Difference between pages "LNK" and "Mozilla Firefox"

From ForensicsWiki
LNK

Microsoft Windows Shortcut Files

== File Format ==

The Windows Shortcut file has the extension .lnk.
It is essentially a metadata file, specific to the Microsoft Windows platform, and is interpreted by the Windows Shell.
The file format specifies that these files carry a fixed signature, 0x4C (4C 00 00 00), at offset 0 within the file/stream. Further, the GUID (CLSID) 00021401-0000-0000-c000-000000000046 stored at byte offset 4 makes a good identifier.

Understanding this file format can be extremely useful for an analyst, as not only are shortcut files still employed as of Windows 7, but the binary format is also used in the numbered streams within *.automaticDestinations-ms [[Jump Lists]] files on Windows 7 and 8.

== Metadata ==

* [[MAC times]] of the target. These are a snapshot of the target's date and time stamps taken before it was last opened. The target can be several things, for example a (linked) file:
<pre>
Linked file information:
Creation time : Jul 26, 2009 14:44:34 UTC
Modification time : Jul 26, 2009 14:44:34 UTC
Access time : Aug 12, 2010 06:41:50 UTC
Local path : C:\Program Files (x86)\Windows Live\Mail\wlmail.exe
</pre>
* The [[Shell Item]] list of the target;
* The size of the target when it was last accessed;
* Serial number of the volume where the target was stored;
** Useful for correlating a USB drive or other removable media (if you can get the volume serial number off it) to a particular user or system.
* Network volume share name;
* Read-only, hidden, system, volume label, encryption, sparse, compressed, offline and several other target attributes;
* MAC address of the host computer (sometimes);
* Distributed link tracking information, e.g.
<pre>
Distributed link tracker information:
Machine identifier string          : mysystem
Droid volume identifier            : 11111111-2222-3333-4444-555555555555
Droid file identifier              : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
Birth droid volume identifier      : 11111111-2222-3333-4444-555555555555
Birth droid file identifier        : aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
</pre>

== External Links ==

* [http://computerforensics.parsonage.co.uk/downloads/TheMeaningofLIFE.pdf The Meaning of Linkfiles In Forensic Examinations]
* [http://www.i2s-lab.com/Papers/The_Windows_Shortcut_File_Format.pdf Details of the Windows shortcut file format]
* [http://msdn.microsoft.com/en-us/library/dd871305%28PROT.13%29.aspx MS-SHLLINK]
* [https://googledrive.com/host/0B3fBvzttpiiSQmluVC1YeDVvZWM/Windows%20Shortcut%20File%20(LNK)%20format.pdf Windows Shortcut File (LNK) format], by the [[liblnk|liblnk project]]
* [http://www.forensicfocus.com/link-file-evidentiary-value Evidentiary Value of Link Files], by Nathan Weilbacher
* [http://blog.0x01000000.org/2010/08/10/lnk-parsing-youre-doing-it-wrong-i/ LNK Parsing: You’re doing it wrong (I)], by [[Jordi Sánchez López]], August 10, 2010
* [http://blog.0x01000000.org/2010/08/13/lnk-parsing-youre-doing-it-wrong-ii/ LNK Parsing: You’re doing it wrong (II)], by [[Jordi Sánchez López]], August 13, 2010

== Tools ==

* [http://www.tzworks.net/prototype_page.php?proto_id=11 Windows LNK file parser.] Free tool that can be run on Windows, Linux or Mac OS-X
* [http://jafat.sourceforge.net/files.html Free tool (in PERL) that is capable of reading and reporting on Windows shortcut files]
* [http://mitec.cz/wfa.html Free tool that is capable of reading and reporting on Windows shortcut files]
* [[liblnk]]
* [http://code.google.com/p/lnk-parser/ lnk-parser]

[[Category:File Formats]]

Mozilla Firefox

{{expand}}
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.

It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.

== Anonymous Browsing ==
Mozilla Firefox can be used for anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals the computer's uptime in TLS (SSL) "Client Hello" packets, allowing an investigator to correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

== History ==
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].

'''places.sqlite''' can be found in the following locations:

On Linux
<pre>
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
</pre>

On Windows Vista, 7
<pre>
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
</pre>

=== Timestamps ===
places.sqlite uses the following timestamps.

'''moz_historyvisits.visit_date''' is (the number of) microseconds since January 1, 1970 UTC.

Some Python code to do the conversion into human readable format:
<pre>
import datetime

# timestamp is the raw moz_historyvisits.visit_date value (microseconds)
date_string = ( datetime.datetime( 1970, 1, 1 )
              + datetime.timedelta( microseconds=timestamp ) )
</pre>

=== Example queries ===
Some example queries:

To get an overview of the visited sites:
<pre>
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
</pre>

== Downloads ==
Firefox 3 stores the history of downloads in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].

'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.

=== Timestamps ===
downloads.sqlite uses the following timestamps.

'''moz_downloads.startTime''' and '''moz_downloads.endTime''' are (the number of) microseconds since January 1, 1970 UTC.

=== Example queries ===
Some example queries:

To get an overview of the downloaded files:
<pre>
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
</pre>

== See Also ==

* [[Mozilla Suite]]
* [[Mozilla Firefox History File Format]]
* [[SQLite database format]]

== External Links ==

* [http://www.mozilla.com/firefox/ Official website]
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]

[[Category:Applications]]
[[Category:Web Browsers]]
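As an added example (not from the ForensicsWiki article and not Mozilla's code), the following Python builds a constructed, minimal in-memory stand-in for places.sqlite and downloads.sqlite, runs the history and download queries from the Firefox sections above, and applies the PRTime conversion from the two Timestamps sections. The tables carry only the columns those queries touch, not the full Firefox 3 schemas; the sample rows, URLs and byte counts are constructed. The history query is the article's join, but with the 'localtime' modifier left out so the result is UTC regardless of the examiner machine's time zone.

```python
import datetime
import sqlite3

# PRTime values in places.sqlite / downloads.sqlite count microseconds from this epoch
PRTIME_EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)


def prtime_to_datetime(timestamp):
    """Convert a Mozilla PRTime value (microseconds since 1970-01-01 UTC) to a datetime."""
    return PRTIME_EPOCH + datetime.timedelta(microseconds=timestamp)


def build_sample_profile():
    """Constructed stand-in for a Firefox 3 profile: only the columns the queries
    below use are defined (the real schemas carry many more columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
        CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, source TEXT,
                                    startTime INTEGER, endTime INTEGER,
                                    currBytes INTEGER, maxBytes INTEGER);
    """)
    # Constructed sample rows; 1248619474000000 us == 2009-07-26 14:44:34 UTC.
    conn.execute("INSERT INTO moz_places VALUES (1, 'http://www.forensicswiki.org/')")
    conn.execute("INSERT INTO moz_historyvisits VALUES (1, 1, 1248619474000000)")
    conn.execute("INSERT INTO moz_historyvisits VALUES (2, 1, 1248619534000000)")  # +60 s
    conn.execute("INSERT INTO moz_downloads VALUES (1, 'http://example.invalid/tool.zip', "
                 "1248619600000000, 1248619660000000, 1024, 1024)")
    return conn


def visited_sites(conn):
    """The article's history join; visit_date/1000000 is integer division in SQLite,
    so the fractional second is dropped before 'unixepoch' is applied."""
    return conn.execute("""
        SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch'), moz_places.url
        FROM moz_places, moz_historyvisits
        WHERE moz_places.id = moz_historyvisits.place_id
        ORDER BY moz_historyvisits.visit_date
    """).fetchall()


def downloaded_files(conn):
    """The article's download query, with both PRTime columns converted in Python.
    currBytes == maxBytes is used here as a simple indicator that the transfer
    reached its full size; a shorter currBytes indicates an interrupted download."""
    rows = conn.execute(
        "SELECT startTime, endTime, source, currBytes, maxBytes FROM moz_downloads"
    ).fetchall()
    return [
        {
            "start": prtime_to_datetime(start).isoformat(),
            "end": prtime_to_datetime(end).isoformat(),
            "source": source,
            "complete": curr == maxb,
        }
        for start, end, source, curr, maxb in rows
    ]


if __name__ == "__main__":
    db = build_sample_profile()
    for when, url in visited_sites(db):
        print(when, url)
    for entry in downloaded_files(db):
        print(entry)
```

Point the `sqlite3.connect` call at a copy of a real places.sqlite or downloads.sqlite (never the live file in a running profile) and the two query functions work unchanged, since the real tables contain the columns referenced here.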
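An added example for the LNK article above, not part of ForensicsWiki's text or of any of the tools it lists: a Python parser for the fixed 76-byte ShellLinkHeader that applies the identification check described under File Format (HeaderSize 0x4C at offset 0, the CLSID 00021401-0000-0000-c000-000000000046 at offset 4) and extracts the target MAC times, size and attribute bits described under Metadata. The header layout, the FILE_ATTRIBUTE_* values and the LinkFlags bits follow the MS-SHLLINK specification the article links to. The sample header is constructed with `struct.pack`, reuses the article's example creation and access times, and the file size, flag selection and show command are invented sample values; no real shortcut file is read.

```python
import datetime
import struct
import uuid

LNK_HEADER_SIZE = 0x4C  # 76 bytes; doubles as the signature at offset 0
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)

# FileAttributes bits (Windows FILE_ATTRIBUTE_* values) covering the attributes the article lists
FILE_ATTRIBUTES = {
    0x0001: "READONLY", 0x0002: "HIDDEN", 0x0004: "SYSTEM", 0x0010: "DIRECTORY",
    0x0020: "ARCHIVE", 0x0200: "SPARSE_FILE", 0x0800: "COMPRESSED",
    0x1000: "OFFLINE", 0x4000: "ENCRYPTED",
}
# LinkFlags bits announcing which optional structures follow the header
LINK_FLAGS = {
    0x01: "HasLinkTargetIDList", 0x02: "HasLinkInfo", 0x04: "HasName",
    0x08: "HasRelativePath", 0x10: "HasWorkingDir", 0x20: "HasArguments",
    0x40: "HasIconLocation", 0x80: "IsUnicode",
}
# ShellLinkHeader (MS-SHLLINK), little-endian: HeaderSize, LinkCLSID, LinkFlags,
# FileAttributes, CreationTime, AccessTime, WriteTime, FileSize, IconIndex,
# ShowCommand, HotKey, Reserved1, Reserved2, Reserved3
_HEADER = struct.Struct("<I16sIIQQQIiIHHII")


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means 'not set'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + datetime.timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, exact to the microsecond (used to build the sample)."""
    return (dt - FILETIME_EPOCH) // datetime.timedelta(microseconds=1) * 10


def is_lnk(data):
    """The article's identification rule: 0x4C at offset 0 and the ShellLink CLSID at
    offset 4. The CLSID is stored in Windows' mixed-endian GUID byte order, hence bytes_le."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    clsid = uuid.UUID(bytes_le=bytes(data[4:20]))
    return header_size == LNK_HEADER_SIZE and clsid == LNK_CLSID


def parse_lnk_header(data):
    """Decode the fixed header into the target metadata the article describes."""
    if not is_lnk(data):
        raise ValueError("not a Windows shortcut (bad HeaderSize or LinkCLSID)")
    (_, _, flags, attrs, ctime, atime, wtime, size,
     icon_index, show_command, _hotkey, *_reserved) = _HEADER.unpack_from(data, 0)
    return {
        "link_flags": sorted(n for bit, n in LINK_FLAGS.items() if flags & bit),
        "file_attributes": sorted(n for bit, n in FILE_ATTRIBUTES.items() if attrs & bit),
        "creation_time": filetime_to_datetime(ctime),   # target MAC times, not the .lnk's own
        "access_time": filetime_to_datetime(atime),
        "write_time": filetime_to_datetime(wtime),
        "file_size": size,                              # target size when last accessed
        "icon_index": icon_index,
        "show_command": show_command,
    }


def build_sample_header():
    """Constructed 76-byte header (not a real shortcut): the article's example target
    timestamps, an invented size, ARCHIVE attribute and SW_SHOWNORMAL (1) show command."""
    utc = datetime.timezone.utc
    ctime = datetime_to_filetime(datetime.datetime(2009, 7, 26, 14, 44, 34, tzinfo=utc))
    atime = datetime_to_filetime(datetime.datetime(2010, 8, 12, 6, 41, 50, tzinfo=utc))
    return _HEADER.pack(LNK_HEADER_SIZE, LNK_CLSID.bytes_le,
                        0x01 | 0x02 | 0x80,  # HasLinkTargetIDList | HasLinkInfo | IsUnicode
                        0x0020,              # FILE_ATTRIBUTE_ARCHIVE
                        ctime, atime, ctime,
                        1_234_567,           # FileSize (invented)
                        0, 1, 0, 0, 0, 0)    # IconIndex, ShowCommand, HotKey, Reserved1..3


if __name__ == "__main__":
    sample = build_sample_header()
    print(is_lnk(sample), parse_lnk_header(sample))
```

The same `is_lnk` check applies to the numbered streams of *.automaticDestinations-ms Jump List files mentioned above, since each stream begins with this header; the variable-length structures after byte 76 (the Shell Item list, LinkInfo, tracker data) need the LinkFlags decoded here to locate them.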

Revision as of 14:24, 18 July 2013
