        self.size = size - self._data_offset
+
+    def unlock(self, password: str) -> None:
+        if not self.encrypted:
+            raise ValueError("Android Backup is not encrypted")
+
+        self._mk, self._iv = self._decrypt_mk(password)
+        self.unlocked = True
+
+    def _decrypt_mk(self, password: str) -> tuple[bytes, bytes]:
+        user_key = hashlib.pbkdf2_hmac("sha1", password.encode(), self._user_salt, self._rounds, 32)
+
+        blob = AES.new(user_key, AES.MODE_CBC, iv=self._user_iv).decrypt(self._master_key)
+        blob = blob[: -blob[-1]]
+
+        offset = 0
+        iv_len = blob[offset]
+        offset += 1
+        iv = blob[offset : offset + iv_len]
+
+        offset += iv_len
+        mk_len = blob[offset]
+        offset += 1
+        mk = blob[offset : offset + mk_len]
+
+        offset += mk_len
+        checksum_len = blob[offset]
+        offset += 1
+        checksum = blob[offset : offset + checksum_len]
+
+        ck_mk = _encode_bytes(mk) if self.version >= 2 else mk
+        our_checksum = hashlib.pbkdf2_hmac("sha1", ck_mk, self._ck_salt, self._rounds, 32)
+        if our_checksum != checksum:
+            # Try reverse encoding for good measure
+            ck_mk = mk if self.version >= 2 else _encode_bytes(mk)
+            our_checksum = hashlib.pbkdf2_hmac("sha1", ck_mk, self._ck_salt, self._rounds, 32)
+
+        if our_checksum != checksum:
+            raise ValueError("Invalid password: master key checksum does not match")
+
+        return mk, iv
+
+    def open(self) -> BinaryIO:
+        fh = RelativeStream(self.fh, self._data_offset)
+
+        if self.encrypted:
+            if not self.unlocked:
+                raise ValueError("Missing password for encrypted Android Backup")
+            fh = CipherStream(fh, self._mk, self._iv, self.size)
+
+        if self.compressed:
+            fh = ZlibStream(fh)
+
+        return fh
+
+
+class CipherStream(AlignedStream):
+    """Transparently AES-CBC decrypted stream."""
+
+    def __init__(self, fh: BinaryIO, key: bytes, iv: bytes, size: int):
+        self._fh = fh
+
+        self._key = key
+        self._iv = iv
+        self._cipher = None
+        self._cipher_offset = 0
+        self._reset_cipher()
+
+        super().__init__(size)
+
+    def _reset_cipher(self) -> None:
+        self._cipher = AES.new(self._key, AES.MODE_CBC, iv=self._iv)
+        self._cipher_offset = 0
+
+    def _seek_cipher(self, offset: int) -> None:
+        """CBC is dependent on previous blocks so to seek the cipher, decrypt and discard to the wanted offset."""
+        if offset < self._cipher_offset:
+            self._reset_cipher()
+            self._fh.seek(0)
+
+        while self._cipher_offset < offset:
+            read_size = min(offset - self._cipher_offset, self.align)
+            self._cipher.decrypt(self._fh.read(read_size))
+            self._cipher_offset += read_size
+
+    def _read(self, offset: int, length: int) -> bytes:
+        self._seek_cipher(offset)
+
+        data = self._cipher.decrypt(self._fh.read(length))
+        if offset + length >= self.size:
+            # Remove padding
+            data = data[: -data[-1]]
+
+        self._cipher_offset += len(data)
+
+        return data
+
+
+def _encode_bytes(buf: bytes) -> bytes:
+    # Emulate byte[] -> char[] -> utf8 byte[] casting
+    return struct.pack(">32h", *struct.unpack(">32b", buf)).decode("utf-16-be").encode("utf-8")
+
+
+def main() -> None:
+    import argparse
+
+    parser = argparse.ArgumentParser(description="Android Backup file unwrapper")
+    parser.add_argument("path", type=Path, help="source path")
+    parser.add_argument("-p", "--password", help="encryption password")
+    parser.add_argument("-t", "--tar", action="store_true", help="write a tar file instead of a plain Android Backup")
+    parser.add_argument("-o", "--output", type=Path, help="output path")
+    args = parser.parse_args()
+
+    if not args.path.is_file():
+        parser.exit("source path does not exist or is not a file")
+
+    ext = ".tar" if args.tar else ".plain.ab"
+    if args.output is None:
+        output = args.path.with_suffix(ext)
+    elif args.output.is_dir():
+        output = args.output.joinpath(args.path.name).with_suffix(ext)
+    else:
+        output = args.output
+
+    if output.exists():
+        parser.exit(f"output path already exists: {output}")
+
+    print(f"unwrapping {args.path} -> {output}")
+    with args.path.open("rb") as fh:
+        ab = AndroidBackup(fh)
+
+        if ab.encrypted:
+            if not args.password:
+                parser.exit("missing password for encrypted Android Backup")
+            ab.unlock(args.password)
+
+        with ab.open() as fhab, output.open("wb") as fhout:
+            if not args.tar:
+                fhout.write(b"ANDROID BACKUP\n")  # header
+                fhout.write(b"5\n")  # version
+                fhout.write(b"0\n")  # compressed
+                fhout.write(b"none\n")  # encryption
+
+            shutil.copyfileobj(fhab, fhout, 1024 * 1024 * 64)
+
+
+if __name__ == "__main__":
+    main()

