Firefox Forensics #1 (Internet History)

Over the week, I am looking at a dozen of harddisks, primarily requesting for Internet artifacts. I powered up my arsenal of forensic tools. The problems that I faced were:

• Blue screen for death for unknown reasons
• Most tools take time to process but I want it NOW!!
• Conflicting results between tools make verifications a hair-pulling experience
• Little control as to what I really want the tool to do for me. For your information, I tried kissing the dongle

Therefore I got my hands dirty and export the required Internet artifacts and processed them manually. My preferred tools are:

• SQLite 2009 Pro – There are several good SQLite viewer out there but SQLitePro2009 allow you to export query results to Excel, CSV and HTML format
• Nirsoft Browser tools – They are free, portable and easy to use.

Firefox History (v.21)

Firefox histories are primarily stored in a SQLite file named “places.sqlite“. There are several tables in this file but the tables that we are more interested in are:

1. moz_places
2. moz_historyvisits
3. moz_inputhistory
4. moz_hosts

moz_places

This table contains the following interest fields:

• id = primary key
• url = URL of webpage
• title = title of webpage
• visit_count = number of visit
• typed = if URL is typed ( 0 = No, 1 = Yes)
• last_visit_date = last visit timestamp in PR Time

moz_historyvisits

This table contains the interesting following fields:

• id = primary key
• place_id = reference to moz_places.id
• visit_date = webpage visit timestamp in PR Time

moz_inputhistory

This table contains the following interesting fields:

• place_id = reference to moz_places.id
• input = typed input
• use_count

moz_hosts

This table contains the following interesting fields:

• id = primary key
• host = hostname
• typed = Is the hostname typed (1 = Yes)

SQLite query to parse Firefox Internet Histories

SQLite query – Get history: select moz_historyvisits.id, moz_places.url, moz_places.title, moz_places.visit_count, moz_places.typed, datetime((moz_historyvisits.visit_date/1000000), “unixepoch”,”localtime”), moz_historyvisits.visit_type from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id;

SQLite query to parse typed URLs in Firefox

select moz_inputhistory.place_id, moz_places.typed, moz_inputhistory.input, moz_places.url, moz_places.visit_count, moz_inputhistory.use_count from moz_places, moz_inputhistory where moz_places.id = moz_inputhistory.place_ids;

SQLite query to parse hostname

SELECT moz_hosts.id, moz_hosts.host, moz_hosts.frecency, moz_hosts.typed, moz_hosts.prefix FROM moz_hosts;

Safari Forensic

Artifacts in this examination is conducted on Safari 6.0.1 running on Mac OS X 10.8 aka Mount Lion.

• Bookmarks: /Users/<user>/Library/Safari/Bookmarks.plist
  • bookmarks (pre-defined on instalation or user-input)
• Downloads: /Users/<user>/Library/Safari/Downloads.plist
  • Source URL
  • Destination path on system
  • Total file size
  • Download progress (in bytes)
• Extensions: /Users/<user>/Library/Safari/Extensions/Extensions.plist
  • installed extensions
• History: /Users/<user>/Library/Safari/History.plist
  • URL
  • visit count
  • webpage title
  • last visited timestamp (in Mac CFAbsolute Time)
  • redirected URL
  • autocomplete
• History Index: /Users/<user>/Library/Safari/HistoryIndex.sk
• Last session: /Users/<user>/Library/Safari/LastSession.plist
• Local storage: /Users/<user>/Library/Safari/LocalStorage/ and /Users/<user>/Library/Safari/LocalStorage/StorageTracker.db
  • StorageTracker.db: tracks local storage files
• TopSites: /Users/<user>/Library/Safari/TopSites.plist
  • URL
  • Webpage title
  • Last modified timestamp
• Webpage Icons: /Users/<user>/Library/WebpageIcons.db
• Cache: /Users/<user>/Library/Caches/com.apple.Safari/Cache.db
  • BLOB Cache data
  • URL
  • timestamp (in system time)
• Webpage Preview (thumbnail): /Users/<user>/Library/Caches/com.apple.Safari/Webpage Previews
• Cookies: /Users/<user>/Library/Cookies/Cookies.binarycookies
  • Update: 3 Nov – Found a tool to parse binarycookies, check out this site: http://www.securitylearn.net/2012/10/27/cookies-binarycookies-reader/
    

LastSessions.plist

This plist file records the current state of the browser. This plist is used to restore the state of the browser in the event that Safari browser exit unexpectedly. In my lab simulation, if Safari browser is exit as normal, there will be no entry in the SessionWindows

Browsing session ended as normal

Browsing session ended unexpectedly

TabStates records the visited webpages in the current state. Each item in the TabStates is listed as a tab in Safari.

