This article is based on my research on Firefox and hands-on on an extensively run Firefox which is running on my PC. The hands-on was done on Firefox 3.6.12 running on a Windows XP SP3 machine.
Credits and References
I like to put my credits at the start of the article because many others wrote articles on Firefox before me and I used them to help me to unravel the “mysteries” of the browser.
- C:\Documents and Settings\[user]\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default\
- C:\Documents and Settingd\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\
WinVista and Win7:
Mac OS X:
- ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.default/
- ~/Library/Application Support/Mozilla/Extensions
Cookies information are located in a database table format named “moz_cookies” in cookies.sqlite3 files. Data that are of forensic interests are the host of the cookie files and the associated lastAccessed timestamp which may give indication of the time where the website was last accessed.
Downloads.sqlite records details of files downloaded using Firefox. The “moz_downloads” table contains the following objects:
I think one of the use for this table is to find out if the suspect had successfully download the files. This can be determine by investigating the ‘state’ field. In my analysis, a “1” in the state object indicates download is successful, “3” indicates download is cancelled, and “4” indicates download is paused. An alternate way to determine if a file is successfully downloaded is to match data in ‘currBytes’ with ‘maxBytes’ . Needless to say if the data in”currBytes” equal to “maxBytes” mean the download is completed. Data in this table will be removed when the user clears the download list.
Form Value (formhistory.sqlite)
Form data entered in Firefox are stored in formhistory.sqlite. The “timeUsed” which helps to determine the number of times that the value was used may be helpful to investigation as it may raises the question if the value was frequently used.
This table can be a wealth of information of the users’ search terms, email addresses, name and information for website registrations. One interest thing discovered in my hands-on is that search terms used in the search bar on the top right corner of Firefox are recorded in ‘fieldname’ in the ‘moz_formhistory’. with the entry as “searchbar-history”.
Bookmarks and Internet History (places.sqlite)
Places.sqlite is probably the most important file in Firefox Forensics. In Firefox 3, Bookmarks and Internet histories are recorded in places.sqlite. In my analysis on Firefox 3.6.12, there are 10 relational tables in the database:
Firefoxforensics did a wonderful job in mapping out the schema of the database, you can view the diagram here. My analysis will focus on extracting meaningful data from this database on the browsing histories.
—– moz_places —–
From this table, we can build a simple timeline based on last visited date/time (sort by the lastest visits first)
- select moz_places.url, datetime((moz_places.last_visit_date/1000000), ‘unixepoch’, ‘localtime’) from moz_places order by moz_places.last_visit_date desc;
However, the timeline is sorted based on the last visited time. A user may repeatedly visit the URL over the period of the Firefox history, one of the way to obtain a complete browsing history will be using data from “moz_places” and “moz_historyvisits” tables:
- select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), ‘unixepoch’, ‘localtime’) from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id order by moz_historyvisits.visit_date desc;
Obtain Google search term (sort by latest query first)
- select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), ‘unixepoch’, ‘localtime’) from moz_places,moz_historyvisits where moz_places.id = moz_historyvisits.place_id and moz_places.url like ‘%google.com%/search?q=%’ order by moz_historyvisits.visit_date desc;
We can also use the following query to query if the users had typed in the URL
- select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), ‘unixepoch’, ‘localtime’) from moz_places,moz_historyvisits where moz_places.id = moz_historyvisits.place_id and moz_historyvisits.visit_type = 2 order by moz_historyvisits.visit_date desc;
—– moz_inputhistory —–
I read an or two articles about “moz_inputhistory” explained that the table contains data relating to input URLs. However, my analysis showed this may not be true (well, I may be wrong!). My analysis suggest that it is a list of user’s input text that allow autocomplete to complete the URL in the browser.
One useful way is to determine the word that the user has used the text to complete the URL. For example, the user may not remember the full URL, but he said he had entered a specific text in the browser, we can use the following SQLite query to verify his claims:
- select moz_inputhistory.input, moz_inputhistory.use_count, moz_places.url from moz_inputhistory,moz_places where moz_inputhistory.place_id = moz_places.id;
—– moz_historyvisits —–
The “moz_historyvisits” detailed records of URL browsing histories and can be used with “moz_places” to create a complete timeline. The details of the table are:
From this table, we can determine how the user arrived at the URL. For instance, the user claimed that he was unaware of how the explicit images arrived at his computer which he claimed he had never visited. We can use the following SQLite query to determine his claim:
- select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), ‘unixepoch’, ‘localtime’), moz_historyvisits.visit_type from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id order by moz_historyvisits.visit_date desc;
Bookmarks are records in “moz_bookmarks” table:
In these folders, you can find the Cache Map (“_CACHE_MAP_”) and 3 Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003)”. These 4 files are the essential files to analysis Firefox’s cache files.
The Cache Map is the main file needed to reconstruct Firefox cache files. If you had read Web Browser Forensics, Part 2, you probably know that within the Cache Map, you probably find Cache Map buckets which contain mapping to the Cache Map records. Within the Cache Map, each Cache Record contain 4 32-bit values
- Hash Number
- Eviction Rank
- Data Location
- Metadata Location
The 32-bit Metadata Location is bitwise-AND with 0x30000000 to obtain the metadata stored in the Cache Map or any of the 3 Cache Block file. If the resulted value from the bit-wise AND operation return a ‘0’, the metadata are stored in the Cache Map, a value of ‘1’ to ‘3’ are stored in the respectively Cache Block file.
In my hands-on, the single Cache file is named “1F796D27d01”. I did a search with “1F796D27” on the Cache Map and found the the offset 0x0804. The value of the Cache record is as follows:
- Hash Number = 1F796D27 (1st eight character of the cache file)
- Eviction Rank =B3148457
- Data Location =80007401
- Metadata Location = 91000000
- Cache Block locatioon = 91000000 AND 30000000 = 1 (location of metadata is stored in Cache Block 1)
One quick and easy way to view the cache files is to use FTK Imager Lite to browse the cache files. One advantage of FTK Imager allows you to view the contents of the cache files and view the file’s metadata in the “Properties” pane.
Cache files in the Cache folder are created when the content is too large to be stored in the Cache Block.In the Firefox Cache folder, Cache files are named in the following order
In my hands-on, the filename is “1F796D27d01”, it indicates that “1F796D27” is the 32-bit hash number, d represent it is a data file.
MozillaCacheView is a tool from Nirsoft that read and display Firefox’s cache data. The metadata of forensic interests that can be retrieved are:
- Filename and filetype
- File size
- Fetch count
- Last modified / last fetch time
- Expiration time
During my reading, I found an article on carnal0wnage.attackresearch.com that explain how you can retrieve save passwords in Firefox. You can retrieve saved password saved in Firefox, if no Master Password is set. This can be done by
- Exporting the “key3.db” and “signons.sqlite” from the user’s profiles;
- Setup Firefox on the examiner’s machine.
- Replace “key3.db” and “signons.sqlite” with the user’s.
- Open up Firefox, go to Options > Security > Saved Passwords…