dissect/target/loaders/libvirt.py

@@ -0,0 +1,40 @@
+from pathlib import Path
+
+from defusedxml import ElementTree
+
+from dissect.target import container
+from dissect.target.helpers import fsutil
+from dissect.target.loader import Loader
+from dissect.target.target import Target
+
+
+class LibvirtLoader(Loader):
+    """Load libvirt xml configuration files."""
+
+    def __init__(self, path: Path, **kwargs):
+        path = path.resolve()
+        self.base_dir = path.parent
+        super().__init__(path)
+
+    @staticmethod
+    def detect(path: Path) -> bool:
+        if path.suffix.lower() != ".xml":
+            return False
+
+        with path.open("rb") as fh:
+            lines = fh.read(512).split(b"\n")
+            # From what I've seen, these are are always at the start of the file
+            # If its generated using virt-install
+            needles = [b"<domain", b"<name>", b"<uuid>"]
+            return all(any(needle in line for line in lines) for needle in needles)
+
+    def map(self, target: Target) -> None:
+        xml_data = ElementTree.fromstring(self.path.read_text())
+        for disk in xml_data.findall("devices/disk/source"):
+            if not (file := disk.get("file")):
+                continue
+
+            for part in [fsutil.basename(file), file]:
+                if (path := self.base_dir.joinpath(part)).exists():
+                    target.disks.add(container.open(path))
+                    break

dissect/target/loaders/mqtt.py

@@ -10,6 +10,7 @@ import time
 import urllib
 from dataclasses import dataclass
 from functools import lru_cache
+from getpass import getpass
 from pathlib import Path
 from struct import pack, unpack_from
 from threading import Thread
@@ -270,19 +271,25 @@ class Broker:
     case = None
     bytes_received = 0
     monitor = False
+    username = None
+    password = None
 
     diskinfo = {}
     index = {}
     topo = {}
     factor = 1
 
-    def __init__(self, broker: Broker, port: str, key: str, crt: str, ca: str, case: str, **kwargs):
+    def __init__(
+        self, broker: Broker, port: str, key: str, crt: str, ca: str, case: str, username: str, password: str, **kwargs
+    ):
         self.broker_host = broker
         self.broker_port = int(port)
         self.private_key_file = key
         self.certificate_file = crt
         self.cacert_file = ca
         self.case = case
+        self.username = username
+        self.password = password
         self.command = kwargs.get("command", None)
 
