Prefetch Forensic

ForensicWiki defines Prefetch files as follows: “Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process.” The metadata of forensic interest contained in Prefetch files are:

  • Executable file name (Unicode),
  • Last Executed Timestamp,
  • Executed Count, and
  • Volume ID.

Notable articles on Prefetch forensics are:

Beyond those, you will find many tools and articles on Prefetch file analysis, so I will only write very briefly on it.

Prefetch files can be found in the c:\Windows\Prefetch\ folder. For the purpose of this post, I will only focus on the files with the ‘pf’ extension.

Windows XP

  • OS Version: Offset 00, length of 4 bytes (LE)
    • 0x00000011: Windows XP
  • File header: Offset 04, length of 4 bytes
    • SCCA (0x53, 0x43, 0x43, 0x41)
  • Unicode filename: Offset 16, length of 30 bytes
  • Last executed time: Offset 128, length of 8 bytes (LE), Windows Filetime format
  • Executed count: Offset 144, length of 4 bytes (LE)
  • VolumeID:
    • Per ForensicWiki, the 4-byte value at Offset 108 is the offset of section D of the prefetch file.
    • The Volume ID is located at the offset of section D + 16 bytes, with a length of 4 bytes.

Windows Vista

  • OS Version: Offset 00, Length of 4 bytes (LE)
    • 0x00000017: Windows Vista
  • File header: Offset 04, Length of 4 bytes
    • SCCA (0x53, 0x43, 0x43, 0x41)
  • Unicode filename: Offset 16, Length of 30 bytes
  • Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
  • Executed count: Offset 152, length of 4 bytes (LE)
  • VolumeID:
    • Per ForensicWiki, the 4-byte value at Offset 108 is the offset of section D of the prefetch file.
    • The Volume ID is located at the offset of section D + 16 bytes, with a length of 4 bytes.

Windows 7

  • OS Version: Offset 00, Length of 4 bytes (LE)
    • 0x00000017: Windows 7
  • File header: Offset 04, Length of 4 bytes
    • SCCA (0x53, 0x43, 0x43, 0x41)
  • Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
  • Executed count: Offset 152, length of 4 bytes (LE)
  • VolumeID:
    • Per ForensicWiki, the 4-byte value at Offset 108 is the offset of section D of the prefetch file.
    • The Volume ID is located at the offset of section D + 16 bytes, with a length of 4 bytes.

Windows 8

  • OS Version: Offset 00, Length of 4 bytes (LE)
    • 0x0000001A: Windows 8
  • File header: Offset 04, Length of 4 bytes
    • SCCA (0x53, 0x43, 0x43, 0x41)
  • Last executed time: Offset 128, Length of 8 bytes (LE), Windows Filetime format
    • According to my colleagues (JS and TB), Windows 8 Prefetch files record the last 8 execution times starting at offset 128; each record is stored in Windows Filetime format.
  • Executed count: Offset 208, length of 4 bytes (LE)
  • VolumeID:
    • Per ForensicWiki, the 4-byte value at Offset 108 is the offset of section D of the prefetch file.
    • The Volume ID is located at the offset of section D + 16 bytes, with a length of 4 bytes.
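The offsets listed for the four layouts above, applied in code. This is an added example written for this page, not the author's EnScript; the sample .pf buffers are constructed in the script and populate only the fields listed above, and the 2010-12-10 timestamp is a constructed value.

```python
"""Parse the .pf header fields listed above for the XP (0x11), Vista/7 (0x17) and Windows 8 (0x1A) layouts."""
import struct
from datetime import datetime, timedelta, timezone

# Only the run-count offset differs between versions; name, run time and volume pointer are shared.
RUN_COUNT_OFFSET = {0x11: 144, 0x17: 152, 0x1A: 208}
OS_NAME = {0x11: "Windows XP", 0x17: "Windows Vista/7", 0x1A: "Windows 8"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_prefetch(buf):
    version, magic = struct.unpack_from("<I4s", buf, 0)
    if magic != b"SCCA":
        raise ValueError("not a Prefetch file: missing SCCA signature")
    if version not in RUN_COUNT_OFFSET:
        raise ValueError(f"unsupported Prefetch version 0x{version:08X}")
    # Executable name: 30 bytes of UTF-16LE at offset 16, NUL-terminated.
    name = buf[16:46].decode("utf-16-le", "replace").split("\x00", 1)[0]
    # Windows 8 keeps the last 8 run times from offset 128; earlier versions keep one. Unused slots are 0.
    slots = 8 if version == 0x1A else 1
    run_times = [t for t in struct.unpack_from(f"<{slots}Q", buf, 128) if t]
    run_count, = struct.unpack_from("<I", buf, RUN_COUNT_OFFSET[version])
    # Offset 108 holds the offset of section D; the volume serial number is 16 bytes into that section.
    section_d, = struct.unpack_from("<I", buf, 108)
    volume_id, = struct.unpack_from("<I", buf, section_d + 16)
    return {"os": OS_NAME[version], "executable": name,
            "last_run": [filetime_to_datetime(t).isoformat() for t in run_times],
            "run_count": run_count, "volume_id": f"{volume_id:08X}"}

def build_sample(version, name, filetimes, run_count, volume_id, section_d=0x200):
    """Construct a synthetic .pf buffer with only the fields above populated (test data, not a real file)."""
    buf = bytearray(section_d + 32)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    encoded = name.encode("utf-16-le")
    buf[16:16 + len(encoded)] = encoded
    for i, ft in enumerate(filetimes):
        struct.pack_into("<Q", buf, 128 + 8 * i, ft)
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET[version], run_count)
    struct.pack_into("<I", buf, 108, section_d)
    struct.pack_into("<I", buf, section_d + 16, volume_id)
    return bytes(buf)

# Constructed FILETIME for 2010-12-10 06:49:22 UTC: Unix epoch in FILETIME ticks plus the Unix seconds in ticks.
UNIX_EPOCH_FT = 116444736000000000
T1 = UNIX_EPOCH_FT + 1291963762 * 10_000_000
T2 = UNIX_EPOCH_FT + 1291877362 * 10_000_000  # one day earlier
SAMPLE_XP = build_sample(0x11, "CMD.EXE", [T1], 5, 0x1A2B3C4D)
SAMPLE_WIN8 = build_sample(0x1A, "NOTEPAD.EXE", [T1, T2], 12, 0xDEADBEEF)

if __name__ == "__main__":
    for sample in (SAMPLE_XP, SAMPLE_WIN8):
        print(parse_prefetch(sample))
```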

I wrote a simple EnScript to parse the Prefetch data and have tested it on a limited number of prefetch files. This EnScript will parse Prefetch files with the file signature “SCCA”. How to run the EnScript is illustrated in the following image:

prefetch 001

Once the EnScript has run successfully, the output is saved to the specified output file.

prefetch 002

Link for Prefetch Parser 0.2

This EnScript has been tested on a limited number of Prefetch files. If you have any question or need clarification, or if you find a bug, please contact me at davidkoepi – gm ail


Firefox Forensics (Part 3) – Cache

While learning about Firefox Cache, I stumbled upon several articles and came across two or three good tools that automate parsing of the Firefox cache files. However, what I really want is to get down to the hex level of the Cache Map and Cache Block. I know of a few articles on the Internet that explain pretty clearly how to analyze the Firefox cache. I guess I must have a below-average IQ because I just can’t find the locations and interpret these hex values into valuable details. If any kind souls are reading this, please enlighten me and point me to any fantastic article that explains Firefox Cache for someone real dumb like me. Thank You! and Merry Christmas!!!

~~~~~ ~~~~~

When the user browses websites, Firefox cache temporarily stores images, scripts and other files from the websites. The Firefox cache can be viewed by typing “about:cache” in the address bar. There are 3 types of caches:

  • Memory cache: cache data in RAM
  • Disk cache: cache data stored on the disk
  • Offline cache:

~~~~~ ~~~~~

Firefox Cache Locations

Win XP:

  • C:\Documents and Settings\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\

Win Vista and Win 7:

  • C:\Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\

Mac OS X:

  • ~/Library/Firefox/Caches/Firefox/Profiles/XXXXXXXX.default/

Linux:

  • ~/.mozilla/firefox/XXXXXXXX.default/Cache/

~~~~~ ~~~~~

Inside the Firefox cache folder, there is one Cache Map file, three Cache Block files and the cache data files. The Cache Map (“_CACHE_MAP_”) and the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003”) are the essential files for analysing Firefox’s cache.

Firefox Cache Map

The Cache Map is the main file needed to reconstruct Firefox cache files. If you have read Web Browser Forensics, Part 2, you know that the Cache Map contains buckets which map to the Cache Map records. Within the Cache Map, each Cache Record contains four 32-bit values:

  • Hash Number
  • Eviction Rank
  • Data Location
  • Metadata Location

The 32-bit Metadata Location is bitwise-ANDed with 0x30000000 to determine whether the metadata is stored in the Cache Map or in one of the 3 Cache Block files. If the result of the AND is ‘0’, the metadata is stored in the Cache Map; a value of ‘1’ to ‘3’ means it is stored in the corresponding Cache Block file.

In my hands-on, the single cache file is named “1F796D27d01”. I searched for “1F796D27” in the Cache Map and found it at offset 0x0804. The values of the Cache Record are as follows:

  • Hash Number = 1F796D27 (the first eight characters of the cache file name)
  • Eviction Rank = B3148457
  • Data Location = 80007401
  • Metadata Location = 91000000
  • Cache Block location = 91000000 AND 30000000 = 1 (the metadata is stored in Cache Block 1)

Firefox Cache Block

In the Firefox Cache directory, the Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003”) contain metadata and data. Each cache entry contains the following information:

  • 0-3: 4 bytes, Magic number
  • 4-7: 4 bytes, Location (Big Endian)
  • 12-15: 4 bytes, Fetch time (Big Endian)
  • 16-19: 4 bytes, Modify time (Big Endian)
  • 20-23: 4 bytes, Expire time (Big Endian)
  • 24-27: 4 bytes, Data size (Big Endian)
  • 28-31: 4 bytes, Request size (Big Endian)
  • 32-35: 4 bytes, Info size (Big Endian)
  • 36-(R): Request string
  • (R+1)-: Info string

Firefox Cache Files

One quick and easy way to view the cache files is to browse them with FTK Imager Lite. One advantage of FTK Imager is that it lets you view the contents of the cache files and the file’s metadata in the “Properties” pane.

Cache files in the Cache folder are created when the content is too large to be stored in the Cache Block. In the Firefox Cache folder, cache files are named as follows:

In my hands-on, the filename is “1F796D27d01”; this indicates that “1F796D27” is the 32-bit hash number and “d” indicates that it is a data file.

~~~~~ ~~~~~

Firefox Disk Cache Setting

Configuration of the disk cache can be viewed by typing “about:config”; the 2 main settings for the disk cache are:

  • browser.cache.disk.enable
  • browser.cache.disk.capacity

The “browser.cache.disk.enable” setting defines whether the disk cache is enabled; it is set to ‘true’ by default. The “browser.cache.disk.capacity” setting defines the maximum disk space allocated to the disk cache. The default is 512,000KB (or 50MB). An alternate cache location can also be found if “browser.cache.disk.parent_directory” is present.

~~~~~ ~~~~~

Tools: CacheViewer

CacheViewer is a Firefox add-on that provides a GUI front-end for “about:cache”. This tool is able to parse the following information from the Firefox Cache:

  • Source URL
  • Destination file cached on disk (if any)
  • Fetch count
  • Date last fetched
  • Date last modified

~~~~~ ~~~~~

Credits and References

  1. Change Firefox Cache Location: a short article on changing disk cache location
  2. Where is Firefox Internet Files Cache Folders – Part II: another article on Firefox Cache
  3. Read Firefox Cache with Python

~~~~~ ~~~~~

Event Log Explorer

Event Log Explorer is software from FSPro Labs for analysing the event logs of Microsoft Windows operating systems. The software is free for personal (non-commercial) use; a license can be purchased for commercial use. Please refer to Eventlogxp.com for a full description and feature list, and also refer to my disclaimer.

Event logs can be imported into Event Log Explorer, or you can open the event logs of the local computer or a remote computer.

Event Log Explorer displays logs in table format, with the details of each event shown in the Description pane. It is useful for most basic analysis tasks such as sorting, filtering and colour-coding event logs in its viewer.

Filtering is relatively easy to use: right-click on the item you want to filter on and the context menu displays the selection based on that column.

More advanced filtering is also available by selecting “Filter…” in the context menu.

The software also provides an option to look up event log descriptions, which is very useful since most of us cannot remember what every event ID represents.

In terms of presentation, Event Log Explorer displays each log file in a separate tab, or you can choose to merge all logs into a single table.

In terms of exporting log files for the examination report, you can export/print the entire log or a selection. Log files can be exported to text, HTML, Excel or Excel 2007 format. For more features, navigate to Eventlogxp.com.


Firefox Forensics (Part 2) – Session Restore

Firefox automatically restores your session after a software update, a restart or an unexpected crash. Session restore information is stored in a file named “sessionrestore.js” in the user’s Firefox profile, with a backup named “sessionrestore.bak”. This file contains the details of the websites visited and other information, such as open tabs, text typed into forms and window size, required to restore the session when Firefox restarts. Web Browser Session Restore Forensics is a write-up detailing session restore forensics on Firefox and other browsers.

Firefox’s session restore information can be extracted from the user’s Firefox profile or by carving it out of the seized evidence. The information is stored in a JSON data structure and can be read using a JSON viewer. The tool of my choice is Allan S Hay’s JSON Viewer. Below is an example of session restore information:

The time value 1291963762473 is the date/time stamp of the saved session in Firefox. The time can be decoded in DCode using “Unix: Millisecond Value”.

Other information that can be determined about the time of the crash includes the number of Firefox windows and tabs saved in the session. In my example, there is one window open with 3 tabs.

Cookie information:

Another tool that can be used to parse Firefox session restore data is a command-line tool by Mark Woan called firefoxsessionstoreextractor:

Firefox Forensics

This article is based on my research on Firefox and hands-on work on an extensively used Firefox installation running on my PC. The hands-on was done on Firefox 3.6.12 running on a Windows XP SP3 machine.

~~~~~ ~~~~~

Credits and References

I like to put my credits at the start of the article because many others wrote articles on Firefox before me and I used them to help me unravel the “mysteries” of the browser.

~~~~~ ~~~~~

Default Locations

WinXP:

  • C:\Documents and Settings\[user]\Application Data\Mozilla\Firefox\Profiles\XXXXXXXX.default\
  • C:\Documents and Settings\[user]\Local Settings\Application Data\Firefox\Profiles\XXXXXXXX.default\Cache\

WinVista and Win7:

  • C:\Users\[user]\AppData\Roaming\Mozilla\Firefox\Profiles\XXXXXXXX.default\
  • C:\Users\[user]\AppData\Local\Mozilla\Firefox\Profiles\XXXXXXXX.default\Cache\

Linux:

  • ~/.mozilla/firefox/XXXXXXXX.default/

Mac OS X:

  • ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.default/
  • ~/Library/Application Support/Mozilla/Extensions
  • ~/Library/Caches/Firefox/Profiles/XXXXXXXX.default/Cache/

~~~~~ ~~~~~

Cookies (cookies.sqlite)

Cookie information is located in a table named “moz_cookies” in the cookies.sqlite file. Data of forensic interest are the host of the cookie and the associated lastAccessed timestamp, which may indicate when the website was last accessed.

~~~~~ ~~~~~

Downloads (downloads.sqlite)

downloads.sqlite records details of files downloaded using Firefox. The “moz_downloads” table contains the following objects:

I think one use of this table is to find out whether the suspect successfully downloaded the files. This can be determined by examining the ‘state’ field. In my analysis, a “1” in the state object indicates the download was successful, “3” indicates it was cancelled, and “4” indicates it was paused. An alternative way to determine whether a file was successfully downloaded is to compare ‘currBytes’ with ‘maxBytes’: if “currBytes” equals “maxBytes”, the download is complete. Data in this table is removed when the user clears the download list.

~~~~~ ~~~~~

Form Value (formhistory.sqlite)

Form data entered in Firefox is stored in formhistory.sqlite. The “timeUsed” column, which records the number of times that the value was used, may be helpful to an investigation as it raises the question of whether the value was frequently used.

This table can be a wealth of information on the user’s search terms, email addresses, names and information entered for website registrations. One interesting thing discovered in my hands-on is that search terms used in the search bar at the top right corner of Firefox are recorded in ‘moz_formhistory’ with the ‘fieldname’ entry “searchbar-history”.

~~~~~ ~~~~~

Bookmarks and Internet History (places.sqlite)

places.sqlite is probably the most important file in Firefox forensics. In Firefox 3, bookmarks and Internet history are recorded in places.sqlite. In my analysis of Firefox 3.6.12, there are 10 relational tables in the database:

  • moz_anno_attributes
  • moz_annos
  • moz_bookmarks
  • moz_bookmarks_roots
  • moz_favicons
  • moz_historyvisits
  • moz_inputhistory
  • moz_items_annos
  • moz_keywords
  • moz_places

Firefoxforensics did a wonderful job of mapping out the schema of the database; you can view the diagram here. My analysis will focus on extracting meaningful browsing-history data from this database.

—– moz_places —–

From this table, we can build a simple timeline based on the last visited date/time (sorted by the latest visit first):

  • select moz_places.url, datetime((moz_places.last_visit_date/1000000), 'unixepoch', 'localtime') from moz_places order by moz_places.last_visit_date desc;

However, this timeline is based on the last visit to each URL only. A user may have visited the URL repeatedly over the period covered by the Firefox history; one way to obtain a complete browsing history is to join the “moz_places” and “moz_historyvisits” tables:

  • select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), 'unixepoch', 'localtime') from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id order by moz_historyvisits.visit_date desc;

Obtain Google search terms (sorted by latest query first):

  • select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), 'unixepoch', 'localtime') from moz_places, moz_historyvisits where moz_places.id = moz_historyvisits.place_id and moz_places.url like '%google.com%/search?q=%' order by moz_historyvisits.visit_date desc;

We can also use the following query to check whether the user typed in the URL:

  • select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), 'unixepoch', 'localtime') from moz_places, moz_historyvisits where moz_places.id = moz_historyvisits.place_id and moz_historyvisits.visit_type = 2 order by moz_historyvisits.visit_date desc;

—– moz_inputhistory —–

I read one or two articles about “moz_inputhistory” explaining that the table contains data relating to input URLs. However, my analysis showed this may not be true (well, I may be wrong!). My analysis suggests that it is a list of the user’s input text that allows autocomplete to complete the URL in the browser.

One useful application is to determine the text that the user typed to complete the URL. For example, the user may not remember the full URL but says he entered a specific text in the browser; we can use the following SQLite query to verify his claim:

  • select moz_inputhistory.input, moz_inputhistory.use_count, moz_places.url from moz_inputhistory, moz_places where moz_inputhistory.place_id = moz_places.id;

—– moz_historyvisits —–

The “moz_historyvisits” table holds detailed records of URL browsing history and can be used with “moz_places” to create a complete timeline. The details of the table are:

From this table, we can determine how the user arrived at the URL. For instance, the user claims that he is unaware of how the explicit images arrived on his computer and that he never visited the site. We can use the following SQLite query to test his claim:

  • select moz_places.url, datetime((moz_historyvisits.visit_date/1000000), 'unixepoch', 'localtime'), moz_historyvisits.visit_type from moz_places, moz_historyvisits where moz_historyvisits.place_id = moz_places.id order by moz_historyvisits.visit_date desc;
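The moz_places / moz_historyvisits queries above, run against a constructed in-memory copy of the two tables so the joins, the microsecond-to-datetime conversion and the visit_type filter can be checked end to end. This is an added example, not from the article; the table columns are limited to those the queries touch, the rows are constructed, and the timestamps are reported in UTC unless local=True is passed (the article's queries add 'localtime').

```python
"""Run the places.sqlite timeline queries above against a constructed copy of the schema."""
import sqlite3

# Constructed rows (not from a real profile). visit_date and last_visit_date are microseconds
# since the Unix epoch, which is why the queries divide by 1,000,000 before calling datetime().
PLACES = [
    (1, "http://www.google.com/search?q=prefetch+forensics", 1291963762000000),
    (2, "http://www.forensicswiki.org/wiki/Prefetch", 1291963800000000),
    (3, "http://example.com/download.zip", 1291900000000000),
]
# visit_type follows Firefox's transition types: 2 is a URL typed into the address bar
# (the value the article's typed-URL query filters on), 1 is a followed link.
VISITS = [
    (1, 0, 1, 1291963762000000, 2),
    (2, 1, 2, 1291963800000000, 1),
    (3, 0, 3, 1291900000000000, 2),
    (4, 0, 1, 1291800000000000, 2),
]

def build_places_db():
    """Create an in-memory places.sqlite holding only the columns the queries use."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
    """)
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", PLACES)
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?, ?)", VISITS)
    return db

def visit_timeline(db, extra_where="", local=False):
    """Complete per-visit timeline (moz_places joined to moz_historyvisits), latest visit first."""
    tz = ", 'localtime'" if local else ""
    sql = f"""
        SELECT moz_places.url,
               datetime(moz_historyvisits.visit_date / 1000000, 'unixepoch'{tz}),
               moz_historyvisits.visit_type
        FROM moz_places, moz_historyvisits
        WHERE moz_historyvisits.place_id = moz_places.id {extra_where}
        ORDER BY moz_historyvisits.visit_date DESC"""
    return db.execute(sql).fetchall()

def google_searches(db):
    """Visits whose URL is a Google search, returned as (search term, time) pairs."""
    rows = visit_timeline(db, "AND moz_places.url LIKE '%google.com%/search?q=%'")
    return [(url.split("q=", 1)[1].split("&")[0], when) for url, when, _ in rows]

def typed_urls(db):
    """Visits where the user typed the URL (visit_type = 2)."""
    return visit_timeline(db, "AND moz_historyvisits.visit_type = 2")

if __name__ == "__main__":
    conn = build_places_db()
    for row in visit_timeline(conn):
        print(row)
    print(google_searches(conn))
```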

~~~~~ ~~~~~

Bookmarks (moz_bookmarks)

Bookmarks are recorded in the “moz_bookmarks” table:

~~~~~ ~~~~~

Firefox Cache

In these folders, you can find the Cache Map (“_CACHE_MAP_”) and 3 Cache Block files (“_CACHE_001”, “_CACHE_002” and “_CACHE_003”). These 4 files are the essential files for analysing Firefox’s cache files.

The Cache Map is the main file needed to reconstruct Firefox cache files. If you have read Web Browser Forensics, Part 2, you know that the Cache Map contains buckets which map to the Cache Map records. Within the Cache Map, each Cache Record contains four 32-bit values:

  • Hash Number
  • Eviction Rank
  • Data Location
  • Metadata Location

The 32-bit Metadata Location is bitwise-ANDed with 0x30000000 to determine whether the metadata is stored in the Cache Map or in one of the 3 Cache Block files. If the result of the AND is ‘0’, the metadata is stored in the Cache Map; a value of ‘1’ to ‘3’ means it is stored in the corresponding Cache Block file.

In my hands-on, the single cache file is named “1F796D27d01”. I searched for “1F796D27” in the Cache Map and found it at offset 0x0804. The values of the Cache Record are as follows:

  • Hash Number = 1F796D27 (the first eight characters of the cache file name)
  • Eviction Rank = B3148457
  • Data Location = 80007401
  • Metadata Location = 91000000
  • Cache Block location = 91000000 AND 30000000 = 1 (the metadata is stored in Cache Block 1)

One quick and easy way to view the cache files is to browse them with FTK Imager Lite. One advantage of FTK Imager is that it lets you view the contents of the cache files and the file’s metadata in the “Properties” pane.

Cache files in the Cache folder are created when the content is too large to be stored in the Cache Block. In the Firefox Cache folder, cache files are named as follows:

In my hands-on, the filename is “1F796D27d01”; this indicates that “1F796D27” is the 32-bit hash number and “d” indicates that it is a data file.

MozillaCacheView is a tool from Nirsoft that reads and displays Firefox’s cache data. The metadata of forensic interest that can be retrieved are:

  • Filename and filetype
  • URL
  • File size
  • Fetch count
  • Last modified / last fetch time
  • Expiration time

~~~~~ ~~~~~

Saved Passwords

During my reading, I found an article on carnal0wnage.attackresearch.com that explains how saved passwords can be retrieved from Firefox. Saved passwords can be retrieved if no Master Password is set. This can be done by:

  1. Exporting “key3.db” and “signons.sqlite” from the user’s profile;
  2. Setting up Firefox on the examiner’s machine;
  3. Replacing “key3.db” and “signons.sqlite” with the user’s copies;
  4. Opening Firefox and going to Options > Security > Saved Passwords…

~~~~~ ~~~~~