joachimmetz
diff --git a/‎data/formatters/browser.yaml
+116 b/‎data/formatters/browser.yaml
+116
diff --git a/‎data/formatters/generic.yaml
+72-1 b/‎data/formatters/generic.yaml
+72-1
diff --git a/‎data/formatters/windows.yaml
+56-7 b/‎data/formatters/windows.yaml
+56-7
@@ -71,13 +71,71 @@ short_message:
 - '({received_bytes} bytes)'
 ---
 type: 'conditional'
+data_type: 'chrome:history:page_visited'
+boolean_helpers:
+- input_attribute: 'url_hidden'
+  output_attribute: 'url_hidden_string'
+  value_if_true: '(URL hidden)'
+enumeration_helpers:
+- input_attribute: 'page_transition_type'
+  output_attribute: 'page_transition'
+  default_value: 'UNKNOWN'
+  # Also see: https://cs.chromium.org/chromium/src/ui/base/page_transition_types.h
+  values:
+    0: 'LINK - User clicked a link'
+    1: 'TYPED - User typed the URL in the URL bar'
+    2: 'AUTO_BOOKMARK - Got through a suggestion in the UI'
+    3: 'AUTO_SUBFRAME - Content automatically loaded in a non-toplevel frame - user may not realize'
+    4: 'MANUAL_SUBFRAME - Subframe explicitly requested by the user'
+    5: 'GENERATED - User typed in the URL bar and selected an entry from the list - such as a search bar'
+    6: 'START_PAGE - The start page of the browser'
+    7: 'FORM_SUBMIT - A form the user has submitted values to'
+    8: 'RELOAD - The user reloaded the page, eg by hitting the reload button or restored a session'
+    9: 'KEYWORD - URL what was generated from a replaceable keyword other than the default search provider'
+    10: 'KEYWORD_GENERATED - Corresponds to a visit generated from a KEYWORD'
+- input_attribute: 'visit_source'
+  output_attribute: 'visit_source'
+  default_value: 'UNKNOWN'
+  # Also see: https://cs.chromium.org/chromium/src/ui/app_list/search/history_types.h
+  values:
+    0: 'SOURCE_SYNCED'
+    1: 'SOURCE_BROWSED'
+    2: 'SOURCE_EXTENSION'
+    3: 'SOURCE_FIREFOX_IMPORTED'
+    4: 'SOURCE_IE_IMPORTED'
+    5: 'SOURCE_SAFARI_IMPORTED'
+message:
+- '{url}'
+- '({title})'
+- '[count: {typed_count}]'
+- 'Visit from: {from_visit}'
+- 'Visit Source: [{visit_source}]'
+- 'Type: [{page_transition}]'
+- '{url_hidden_string}'
+- '{url_typed_string}'
+short_message:
+- '{url}'
+- '({title})'
+---
+type: 'conditional'
 data_type: 'chrome:preferences:clear_history'
 message:
 - '{message}'
 short_message:
 - '{message}'
 ---
 type: 'conditional'
+data_type: 'chrome:preferences:content_settings:exceptions'
+message:
+- 'Permission {permission}'
+- 'used by {primary_url}'
+- 'embedded in {secondary_url}'
+short_message:
+- 'Permission {permission}'
+- 'used by {primary_url}'
+- 'embedded in {secondary_url}'
+---
+type: 'conditional'
 data_type: 'chrome:preferences:extensions_autoupdater'
 message:
 - '{message}'
@@ -193,12 +251,53 @@ data_type: 'firefox:places:bookmark_folder'
 message: '{title}'
 short_message: '{title}'
 ---
+type: 'conditional'
+data_type: 'firefox:places:page_visited'
+enumeration_helpers:
+- input_attribute: 'visit_type'
+  output_attribute: 'transition_string'
+  default_value: 'UNKOWN'
+  # Also see: src/toolkit/components/places/nsINavHistoryService.idl
+  values:
+    1: 'LINK'
+    2: 'TYPED'
+    3: 'BOOKMARK'
+    4: 'EMBED'
+    5: 'REDIRECT_PERMANENT'
+    6: 'REDIRECT_TEMPORARY'
+    7: 'DOWNLOAD'
+    8: 'FRAMED_LINK'
+message:
+- '{url}'
+- '({title})'
+- '[count: {visit_count}]'
+- 'Host: {host}'
+- 'visited from: {from_visit}'
+- '{url_hidden_string}'
+- '{url_typed_string}'
+- 'Transition: {transition_string}'
+short_message:
+- 'URL: {url}'
+---
 type: 'basic'
 data_type: 'firefox:downloads:download'
 message: '{url} ({full_path}). Received: {received_bytes} bytes out of: {total_bytes} bytes.'