• TabTitle: records the title of the webpage
• TabURL: records the visited URL of the webpage

TopSites.plist

TopSites is a feature in Safari to improve user browsing preferences. Websites are added to TopSites either by one of the 3 following ways – by default, generated by Safari based on users’ preferences, and users pinning a website to TopSites. TopSites information are stored in TopSites.plist. This Plist file stored data such as URL, title and how the sites are added to TopSites.plist. In my lab test, the following XML-tags were observed:

• default sites: TopSiteIsBuiltIn
• Pinned by user: TopSiteIsPinned
• Safari-generated preference: <No tag>

Cache.db

Safari stored cache items in a SQLite file named “Cache.db”. The 2 most important tables in this SQLite file are:

• cfurl_cache_receiver_data (BLOB data)
• cfurl_cache_response (URL, for visited sites, timestamp on system in UTC format)

SQLite Statement to corelate BLOB data with URL, sort by timestamp:

select cfurl_cache_response.entry_ID, cfurl_cache_response.request_key, cfurl_cache_response.time_stamp, cfurl_cache_receiver_data.receiver_data from cfurl_cache_receiver_data, cfurl_cache_response where cfurl_cache_response.entry_ID == cfurl_cache_receiver_data.entry_ID order by cfurl_cache_response.time_stamp

.

Mac OSX Forensic (Mini-Series 4) – 10.8 User Folder

User folder in OS X 10.8 (Mountain Lion) is the same like other version of OS X 10. This folder contain most of the login user’s activities on a Mac system. Among the wealth of information in this folder are the user’s preferences. In a default user folder, you are likely to find the following folders/files:

• Desktop
• Documents
• Downloads
• Library: hidden folder containing preferences
• Movies
• Music
• Pictures
• Public
• Trash: User trash folder before they are remove from the system
• .bash_history: Terminal command history

Some of important files include:

• General preferences for user: ~/Library/Preferences/.GlobalPreferences.plist
• AddressBook preferences: ~/Library/Preferences/com.apple.AddressBook.plist
• Desktop Service: ~/Library/Preferences/com.apple.desktopservices.plist
• Dock – Apps keep in Docks (presistent-apps): ~/Library/Preferences/com.apple.com.apple.dock.plist
• Finder preferences: ~/Library/Preferences/com.apple.finder.plist
• Finder – Recent folders: ~/Library/Preferences/com.apple.finder.plist
• iCal preferences: ~/Library/Preferences/com.apple.iCal.plist
• Facetime – Account: ~/Library/Preferences/com.apple.imservice.FaceTime.plist
• iMessage – Account: ~/Library/Preferences/com.apple.imservice.iMessage.plist
• iPhoto preferences: ~/Library/Preferences/com.apple.iPhoto.plist
• Connected iDevices: ~/Library/Preferences/com.apple.iPod.plist
• iTunes Preferences: ~/Library/Preferences/com.apple.iTunes.plist
• Preview – Recent Documents: ~/Library/Preferences/com.apple.Preview.LSSharedFileList
• Recent Apps: ~/Library/Preferences/com.apple.recentitems.plist
• Recent Documents: ~/Library/Preferences/com.apple.recentitems.plist
• Safari preferences: ~/Library/Preferences/com.apple.Safari.plist
• Scheduler plist: ~/Library/Preferences/com.apple.scheduler.plist
• Screensaver plist: ~/Library/Preferences/com.apple.screensaver.plist
• Spotlight – User’s search: ~/Library/Preferences/com.apple.spotlight.plist
• Appstore – AppleID: ~/Library/Preferences/com.apple.storeagent.plist
• Appstore – Last Auth Time: ~/Library/Preferences/com.apple.storeagent.plist
• Appstore Preferences: ~/Library/Preferences/com.apple.storeagent.plist
• Terminal preferences: ~/Library/Preferences/com.apple.Terminal.plist
• Textedit – Recent documents: ~/Library/Preferences/com.apple.TextEdit.LSSharedFileList
• User Keychains: ~/Library/Keychains/
• User Autorun: ~/Library/LaunchAgents/
• User Logs: ~/Library/Logs/

Opera Forensics

There are not many forensic articles on ‘Opera’. So I try to write something about it. This is my findings based on my observations. Definitely this posting is not complete and going to be an on-going project. If you are reading this, please drop me something, (a link, a tool, an article or anything!). And if you have written something on it, please share it with me.

