
Firefox Forensics

by Jago Maniscalchi  //  October 4, 2010  //  Penetration Testing  //  No comments

We all know it is important to clear out temporary internet files and cookies, but what other data do commonly used browsers store on a computer? If an intruder gets access to your file system and is able to save off a few key files, he can learn all sorts about your Internet activity.

Firefox stores its data in a series of SQLite databases in a ‘profile’ directory. On Windows this sits inside the ‘Application Data’ folder. By far the most useful file is the places.sqlite database, which contains the Firefox history and bookmarks.

C:\Documents and Settings\\Application Data\Mozilla\Firefox\Profiles\ \places.sqlite

The database includes a moz_places table that contains details of all the sites that the user has visited or downloaded files from. Separate tables record the specific downloads and visits, and hold the icons. Joining the tables to extract meaningful data can be done by hand or with a tool. For example, to show the URL and visit time of any URL that contains the keywords ‘rape’, ‘lolita’ or ‘porn’:

SELECT url, visit_date
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id AND (url LIKE '%rape%' OR url LIKE '%lolita%' OR url LIKE '%porn%')
ORDER BY visit_date
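The same join as an added Python example (not from the original post or from f3e), run against a read-only working copy so the evidence file is not altered. It assumes only the three columns used in the query above, binds keywords as parameters, and converts visit_date from microseconds since the Unix epoch to UTC; the function names, the neutral keywords and the sample rows are constructed for illustration.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from pathlib import Path

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def open_readonly(path):
    """Open a working copy of places.sqlite read-only so it is not altered."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def _like_pattern(keyword):
    # Escape LIKE wildcards so '%' and '_' in a keyword match literally.
    for ch in ("\\", "%", "_"):
        keyword = keyword.replace(ch, "\\" + ch)
    return "%" + keyword + "%"

def visits_matching(conn, keywords):
    """Return [(utc_datetime, url)] for visits whose URL contains any keyword."""
    if not keywords:
        return []
    clause = " OR ".join(["p.url LIKE ? ESCAPE '\\'"] * len(keywords))
    rows = conn.execute(
        "SELECT v.visit_date, p.url FROM moz_places AS p "
        "JOIN moz_historyvisits AS v ON p.id = v.place_id "
        f"WHERE {clause} ORDER BY v.visit_date",
        [_like_pattern(k) for k in keywords])
    # visit_date is stored as microseconds since the Unix epoch (UTC).
    return [(EPOCH + timedelta(microseconds=ts), url) for ts, url in rows]

def build_sample_db():
    """Constructed sample data; only the columns the query needs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
            place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://example.com/webmail/inbox'),
            (2, 'http://example.org/files/a_b.zip'),
            (3, 'http://example.net/files/axb.zip');
        INSERT INTO moz_historyvisits (place_id, visit_date) VALUES
            (2, 1286190000000000), (1, 1286186400000000),
            (3, 1286191800000000), (1, 1286193600000000);
    """)
    return conn

if __name__ == "__main__":
    for when, url in visits_matching(build_sample_db(), ["webmail", "a_b"]):
        print(when.isoformat(), url)
```

For a real profile, pass the connection returned by open_readonly() on a copy of places.sqlite instead of build_sample_db().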

f3e, a tool downloadable from firefoxforensics.com, automatically parses history data out of the database. It was written by a Forensic Investigator from a UK Police High Tech Unit. It includes all the required SQLite libraries and saves the analyst from writing the complex SQL joins needed to link history activity with a separate table.

signons.sqlite, a new file for Firefox 3.5, contains details of saved logins. As long as a master password has not been set, these again are easily extracted. Firepassword, a tool from SecurityXploded, will automate the extraction process. It dynamically loads Firefox DLLs, so it needs to be run on a computer with a copy of Firefox (but not necessarily the same computer that the database came from).

So, with two files (places.sqlite and signons.sqlite) and two tools (f3e and firepassword), an analyst can easily extract Internet history, downloads, icons and login information, including passwords.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