 short_message: '{full_path} downloaded ({received_bytes} bytes)'
 ---
 type: 'conditional'
+data_type: 'msiecf:leak'
+boolean_helpers:
+- input_attribute: 'recovered'
+  output_attribute: 'recovered_string'
+  value_if_true: '[Recovered Entry]'
+message:
+- 'Cached file: {cached_file_path}'
+- 'Cached file size: {cached_file_size}'
+- '{recovered_string}'
+short_message:
+- 'Cached file: {cached_file_path}'
+---
+type: 'conditional'
 data_type: 'msiecf:redirected'
 boolean_helpers:
 - input_attribute: 'recovered'
@@ -211,6 +310,23 @@ short_message:
 - 'Location: {url}'
 ---
 type: 'conditional'
+data_type: 'msiecf:url'
+boolean_helpers:
+- input_attribute: 'recovered'
+  output_attribute: 'recovered_string'
+  value_if_true: '[Recovered Entry]'
+message:
+- 'Location: {url}'
+- 'Number of hits: {number_of_hits}'
+- 'Cached file: {cached_file_path}'
+- 'Cached file size: {cached_file_size}'
+- 'HTTP headers: {http_headers}'
+- '{recovered_string}'
+short_message:
+- 'Location: {url}'
+- 'Cached file: {cached_file_path}'
+---
+type: 'conditional'
 data_type: 'msie:webcache:container'
 message:
 - 'URL: {url}'
 
@@ -182,10 +182,55 @@ message: '{filename}'
 short_message: '{filename}'
 ---
 type: 'conditional'
+data_type: 'fs:ntfs:usn_change'
+flags_helpers:
+- input_attribute: 'update_reason_flags'
+  output_attribute: 'update_reason'
+  values:
+    0x00000001: 'USN_REASON_DATA_OVERWRITE'
+    0x00000002: 'USN_REASON_DATA_EXTEND'
+    0x00000004: 'USN_REASON_DATA_TRUNCATION'
+    0x00000010: 'USN_REASON_NAMED_DATA_OVERWRITE'
+    0x00000020: 'USN_REASON_NAMED_DATA_EXTEND'
+    0x00000040: 'USN_REASON_NAMED_DATA_TRUNCATION'
+    0x00000100: 'USN_REASON_FILE_CREATE'
+    0x00000200: 'USN_REASON_FILE_DELETE'
+    0x00000400: 'USN_REASON_EA_CHANGE'
+    0x00000800: 'USN_REASON_SECURITY_CHANGE'
+    0x00001000: 'USN_REASON_RENAME_OLD_NAME'
+    0x00002000: 'USN_REASON_RENAME_NEW_NAME'
+    0x00004000: 'USN_REASON_INDEXABLE_CHANGE'
+    0x00008000: 'USN_REASON_BASIC_INFO_CHANGE'
+    0x00010000: 'USN_REASON_HARD_LINK_CHANGE'
+    0x00020000: 'USN_REASON_COMPRESSION_CHANGE'
+    0x00040000: 'USN_REASON_ENCRYPTION_CHANGE'
+    0x00080000: 'USN_REASON_OBJECT_ID_CHANGE'
+    0x00100000: 'USN_REASON_REPARSE_POINT_CHANGE'
+    0x00200000: 'USN_REASON_STREAM_CHANGE'
+    0x00400000: 'USN_REASON_TRANSACTED_CHANGE'
+    0x80000000: 'USN_REASON_CLOSE'
+- input_attribute: 'update_source_flags'
+  output_attribute: 'update_source'
+  values:
+    0x00000001: 'USN_SOURCE_DATA_MANAGEMENT'
+    0x00000002: 'USN_SOURCE_AUXILIARY_DATA'
+    0x00000004: 'USN_SOURCE_REPLICATION_MANAGEMENT'
+message:
+- '{filename}'
+- 'File reference: {file_reference}'
+- 'Parent file reference: {parent_file_reference}'
+- 'Update source: {update_source}'
+- 'Update reason: {update_reason}'
+short_message:
+- '{filename}'
+- '{file_reference}'
+- '{update_reason}'
+---
+type: 'conditional'
 data_type: 'fs:stat'
 boolean_helpers:
 - input_attribute: 'is_allocated'
-  output_attribute: 'is_allocated'
+  output_attribute: 'unallocated'
   value_if_false: 'unallocated'
 message:
 - '{display_name}'
@@ -195,6 +240,32 @@ short_message:
 - '{filename}'
 ---
 type: 'conditional'
+data_type: 'fs:stat:ntfs'
+boolean_helpers:
+- input_attribute: 'is_allocated'