This article is based on Opera 12.11 (build 1611) running on a Windows 7 machine.

File Locations:

• Win7: \Users\[user]\AppData\Local\Opera\
• Win7: \Users\[user]\AppData\Roaming\Opera\
• Win Vista: \Users\[user]\AppData\Local\Opera\
• Win Vista: \Users\[user]\AppData\Roaming\Opera\
• Win XP: \Documents and Settings\[user]\Application Data\Opera\
• Win XP: \Documents and Settings\[user]\Local Settings\Application Data\Opera\
• Mac OS X: ~/Library/Application Support/Opera
• Mac OS X: ~/Library/Caches/Opera
• Mac OS X: ~/Library/Opera

File Artifacts:

• Installation/Last update information: autoupdate_region.dat & operaprefs.ini
• Bookmarks: bookmarks.adr
• Cookies: cookies4.dat
• Download: download.dat
• Histories: global_history.dat
• Preferences: operaprefs.ini
• Search preferences: search.ini
• Search histories: search_field_history.dat
• Speeddial settings: speeddial.ini
• Typed URLs: typed_history.xml
• Last Sessions: autosave.win & autosave.win.bak
• Cache folder: \Users\[user]\AppData\Local\Opera\Opera\Cache

Bookmarks

Bookmarks information are stored in a text file named “bookmarks.adr”. Some interesting information are:

• URL or Folder
• NAME: given name for bookmark (bookmark folder)
• CREATED: created timestamp (Unix & GMT)
• VISITED: visited timestamp (Unix & GMT)
• URL: URL for bookmark

History

Browsing histories are stored in a text format file named “global_history.dat”. This file provides information to:

• Window title
• URL
• Visited timestamp (Unix & GMT)

Search Histories

Search file histories can be found in a XML format file named “search_field_history.dat”.

Typed URLs

Users’ typed URLs can be found in “typed_history.xml” which contained the the URLs and the associated timestamp (in GMT).

Last Sessions

Last sessions which can be used to restore the website in the event of a program crashes can be found in text format file “autosave.win” & “autosave.win.bak”. Essentially, it recorded the state of the browser when the browser is in use. Among the most important information is the number of windows opened and the URLs.

Cache

Opera stored cache files starting with “opr” and are saved with “tmp” extension. The tool that I used is Nirsoft OperaCacheView. You have to copy out the cache folder and used Nirsoft OperaCacheView to parse the cache files.

Cookies

Cookies are stored in a semi-binary file named “cookies4.dat”. If you do a search, you will probably find a few tool to parse cookies data. However as of this moment, I prefer to set up Opera on a virtual machine and import the Opera artifacts into the virtual machine, and used ‘Cookie Manager’ in Opera Preferences to view the data.

Link:

• http://www.opera.com/docs/operafiles/
• http://my.opera.com/community/forums/topic.dml?id=1057962
• http://my.opera.com/SearchEdit/blog/search-ini-explainen
• http://en.wikipedia.org/wiki/Features_of_the_Opera_web_browser

That is all for now. Moving on to other project and will definitely add more stuffs as and when I find new stuff. : )

Google Chrome Forensics on Mac Part 2 – File Artifacts

This is a summary of the available artifacts on Mac OS X 10.7 with Google Chrome browser version: 18.0.1025.163

