Difference between pages "Mozilla Firefox" and "OLE Compound File"

From ForensicsWiki
(Difference between pages)
(See Also)
 
(External Links)
 
Line 1: Line 1:
{{expand}}
+
The '''Object Linking and Embedding (OLE) Compound File (CF)''' is used in other file formats as its underlying container file.
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.
+
It allows data to be stored in multiple streams.  
  
It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.
+
The OLECF is also known as:
 +
* Compound Binary File (current name used by [[Microsoft]])
 +
* Compound Document File (name used by [[OpenOffice]])
 +
* OLE2 file
  
== Anonymous Browsing ==
+
== MIME types ==
Mozilla Firefox can be used in anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].
+
  
This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.
+
Because the OLECF by itself is just a container it does not use a mime type.
 +
A mime type assigned to an OLECF refers to its contents.
  
== History ==
+
== File signature ==
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].
+
  
'''places.sqlite''' can be found in the following locations:
+
The OLECF has the following file signature:
 +
hexadecimal: d0 cf 11 e0 a1 b1 1a e1
  
On Linux
+
The OLECF has no distinct footer.
<pre>
+
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
+
</pre>
+
  
On MacOS-X
+
== Contents ==
<pre>
+
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
+
</pre>
+
  
On Windows XP
+
The OLECF uses a FAT-like file system to define blocks that are assigned to the stream using multiple allocation tables.
<pre>
+
It uses a directory structure to define the name of the streams.
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
</pre>
+
  
On Windows Vista, 7
+
The OLECF is used to store:
<pre>
+
* [[Microsoft Office]] 97-2003 documents:
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
** [[Word Document (DOC)]]
</pre>
+
** [[Excel Spreadsheet (XLS)]]
 +
** [[Powerpoint Presentation (PPT)]]
 +
* [[Thumbs.db]]
 +
* [[Jump Lists]]
 +
* StickyNotes.snt
  
=== Timestamps ===
+
== Also See ==
The places.sqlite uses the following timestamps.
+
* [[Media:Compdocfileformat.pdf|Microsoft Compound Document File Format]], by OpenOffice.org
 
+
The '''moz_historyvisits.visit_date''' is in (the number of) microseconds since January 1, 1970 UTC
+
 
+
Some Python code to do the conversion into human readable format:
+
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the visited sites:
+
<pre>
+
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
+
</pre>
+
 
+
== Downloads ==
+
Firefox 3 stores the history of downloads sites in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].
+
 
+
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
+
 
+
'''Note it looks that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks in moz_bookmarks and moz_annos in places.sqlite'''
+
 
+
=== Timestamps ===
+
The places.sqlite uses the following timestamps.
+
 
+
The '''moz_downloads.startTime''' and '''moz_downloads.endTime''' are in (the number of) microseconds since January 1, 1970 UTC.
+
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
+
</pre>
+
 
+
== Cache ==
+
On Linux
+
<pre>
+
/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/
+
</pre>
+
 
+
On MacOS-X
+
<pre>
+
/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/
+
</pre>
+
 
+
On Windows XP
+
<pre>
+
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
+
</pre>
+
 
+
On Windows Vista, 7
+
<pre>
+
C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
+
</pre>
+
 
+
== See Also ==
+
 
+
* [[Mozilla Firefox History File Format]]
+
* [[SQLite database format]]
+
  
 
== External Links ==
 
== External Links ==
 +
* [http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf Compound Binary File Specification], by [[Microsoft]]. Be warned this file contains at least one error: the directory entry name length is a size in bytes not in characters.
 +
* [http://msdn.microsoft.com/en-us/library/dd942138.aspx MS-CFB: Compound File Binary File Format], by [[Microsoft]]
 +
* [https://googledrive.com/host/0B3fBvzttpiiSS0hEb0pjU2h6a2c/OLE%20Compound%20File%20format.pdf OLE Compound File format specification], by the [[libolecf|libolecf project]]
  
* [http://www.mozilla.com/firefox/ Official website]
+
== Tools ==
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
+
* [[libolecf]]
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
+
* [http://www.mitec.cz/ssv.html MiTec Structured Storage Viewer]
* [http://download.cdn.mozilla.net/pub/firefox/releases/ Mozilla Firefox Releases]
+
  
[[Category:Applications]]
+
[[Category:File Formats]]
[[Category:Web Browsers]]
+
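Review bot: the Python conversion under "Timestamps" does not parse as shown, because the statement is complete after `datetime.datetime( 1970, 1, 1 )` and the next line begins with an indented `+`; wrap the right-hand side in parentheses and show the `import datetime` it relies on. In the Downloads section, the "Timestamps" paragraph opens with "The places.sqlite uses the following timestamps" although it goes on to describe the moz_downloads columns of downloads.sqlite, so that sentence should name downloads.sqlite.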

Revision as of 01:11, 1 October 2013

The Object Linking and Embedding (OLE) Compound File (CF) is used in other file formats as its underlying container file. It allows data to be stored in multiple streams.

The OLECF is also known as:

  • Compound Binary File (current name used by Microsoft)
  • Compound Document File (name used by OpenOffice)
  • OLE2 file

MIME types

Because the OLECF by itself is just a container, it does not use a MIME type. A MIME type assigned to an OLECF refers to its contents.

File signature

The OLECF has the following file signature (hexadecimal): d0 cf 11 e0 a1 b1 1a e1

The OLECF has no distinct footer.

Contents

The OLECF uses a FAT-like file system to define blocks that are assigned to the stream using multiple allocation tables. It uses a directory structure to define the name of the streams.
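The signature check and directory walk described above, as an added example (not code from this wiki or from libolecf): it verifies the signature, follows the allocation-table chain of the directory and lists the entry names, reading the name length as a byte count as the specification warning on this page says. The function names and the sample image are constructed for illustration, and the header and directory offsets are taken from MS-CFB.

```python
import struct

SIGNATURE = bytes.fromhex("d0cf11e0a1b11ae1")   # file signature quoted on this page
MAXREGSECT, FREESECT = 0xFFFFFFFA, 0xFFFFFFFF   # values >= MAXREGSECT are markers
TYPES = {1: "storage", 2: "stream", 5: "root"}
def list_directory(data):
    """Return [(name, type, size)]; reads only the FAT sectors listed in the header."""
    if data[:8] != SIGNATURE:
        raise ValueError("OLECF signature not found")
    shift, = struct.unpack_from("<H", data, 30)  # 9 = 512-byte sectors, 12 = 4096
    if shift not in (9, 12):
        raise ValueError("unsupported sector shift")
    size = 1 << shift
    def sector(n):                               # sector 0 starts right after the header
        chunk = data[(n + 1) * size:(n + 2) * size]
        if len(chunk) != size:
            raise ValueError("sector %d lies outside the file" % n)
        return chunk
    fat = [v for n in struct.unpack_from("<109I", data, 76) if n < MAXREGSECT
           for v in struct.unpack("<%dI" % (size // 4), sector(n))]
    n, = struct.unpack_from("<I", data, 48)      # first directory sector
    seen, directory = set(), b""
    while n < MAXREGSECT:
        if n in seen or n >= len(fat):           # loop or dangling link in the chain
            raise ValueError("corrupt directory chain")
        seen.add(n)
        directory += sector(n)
        n = fat[n]
    entries = []
    for off in range(0, len(directory), 128):
        raw = directory[off:off + 128]
        name_len, kind = struct.unpack_from("<HB", raw, 64)
        if kind not in TYPES:
            continue                             # unallocated slot
        if not 2 <= name_len <= 64 or name_len % 2:
            raise ValueError("bad name length in entry %d" % (off // 128))
        name = raw[:name_len - 2].decode("utf-16-le")  # byte count, terminator included
        entries.append((name, TYPES[kind], struct.unpack_from("<Q", raw, 120)[0]))
    return entries

def make_entry(name, kind, size):                # constructed 128-byte directory entry
    raw = (name + "\0").encode("utf-16-le")
    return struct.pack("<64sHB53xQ", raw, len(raw), kind, size)

def build_sample():                              # constructed: header, FAT, directory
    hdr = SIGNATURE + bytes(16) + struct.pack("<5H10x", 0x3E, 3, 0xFFFE, 9, 6)
    hdr += struct.pack("<117I", 1, 1, 0, 4096, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[FREESECT] * 126)
    return hdr + fat + make_entry("Root Entry", 5, 0) + make_entry("WordDocument", 2, 4096) + bytes(256)
```

A chain that loops or points outside the file raises `ValueError` instead of being followed, which matters when the input is a carved or deliberately malformed file.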

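The OLECF is used to store:

  • Microsoft Office 97-2003 documents:
      • Word Document (DOC)
      • Excel Spreadsheet (XLS)
      • Powerpoint Presentation (PPT)
  • Thumbs.db
  • Jump Lists
  • StickyNotes.snt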

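Also See

  • Microsoft Compound Document File Format, by OpenOffice.org

External Links

  • Compound Binary File Specification (http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf), by Microsoft. Be warned this file contains at least one error: the directory entry name length is a size in bytes not in characters.
  • MS-CFB: Compound File Binary File Format (http://msdn.microsoft.com/en-us/library/dd942138.aspx), by Microsoft
  • OLE Compound File format specification (https://googledrive.com/host/0B3fBvzttpiiSS0hEb0pjU2h6a2c/OLE%20Compound%20File%20format.pdf), by the libolecf project

Tools

  • libolecf
  • MiTec Structured Storage Viewer (http://www.mitec.cz/ssv.html)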