Difference between pages "Mozilla Firefox 3 History File Format" and "Defacto"

From ForensicsWiki
(Difference between pages)
Edit summary for Mozilla Firefox 3 History File Format: (Categorized the article)
Edit summary for Defacto: (New page: '''Defacto''' is a software inventorization tool developed by National Hi-Tech Crime Unit [http://nhtcu.ru/] (Russia). == Overview == Defacto builds a list of installed software programs...)
Right-hand page, Defacto:

'''Defacto''' is a software inventorization tool developed by National Hi-Tech Crime Unit [http://nhtcu.ru/] (Russia).

== Overview ==

Defacto builds a list of installed software programs by searching for specific files and scanning [[Windows Registry]].

Defacto reports the following information about installed software programs:

* Author (vendor);
* Product name;
* License type (freeware, shareware, etc);
* Price;
* Additional information (install date, install path, version/build, serial number, product key, etc);
* Registered owner.

== Illegal Software ==

Defacto maintains a database of blacklisted serial numbers. It can also detect cracked software.

== External Links ==

* [http://www.defacto-com.ru/ Official website]

Left-hand page, Mozilla Firefox 3 History File Format:

Starting in Firefox 3, a new file format was used to record browser history information. Rather than storing this information in a flat file using the Mork file format (as was done in previous versions of Firefox), the information is kept in SQLite tables within a single database file.

==File Locations==

On Linux systems, the history file is located in the user's home folder in the .mozilla/firefox/<profile folder>/ folder and is named places.sqlite.

On Windows systems, the history file is located in C:\Documents and Settings\<username>\Application Data\Mozilla\firefox\Profiles\<profile folder> and is named places.sqlite.

==File Header==

Firefox 3 history files start with <pre> 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33</pre> which represents the ASCII string SQLite format 3. This is normal for any SQLite database file, so it may be more appropriate to verify that the file is a Firefox 3 history file by looking for the database tables within the file. For example, at offset 120701 (0x1D77D) the hex value <pre>43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73</pre> can be found. This represents the ASCII string CREATE TABLE moz_bookmarks. At offset 120973 (0x1D88D) the hex value <pre>43 52 45 41 54 45 20 49 4E 44 45 58 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73 5F 69 74 65 6D 69 6E 64 65 78</pre> can be found. This represents the ASCII string CREATE INDEX moz_bookmarks_itemindex.

==Database Tables==

The places.sqlite file is essentially a database with multiple tables and indexes:

<pre>  moz_bookmarks
  moz_bookmarks_itemindex
  moz_bookmarks_parentindex
  moz_bookmarks_roots
  moz_keywords
  moz_favicons (actually stores the favicons in a BLOB within the table)
  moz_annos
  moz_annos_placeattributeindex
  moz_attributes
  moz_items_annos
  moz_items_annos_itemattributeindex
  moz_places (See Below)
  moz_places_url_uniqueindex
  moz_places_faviconindex
  moz_places_hostindex
  moz_places_visitcount
  moz_places_frequencyindex
  moz_historyvisits (See Below)
  moz_historyvisits_placedateindex
  moz_historyvisits_fromindex
  moz_historyvisits_dateindex
  moz_inputhistory
  sqlite_autoindex_moz_bookmarks_roots_1
  sqlite_autoindex_moz_keywords_1
  sqlite_sequence
  sqlite_autoindex_moz_favicons_1
  sqlite_autoindex_moz_anno_attributes_1
  sqlite_autoindex_moz_inputhistory_1</pre>

==moz_places==

The moz_places table holds some of the information necessary to reconstruct the browser history.

<pre>  id INTEGER PRIMARY KEY
  url LONGVARCHAR (The whole URL string)
  title LONGVARCHAR (The title presented from the TITLE tags on the page)
  rev_host LONGVARCHAR (this is the host name from the URL in reverse)
  visit_count INTEGER
  hidden INTEGER
  typed INTEGER
  favicon_id INTEGER
  frequency INTEGER</pre>

==moz_historyvisits==

The moz_historyvisits table holds the other information that you need to link up with moz_places to reconstruct the browser history.

<pre>  id INTEGER
  from_visit INTEGER
  place_id INTEGER
  visit_date INTEGER
  visit_time INTEGER
  session INTEGER</pre>

[[Category:File Formats]]
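Added example, not code from the wiki page: a Python script that applies the two Firefox 3 history checks described above (the SQLite magic bytes, then the presence of the moz_ tables in sqlite_master rather than at fixed byte offsets, which differ between files) and then joins moz_historyvisits to moz_places, following from_visit back to the referring page, to rebuild the visit timeline. The sample database is constructed inline from the columns the page lists; treating visit_date as microseconds since the Unix epoch is Firefox behaviour not stated on the page.

```python
import sqlite3
from datetime import datetime, timezone

# Magic bytes from the page: every SQLite 3 database starts with "SQLite format 3".
SQLITE_MAGIC = bytes.fromhex("53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33")
# Tables whose presence distinguishes places.sqlite from any other SQLite file.
FIREFOX_TABLES = {"moz_places", "moz_historyvisits", "moz_bookmarks"}

def looks_like_sqlite(header: bytes) -> bool:
    """True if the first bytes of a file carry the SQLite 3 magic string."""
    return header[:len(SQLITE_MAGIC)] == SQLITE_MAGIC

def is_firefox3_history(conn: sqlite3.Connection) -> bool:
    """Check the schema catalogue for the Firefox tables instead of relying on
    fixed byte offsets, which vary from one places.sqlite to the next."""
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return FIREFOX_TABLES <= {name for (name,) in rows}

def reconstruct_history(conn: sqlite3.Connection) -> list:
    """Join moz_historyvisits to moz_places, and back to the referring visit via
    from_visit, giving an ordered (timestamp, url, title, referrer) timeline."""
    sql = """
        SELECT v.visit_date, p.url, p.title, rp.url
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits AS rv ON rv.id = v.from_visit
        LEFT JOIN moz_places AS rp ON rp.id = rv.place_id
        ORDER BY v.visit_date"""
    out = []
    for visit_date, url, title, referrer in conn.execute(sql):
        # Assumption (Firefox behaviour, not stated on the page): visit_date is
        # microseconds since the Unix epoch, in UTC.
        ts = datetime.fromtimestamp(visit_date / 1_000_000, tz=timezone.utc)
        out.append((ts.isoformat(), url, title, referrer))
    return out

def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for places.sqlite, using the page's columns."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY);
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,
            rev_host LONGVARCHAR, visit_count INTEGER, hidden INTEGER, typed INTEGER,
            favicon_id INTEGER, frequency INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER, from_visit INTEGER, place_id INTEGER,
            visit_date INTEGER, visit_time INTEGER, session INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://www.example.com/', 'Example Domain', 'moc.elpmaxe.www.', 1, 0, 1, NULL, 0);
        INSERT INTO moz_places VALUES (2, 'http://www.example.com/page2', 'Page 2', 'moc.elpmaxe.www.', 1, 0, 0, NULL, 0);
        INSERT INTO moz_historyvisits VALUES (1, 0, 1, 1221239880000000, 0, 1);
        INSERT INTO moz_historyvisits VALUES (2, 1, 2, 1221239940000000, 0, 1);""")
    return conn
```

On a real acquisition, open the copy read-only (for example via a `file:` URI with `mode=ro`) so the examination never writes to the evidence file.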

Defacto page, revision as of 17:18, 12 September 2008
