Mozilla Firefox 3 History File Format

From ForensicsWiki
Revision as of 08:12, 15 April 2008 by Kevin (Talk | contribs)

Jump to: navigation, search

Starting in Firefox 3, a new file format was used to record browser history information. Rather than storing this information in a flat file using the mork file format (as was done in previous versions of Firefox), the information is kept in sqlite tables within a file.

File Locations

On linux systems, the history file is located in the users home folder in the .mozilla/firefox/<profile folder>/ folder and is named places.sqlite. On Windows systems, the history file is located in C:\Documents and Settings\<username>\Application Data\Mozilla\firefox\Profiles\<profile folder> and is named places.sqlite.

File Header

Firefox 3 history files start with
 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33
which represents the ascii string SQLite format 3. This is normal for any Sqlite database file, so it may be more appropriate to verify that the file is a Firefox 3 history file by looking for the database tables within the file. For example, at offset 120701 (0x1D77D) the hex value
43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73
can be found. This represents the ascii string CREATE TABLE moz_bookmarks. At offset 120973 (0x1D88D) the hex value
43 52 45 41 54 45 20 49 4E 44 45 58 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73 5F 69 74 65 6D 69 6E 64 65 78
can be found. This represents the ascii string CREATE TABLE moz_bookmarks_itemindex.

Database Tables

The places.sqlite file is essentially a database with multiple tables:

  moz_bookmarks
  moz_bookmarks_itemindex
  moz_bookmarks_parentindex
  moz_bookmarks_roots
  moz_keywords
  moz_favicons (actually stored the favicons in a BLOB within the table)
  moz_annos
  moz_annos_placeattributeindex
  moz_attributes
  moz_items_annos
  moz_items_annos_itemattributeindex
  moz_places (See Below)
  moz_places_url_uniqueindex
  moz_places_faviconindex
  moz_places_hostindex
  moz_places_visitcount
  moz_places_frequencyindex
  moz_historyvists (See Below)
  moz_historyvists_placedateindex
  moz_historyvists_fromindex
  moz_historyvists_dateindex
  moz_inputhistory
  sqlite_autoindex_moz_bookmarks_roots_1
  sqlite_autoindex_moz_keywords_1
  sqlite_sequence
  sqlite_autoindex_moz_favicons_1
  sqlite_autoindex_moz_anno_attributes_1
  sqlite_autoindex_moz_inputhistory_1

Places-schema.png

moz_places

The moz_places table holds some of the information necessary to reconstruct the browser history.

  id INTEGER PRIMARY KEY
  url LONGVARCHAR (The whole URL string)
  title LONGVARCHAR (The title presented from the TITLE tags on the page)
  rev_host LONGVARCHAR (this is the host name from the URL in reverse)
  visit_count INTEGER
  hidden INTEGER
  typed INTEGER
  favicon_id INTEGER
  frequency INTEGER

moz_historyvisits

The moz_historyvisits table holds the other information that you need to link up with moz_places to reconstruct the browser history.

  id INTEGER
  from_visit INTEGER
  place_id INTEGER
  visit_date INTEGER 
  visit_time INTEGER
  session INTEGER

The place_id column of the moz_historyvisits table corresponds to the id column of the moz_places table. The visit_date column keeps time in Unix time format (number of seconds since January 1, 1970). However, there are additional digits appended to the end of the number. Therefore, only the first 11 digits of the number should be used to calculate the actual visit date.

Gathering browser history

Browser history for Firefox 3 can be gathered by connecting to the Sqlite database and performing simple queries. For example, the URLs visited and the date and time of the visit can be gathered with this query:
SELECT moz_places.url, moz_historyvisits.visit_date 
FROM moz_places, moz_historyvisits 
WHERE moz_places.id = moz_historyvisits.place_id