Internet Artifacts with Mozilla Firefox

Internet artifacts are the data a browser saves about the user's activity. They matter for digital forensics because they can be used to build a timeline of the user's actions in the browser and on the Internet in general. Mozilla Firefox stores its history data in SQLite database files, which can be found in the Firefox profile folder. The path to the folder depends on the operating system:

Operating System     Location
Windows XP           C:\Documents and Settings\%username%\Local Settings\Application Data\Mozilla\Firefox\Profiles
Windows Vista/7/10   C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles
Linux                /home/$username/.mozilla/firefox/Profiles
OS X                 /Users/$username/Library/Application Support/Firefox/Profiles/

To read the SQLite files, the SQLiteman program can be used. It is available for Mac, Windows, and Linux at: https://sourceforge.net/projects/sqliteman/. An SQLite database is opened with Ctrl-O (or File → Open).

Formhistory:

First, the Firefox profile has the formhistory.sqlite database. This database contains the data that the user has entered into forms. This could include usernames, emails, addresses, search queries, etc. It does not include passwords, as those are stored elsewhere. After opening the database, an SQL query is needed to retrieve information. In this case run the command:

SELECT * FROM moz_formhistory;

The command retrieves every row of the moz_formhistory table in the formhistory.sqlite database. The * means all columns are returned.

In the above example, both a username and an email can be seen along with the number of times they were used.

Downloads:

The downloads.sqlite database has information on files downloaded using Firefox. This includes the name of the file, where it was downloaded from, where it was downloaded to, when the download started, and when it ended. This database does not contain information on files that were downloaded through an add-on or the cache, only files handled directly by the Firefox download manager. Use the following query:

SELECT * FROM moz_downloads;

Cookies:

The cookies.sqlite database stores all the Firefox cookies. The cookies can show when a user last visited a site, whether they were logged in or not, and whether the site set or requested the cookie. Use the following query:

SELECT * FROM moz_cookies;

Places:

The places.sqlite database has the most information related to the user's activity. It contains all the websites the user visited along with the time they visited them. The sites are stored in the moz_places table while the visit times are stored in the moz_historyvisits table, so the query has to match the entries of one table against the other. Also, the time is recorded in PRTime, which is the number of microseconds since January 1st 1970. The following query not only lists the sites with their visit times, but also converts the time into a readable format:

SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;

Cache:

The Firefox cache stores the images, scripts, and other parts of websites that have been visited, so a site loads faster when it is opened again. The cache is not stored in an SQLite file; instead, another program has to be used to read it. On Windows, download MozillaCacheView from https://www.nirsoft.net/utils/mozilla_cache_viewer.html. When this program is opened it automatically reads the current contents of the Firefox cache.

In the above example, one of the images from the cache is opened. The image's URL is included in the cached data, and searching for that URL retrieves the original image.

Saved Session Data:

Whenever Firefox is not closed properly, a file called sessionstore.js is created. This file stores information on all the closed tabs and windows of the browser. When the browser is reopened it reads the file in order to restore the tabs and windows, and then removes the file. Sessionstore.js is a JSON file. While it can be viewed with any text editor, it is hard to read that way, so a program like JsonView, which can be downloaded here: http://www.softpedia.com/get/Programming/File-Editors/JSON-Viewer-Mitec.shtmlm, is used to parse and organize the data.

Bookmarks:

Firefox stores the bookmarks data in the places.sqlite database. The name of the bookmark is in the moz_bookmarks table. The number of times it was used and the URL it links to are stored in the moz_places table. So the following query should be used:

SELECT moz_bookmarks.type, moz_bookmarks.title, moz_places.url, moz_places.title, moz_places.visit_count FROM moz_places, moz_bookmarks WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3;
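The Places and Bookmarks queries above can be run from a script instead of SQLiteman, which makes it easy to build a timeline from places.sqlite. The following is an added example, not code from the original page; it embeds the two queries (the bookmarks query with its stray comma removed) and tests them against a constructed in-memory stand-in that has only the columns the queries use. The open_readonly helper is an assumption about good practice: work on a copy of the evidence file and open it read-only.

```python
import sqlite3

# Queries from the page (bookmarks query with its stray comma removed).
# visit_date is PRTime, microseconds since the Unix epoch, hence /1000000.
HISTORY_SQL = """
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch'), moz_places.url
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id
ORDER BY moz_historyvisits.visit_date"""
BOOKMARKS_SQL = """
SELECT moz_bookmarks.type, moz_bookmarks.title, moz_places.url, moz_places.title,
       moz_places.visit_count
FROM moz_places, moz_bookmarks
WHERE moz_bookmarks.fk = moz_places.id AND moz_bookmarks.type <> 3"""

def open_readonly(path):
    """Open a copy of places.sqlite read-only so the evidence file is never modified (assumed practice)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def history_timeline(conn):
    """(timestamp, url) pairs in visit order."""
    return list(conn.execute(HISTORY_SQL))

def bookmarks(conn):
    """(type, bookmark title, url, page title, visit_count) rows, separators (type 3) excluded."""
    return list(conn.execute(BOOKMARKS_SQL))

def constructed_places_db():
    """In-memory stand-in for places.sqlite with only the columns the queries use (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, type INTEGER, fk INTEGER, title TEXT);""")
    t0 = 1577836800 * 1_000_000  # PRTime for 2020-01-01 00:00:00 UTC
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?)",
                     [(1, "https://example.com/", "Example", 2),
                      (2, "https://example.org/login", "Login", 1)])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?)",
                     [(1, 2, t0 + 3_600_000_000), (2, 1, t0)])  # inserted out of order
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?)",
                     [(1, 1, 1, "Example bookmark"),  # type 1 = bookmark
                      (2, 3, None, None)])            # type 3 = separator, filtered out
    return conn
```

Against a real profile, replace constructed_places_db() with open_readonly("copy_of_places.sqlite"); the ORDER BY turns the history rows into a chronological timeline.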

Extensions:

Firefox stores the extensions data in a JSON file called extensions.js. It contains data on which extensions the user has installed, when they were downloaded, and whether they are enabled.

In the following picture, it can be seen that the web extension uBlock is installed. It can also be seen that the extension is enabled.


Important links:

https://mig.mozilla.org/

http://www.acquireforensics.com/services/tech/mozilla-firefox.html

http://www.forensicswiki.org/wiki/Mozilla_Firefox

https://www.foxtonforensics.com/foxanalysis/