Profile-       Profile name-       Last used profile –       Number of times launched –       Timestamp for last launched (Unix time) –       Timestamp for last used (Unix time)	~/Library/Application Support/Google/Chrome/Local State
History	~/Library/Application Support/Google/Chrome/History
History Index	~/Library/Application Support/Google/Chrome/History Index YYYY-MM
Bookmarks	~/Library/Application Support/Google/Chrome/Bookmarks~/Library/Application Support/Google/Chrome/Bookmarks.bak
Cookies	~/Library/Application Support/Google/Chrome/Cookies
Extensions	~/Library/Application Support/Google/Chrome/Extensions/
Favicons	~/Library/Application Support/Google/Chrome/Favicons
Login Username and Password	~/Library/Application Support/Google/Chrome/Login Data
Keylog Indexing	~/Library/Application Support/Google/Chrome/Network Action Predictor
Configurations and settings	~/Library/Application Support/Google/Chrome/Preferences
Omni Box Indexing	~/Library/Application Support/Google/Chrome/Shortcuts
Top Sites	~/Library/Application Support/Google/Chrome/Top Sites
Web Data information such as-       Autofill-       Login –       Credit card info	~/Library/Application Support/Google/Chrome/Web Data
Cache	~/Library/Cache/Google/Chrome/Profile/[profilename]/Cache

Google Chrome Forensics on Mac

It is not easy to write about forensic analysis of browser artifacts. The frequent upgrade and limited resources available did not make it easier. Please do your own research and testing. I am afterall a practitioner, not a scientist or an engineer. Have fun.

Browser Version: 18.0.1025.163

Locations:

OS X 10.7 –  ~/Library/Application Support/Google/Chrome/ and  ~/Library/Cache/Google/Chrome/Profile/[profilename]/Cache

Forensic Artifacts:

• Local State – Profile information, including last used profile
• Bookmark – user-specified bookmarks
• Cookies
• History – browsing history
• History Index [YYYY-MM] – text-based contents of visited sites
• Login Data – Saved Username
• Network Action Predictor – Learn user behavior and probably used to predict user intended web address or search term
• Shortcuts – One of the feature of Omnibox, offers suggestions for URL or search term
• Top Sites – feature similar to Safari
• Web Data – Autofill information
• Cache

Time-based analysis

Time recorded are mostly recorded in Webkit time format (number of microseconds since 01/01/1601 00:00:00 UTC represented in 64-bit integers).  A simple analysis to convert Webkit time format to Unix time format is:

[timestamp]/1000000 – 11644473600

Useful SQLite statement

Cookies sqlite database: Cookie’s hostname, creation timestamp and last access timestamp:

select host_key, datetime((creation_utc/1000000 – 11644473600), “unixepoch”, “localtime”), datetime((last_access_utc/1000000 – 11644473600), “unixepoch”, “localtime”) from cookies

History sqlite database: Sort history by last visited time

select datetime((last_visit_time/1000000 – 11644473600), “unixepoch”, “localtime”), url, title, typed_count, visit_count from urls

History sqlite database: Sort history by timeline

select datetime((visits.visit_time/1000000 – 11644473600), “unixepoch”, “localtime”), urls.url,urls.title from urls, visits where visits.url = urls.id order by visits.visit_time asc

History sqlite database: Search term analysis

select datetime((visits.visit_time/1000000 – 11644473600), “unixepoch”, “localtime”), keyword_search_terms.term, urls.url from keyword_search_terms, urls, visits where keyword_search_terms.url_id = urls.id = visits.url order by visits.visit_time asc

History sqlite database: Download files

select datetime(start_time, “unixepoch”, “localtime”), datetime(end_time, “unixepoch”, “localtime”), url, full_path from downloads order by start_time asc 

`

Mac OS X 10.6 Address Book Forensics Part 1

Address Book is the default address for Mac OS X. It integrates and synchronises with the operating system, applications and IOS devices. On MAC OS X, Address book integrate with iChat, Mail, iCal, iTunes, MobileMe and contacts are indexed in Spotlight. For full list of features, you can refer to Wikipedia – Address Book.

 

I have conducted my testing on a Mac running OS X 10.6.7, Address Book version 5.0.3 (883). This is a simple sharing from me and serve as my personal reference to me. Please conduct your own test to verify. Do let me know if your test result is different from me so we can build a stronger and better community. You can refer to my ‘About Me’ page for disclaimer and about me.

 

~/Library/Preferences/AddressBookMe.plist : This file contain registration information of the Mac Machine when the machine is first boot up for registration. This file may not exist on the system when the user skipped the registration process.