     def clear_cache(self) -> None:
@@ -393,6 +400,7 @@ class Broker:
             tls_version=ssl.PROTOCOL_TLS,
             ciphers=None,
         )
+        self.mqtt_client.username_pw_set(self.username, self.password)
         self.mqtt_client.tls_insecure_set(True)  # merely having the correct cert is ok
         self.mqtt_client.on_connect = self._on_connect
         self.mqtt_client.on_message = self._on_message
@@ -411,6 +419,8 @@ class Broker:
 @arg("--mqtt-ca", dest="ca", help="certificate authority file")
 @arg("--mqtt-command", dest="command", help="direct command to client(s)")
 @arg("--mqtt-diag", action="store_true", dest="diag", help="show MQTT diagnostic information")
+@arg("--mqtt-username", dest="username", help="Username for connection")
+@arg("--mqtt-password", action="store_true", dest="password", help="Ask for password before connecting")
 class MQTTLoader(Loader):
     """Load remote targets through a broker."""
 
@@ -435,7 +445,10 @@ class MQTTLoader(Loader):
         if cls.broker is None:
             if (uri := kwargs.get("parsed_path")) is None:
                 raise LoaderError("No URI connection details have been passed.")
+
             options = dict(urllib.parse.parse_qsl(uri.query, keep_blank_values=True))
+            if options.get("password"):
+                options["password"] = getpass()
             cls.broker = Broker(**options)
             cls.broker.connect()
             num_peers = int(options.get("peers", 1))

dissect/target/loaders/tar.py

@@ -1,8 +1,9 @@
+from __future__ import annotations
+
 import logging
 import re
 import tarfile
 from pathlib import Path
-from typing import Union
 
 from dissect.target import filesystem, target
 from dissect.target.filesystems.tar import (
@@ -21,22 +22,25 @@ ANON_FS_RE = re.compile(r"^fs[0-9]+$")
 class TarLoader(Loader):
     """Load tar files."""
 
-    def __init__(self, path: Union[Path, str], **kwargs):
+    def __init__(self, path: Path | str, **kwargs):
         super().__init__(path)
 
+        if isinstance(path, str):
+            path = Path(path)
+
         if self.is_compressed(path):
             log.warning(
                 f"Tar file {path!r} is compressed, which will affect performance. "
                 "Consider uncompressing the archive before passing the tar file to Dissect."
             )
 
-        self.tar = tarfile.open(path)
+        self.tar = tarfile.open(fileobj=path.open("rb"))
 
     @staticmethod
     def detect(path: Path) -> bool:
         return path.name.lower().endswith((".tar", ".tar.gz", ".tgz"))
 
-    def is_compressed(self, path: Union[Path, str]) -> bool:
+    def is_compressed(self, path: Path | str) -> bool:
         return str(path).lower().endswith((".tar.gz", ".tgz"))
 
     def map(self, target: target.Target) -> None:

dissect/target/loaders/utm.py

@@ -21,6 +21,9 @@ class UtmLoader(Loader):
     def map(self, target: Target) -> None:
         data_dir = self.path.joinpath("Data")
         for drive in self.config.get("Drive", []):
+            if drive.get("ImageType") != "Disk":
+                continue
+
             path = data_dir.joinpath(drive["ImageName"])
             try:
                 target.disks.add(container.open(path))

dissect/target/loaders/velociraptor.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import logging
 import zipfile
 from pathlib import Path
-from typing import TYPE_CHECKING, Optional
+from typing import TYPE_CHECKING
 
 from dissect.target.loaders.dir import DirLoader, find_dirs, map_dirs
 from dissect.target.plugin import OperatingSystem
@@ -18,7 +18,7 @@ UNIX_ACCESSORS = ["file", "auto"]
 WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]
 
 
-def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional[list[Path]]]:
+def find_fs_directories(path: Path) -> tuple[OperatingSystem | None, list[Path] | None]:
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
     # Unix
@@ -56,7 +56,7 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
     return None, None
 
