Thursday, June 23, 2011

Firefox 3 Forensic Analysis

Accessing information on the Internet leaves a variety of footprints, such as visited websites, viewed content and downloaded documents. This forensic information can be found in individual files, directories, local databases and the Windows registry. Moreover, the Windows operating system maintains in the registry a log of all local and wireless network connections (including the MAC address of the switch/router), which can further help a forensic investigation identify the physical location of the suspect (Laureate Online Education B.V., 2009) (Jonathan Risto, 2010).

According to W3School (2011), the five most used web browsers are Firefox (42%), followed by Chrome (25%) and Internet Explorer (25%), then Safari (4%) and Opera (2.4%). As such, a digital forensic investigator should be knowledgeable in all four and geared up to perform extraction and analysis of the data collected by these Internet browsers. In most cases, Internet browsers use a local cache to store information in order to reduce access time, together with a history of visited websites, favourites, etc. In some cases (Firefox), the stored information indicates whether the suspect typed the Uniform Resource Locator (URL), which can show intent in criminal or illegal activity. Furthermore, autocomplete history and cookies can provide the forensic investigator with information typed into websites or stored locally. In addition, the increasing use of web chats such as Yahoo! Chat and Gmail Chat provides potential access to additional information.

While Internet Explorer and earlier versions of Firefox traditionally stored this information in a file, from Firefox version 3 onwards the information is stored in SQLite databases. For example, bookmarks and browsing history are stored in places.sqlite, passwords in key3.db and signons.sqlite, autocomplete history in formhistory.sqlite and cookies in cookies.sqlite (Mozilla.org, n.d.). Numerous tools are available to perform forensic analysis of the information captured by Firefox, including f3e and the simple SQLite command line utility.

To locate a SQLite 3 database, an investigator can use a signature-based search (e.g. the foremost command) and look for the following hex value: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 (the ASCII string "SQLite format 3", which opens the header of every SQLite 3 file). To make sure that the identified SQLite database file is indeed a file used by Firefox, the following signature can be used to validate the file: 43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73 (the ASCII string "CREATE TABLE moz_bookmarks", i.e. the schema text of the bookmarks table that places.sqlite keeps in its sqlite_master table).
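As an added example (not from the original post), the script below applies both signatures in Python to a constructed disk image. It builds a small SQLite file containing a moz_bookmarks table, embeds it between padding and an unrelated SQLite file, scans for the header bytes the way a carver such as foremost would, and then validates which candidate is a Firefox places database. One step goes beyond the text: the length of each candidate is recovered from the page size and page count fields that the SQLite header records (an assumption that the carved file was written by a SQLite version that fills in the page count; older versions left it zero, so the code falls back to "up to the next header").

```python
import sqlite3
import tempfile
from pathlib import Path

# The two signatures from the text. The first is the start of the 16-byte SQLite 3
# header ("SQLite format 3\0"); the second is the schema text of Firefox's bookmarks table.
SQLITE3_HEADER = bytes.fromhex("53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33")
FIREFOX_PLACES_SIG = bytes.fromhex(
    "43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73")


def find_sqlite_headers(image: bytes) -> list[int]:
    """Return every offset in the image where an SQLite 3 header begins."""
    offsets, pos = [], image.find(SQLITE3_HEADER)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(SQLITE3_HEADER, pos + 1)
    return offsets


def sqlite_file_length(header: bytes) -> int:
    """Length recorded in the SQLite header: page size (offset 16, big-endian, value 1
    means 65536) times page count (offset 28). Returns 0 when the page count is unset."""
    if len(header) < 100 or not header.startswith(SQLITE3_HEADER):
        return 0
    page_size = int.from_bytes(header[16:18], "big")
    if page_size == 1:
        page_size = 65536
    page_count = int.from_bytes(header[28:32], "big")
    return page_size * page_count


def is_firefox_places(candidate: bytes) -> bool:
    """A carved file counts as Firefox places.sqlite when it carries the SQLite header
    and the moz_bookmarks CREATE statement appears in its schema text."""
    return candidate.startswith(SQLITE3_HEADER) and FIREFOX_PLACES_SIG in candidate


def _db_bytes(name: str, schema: str) -> bytes:
    """Constructed sample database written to a temporary file and read back as bytes."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / name
        conn = sqlite3.connect(path)
        conn.executescript(schema)
        conn.commit()
        conn.close()
        return path.read_bytes()


def build_sample_places_db() -> bytes:
    return _db_bytes("places.sqlite", """
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, title TEXT, fk INTEGER);
        INSERT INTO moz_bookmarks (title, fk) VALUES ('Constructed bookmark', 1);
    """)


def build_sample_image() -> bytes:
    """Constructed 'disk image': padding, a Firefox-style db, more padding, another db."""
    other_db = _db_bytes("other.sqlite",
                         "CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT);")
    return b"\x00" * 512 + build_sample_places_db() + b"\xff" * 100 + other_db


def carve(image: bytes) -> list[dict]:
    """For each header hit report offset, recovered length and whether the candidate
    validates as a Firefox places database."""
    hits = find_sqlite_headers(image)
    results = []
    for i, off in enumerate(hits):
        next_hit = hits[i + 1] if i + 1 < len(hits) else len(image)
        length = sqlite_file_length(image[off:off + 100]) or (next_hit - off)
        end = min(off + length, len(image))
        results.append({"offset": off, "length": end - off,
                        "firefox_places": is_firefox_places(image[off:end])})
    return results


if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

On a real image the second signature is only a positive indicator: a places.sqlite whose schema page has been overwritten will still carry the header but fail the validation, so candidates that fail it deserve a manual look rather than being discarded.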

After carving the SQLite 3 database file (using the dd or foremost commands), it can be accessed simply by using the sqlite command. All Firefox SQLite 3 files are in essence databases with multiple tables. For example, places.sqlite contains the following tables: moz_anno_attributes, moz_favicons, moz_keywords, moz_annos, moz_historyvisits, moz_places, moz_bookmarks, moz_inputhistory, moz_bookmarks_roots and moz_items_annos.

Since SQLite does not require authentication to work with the database, SQL statements can be used to retrieve relevant (case-specific) information. For example, the following query retrieves the 20 most visited websites:
sqlite> SELECT rev_host FROM moz_places ORDER BY visit_count DESC LIMIT 20;
To retrieve all places whose URL contains the word “drugs” (string literals are single-quoted in SQL; SQLite only falls back to treating a double-quoted value as a string when it is not a column name):
sqlite> SELECT * FROM moz_places WHERE url LIKE '%drugs%';
Or, to display all completed downloads (firefoxforensics.com, 2008), where visit_type 7 is the download transition:
sqlite> SELECT url, visit_date
   ...> FROM moz_places, moz_historyvisits
   ...> WHERE moz_places.id = moz_historyvisits.place_id AND visit_type = 7
   ...> ORDER BY visit_date;
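As an added example (not from the original post), here are the three queries above run from Python against a constructed stand-in for places.sqlite, with the literals bound as parameters and the visit timestamps converted from Firefox's PRTime format (microseconds since the Unix epoch). It goes one step beyond the text by also pulling typed URLs, which use transition type 2 in the same visit_type column the download query filters on; the sample rows, hosts and times are constructed, and rev_host follows Firefox's convention of the reversed hostname with a trailing dot.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Firefox transition types stored in moz_historyvisits.visit_type
TRANSITION_LINK = 1
TRANSITION_TYPED = 2
TRANSITION_DOWNLOAD = 7


def prtime(dt: datetime) -> int:
    """Firefox stores visit_date as PRTime: microseconds since the Unix epoch."""
    return int((dt - EPOCH) / timedelta(microseconds=1))


def from_prtime(us: int) -> str:
    """Convert a PRTime value back to an ISO 8601 UTC timestamp."""
    return (EPOCH + timedelta(microseconds=us)).isoformat()


def build_sample_places() -> sqlite3.Connection:
    """Constructed in-memory database with only the columns the queries touch."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT,
                                 rev_host TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    places = [  # (id, url, rev_host, visit_count); all constructed
        (1, "http://example.invalid/news", "dilavni.elpmaxe.", 12),
        (2, "http://forum.example.invalid/thread?topic=drugs", "dilavni.elpmaxe.murof.", 5),
        (3, "http://files.example.invalid/report.pdf", "dilavni.elpmaxe.selif.", 1),
        (4, "http://example.invalid/drugs-policy", "dilavni.elpmaxe.", 3),
    ]
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", places)
    t0 = datetime(2011, 6, 20, 10, 0, tzinfo=timezone.utc)
    visits = [  # (place_id, visit_date, visit_type)
        (1, prtime(t0), TRANSITION_LINK),
        (2, prtime(t0 + timedelta(minutes=5)), TRANSITION_TYPED),
        (3, prtime(t0 + timedelta(minutes=15)), TRANSITION_DOWNLOAD),
        (4, prtime(t0 + timedelta(minutes=20)), TRANSITION_LINK),
    ]
    conn.executemany(
        "INSERT INTO moz_historyvisits (place_id, visit_date, visit_type) VALUES (?, ?, ?)",
        visits)
    conn.commit()
    return conn


def most_visited_hosts(conn: sqlite3.Connection, limit: int = 20) -> list[tuple]:
    """First query from the text, with the count included so the ranking is visible."""
    return conn.execute(
        "SELECT rev_host, visit_count FROM moz_places ORDER BY visit_count DESC LIMIT ?",
        (limit,)).fetchall()


def places_matching(conn: sqlite3.Connection, word: str) -> list[str]:
    """Second query from the text; the LIKE pattern is passed as a bound parameter."""
    rows = conn.execute("SELECT url FROM moz_places WHERE url LIKE ? ORDER BY id",
                        (f"%{word}%",))
    return [url for (url,) in rows]


def visits_of_type(conn: sqlite3.Connection, visit_type: int) -> list[tuple[str, str]]:
    """Third query from the text, generalised over visit_type, with timestamps decoded."""
    rows = conn.execute("""
        SELECT p.url, v.visit_date
        FROM moz_places AS p JOIN moz_historyvisits AS v ON p.id = v.place_id
        WHERE v.visit_type = ?
        ORDER BY v.visit_date""", (visit_type,)).fetchall()
    return [(url, from_prtime(us)) for url, us in rows]


def completed_downloads(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    return visits_of_type(conn, TRANSITION_DOWNLOAD)


def typed_urls(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    return visits_of_type(conn, TRANSITION_TYPED)


if __name__ == "__main__":
    db = build_sample_places()
    print("most visited:", most_visited_hosts(db, 3))
    print("matching 'drugs':", places_matching(db, "drugs"))
    print("downloads:", completed_downloads(db))
    print("typed:", typed_urls(db))
```

To run the same functions against a carved file, replace ":memory:" with its path and open it read-only (for example with sqlite3.connect("file:places.sqlite?mode=ro", uri=True)) so the examination itself never modifies the evidence.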

Firefox Anti-forensic Features

Firefox includes a number of anti-forensic features which can be invoked either by the suspect or automatically by Firefox itself, such as the removal of history records older than 90 days. Moreover, a suspect could use the “Private Browsing” functionality or manually invoke “Clear Recent History”. In these cases, Firefox fills the space of each deleted record with zeros, effectively wiping the data.

Nevertheless, although the content of the records is wiped, Pereira, M. (n.d.) has demonstrated that “when searching all disk, record vestiges was found in unallocated space”, either because the underlying OS reallocated the data or because of the “rollback” journal used by the SQLite engine.
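The zeroing described in the previous section matches SQLite's own secure_delete option: with it off, a deleted record's bytes stay in the freed space of the page until something overwrites them; with it on, the engine zeroes them at deletion time. As an added example, not from the original post, the following Python script performs the same delete under both settings on a constructed places-style table and reports whether the deleted URL can still be found by a raw byte search of the database file. The rollback journal and the unallocated space mentioned above lie outside the file and so outside what this in-file search can see, which is exactly why the vestiges Pereira found survive the zeroing.

```python
import sqlite3
import tempfile
from pathlib import Path

# Constructed marker URL, unusual enough that a raw byte search cannot match anything else.
MARKER = "http://example.invalid/deleted-record-marker-9f3a"


def deleted_record_survives(secure_delete: bool) -> bool:
    """Insert three rows into a places-style table, delete the marker row, and return
    True if the marker's bytes are still readable in the database file afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "places.sqlite"
        conn = sqlite3.connect(db)
        # secure_delete is a per-connection SQLite setting; OFF is SQLite's compiled-in
        # default unless the build enabled SQLITE_SECURE_DELETE, so set it explicitly.
        conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
        conn.executemany("INSERT INTO moz_places (url) VALUES (?)",
                         [("http://example.invalid/a",), (MARKER,), ("http://example.invalid/b",)])
        conn.commit()
        if MARKER.encode() not in db.read_bytes():
            raise RuntimeError("marker row never reached the database file")
        conn.execute("DELETE FROM moz_places WHERE url = ?", (MARKER,))
        conn.commit()
        conn.close()
        # Raw search of the file, the same thing a carver or hex editor would do.
        return MARKER.encode() in db.read_bytes()


def report() -> dict[str, bool]:
    """Run the experiment under both settings; True means the deleted URL is still present."""
    return {
        "secure_delete_off": deleted_record_survives(False),
        "secure_delete_on": deleted_record_survives(True),
    }


if __name__ == "__main__":
    for setting, survives in report().items():
        state = "still present in file" if survives else "wiped from file"
        print(f"{setting}: deleted URL {state}")
```

The remaining rows keep page 2 allocated, so the freed cell is not moved to the free list and the comparison isolates the zeroing behaviour alone; on an evidence copy the next place to look for the wiped content is the -journal file and the unallocated clusters around the database.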

Bibliography
