Difference between revisions of "Mozilla Firefox"

From ForensicsWiki
(External Links)
m (Cache Data File)
 
(14 intermediate revisions by the same user not shown)
Line 57: Line 57:
  
 
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
 
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
 +
 +
'''Note it looks that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks in moz_bookmarks and moz_annos in places.sqlite'''
  
 
=== Timestamps ===
 
=== Timestamps ===
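Review bot: The note added after the downloads.sqlite location line is hedged ("it looks that", "or earlier?") and gives the reader no way to verify it. State the Firefox version on which this was actually observed, and say how a download entry is recognised among the rows of moz_bookmarks and moz_annos, so an examiner knows when to stop looking for downloads.sqlite.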
Line 70: Line 72:
 
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
 
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
 
</pre>
 
</pre>
 +
 +
== Cache ==
 +
The common location of the Cache directory is:
 +
 +
On Linux
 +
<pre>
 +
/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/
 +
</pre>
 +
 +
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/
 +
</pre>
 +
 +
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
 +
</pre>
 +
 +
On Windows Vista, 7
 +
<pre>
 +
C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
 +
</pre>
 +
 +
The Cache directory contains the multiple type of cache files:
 +
* Cache Map File
 +
* Cache Block File
 +
* Cache Data File
 +
 +
=== Cache Map file ===
 +
File named _CACHE_MAP_
 +
 +
Contains:
 +
* Cache Map file header
 +
* An array of Cache Map buckets
 +
 +
There are 32 buckets in the Cache map file. Within each bucket, there are 256 records inside each bucket, hence the Cache Map file contains 8192 records in total.
 +
 +
Each record contains the information for one instance of cache data. A record contains four 32-bit integers:
 +
* A Hash Number
 +
* An Eviction Rank
 +
* The Data Location
 +
* The Metadata Location
 +
 +
=== Cache Block file ===
 +
File named _CACHE_00#_, where # is a number ranging from [1-3].
 +
 +
=== Cache Data File ===
 +
File named:
 +
<pre>
 +
<hash number><type><generation number>
 +
</pre>
 +
 +
Where <hash number>, <type>, <generation number> are placeholders for the corresponding values.
  
 
== See Also ==
 
== See Also ==
  
* [[Mozilla Suite]]
 
 
* [[Mozilla Firefox History File Format]]
 
* [[Mozilla Firefox History File Format]]
 
* [[SQLite database format]]
 
* [[SQLite database format]]
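Review bot: The new Cache Map section specifies the record layout only in part: "four 32-bit integers" gives neither the byte order nor how the Data Location and Metadata Location values are to be read, and the header is listed without its size or fields, so the 8192 records cannot be located from this text alone. Add those details, tighten "Within each bucket, there are 256 records inside each bucket", and say what a Cache Block file contains, since that section currently gives only the file name.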
Line 82: Line 137:
 
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
 
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
 
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
 
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
 +
* [http://download.cdn.mozilla.net/pub/firefox/releases/ Mozilla Firefox Releases]
 +
 +
=== Cache ===
 +
* [http://people.mozilla.org/~chofmann/l10n/tree/mozilla/netwerk/cache/src/nsDiskCacheMap.h nsDiskCacheMap.h]
 +
* [http://www.symantec.com/connect/articles/web-browser-forensics-part-2 Web Browser Forensics, Part 2], by Keith J. Jones, Rohyt Belani, May 10, 2005
  
 
[[Category:Applications]]
 
[[Category:Applications]]
 
[[Category:Web Browsers]]
 
[[Category:Web Browsers]]
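Review bot: The nsDiskCacheMap.h link added under the new Cache heading points into a personal directory (people.mozilla.org/~chofmann/l10n/tree/...) and names no Firefox version. Say which release that header corresponds to, and note which versions the 2005 Symantec article covers, since the rest of the page refers to Firefox 3 and Firefox 21.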

Latest revision as of 23:22, 29 July 2014

Mozilla Firefox is a Free and Open Source web browser developed by the Mozilla Foundation.

It can have many add-ons which give it extra capabilities.

Anonymous Browsing

Mozilla Firefox can be used for anonymous browsing (see The Onion Router). However, it is known that Firefox reveals the computer's uptime in TLS (SSL) "Client Hello" packets, allowing an investigator to correlate anonymous and non-anonymous traffic [1].

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

History

Firefox 3 stores the history of visited sites in a file named places.sqlite. This file uses the SQLite database format.

places.sqlite can be found in the following locations:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite

On MacOS-X

/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Timestamps

The places.sqlite uses the following timestamps.

The moz_historyvisits.visit_date is in (the number of) microseconds since January 1, 1970 UTC.

Some Python code to do the conversion into human readable format:

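import datetime
# timestamp holds a moz_historyvisits.visit_date value (microseconds since January 1, 1970 UTC)
date_string = (datetime.datetime(1970, 1, 1)
               + datetime.timedelta(microseconds=timestamp))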

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
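The query above prints local time at one-second resolution, so its output depends on the analyst workstation's timezone. The following added example (not part of the original article) runs the same join from Python and returns timezone-aware UTC values with the microseconds kept; the in-memory database and its rows are constructed, and the function names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(microseconds):
    """Convert microseconds since 1970-01-01 UTC to an aware datetime."""
    return EPOCH + timedelta(microseconds=microseconds)


def visit_timeline(conn):
    """Run the article's join and return (UTC datetime, url), oldest first."""
    rows = conn.execute(
        "SELECT moz_historyvisits.visit_date, moz_places.url "
        "FROM moz_places, moz_historyvisits "
        "WHERE moz_places.id = moz_historyvisits.place_id "
        "AND moz_historyvisits.visit_date IS NOT NULL "
        "ORDER BY moz_historyvisits.visit_date")
    return [(prtime_to_utc(ts), url) for ts, url in rows]


def build_sample():
    """Constructed in-memory database with only the columns the query uses."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/a'),
                                      (2, 'http://example.org/b');
        INSERT INTO moz_historyvisits VALUES
            (1, 2, 1406676120500000),
            (2, 1, 1406676119250000),
            (3, 1, NULL);
    """)
    return conn


if __name__ == "__main__":
    for when, url in visit_timeline(build_sample()):
        print(when.isoformat(), url)
```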

Downloads

Firefox 3 stores the download history in a file named downloads.sqlite. This file uses the SQLite database format.

downloads.sqlite can be found in the same location as places.sqlite.

Note: it appears that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks in moz_bookmarks and moz_annos in places.sqlite.

Timestamps

The places.sqlite uses the following timestamps.

The moz_downloads.startTime and moz_downloads.endTime are in (the number of) microseconds since January 1, 1970 UTC.

Example queries

Some example queries:

To get an overview of the downloaded files:

SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;

Cache

The common location of the Cache directory is:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/

On MacOS-X

/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\

The Cache directory contains multiple types of cache files:

  • Cache Map File
  • Cache Block File
  • Cache Data File

Cache Map file

File named _CACHE_MAP_

Contains:

  • Cache Map file header
  • An array of Cache Map buckets

There are 32 buckets in the Cache Map file. Each bucket contains 256 records, hence the Cache Map file contains 8192 records in total.

Each record contains the information for one instance of cache data. A record contains four 32-bit integers:

  • A Hash Number
  • An Eviction Rank
  • The Data Location
  • The Metadata Location
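A parser for the record array described above, as an added example that is not part of the original article. It assumes big-endian integers, that a hash number of 0 marks an unused slot, and a caller-supplied header size, because the article does not describe the header layout; the sample image is constructed and the function names are hypothetical.

```python
import struct

BUCKETS = 32                    # per the article
RECORDS_PER_BUCKET = 256        # per the article
RECORD = struct.Struct(">4I")   # four 32-bit integers; big-endian is an assumption
TOTAL = BUCKETS * RECORDS_PER_BUCKET  # 8192 records


def parse_cache_map(data, header_size):
    """Return the in-use records of a _CACHE_MAP_ image as dicts.

    header_size is supplied by the caller (assumption): the article does
    not describe the header layout, so it cannot be derived here.
    """
    body = data[header_size:]
    if len(body) < TOTAL * RECORD.size:
        raise ValueError(
            f"record array truncated: {len(body)} of {TOTAL * RECORD.size} bytes")
    records = []
    for slot in range(TOTAL):
        h, rank, data_loc, meta_loc = RECORD.unpack_from(body, slot * RECORD.size)
        if h == 0:              # assumption: hash number 0 marks an unused slot
            continue
        records.append({
            "bucket": slot // RECORDS_PER_BUCKET,
            "slot": slot % RECORDS_PER_BUCKET,
            "hash_number": h,
            "eviction_rank": rank,
            "data_location": data_loc,
            "metadata_location": meta_loc,
        })
    return records


def build_sample(header_size=16):
    """Constructed image: zeroed header, two in-use records, rest empty."""
    body = bytearray(TOTAL * RECORD.size)
    RECORD.pack_into(body, 0, 0x1A2B3C4D, 7, 0x80000001, 0x80000002)
    RECORD.pack_into(body, (3 * RECORDS_PER_BUCKET + 5) * RECORD.size,
                     0xDEADBEEF, 9, 0x90000010, 0x90000020)
    return bytes(header_size) + bytes(body)


if __name__ == "__main__":
    for rec in parse_cache_map(build_sample(), header_size=16):
        print(rec)
```

A file shorter than the full record array raises ValueError instead of returning a partial list, so a truncated or carved _CACHE_MAP_ is not mistaken for a complete one.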

Cache Block file

File named _CACHE_00#_, where # is a number from 1 to 3.

Cache Data File

File named:

<hash number><type><generation number>

Where <hash number>, <type>, <generation number> are placeholders for the corresponding values.

See Also

External Links

Cache