 
-def extract_drive_letter(name: str) -> Optional[str]:
+def extract_drive_letter(name: str) -> str | None:
     # \\.\X: in URL encoding
     if len(name) == 14 and name.startswith("%5C%5C.%5C") and name.endswith("%3A"):
         return name[10].lower()
@@ -91,7 +91,7 @@ class VelociraptorLoader(DirLoader):
                 f"Velociraptor target {path!r} is compressed, which will slightly affect performance. "
                 "Consider uncompressing the archive and passing the uncompressed folder to Dissect."
             )
-            self.root = zipfile.Path(path)
+            self.root = zipfile.Path(path.open("rb"))
         else:
             self.root = path
 
@@ -105,8 +105,8 @@ class VelociraptorLoader(DirLoader):
         #   results/
         #   uploads.json
         #   [...] other files related to the collection
-        if path.suffix == ".zip":  # novermin
-            path = zipfile.Path(path)
+        if path.exists() and path.suffix == ".zip":  # novermin
+            path = zipfile.Path(path.open("rb"))
 
         if path.joinpath(FILESYSTEMS_ROOT).exists() and path.joinpath("uploads.json").exists():
             _, dirs = find_fs_directories(path)

dissect/target/plugin.py

@@ -2,9 +2,11 @@
 
 See dissect/target/plugins/general/example.py for an example plugin.
 """
+
 from __future__ import annotations
 
 import fnmatch
+import functools
 import importlib
 import importlib.util
 import inspect
@@ -140,7 +142,7 @@ def get_nonprivate_attributes(cls: Type[Plugin]) -> list[Any]:
 
 def get_nonprivate_methods(cls: Type[Plugin]) -> list[Callable]:
     """Retrieve all public methods of a :class:`Plugin`."""
-    return [attr for attr in get_nonprivate_attributes(cls) if not isinstance(attr, property)]
+    return [attr for attr in get_nonprivate_attributes(cls) if not isinstance(attr, property) and callable(attr)]
 
 
 def get_descriptors_on_nonprivate_methods(cls: Type[Plugin]) -> list[RecordDescriptor]:
@@ -196,6 +198,8 @@ class Plugin:
     The :func:`internal` decorator and :class:`InternalPlugin` set the ``__internal__`` attribute.
     Finally. :func:`args` decorator sets the ``__args__`` attribute.
 
+    The :func:`alias` decorator populates the ``__aliases__`` private attribute of :class:`Plugin` methods.
+
     Args:
         target: The :class:`~dissect.target.target.Target` object to load the plugin for.
     """
@@ -448,6 +452,11 @@ def register(plugincls: Type[Plugin]) -> None:
     exports = []
     functions = []
 
+    # First pass to resolve aliases
+    for attr in get_nonprivate_attributes(plugincls):
+        for alias in getattr(attr, "__aliases__", []):
+            clone_alias(plugincls, attr, alias)
+
     for attr in get_nonprivate_attributes(plugincls):
         if isinstance(attr, property):
             attr = attr.fget
@@ -542,6 +551,47 @@ def arg(*args, **kwargs) -> Callable:
     return decorator
 
 
+def alias(*args, **kwargs: dict[str, Any]) -> Callable:
+    """Decorator to be used on :class:`Plugin` functions to register an alias of that function."""
+
+    if not kwargs.get("name") and not args:
+        raise ValueError("Missing argument 'name'")
+
+    def decorator(obj: Callable) -> Callable:
+        if not hasattr(obj, "__aliases__"):
+            obj.__aliases__ = []
+
+        if name := (kwargs.get("name") or args[0]):
+            obj.__aliases__.append(name)
+
+        return obj
+
+    return decorator
+
+
+def clone_alias(cls: type, attr: Callable, alias: str) -> None:
+    """Clone the given attribute to an alias in the provided class."""
+
+    # Clone the function object
+    clone = type(attr)(attr.__code__, attr.__globals__, alias, attr.__defaults__, attr.__closure__)
+    clone.__kwdefaults__ = attr.__kwdefaults__
+
+    # Copy some attributes
+    functools.update_wrapper(clone, attr)
+    if wrapped := getattr(attr, "__wrapped__", None):
+        # update_wrapper sets a new wrapper, we want the original
+        clone.__wrapped__ = wrapped
+
+    # Update module path so we can fool inspect.getmodule with subclassed Plugin classes
+    clone.__module__ = cls.__module__
+
+    # Update the names
+    clone.__name__ = alias
+    clone.__qualname__ = f"{cls.__name__}.{alias}"
+
+    setattr(cls, alias, clone)
+
+
 def plugins(
     osfilter: Optional[type[OSPlugin]] = None,
     special_keys: set[str] = set(),
@@ -970,7 +1020,7 @@ class NamespacePlugin(Plugin):
                 continue
 
