Difference between pages "FRED" and "Mozilla Firefox"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
m
 
 
Line 1: Line 1:
'''FRED''' can refer to:
+
{{expand}}
 +
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.
  
* [[First Responder's Evidence Disk]] - A [[Windows]] [[Incident Response|incident response]] tool written by [[Jesse Kornblum]].
+
It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.
* [[Tools:Memory_Imaging#x86_Hardware|Forensic RAM Extraction Device]], a hardware memory imager for x86 systems developed by BBN.
+
* [[Forensic Recovery of Evidence Device]] - A computer designed for forensic analysis made by [[Digital Intelligence]].
+
  
{{disambig}}
+
== Anonymous Browsing ==
 +
Mozilla Firefox can be used in anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].
 +
 
 +
This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.
 +
 
 +
== History ==
 +
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].
 +
 
 +
'''places.sqlite''' can be found in the following locations:
 +
 
 +
On Linux
 +
<pre>
 +
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
 +
</pre>
 +
 
 +
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
 +
</pre>
 +
 
 +
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
 +
</pre>
 +
 
 +
On Windows Vista, 7
 +
<pre>
 +
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
 +
</pre>
 +
 
 +
=== Timestamps ===
 +
The places.sqlite uses the following timestamps.
 +
 
 +
==== moz_historyvisits.visit_date ====
 +
 
 +
The visit date and time values in the moz_historyvisits table are in (the number of) microseconds since January 1, 1970 UTC
 +
 
 +
Some Python code to do the conversion into human readable format:
 +
<pre>
 +
date_string = datetime.datetime( 1970, 1, 1 )
 +
            + datetime.timedelta( microseconds=timestamp )
 +
</pre>
 +
 
 +
=== Example queries ===
 +
Some example queries:
 +
 
 +
To get an overview of the visited sites:
 +
<pre>
 +
SELECT moz_historyvisits.visit_date, moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
 +
</pre>
 +
 
 +
== Downloads ==
 +
Firefox 3 stores the history of downloads sites in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].
 +
 
 +
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
 +
 
 +
== See Also ==
 +
 
 +
* [[Mozilla Suite]]
 +
* [[Mozilla Firefox History File Format]]
 +
* [[SQLite database format]]
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.mozilla.com/firefox/ Official website]
 +
 
 +
[[Category:Applications]]
 +
[[Category:Web Browsers]]

Revision as of 05:02, 3 November 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Mozilla Firefox is a Free and Open Source web browser developed by the Mozilla Foundation.

It can have many add-ons which give it extra capabilities.

Anonymous Browsing

Mozilla Firefox can be used in anonymous browsing (see The Onion Router). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [1].

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

History

Firefox 3 stores the history of visited sites in a file named places.sqlite. This file uses the SQLite database format.

places.sqlite can be found in the following locations:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite

On MacOS-X

/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Timestamps

The places.sqlite uses the following timestamps.

moz_historyvisits.visit_date

The visit date and time values in the moz_historyvisits table are in (the number of) microseconds since January 1, 1970 UTC

Some Python code to do the conversion into human readable format:

date_string = datetime.datetime( 1970, 1, 1 )
            + datetime.timedelta( microseconds=timestamp )

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT moz_historyvisits.visit_date, moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;

Downloads

Firefox 3 stores the history of downloads sites in a file named downloads.sqlite. This file uses the SQLite database format.

downloads.sqlite can be found in the same location as places.sqlite.

See Also

External Links