Browser Forensics: Firefox

September 16, 2020 by Nitesh Malviya

Introduction

Browsers have become an inherent part of our virtual life, and we all use them to surf the internet in one way or another. Browsers are not limited to surfing, either: they can also be used to navigate the file system of the OS.

By default, browsers store data such as search queries, usernames, passwords, form data, emails, credit card data and other sensitive information. Browsers also hold downloaded media such as images, videos, EXEs, documents etc. Bookmarks and browser history give an idea of the user's surfing habits and interests.

As you can see, the browser stores a lot of sensitive information about the user and their surfing habits. Browsers therefore play a very important role in forensics due to the nature and amount of data they store.

Why Browser Forensics

With browser forensics and the assistance of forensics tools, one can extract sensitive data and chosen keywords from most web browsers. One can retrieve deleted data and keywords, check whether history was cleared, and retrieve artifacts such as cookies, download data, history, saved passwords, websites visited etc. Browser forensics also helps a lot in understanding how an attack on a system was conducted, and in finding the source of malware/adware/spyware, malicious emails, phishing websites etc.

There are many web browsers available, such as Chrome, Firefox, Safari, IE, Opera etc., depending upon the platform being used. In this post, we will learn how to conduct forensics on the Firefox browser.

Firefox

Firefox is one of the most popular open source browsers. It runs on all platforms and is developed by the Mozilla Foundation.

A few salient features offered by Firefox –

1) More secure

2) Own extensions

3) Advanced Incognito mode – User location tracking can be disabled

Firefox Artifacts

An artifact is a remnant or trace left behind on the computer that helps to identify the source of malicious traffic and of an attack conducted against the system. Examples include cache data, history, downloads etc.

Firefox stores these artifacts inside specific folders in the operating system. The file location for every browser is different but the file format remains the same. The following are the common artifacts stored by Firefox –

1) Navigation History – This reveals navigation history of the user. It can be used to track whether a user has visited any malicious URL or not.

2) Autocomplete Data – This reveals data that has been used on various forms and search terms etc. It is used with Navigation History for more insight.

3) Bookmarks - Self Explanatory

4) Add-ons, Extensions and Plugins - Self Explanatory

5) Cache – Contains cached data from various websites, such as images, JavaScript files etc.

6) Logins - Self Explanatory

7) Form Data - Self Explanatory

8) Favicons - Self Explanatory

9) Session Data - Self Explanatory

10) Thumbnails - Self Explanatory

11) Favorites - Self Explanatory

12) Sensitive data - Self Explanatory

Various Artifacts and Their Locations

The following are the locations of the various artifacts to look at during a forensic investigation of Firefox –

1) Profile Path – This contains the majority of the artifacts and profile data of the user.

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default

2) Bookmarks + Navigation History – This is stored in SQLite Database form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\places.sqlite

3) Bookmarks Backup – This is stored in a folder

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\bookmarkbackups

4) Cookies – This is also stored in SQLite Database form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\cookies.sqlite

5) Cache

Location –

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\cache2\entries

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\startupCache

6) Form History - Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\formhistory.sqlite

7) Addons + Extensions - Stored in the form of Folders

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\addons.sqlite

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\extensions.sqlite

8) Favicons  - Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\favicons.sqlite

9) Settings and Preferences

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\prefs.js

10) Logins + Password - Stored in JSON Form

Location –

Logins

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\logins.json

Passwords

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key4.db

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\key3.db (Older Version)

11) Sessions Data – Jsonlz4 File

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore.jsonlz4

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\sessionstore-backups

12) Downloads -

Location –

C:\Users\USER_NAME\AppData\Roaming\Mozilla\Firefox\Profiles\[profileID].default\downloads.sqlite

13) Thumbnails - Stored in SQLite Database Form

Location –

C:\Users\USER_NAME\AppData\Local\Mozilla\Firefox\Profiles\[profileID].default\thumbnails
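As an added example (not part of the original article), the navigation history in places.sqlite can be turned into a visit timeline by joining Firefox's moz_historyvisits and moz_places tables and converting the microsecond timestamps to UTC. The sample database and its rows are constructed here with only the columns the query needs; in a real case, point history_timeline at a working copy of the evidence file.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def build_sample_places(path):
    """Constructed stand-in for places.sqlite (reduced schema, invented rows)."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://mail.example/inbox', 'Inbox'),
            (2, 'http://login.example.test/verify', 'Verify account');
        INSERT INTO moz_historyvisits VALUES
            (1, 0, 1, 1600250400000000, 1),
            (2, 1, 2, 1600250460000000, 1);
    """)
    con.commit()
    con.close()

def history_timeline(places_path):
    """Return (utc_time, url, title, referring_url) per visit, oldest first."""
    # mode=ro opens the file read-only so the analysis cannot alter the copy.
    uri = Path(places_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("""
            SELECT v.visit_date, p.url, p.title, r.url
            FROM moz_historyvisits v
            JOIN moz_places p ON p.id = v.place_id
            LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
            LEFT JOIN moz_places r ON r.id = fv.place_id
            ORDER BY v.visit_date""").fetchall()
    finally:
        con.close()
    # visit_date is microseconds since the Unix epoch.
    return [(datetime.fromtimestamp(ts / 1_000_000, tz=timezone.utc).isoformat(),
             url, title, ref) for ts, url, title, ref in rows]

if __name__ == "__main__":
    sample = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    build_sample_places(sample)
    for visit in history_timeline(sample):
        print(visit)
```

The referring URL column shows which page led to each visit, which is what ties a suspicious URL back to the mail or page it was opened from.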

Tools

Now that we know the different artifacts and their locations, let's see which tools can be used for performing browser forensics –

 1) DB Browser – For opening .sqlite files

 2) Nirsoft Web Browsers Tools

 3) BrowsingHistoryView

 4) ESEDatabaseView

 5) Session History Scrounger - for Firefox

 6) Sysinternals Strings

 7) OS Forensics

 8) Magnet IEF

 9) Browser History Viewer

10) Browser History Examiner

11) Hindsight

12) libesedb - Library to access the Extensible Storage Engine (ESE), Database File (EDB) format

13) Web Browser Addons View

14) The LaZagne Project

15) firepwd.py (open source tool to decrypt Mozilla protected passwords)

16) Firefox Search Engine Extractor (Open ‘search.json.mozlz4’ files)

17) Firefox Bookmark Backup Reader/Decompressor (Open ‘jsonlz4’ files)
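The jsonlz4 files named above (session store, bookmark backups) are JSON wrapped in Mozilla's mozLz4 container: an 8-byte `mozLz40\0` magic, a 4-byte little-endian uncompressed size, then a raw LZ4 block. The following reader is an added example, not taken from the original article or from any of the listed tools; the function names and the SAMPLE bytes are constructed for illustration.

```python
import json
import struct

MAGIC = b"mozLz40\0"  # 8-byte header that precedes the size field and LZ4 block

def _length(src, i, n):
    # A length nibble of 15 is extended by following bytes until one is < 255.
    if n == 15:
        while True:
            b = src[i]; i += 1
            n += b
            if b != 255:
                break
    return n, i

def lz4_block(src, expected):
    """Decompress one raw LZ4 block, refusing output beyond the declared size."""
    out, i = bytearray(), 0
    try:
        while i < len(src):
            token = src[i]; i += 1
            lit, i = _length(src, i, token >> 4)
            if i + lit > len(src):
                raise ValueError("truncated literals")
            out += src[i:i + lit]; i += lit
            if i >= len(src):          # the last sequence carries literals only
                break
            offset = src[i] | (src[i + 1] << 8); i += 2
            mlen, i = _length(src, i, token & 0x0F)
            if offset == 0 or offset > len(out):
                raise ValueError("match offset outside output")
            start = len(out) - offset
            for k in range(mlen + 4):  # byte-wise copy: matches may overlap
                out.append(out[start + k])
            if len(out) > expected:
                raise ValueError("output exceeds declared size")
    except IndexError:
        raise ValueError("truncated LZ4 block") from None
    if len(out) != expected:
        raise ValueError("size mismatch")
    return bytes(out)

def read_jsonlz4(blob):
    if blob[:8] != MAGIC:
        raise ValueError("not a mozLz4 file")
    (size,) = struct.unpack_from("<I", blob, 8)
    return json.loads(lz4_block(blob[12:], size))

# Constructed sample: 8 literals, one overlapping match, 2 trailing literals.
SAMPLE = MAGIC + struct.pack("<I", 18) + b'\x84{"u":"ab\x02\x00\x20"}'

if __name__ == "__main__":
    print(read_jsonlz4(SAMPLE))
```

Checking the magic, the match offsets and the declared size lets a corrupted or tampered file fail loudly instead of yielding partial JSON.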


Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and open to explore various domains of CyberSecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and Linkedin - https://www.linkedin.com/in/nitmalviya03/.