             # The method needs to output records
-            if getattr(subplugin_func, "__output__", None) != "record":
+            if getattr(subplugin_func, "__output__", None) not in ["record", "yield"]:
                 continue
 
             # The method may not be part of a parent class.
@@ -1056,6 +1106,9 @@ class NamespacePlugin(Plugin):
             cls.__init_subclass_namespace__(cls, **kwargs)
 
 
+__COMMON_PLUGIN_METHOD_NAMES__ = {attr.__name__ for attr in get_nonprivate_methods(Plugin)}
+
+
 class InternalPlugin(Plugin):
     """Parent class for internal plugins.
 
@@ -1065,13 +1118,17 @@ class InternalPlugin(Plugin):
 
     def __init_subclass__(cls, **kwargs):
         for method in get_nonprivate_methods(cls):
-            if callable(method):
+            if callable(method) and method.__name__ not in __COMMON_PLUGIN_METHOD_NAMES__:
                 method.__internal__ = True
 
         super().__init_subclass__(**kwargs)
         return cls
 
 
+class InternalNamespacePlugin(NamespacePlugin, InternalPlugin):
+    pass
+
+
 @dataclass(frozen=True, eq=True)
 class PluginFunction:
     name: str

dissect/target/plugins/apps/browser/chrome.py

@@ -25,6 +25,7 @@ class ChromePlugin(ChromiumMixin, BrowserPlugin):
     DIRS = [
         # Windows
         "AppData/Local/Google/Chrome/User Data/Default",
+        "AppData/Local/Google/Chrome/User Data/Snapshots/*/Default",
         "AppData/Local/Google/Chrome/continuousUpdates/User Data/Default",
         "Local Settings/Application Data/Google/Chrome/User Data/Default",
         # Linux

dissect/target/plugins/apps/browser/chromium.py

@@ -79,11 +79,12 @@ class ChromiumMixin:
         users_dirs: list[tuple] = []
         for user_details in self.target.user_details.all_with_home():
             for d in hist_paths:
-                cur_dir: TargetPath = user_details.home_path.joinpath(d)
-                cur_dir = cur_dir.resolve()
-                if not cur_dir.exists() or (user_details, cur_dir) in users_dirs:
-                    continue
-                users_dirs.append((user_details, cur_dir))
+                home_dir: TargetPath = user_details.home_path
+                for cur_dir in home_dir.glob(d):
+                    cur_dir = cur_dir.resolve()
+                    if not cur_dir.exists() or (user_details.user, cur_dir) in users_dirs:
+                        continue
+                    users_dirs.append((user_details, cur_dir))
         return users_dirs
 
     def _iter_db(
@@ -278,6 +279,7 @@ class ChromiumMixin:
                         is_http_only=bool(cookie.is_httponly),
                         same_site=bool(cookie.samesite),
                         source=db_file,
+                        _target=self.target,
                         _user=user.user,
                     )
             except SQLError as e:

dissect/target/plugins/apps/browser/edge.py

@@ -28,6 +28,7 @@ class EdgePlugin(ChromiumMixin, BrowserPlugin):
         ".var/app/com.microsoft.Edge/config/microsoft-edge/Default",
         # Windows
         "AppData/Local/Microsoft/Edge/User Data/Default",
+        "AppData/Local/Microsoft/Edge/User Data/Snapshots/*/Default",
         # Macos
         "Library/Application Support/Microsoft Edge/Default",
     ]