Difference between pages "Jump Lists" and "Mozilla Firefox"

From ForensicsWiki

Jump Lists

{{expand}}

'''Jump Lists''' are a feature found in Windows 7.

== Jump Lists ==

Jump Lists are a Windows 7 Taskbar feature that gives the user quick access to recently accessed application files and actions.

Jump Lists come in two flavors:
* automatic (autodest, or *.automaticDestinations-ms) files
* custom (custdest, or *.customDestinations-ms) files

Autodest files are created by the operating system.

The Jump Lists are located in the user profile path:

<pre>
C:\Users\%USERNAME%\Recent folder
</pre>

The autodest Jump Lists are located in the AutomaticDestinations subdirectory, and the custdest Jump Lists in the CustomDestinations subdirectory.

<b>Note</b>: Jump Lists can prove considerably valuable during an examination, as the files appear (in limited testing) to persist after the application itself is removed from the system. In one test, iTunes 10 was installed on a 64-bit Windows 7 system, and two audio files (i.e., [http://www.cyberspeak.libsyn.com CyberSpeak podcasts]) were launched via iTunes. The Jump Lists persisted after iTunes was removed from the system.

=== AutomaticDestinations ===
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations<br>
Files: *.automaticDestinations-ms

==== Structure ====
The autodest files are [[OLE Compound File|OLE Compound Files]] containing multiple streams, namely:
* hexadecimal numbered streams, e.g. "1a"
* a DestList stream

Each of the hexadecimal numbered streams contains data similar to that of a [[LNK|Windows Shortcut]].

The "DestList" stream acts as a most recently/frequently used (MRU/MFU) list. This stream consists of a 32-byte header, followed by the structures that correspond to each of the individual numbered streams. Each of these structures is 114 bytes in size, followed by a variable-length Unicode string. The first 114 bytes of the structure contain the following information at the corresponding offsets:

<table border="1">
<tr> <th>Offset</th> <th>Size</th> <th>Description</th> </tr>
<tr> <td>0x48</td> <td>16 bytes</td> <td>NetBIOS name of the system; padded with zeros to 16 bytes</td> </tr>
<tr> <td>0x58</td> <td>8 bytes</td> <td>Stream number; corresponds to the numbered stream within the jump list</td> </tr>
<tr> <td>0x64</td> <td>8 bytes</td> <td>[http://support.microsoft.com/kb/188768 FILETIME] object</td> </tr>
<tr> <td>0x70</td> <td>2 bytes</td> <td>Number of Unicode characters in the string that follows</td> </tr>
</table>
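As an added worked example (not code from this page or from any of the tools listed under Tools), the following Python walks a DestList stream using only the header size, entry size and offsets given in the table above. Bytes of the 114-byte structure that the table does not describe are left alone. Little-endian integers, the mapping of the stream number to a hexadecimal stream name (e.g. 26 to "1a"), and the sample stream itself are my assumptions and constructions, not facts taken from a real system.

```python
import datetime
import struct

# Offsets and sizes from the DestList table above (page values); everything else in
# the fixed 114-byte part is undocumented here and left untouched.
HEADER_SIZE = 32
ENTRY_SIZE = 114
OFF_NETBIOS = 0x48      # 16 bytes, zero padded
OFF_STREAM = 0x58       # 8 bytes, number of the stream this entry refers to
OFF_FILETIME = 0x64     # 8 bytes, FILETIME
OFF_STRLEN = 0x70       # 2 bytes, count of UTF-16 characters that follow the fixed part

FILETIME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)


def filetime_to_datetime(filetime):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + datetime.timedelta(microseconds=filetime // 10)


def build_entry(netbios_name, stream_number, filetime, path):
    """Assemble one entry for the constructed sample stream (little-endian integers assumed)."""
    fixed = bytearray(ENTRY_SIZE)
    fixed[OFF_NETBIOS:OFF_NETBIOS + 16] = netbios_name.encode("ascii")[:16].ljust(16, b"\x00")
    struct.pack_into("<Q", fixed, OFF_STREAM, stream_number)
    struct.pack_into("<Q", fixed, OFF_FILETIME, filetime)
    struct.pack_into("<H", fixed, OFF_STRLEN, len(path))
    return bytes(fixed) + path.encode("utf-16-le")


def parse_destlist(data):
    """Walk the DestList stream: 32-byte header, then (114 fixed bytes + UTF-16 string) per entry."""
    if len(data) < HEADER_SIZE:
        raise ValueError("stream shorter than the 32-byte DestList header")
    entries = []
    pos = HEADER_SIZE
    while pos + ENTRY_SIZE <= len(data):
        fixed = data[pos:pos + ENTRY_SIZE]
        netbios = fixed[OFF_NETBIOS:OFF_NETBIOS + 16].split(b"\x00", 1)[0].decode("ascii", "replace")
        stream_number = struct.unpack_from("<Q", fixed, OFF_STREAM)[0]
        filetime = struct.unpack_from("<Q", fixed, OFF_FILETIME)[0]
        nchars = struct.unpack_from("<H", fixed, OFF_STRLEN)[0]
        start, end = pos + ENTRY_SIZE, pos + ENTRY_SIZE + 2 * nchars
        if end > len(data):
            raise ValueError(f"entry at offset {pos} claims {nchars} characters but the stream ends early")
        entries.append({
            "netbios_name": netbios,
            "stream": format(stream_number, "x"),  # assumption: numbered streams are named in hex, e.g. "1a"
            "timestamp": filetime_to_datetime(filetime),
            "path": data[start:end].decode("utf-16-le"),
        })
        pos = end
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} trailing bytes do not form a complete entry")
    return entries


# Constructed sample stream: two entries, ten minutes apart, on a host named WIN7-LAB.
SAMPLE_FILETIME = 130186336000000000  # 2013-07-18 15:06:40 UTC
SAMPLE_DESTLIST = (
    bytes(HEADER_SIZE)
    + build_entry("WIN7-LAB", 0x1A, SAMPLE_FILETIME, r"C:\Users\user\Music\podcast1.mp3")
    + build_entry("WIN7-LAB", 0x1B, SAMPLE_FILETIME + 600 * 10_000_000, r"C:\Users\user\Music\podcast2.mp3")
)

if __name__ == "__main__":
    for entry in parse_destlist(SAMPLE_DESTLIST):
        print(entry["stream"], entry["timestamp"].isoformat(), entry["netbios_name"], entry["path"])
```

On a real autodest file the DestList stream would first be extracted from the OLE compound file (for instance with one of the viewers under Tools) and then handed to parse_destlist; the parser refuses a truncated stream rather than silently returning a partial entry, which is the failure mode to expect on a damaged or carved file.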

=== CustomDestinations ===
Path: C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations<br>
Files: *.customDestinations-ms

==== Structure ====
Custdest files reportedly follow a structure of sequential [http://msdn.microsoft.com/en-us/library/dd871305%28v=prot.13%29.aspx MS-SHLLINK] binary format segments.

== See also ==
* [[List of Jump List IDs]]
* [[OLE Compound File]]
* [[Windows]]

== External Links ==

== Tools ==
* Autodest files can be opened in tools such as the [http://mitec.cz/ssv.html MiTec Structured Storage Viewer], and each of the streams individually/manually extracted. Each of the extracted numbered streams can then be viewed via the [http://mitec.cz/wfa.html Windows File Analyzer].
* Another approach is to use Mark Woan's [http://www.woanware.co.uk/?p=265 JumpLister] tool to view the information within the numbered streams of each autodest file.
* TZWorks LLC's [http://tzworks.net/prototype_page.php?proto_id=20 Jump List Parser (jmp)] can parse both the custom and automatic Destinations type files. For automaticDestinations it associates the MRU/MFU metadata with that of the SHLLINK metadata. There are versions of the tool that run on Windows, Linux or Mac OS X.

[[Category:Windows]]

Mozilla Firefox

Revision as of 15:24, 18 July 2013


Mozilla Firefox is a Free and Open Source web browser developed by the Mozilla Foundation.

It can have many add-ons which give it extra capabilities.

Anonymous Browsing

Mozilla Firefox can be used for anonymous browsing (see The Onion Router). However, Firefox is known to reveal the computer's uptime in TLS (SSL) "Client Hello" packets, which allows an investigator to correlate anonymous and non-anonymous traffic (http://archives.seul.org/or/talk/Apr-2008/msg00050.html).

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

History

Firefox 3 stores the history of visited sites in a file named places.sqlite. This file uses the SQLite database format.

places.sqlite can be found in the following locations:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite

On MacOS-X

/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Timestamps

places.sqlite uses the following timestamp format.

moz_historyvisits.visit_date holds the number of microseconds since January 1, 1970 UTC.

Some Python code to do the conversion into a human-readable format:

import datetime

# timestamp: a moz_historyvisits.visit_date value, microseconds since January 1, 1970 UTC
date_string = datetime.datetime(1970, 1, 1) + datetime.timedelta(microseconds=timestamp)
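The snippet above converts one way and yields a naive datetime. As an added example (not code from this page), the following helpers keep the result timezone-aware, invert the conversion so a time window can be expressed in visit_date units for a query, reproduce the whole-second output that SQLite's datetime(visit_date/1000000, 'unixepoch') gives, and render a value in a chosen fixed UTC offset instead of the examiner's local zone. The function names and the sample value are my own.

```python
import datetime

# Both places.sqlite (moz_historyvisits.visit_date) and downloads.sqlite
# (moz_downloads.startTime / endTime) store microseconds since the Unix epoch.
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)
MICROS_PER_SECOND = 1_000_000


def prtime_to_datetime(microseconds):
    """Microseconds since 1970-01-01 UTC -> timezone-aware UTC datetime.
    Sub-second precision is kept, unlike the SQLite datetime() call."""
    return EPOCH + datetime.timedelta(microseconds=int(microseconds))


def datetime_to_prtime(dt):
    """Inverse conversion, e.g. to bound a query with WHERE visit_date BETWEEN ? AND ?.
    A naive datetime is treated as UTC (an assumption made here, not by Firefox)."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=datetime.timezone.utc)
    delta = dt - EPOCH
    return (delta.days * 86_400 + delta.seconds) * MICROS_PER_SECOND + delta.microseconds


def sqlite_unixepoch_text(microseconds):
    """Reproduces what datetime(visit_date/1000000, 'unixepoch') prints in SQLite:
    integer division drops the fractional second before formatting."""
    whole_seconds = int(microseconds) // MICROS_PER_SECOND
    return prtime_to_datetime(whole_seconds * MICROS_PER_SECOND).strftime("%Y-%m-%d %H:%M:%S")


def to_fixed_offset(microseconds, offset_hours):
    """Render in the zone the examined machine was set to, given as a fixed UTC offset,
    instead of relying on SQLite's 'localtime', which uses the examiner's machine."""
    zone = datetime.timezone(datetime.timedelta(hours=offset_hours))
    return prtime_to_datetime(microseconds).astimezone(zone)


if __name__ == "__main__":
    sample = 1_374_160_000_123_456  # constructed visit_date value
    print(prtime_to_datetime(sample).isoformat())
    print(sqlite_unixepoch_text(sample))
    print(to_fixed_offset(sample, -4).isoformat())
```

Keeping the microsecond part matters when ordering visits that fall within the same second; the SQLite query further down truncates it, so sort on the raw visit_date column rather than on the formatted text.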

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;

Downloads

Firefox 3 stores the download history in a file named downloads.sqlite. This file uses the SQLite database format.

downloads.sqlite can be found in the same location as places.sqlite.

Note: it appears that Firefox 21 (or earlier?) stores downloads as part of the bookmarks, in the moz_bookmarks and moz_annos tables.

Timestamps

The following timestamp format is used.

moz_downloads.startTime and moz_downloads.endTime hold the number of microseconds since January 1, 1970 UTC.

Example queries

Some example queries:

To get an overview of the downloaded files:

SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
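As an added example (not code from this page), the following Python builds a throwaway in-memory SQLite database with a constructed subset of the moz_places, moz_historyvisits and moz_downloads schemas (only the columns the two queries above use; the real tables have many more) and runs both queries over it. The queries are written as explicit JOINs and use 'unixepoch' without 'localtime', because 'localtime' applies the timezone of the examiner's workstation, not that of the examined machine. The sample rows and the open_readonly helper are my own.

```python
import sqlite3

# Constructed sample rows (not from a real profile). Timestamps are microseconds
# since 1970-01-01 UTC, as in places.sqlite and downloads.sqlite.
SAMPLE_PLACES = [
    (1, "http://example.com/"),
    (2, "http://example.org/page"),
]
SAMPLE_VISITS = [  # (id, place_id, visit_date)
    (1, 1, 1_374_160_000_000_000),
    (2, 2, 1_374_160_600_000_000),
    (3, 1, 1_374_161_200_000_000),
]
SAMPLE_DOWNLOADS = [  # (id, source, startTime, endTime, currBytes, maxBytes)
    (1, "http://example.org/file.zip", 1_374_160_000_000_000, 1_374_160_030_000_000, 1024, 1024),
    (2, "http://example.com/big.iso", 1_374_160_600_000_000, 1_374_160_660_000_000, 4096, 8192),
]

# Only the columns the queries below need; the real schemas have many more.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, source TEXT, startTime INTEGER,
                            endTime INTEGER, currBytes INTEGER, maxBytes INTEGER);
"""

# Explicit JOIN; 'unixepoch' without 'localtime' keeps the output in UTC so it does
# not depend on the timezone of the examiner's workstation.
HISTORY_QUERY = """
SELECT datetime(v.visit_date / 1000000, 'unixepoch') AS visited_utc, p.url
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date
"""

# Derived columns: transfer time in seconds and whether the download completed.
DOWNLOADS_QUERY = """
SELECT datetime(d.startTime / 1000000, 'unixepoch') AS started_utc,
       datetime(d.endTime / 1000000, 'unixepoch') AS ended_utc,
       d.source, d.currBytes, d.maxBytes,
       (d.endTime - d.startTime) / 1000000 AS seconds,
       d.currBytes = d.maxBytes AS complete
FROM moz_downloads AS d
ORDER BY d.startTime
"""


def build_sample_db():
    """In-memory database populated with the constructed rows above."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO moz_places VALUES (?, ?)", SAMPLE_PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", SAMPLE_VISITS)
    con.executemany("INSERT INTO moz_downloads VALUES (?, ?, ?, ?, ?, ?)", SAMPLE_DOWNLOADS)
    return con


def open_readonly(path):
    """Open a copied profile database without writing to it; work on a copy,
    since a running Firefox holds a lock on the live file."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def visited_sites(con):
    return con.execute(HISTORY_QUERY).fetchall()


def downloads(con):
    return con.execute(DOWNLOADS_QUERY).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for row in visited_sites(db):
        print(*row)
    for row in downloads(db):
        print(*row)
```

Against a copied profile, replace build_sample_db() with open_readonly("places.sqlite") or open_readonly("downloads.sqlite") and run the same two functions; the complete flag (currBytes = maxBytes) is what separates finished downloads from ones that were interrupted.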

See Also

* Mozilla Suite
* Mozilla Firefox History File Format
* SQLite database format

External Links

* Official website: http://www.mozilla.com/firefox/
* Profile folder - Firefox: http://kb.mozillazine.org/Profile_folder_-_Firefox
* Firefox 3 downloads.sqlite schema: https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf
* Mozilla Firefox Releases: http://download.cdn.mozilla.net/pub/firefox/releases/

Categories: Applications, Web Browsers