~/Library/Preferences/com.apple.AddressBook.plist : preference file for user’ settings

~/Library/Preferences/com.apple.AddressBook.abd.plist : not sure what this file suppose to do

~/Library/Preferences/ByHost/com.apple.AddressBook.sync.[psuedo-random number] : In my testing, this file contained the timestamp that AddressBook was used. I assume that the timestamp may be used to indicate the AddressBook is last updated or used.

Address Book entries are stored in SQLite database in ~/Library/Application Support/AddressBook/AddressBook-v22.abcddb.

~/Library/Application Support/AddressBook/Metadata/ : Each contact is kept in stored in distinct file and assigned a unique ID.This unique ID can be reference to AddressBook-v22.abcddb database file.

 

The corresponding image is kept in ~/Library/Application Support/AddressBook/Images/. On my machine, I created 1 group and 2 contacts.

~~~~~ ~~~~~

Mac OS X Crash Reporter Analysis

I stumbled upon a folder named “CrashReporter” while doing some testing on my Mac. As the name suggests, CrashReporter is a debugging facility in Mac OS X that logs all programs that crash. You might say it is more suitable for developer and advanced users. I still think it is still worth to take a look. On my system, I discovered 3 files inside “CrashReporter” folder. As I remember, the timestamp was most likely the time that my Mac crashed on these occasions.

What got my interest is that one of the plist file “interval_XXXXXXXXX.plist”. Under the field “appDuration”, it logged the applications running on the system and it’s duration (I have not figure out the units for the duration).

When a program crashes, CrashReporter will log the details. On my Mac, I found that it is stored in ~/Library/Application Support/CrashReporter. While doing some searching on the Internet, crash logs are typically stored in ~/Library/Logs/CrashReporter/. Instead of finding crash logs of my Mac, I found a subfolder named “MobileDevice” and a folder named after my iPhone. In this folder, contained crash logs of my iPhone and it’s applications.

In the folder “~/Library/Logs/CrashReporter/ folder, each crash is distinctly saved into 2 files: one *.crash file and one *.plist. If you want to look at the detail of the crash, you probably may want to look at crash file.

According to Mac OS X Reference Library,  it is possible that crash logs are stored in /Library/Logs/CrashReporter/ and these circumstances may be due to that the ownership of the crash process was owned by root or the ownership cannot be determined, or the user’s home directory is not available.

~~~~~ ~~~~~

Credits and References

• Mac OS X Reference Library Technical Note TN2123 Crash Reporter : explained how crash logs are created and stored on the system. Also, a detail explanation of reading crash logs.
• Disable the Crash Reporter Dialog Box in Mac OS X :
• Crash Reporter: Identify Cash Problems in iPhone : How to install a Cydia App on a jailbroken iPhone

~~~~~ ~~~~~

Mandiant Web Historian

Web Historian is a free software from Mandiant Corporation. Web Historian parses history files from Internet Explorer, Firefox, Google Chrome and Safari.

 

Web Historian can scan the local system, exported profiles or individual history files as input. The parsed output can be categorized into:

• Web history
• Cookie history
• Download history
• Form history
• Thumbnails

Also check out the pre-defined filters for each category tab. They are very useful if you need to examine the entries. For example, the “redirect” filter can help you to display entries of redirect URLs.

 

In term of reporting, Web History can output reports in HTML, CSV or XML format.

Web Historian also has an built-in analytic tools for creating diagrams and analysis graphics. One of the analytical tool that I particularly like is “Daily Timeline” which can output daily web activity into a timeline chart.

 

~~~~~ ~~~~~

Firefox Forensics (Part 3) – Cache

While learning on Firefox Cache, I stumbled upon several articles, I came across two or three good tools that automates the Firefox cache files. However what I really want to get down to the hex levels of the Cache Map and Cache Block. I know a few articles on the Internet that explain pretty clearly on how to analyze Firefox cache. I guess I must have an IQ of below average because I just can’t find the location and interpret these hex into valuable details. If any kind souls who are reading this, please enlightening and point me to any fantastic article that explain Firefox Cache for someone real dumb like me. Thank  You! and Merry Christmas!!!

~~~~~ ~~~~~

When the user browses websites, Firefox cache temporary stores images, scripts and other files from the websites. Firefox cache can be view by typing “about:cache” in the address bar. There are 3 types of caches:

• Memory cache: cache data in RAM
• Dish cache: cache data stored on the disk
• Offline cache:

~~~~~ ~~~~~

Firefox Cache Locations

Win XP:

• C:\Documents and Settingd\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\

Win Vista and Win 7:

• C:\Users\[user]\AppData]Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\

Mac OS X:

• ~/Library/Firefox/Caches/Firefox/Profiles/XXXXXXXX.default/

Linux:

• ~/.mozilla/firefox/XXXXXXXX.default/Cache/

~~~~~ ~~~~~

Inside Firefox cache folder, there will be one Cache Map file, three Cache block file and cache data files. The Cache Map (“_CACHE_MAP_”) and Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003)” are the essential files to analysis Firefox’s cache files.

Firefox Cache Map

The  Cache Map is the main file needed to reconstruct Firefox cache files. If you had read Web Browser Forensics, Part 2, you probably know that within the Cache Map, you probably find Cache Map buckets which contain mapping to the Cache Map records. Within the Cache Map, each Cache Record contain 4 32-bit values

• Hash Number
• Eviction Rank
• Data Location
• Metadata Location

The 32-bit Metadata Location is bitwise-AND with 0x30000000 to obtain the metadata stored in the Cache Map or any of the 3 Cache Block file. If the resulted value from the bit-wise AND operation return a ‘0’, the metadata are stored in the Cache Map, a value of ‘1’ to ‘3’ are stored in the respectively Cache Block file.

In my hands-on, the single Cache file is named “1F796D27d01”. I did a search with “1F796D27” on the Cache Map and found the the offset 0x0804. The value of the Cache record is as follows:

• Hash Number = 1F796D27 (1st eight character of the cache file)
• Eviction Rank =B3148457
• Data Location =80007401
• Metadata Location = 91000000
• Cache Block locatioon = 91000000 AND 30000000 = 1 (location of metadata is stored in Cache Block 1)

Firefox Cache Block

In the Firefox Cache directory, the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003)” contain metadata and data. Each Cache entry will contain the information:

0-3	4 bytes	Magic number
4-7	4 bytes	Location (Big Endian)
12-15	4 bytes	Fetch time (Big Endian)
16-19	4 bytes	Modify time (Big Endian)
20-23	4 bytes	Expire time (Big Endian)
24-27	4 bytes	Data size (Big Endian)
28-31	4 bytes	Request size (Big Endian)
32-35	4 bytes	Info size (Big Endian)
36-(R)		Request string
(R+1)-		Info string

Firefox Cache Files

One quick and easy way to view the cache files is to use FTK Imager Lite to browse the cache files. One advantage of FTK Imager allows you to view the contents of the cache files and view the file’s metadata in the “Properties” pane.

Cache files in the Cache folder are created when the content is too large to be stored in the Cache Block.In the Firefox Cache folder, Cache files are named in the following order

In my hands-on, the filename is “1F796D27d01”, it indicates that “1F796D27” is the 32-bit hash number, d represent it is a data file.

~~~~~ ~~~~~

Firefox Disk Cache Setting

Configuration about disk cache can be viewed by typing “about:config” and the 2 main settings for disk cache are:

• browser.cache.disk.enable
• browser.cache.disk.capacity

The “browser.cache.disk.enable” setting defines if disk cache is enabled. It is set to ‘true’ on default. The “browser.cache.disk.capacity” defines the maximum size of harddisk allocated for disk cache. The default is set at 512,000KB (or 50MB). Alternate cache storage can also be found if “browser.cache.disk.parent_directory” is present.

~~~~~ ~~~~~

Tools: CacheViewer

CacheViewer is a Firefox addons for GUI front-end for “about:cache”.  This tools is able to parse information from Firefox Cache for:

• Source URL
• Destination file cached on disk (if any)
• Fetch count
• Date last fetched
• Date last modified

~~~~~ ~~~~~

Credits and References

1. Change Firefox Cache Location: a short article on changing disk cache location
2. Where is Firefox Internet Files Cache Folders – Part II: another article on Firefox Cache
3. Read Firefox Cache with Python

~~~~~ ~~~~~