+  output_attribute: 'unallocated'
+  value_if_false: 'unallocated'
+enumeration_helpers:
+- input_attribute: 'attribute_type'
+  output_attribute: 'attribute_name'
+  default_value: 'UNKNOWN'
+  values:
+    0x00000010: '$STANDARD_INFORMATION'
+    0x00000030: '$FILE_NAME'
+message:
+- '{display_name}'
+- 'File reference: {file_reference}'
+- 'Attribute name: {attribute_name}'
+- 'Name: {name}'
+- 'Parent file reference: {parent_file_reference}'
+- '({unallocated})'
+- 'Path hints: {path_hints}'
+short_message:
+- '{filename}'
+- '{file_reference}'
+- '{attribute_name}'
+---
+type: 'conditional'
 data_type: 'gdrive:snapshot:cloud_entry'
 boolean_helpers:
 - input_attribute: 'shared'
 
@@ -160,6 +160,28 @@ short_message:
 - ': {dest_port}'
 ---
 type: 'conditional'
+data_type: 'windows:lnk:link'
+message:
+- '[{description}]'
+- 'File size: {file_size}'
+- 'File attribute flags: 0x{file_attribute_flags:08x}'
+- 'Drive type: {drive_type}'
+- 'Drive serial number: 0x{drive_serial_number:08x}'
+- 'Volume label: {volume_label}'
+- 'Local path: {local_path}'
+- 'Network path: {network_path}'
+- 'cmd arguments: {command_line_arguments}'
+- 'env location: {env_var_location}'
+- 'Relative path: {relative_path}'
+- 'Working dir: {working_directory}'
+- 'Icon location: {icon_location}'
+- 'Link target: {link_target}'
+short_message:
+- '[{description}]'
+- '{linked_path}'
+- '{command_line_arguments}'
+---
+type: 'conditional'
 data_type: 'windows:metadata:deleted_item'
 enumeration_helpers:
 - input_attribute: 'drive_number'
@@ -201,15 +223,17 @@ short_message:
 - 'Deleted file: {original_filename}'
 ---
 type: 'conditional'
-data_type: 'windows:registry:explorer:programcache'
+data_type: 'windows:prefetch:execution'
 message:
-- 'Key: {key_path}'
-- 'Value: {value_name}'
-- 'Entries: [{entries}]'
+- 'Prefetch'
+- '[{executable}] was executed -'
+- 'run count {run_count}'
+- 'path hints: {path_hints}'
+- 'hash: 0x{prefetch_hash:08X}'
+- '{volumes_string}'
 short_message:
-- 'Key: {key_path}'
-- 'Value: {value_name}'
-- 'Entries: [{entries}]'
+- '{executable} was run'
+- '{run_count} time(s)'
 ---
 type: 'conditional'
 data_type: 'windows:registry:amcache'
@@ -278,6 +302,17 @@ message: '[{key_path}] ImagePath: {image_path}'
 short_message: '[{key_path}] ImagePath: {image_path}'
 ---
 type: 'conditional'
+data_type: 'windows:registry:explorer:programcache'
+message:
+- 'Key: {key_path}'
+- 'Value: {value_name}'
+- 'Entries: [{entries}]'
+short_message:
+- 'Key: {key_path}'
+- 'Value: {value_name}'
+- 'Entries: [{entries}]'
+---
+type: 'conditional'
 data_type: 'windows:registry:installation'
 message:
 - '{product_name}'
@@ -592,6 +627,20 @@ message: '[{key_path}] {entries}'
 short_message: '[{key_path}] {entries}'
 ---
 type: 'conditional'
+data_type: 'windows:shell_item:file_entry'
+message:
+- 'Name: {name}'
+- 'Long name: {long_name}'
+- 'Localized name: {localized_name}'
+- 'NTFS file reference: {file_reference}'
+- 'Shell item path: {shell_item_path}'
+- 'Origin: {origin}'
+short_message:
+- 'Name: {file_entry_name}'
+- 'NTFS file reference: {file_reference}'
+- 'Origin: {origin}'
+---
+type: 'conditional'
 data_type: 'windows:srum:application_usage'
 message:
 - 'Application: {application}'