Difference between pages "Mozilla Firefox 3 History File Format" and "Windows Vista"

From ForensicsWiki
= Windows Vista =

== New Features ==
* [[BitLocker Disk Encryption | BitLocker]]
* [[Windows Desktop Search | Search]] integrated in operating system
* [[ReadyBoost]]
* [[SuperFetch]]
* [[NTFS|Transactional NTFS (TxF)]]
* [[Windows NT Registry File (REGF)|Transactional Registry (TxR)]]
* [[Windows Shadow Volumes|Shadow Volumes]]; the volume-based storage of the Volume Shadow Copy data
* $Recycle.Bin
* [[Windows XML Event Log (EVTX)]]
* [[User Account Control (UAC)]]

== File System ==
The file system used by Windows Vista is primarily [[NTFS]].

In Windows Vista, NTFS no longer tracks the Last Access time of a file by default. This feature can be enabled by setting the NtfsDisableLastAccessUpdate value to '0' in the Registry key:

<pre>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem</pre>

Note that this setting has been available since as early as Windows 2000 [http://technet.microsoft.com/en-us/library/cc959914.aspx].

== [[Prefetch]] ==
Note that the prefetch hash function is different from that of [[Windows XP]].

The [[Windows Prefetch File Format]] was changed to version 23.

== Registry ==
The [[Windows_Registry|Windows Registry]] remains a central component of the Windows Vista operating system.

== See Also ==
* [[Windows]]
* [[Windows 7]]
* [[Windows 8]]

== External Links ==
* [https://www.symantec.com/avcenter/reference/Vista_Network_Attack_Surface_RTM.pdf Windows Vista Network Attack Surface Analysis], James Hoagland, Matt Conover, Tim Newsham, Ollie Whitehouse

[[Category:Operating systems]]

= Mozilla Firefox 3 History File Format =

Starting in Firefox 3, a new file format was used to record browser history information. Rather than storing this information in a flat file using the Mork file format (as was done in previous versions of Firefox), the information is kept in SQLite tables within a single file.

==File Locations==
On Linux systems, the history file is located in the user's home folder under .mozilla/firefox/<profile folder>/ and is named places.sqlite.

On Windows systems, the history file is located in C:\Documents and Settings\<username>\Application Data\Mozilla\firefox\Profiles\<profile folder>\ and is named places.sqlite.

==File Header==
Firefox 3 history files start with
<pre>53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33</pre>
which represents the ASCII string SQLite format 3. This header is shared by every SQLite database file, so it is more reliable to verify that the file is a Firefox 3 history file by looking for the database tables within the file. For example, in one sample file the hex value
<pre>43 52 45 41 54 45 20 54 41 42 4C 45 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73</pre>
can be found at offset 120701 (0x1D77D). This represents the ASCII string CREATE TABLE moz_bookmarks. At offset 120973 (0x1D88D) the hex value
<pre>43 52 45 41 54 45 20 49 4E 44 45 58 20 6D 6F 7A 5F 62 6F 6F 6B 6D 61 72 6B 73 5F 69 74 65 6D 69 6E 64 65 78</pre>
can be found. This represents the ASCII string CREATE INDEX moz_bookmarks_itemindex (the bytes 49 4E 44 45 58 decode to INDEX). These offsets are not fixed by the format; they depend on where SQLite placed the schema entries in that particular file.

==Database Tables==
The places.sqlite file is essentially a database with multiple tables and indexes:
<pre>  moz_bookmarks
  moz_bookmarks_itemindex
  moz_bookmarks_parentindex
  moz_bookmarks_roots
  moz_keywords
  moz_favicons (actually stores the favicons in a BLOB within the table)
  moz_annos
  moz_annos_placeattributeindex
  moz_attributes
  moz_items_annos
  moz_items_annos_itemattributeindex
  moz_places (See Below)
  moz_places_url_uniqueindex
  moz_places_faviconindex
  moz_places_hostindex
  moz_places_visitcount
  moz_places_frequencyindex
  moz_historyvisits (See Below)
  moz_historyvisits_placedateindex
  moz_historyvisits_fromindex
  moz_historyvisits_dateindex
  moz_inputhistory
  sqlite_autoindex_moz_bookmarks_roots_1
  sqlite_autoindex_moz_keywords_1
  sqlite_sequence
  sqlite_autoindex_moz_favicons_1
  sqlite_autoindex_moz_anno_attributes_1
  sqlite_autoindex_moz_inputhistory_1</pre>

==moz_places==
The moz_places table holds some of the information necessary to reconstruct the browser history.
<pre>  id INTEGER PRIMARY KEY
  url LONGVARCHAR (The whole URL string)
  title LONGVARCHAR (The title presented from the TITLE tags on the page)
  rev_host LONGVARCHAR (this is the host name from the URL in reverse)
  visit_count INTEGER
  hidden INTEGER
  typed INTEGER
  favicon_id INTEGER
  frequency INTEGER</pre>

==moz_historyvisits==
The moz_historyvisits table holds the other information that you need to link up with moz_places to reconstruct the browser history.
<pre>  id INTEGER
  from_visit INTEGER
  place_id INTEGER
  visit_date INTEGER
  visit_time INTEGER
  session INTEGER</pre>

The place_id column of the moz_historyvisits table corresponds to the id column of the moz_places table.

The visit_date column keeps time in Unix time format (number of seconds since January 1, 1970). However, there are additional digits appended to the end of the number. Therefore, only the first 11 digits of the number should be used to calculate the actual visit date.

==Gathering browser history==
Browser history for Firefox 3 can be gathered by connecting to the SQLite database and performing simple queries. For example, the URLs visited and the date and time of the visit can be gathered with this query:
<pre>SELECT moz_places.url, moz_historyvisits.visit_date
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id</pre>

[[Category:File Formats]]
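The file-header check and the history query from the Firefox 3 sections above, as an added Python example that is not part of the original wiki page or of Firefox itself. It builds a constructed places.sqlite containing the moz_places and moz_historyvisits columns listed above (plus a minimal moz_bookmarks table and index so the CREATE statements exist), checks the 16-byte SQLite magic, scans the raw bytes for the CREATE statements rather than trusting a fixed offset, runs the page's query, and converts visit_date to a UTC timestamp. The appended digits in visit_date are the microsecond part of a PRTime value (microseconds since the Unix epoch), so integer division by 1,000,000 recovers the seconds value without counting digits. All URLs, hostnames and timestamps below are constructed sample data, and the helper names are mine.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone

# Constructed schema: only the columns named on the page, plus a minimal
# moz_bookmarks table/index so the "CREATE ..." strings are present in the file.
SCHEMA = """
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, type INTEGER, title LONGVARCHAR);
CREATE INDEX moz_bookmarks_itemindex ON moz_bookmarks (fk, type);
CREATE TABLE moz_places (
  id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR,
  visit_count INTEGER, hidden INTEGER, typed INTEGER, favicon_id INTEGER, frequency INTEGER);
CREATE TABLE moz_historyvisits (
  id INTEGER PRIMARY KEY, from_visit INTEGER, place_id INTEGER,
  visit_date INTEGER, visit_time INTEGER, session INTEGER);
"""

# Constructed sample rows. visit_date is microseconds since the Unix epoch:
# 1224936000000000 us == 2008-10-25 12:00:00 UTC.
PLACES = [
    (1, "http://www.forensicswiki.org/wiki/Main_Page", "Forensics Wiki",
     "gro.ikiwscisnerof.www.", 2, 0, 1, None, 100),
    (2, "http://example.com/login", "Example Login", "moc.elpmaxe.", 1, 0, 0, None, 50),
]
VISITS = [
    (1, 0, 1, 1224936000000000, 0, 1),
    (2, 1, 2, 1224936060000000, 0, 1),
    (3, 0, 1, 1224939600000000, 0, 2),
]

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte header shared by all SQLite 3 files

HISTORY_QUERY = """
SELECT moz_places.url, moz_historyvisits.visit_date
FROM moz_places, moz_historyvisits
WHERE moz_places.id = moz_historyvisits.place_id
ORDER BY moz_historyvisits.visit_date
"""


def build_sample_places_db(path):
    """Write the constructed places.sqlite to `path` and return the path."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?,?,?,?)", PLACES)
    con.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?,?)", VISITS)
    con.commit()
    con.close()
    return path


def make_sample_db():
    """Create the sample database in a fresh temporary directory."""
    return build_sample_places_db(os.path.join(tempfile.mkdtemp(), "places.sqlite"))


def is_sqlite_file(path):
    """True if the file carries the SQLite 3 magic; says nothing about Firefox."""
    with open(path, "rb") as f:
        return f.read(16) == SQLITE_MAGIC


def looks_like_firefox_places(path):
    """Identify a Firefox history file by its schema strings, not by fixed offsets."""
    if not is_sqlite_file(path):
        return False
    with open(path, "rb") as f:
        data = f.read()
    return b"CREATE TABLE moz_places" in data and b"CREATE TABLE moz_historyvisits" in data


def list_tables(path):
    """Names of all tables and indexes recorded in sqlite_master."""
    con = sqlite3.connect(path)
    rows = con.execute(
        "SELECT name FROM sqlite_master WHERE type IN ('table', 'index') ORDER BY name"
    ).fetchall()
    con.close()
    return [name for (name,) in rows]


def visit_date_to_utc(visit_date):
    """Convert a PRTime microsecond value to an aware UTC datetime."""
    return datetime.fromtimestamp(visit_date // 1_000_000, tz=timezone.utc)


def gather_history(path):
    """Run the page's query and return (url, 'YYYY-MM-DD HH:MM:SS UTC') pairs."""
    con = sqlite3.connect(path)
    rows = con.execute(HISTORY_QUERY).fetchall()
    con.close()
    return [(url, visit_date_to_utc(ts).strftime("%Y-%m-%d %H:%M:%S UTC")) for url, ts in rows]


def unreverse_host(rev_host):
    """rev_host stores the host name reversed with a trailing '.'; undo that."""
    return rev_host.rstrip(".")[::-1]


if __name__ == "__main__":
    db = make_sample_db()
    print("SQLite file:", is_sqlite_file(db))
    print("Firefox 3 history file:", looks_like_firefox_places(db))
    print("Schema objects:", list_tables(db))
    for url, when in gather_history(db):
        print(when, url)
```

Reading the schema through sqlite_master (list_tables) is the dependable check; the raw byte scan is what you would use on a file that is too damaged for the SQLite library to open.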

Revision as of 12:18, 20 October 2013
