Difference between pages "Mozilla Firefox" and "Microsoft Office"

From ForensicsWiki
(Difference between pages)
(Downloads)
 
(External Links)
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.
 
  
It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.
+
== EventLogs ==
 
+
As of Office 2010 related Office Alerts EventLog:
== Anonymous Browsing ==
+
Mozilla Firefox can be used in anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].
+
 
+
This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.
+
 
+
== History ==
+
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].
+
 
+
'''places.sqlite''' can be found in the following locations:
+
 
+
On Linux
+
 
<pre>
 
<pre>
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
+
C:\Windows\System32\winevt\Logs\OAlerts.evtx
</pre>
+
 
+
On MacOS-X
+
<pre>
+
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
+
</pre>
+
 
+
On Windows XP
+
<pre>
+
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
</pre>
+
 
+
On Windows Vista, 7
+
<pre>
+
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
</pre>
+
 
+
=== Timestamps ===
+
The places.sqlite uses the following timestamps.
+
 
+
The '''moz_historyvisits.visit_date''' is in (the number of) microseconds since January 1, 1970 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the visited sites:
+
<pre>
+
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
+
</pre>
+
 
+
== Downloads ==
+
Firefox 3 stores the history of downloads sites in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].
+
 
+
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
+
 
+
'''Note it looks that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks in moz_bookmarks and moz_annos in places.sqlite'''
+
 
+
=== Timestamps ===
+
The places.sqlite uses the following timestamps.
+
 
+
The '''moz_downloads.startTime''' and '''moz_downloads.endTime''' are in (the number of) microseconds since January 1, 1970 UTC.
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
+
 
</pre>
 
</pre>
  
 
== See Also ==
 
== See Also ==
 
+
* [[Microsoft Office File formats]]
* [[Mozilla Suite]]
+
* [[Mozilla Firefox History File Format]]
+
* [[SQLite database format]]
+
  
 
== External Links ==
 
== External Links ==
 +
* [http://dfstream.blogspot.com/2014/01/ms-excel-2013-last-saved-location.html MS Excel 2013 Last Saved Location Metadata], Jason Hale, January 12, 2014
  
* [http://www.mozilla.com/firefox/ Official website]
+
[[Category:Analysis]]
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
+
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
+
* [http://download.cdn.mozilla.net/pub/firefox/releases/ Mozilla Firefox Releases]
+
 
+
[[Category:Applications]]
+
[[Category:Web Browsers]]
+
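Review bot: In the Downloads "=== Timestamps ===" subsection, the sentence "The places.sqlite uses the following timestamps." is carried over from the History section, but the fields it introduces (moz_downloads.startTime and moz_downloads.endTime) belong to the file the Downloads section names, downloads.sqlite, so the sentence should name downloads.sqlite. The Python conversion snippet under History will not run as written: the sum is split across two lines without enclosing parentheses and there is no "import datetime", so wrap the expression in parentheses and add the import. The downloads query also returns moz_downloads.startTime as raw microseconds, while the history query converts visit_date with datetime(.../1000000, 'unixepoch', 'localtime'); applying the same conversion would keep the two examples consistent.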

Revision as of 16:26, 13 January 2014


EventLogs

As of Office 2010, the related Office Alerts EventLog is:

C:\Windows\System32\winevt\Logs\OAlerts.evtx

See Also

External Links