Firefox Forensics #1 (Internet History)

Over the week, I have been looking at a dozen hard disks, with requests primarily for Internet artifacts. I powered up my arsenal of forensic tools. The problems that I faced were:

  • Blue screen of death for unknown reasons
  • Most tools take time to process but I want it NOW!!
  • Conflicting results between tools make verifications a hair-pulling experience
  • Little control as to what I really want the tool to do for me. For your information, I tried kissing the dongle

Therefore I got my hands dirty, exported the required Internet artifacts and processed them manually. My preferred tools are:

  • SQLite 2009 Pro – There are several good SQLite viewers out there, but SQLitePro2009 allows you to export query results to Excel, CSV and HTML formats
  • Nirsoft Browser tools – They are free, portable and easy to use.

Firefox History (v.21)

Firefox history is primarily stored in a SQLite file named “places.sqlite”. There are several tables in this file, but the tables that we are most interested in are:

  1. moz_places
  2. moz_historyvisits
  3. moz_inputhistory
  4. moz_hosts

moz_places

This table contains the following interesting fields:

  • id = primary key
  • url = URL of webpage
  • title = title of webpage
  • visit_count = number of visits
  • typed = whether the URL was typed (0 = No, 1 = Yes)
  • last_visit_date = last visit timestamp in PRTime (microseconds since the Unix epoch)

moz_historyvisits

This table contains the following interesting fields:

  • id = primary key
  • place_id = reference to moz_places.id
  • visit_date = webpage visit timestamp in PRTime

moz_inputhistory

This table contains the following interesting fields:

  • place_id = reference to moz_places.id
  • input = typed input
  • use_count

moz_hosts

This table contains the following interesting fields:

  • id = primary key
  • host = hostname
  • typed = whether the hostname was typed (1 = Yes)

SQLite query to parse Firefox Internet history

SQLite query – Get history:

select moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_places.typed, datetime((moz_historyvisits.visit_date/1000000), 'unixepoch', 'localtime'), moz_historyvisits.visit_type from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id;
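As an added example (not part of the original post), the same history join can be scripted so that the working copy of places.sqlite is opened read-only and timestamps are reported in UTC rather than the examiner's local time. The function names and sample rows are constructed for illustration, and the visit_type names follow Firefox's TRANSITION_* constants, which this page does not list.

```python
import os, sqlite3, tempfile
from datetime import datetime, timedelta, timezone

# Visit-type names follow Firefox's TRANSITION_* constants (assumption: not listed on this page).
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
               6: "redirect_temporary", 7: "download", 8: "framed_link"}

HISTORY_SQL = """
SELECT v.id, p.url, p.title, p.visit_count, p.typed, v.visit_date, v.visit_type
FROM moz_historyvisits AS v JOIN moz_places AS p ON v.place_id = p.id
ORDER BY v.visit_date, v.id"""

def prtime_to_utc(prtime):
    """PRTime = microseconds since the Unix epoch; integer math keeps it exact."""
    ts = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime)
    return ts.strftime("%Y-%m-%d %H:%M:%S.%f UTC")

def read_history(path):
    """Query a working copy of places.sqlite through a read-only connection."""
    con = sqlite3.connect("file:" + path + "?mode=ro", uri=True)
    try:
        return [{"visit_id": r[0], "url": r[1], "title": r[2], "visit_count": r[3],
                 "typed": bool(r[4]), "visited_utc": prtime_to_utc(r[5]),
                 "visit_type": VISIT_TYPES.get(r[6], "unknown(%s)" % r[6])}
                for r in con.execute(HISTORY_SQL)]
    finally:
        con.close()

def build_sample(path):
    """Constructed sample data, reduced to the columns the query needs."""
    con = sqlite3.connect(path)
    con.executescript("""
      CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
          visit_count INTEGER, typed INTEGER, last_visit_date INTEGER);
      CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
          visit_date INTEGER, visit_type INTEGER);
      INSERT INTO moz_places VALUES
          (1, 'http://example.com/', 'Example', 2, 1, 1370003600500000);
      INSERT INTO moz_historyvisits VALUES (10, 1, 1370000000000000, 2), (11, 1, 1370003600500000, 1);
      """)
    con.close()

def demo():
    """Build the constructed database in a temp directory and parse it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "places.sqlite")
        build_sample(path)
        return read_history(path)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Point read_history() at an exported copy of places.sqlite, never at the file on the original evidence disk.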

SQLite query to parse typed URLs in Firefox

select moz_inputhistory.place_id, moz_places.typed, moz_inputhistory.input, moz_places.url, moz_places.visit_count, moz_inputhistory.use_count from moz_places, moz_inputhistory where moz_places.id = moz_inputhistory.place_id;

SQLite query to parse hostname

SELECT moz_hosts.id, moz_hosts.host, moz_hosts.frecency, moz_hosts.typed, moz_hosts.prefix FROM moz_hosts;
