Firefox Forensics (Part 3) – Cache

While learning on Firefox Cache, I stumbled upon several articles, I came across two or three good tools that automates the Firefox cache files. However what I really want to get down to the hex levels of the Cache Map and Cache Block. I know a few articles on the Internet that explain pretty clearly on how to analyze Firefox cache. I guess I must have an IQ of below average because I just can’t find the location and interpret these hex into valuable details. If any kind souls who are reading this, please enlightening and point me to any fantastic article that explain Firefox Cache for someone real dumb like me. Thank  You! and Merry Christmas!!!

~~~~~ ~~~~~

When the user browses websites, Firefox cache temporary stores images, scripts and other files from the websites. Firefox cache can be view by typing “about:cache” in the address bar. There are 3 types of caches:

  • Memory cache: cache data in RAM
  • Dish cache: cache data stored on the disk
  • Offline cache:

~~~~~ ~~~~~

Firefox Cache Locations

Win XP:

  • C:\Documents and Settingd\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\

Win Vista and Win 7:

  • C:\Users\[user]\AppData]Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\

Mac OS X:

  • ~/Library/Firefox/Caches/Firefox/Profiles/XXXXXXXX.default/

Linux:

  • ~/.mozilla/firefox/XXXXXXXX.default/Cache/

~~~~~ ~~~~~

Inside Firefox cache folder, there will be one Cache Map file, three Cache block file and cache data files. The Cache Map (“_CACHE_MAP_”) and Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003)” are the essential files to analysis Firefox’s cache files.

Firefox Cache Map

The  Cache Map is the main file needed to reconstruct Firefox cache files. If you had read Web Browser Forensics, Part 2, you probably know that within the Cache Map, you probably find Cache Map buckets which contain mapping to the Cache Map records. Within the Cache Map, each Cache Record contain 4 32-bit values

  • Hash Number
  • Eviction Rank
  • Data Location
  • Metadata Location

The 32-bit Metadata Location is bitwise-AND with 0x30000000 to obtain the metadata stored in the Cache Map or any of the 3 Cache Block file. If the resulted value from the bit-wise AND operation return a ‘0’, the metadata are stored in the Cache Map, a value of ‘1’ to ‘3’ are stored in the respectively Cache Block file.

In my hands-on, the single Cache file is named “1F796D27d01”. I did a search with “1F796D27” on the Cache Map and found the the offset 0x0804. The value of the Cache record is as follows:

  • Hash Number = 1F796D27 (1st eight character of the cache file)
  • Eviction Rank =B3148457
  • Data Location =80007401
  • Metadata Location = 91000000
  • Cache Block locatioon = 91000000 AND 30000000 = 1 (location of metadata is stored in Cache Block 1)

Firefox Cache Block

In the Firefox Cache directory, the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003)” contain metadata and data. Each Cache entry will contain the information:

0-3

4 bytes Magic number
4-7 4 bytes Location (Big Endian)
12-15 4 bytes Fetch time (Big Endian)
16-19 4 bytes Modify time (Big Endian)
20-23 4 bytes Expire time (Big Endian)
24-27 4 bytes Data size (Big Endian)
28-31 4 bytes Request size (Big Endian)
32-35 4 bytes Info size (Big Endian)
36-(R) Request string
(R+1)- Info string

Firefox Cache Files

One quick and easy way to view the cache files is to use FTK Imager Lite to browse the cache files. One advantage of FTK Imager allows you to view the contents of the cache files and view the file’s metadata in the “Properties” pane.

Cache files in the Cache folder are created when the content is too large to be stored in the Cache Block.In the Firefox Cache folder, Cache files are named in the following order

In my hands-on, the filename is “1F796D27d01”, it indicates that “1F796D27” is the 32-bit hash number, d represent it is a data file.

~~~~~ ~~~~~

Firefox Disk Cache Setting

Configuration about disk cache can be viewed by typing “about:config” and the 2 main settings for disk cache are:

  • browser.cache.disk.enable
  • browser.cache.disk.capacity

The “browser.cache.disk.enable” setting defines if disk cache is enabled. It is set to ‘true’ on default. The “browser.cache.disk.capacity” defines the maximum size of harddisk allocated for disk cache. The default is set at 512,000KB (or 50MB). Alternate cache storage can also be found if “browser.cache.disk.parent_directory” is present.

~~~~~ ~~~~~

Tools: CacheViewer

CacheViewer is a Firefox addons for GUI front-end for “about:cache”.  This tools is able to parse information from Firefox Cache for:

  • Source URL
  • Destination file cached on disk (if any)
  • Fetch count
  • Date last fetched
  • Date last modified

~~~~~ ~~~~~

Credits and References

  1. Change Firefox Cache Location: a short article on changing disk cache location
  2. Where is Firefox Internet Files Cache Folders – Part II: another article on Firefox Cache
  3. Read Firefox Cache with Python

~~~~~ ~~~~~

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s