Difference between pages "Insider Threat Research" and "Mozilla Firefox"

From ForensicsWiki
(Difference between pages)
m
 
(Cache)
 
Line 1: Line 1:
==Bibliography==
+
{{expand}}
===US Government Reports===
+
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.
* [http://www.pnl.gov/coginformatics/media/pdf/tr-pacman-65204.pdf Predictive Modeling for Insider Threat Mitigation], PNNL-SA-65204, April 2009
+
* [http://www.dhra.mil/perserec/reports.html#TR0902 Insider Risk Evaluation and Audit], PERSEREC TR 09-02, August 2009
+
* [http://www.dhra.mil/perserec/reports.html#TR0513 Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Analysis and Observations], PERSEREC TR 05-15 September 2005
+
* [http://www.dhra.mil/perserec/reports.html#TR0510 Technological, Social, and Economic Trends That are Increasing U.S. Vulnerability to Insider Espionage], PERSEREC TR 05-10 May 2005
+
* [http://www.fas.org/sgp/library/changes.pdf Changes in Espionage by Americans: 1947-2007], Katherine L. Herbig, PERSEREC TR 08-05, March 2008.  
+
  
 +
It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.
  
===Presentations===
+
== Anonymous Browsing ==
* [http://www.bus.lsu.edu/fraud/2010/barbee.pdf Insider Threats: Hidden Risks], Russell Barbee (DHS), 2010 Fraud and Forensic Accounting Conference, Louisiana State University
+
Mozilla Firefox can be used in anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].
  
==External Links==
+
This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.
* [http://www.cpni.gov.uk/advice/Personnel-security1/Insider-threats/ Centre for the Protection of National Infrastructure (UK) Insider data collection study]
+
 
* [http://www.cert.org/insider_threat/ Software Engineering Institute (CMU) Insider Threat Center]
+
== History ==
* [http://www.dhra.mil/perserec/ Defense Personnel and Security Research Center (PERSEREC)]
+
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].
*[http://www.dhra.mil/perserec/osg/t1threat/insider-threat.htm Insider Threat Page]
+
 
 +
'''places.sqlite''' can be found in the following locations:
 +
 
 +
On Linux
 +
<pre>
 +
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
 +
</pre>
 +
 
 +
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
 +
</pre>
 +
 
 +
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
 +
</pre>
 +
 
 +
On Windows Vista, 7
 +
<pre>
 +
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
 +
</pre>
 +
 
 +
=== Timestamps ===
 +
The places.sqlite uses the following timestamps.
 +
 
 +
The '''moz_historyvisits.visit_date''' is in (the number of) microseconds since January 1, 1970 UTC
 +
 
 +
Some Python code to do the conversion into human readable format:
 +
<pre>
 +
date_string = datetime.datetime( 1970, 1, 1 )
 +
            + datetime.timedelta( microseconds=timestamp )
 +
</pre>
 +
 
 +
=== Example queries ===
 +
Some example queries:
 +
 
 +
To get an overview of the visited sites:
 +
<pre>
 +
SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
 +
</pre>
 +
 
 +
== Downloads ==
 +
Firefox 3 stores the history of downloads sites in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].
 +
 
 +
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
 +
 
 +
'''Note it looks that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks in moz_bookmarks and moz_annos in places.sqlite'''
 +
 
 +
=== Timestamps ===
 +
The places.sqlite uses the following timestamps.
 +
 
 +
The '''moz_downloads.startTime''' and '''moz_downloads.endTime''' are in (the number of) microseconds since January 1, 1970 UTC.
 +
 
 +
=== Example queries ===
 +
Some example queries:
 +
 
 +
To get an overview of the downloaded files:
 +
<pre>
 +
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
 +
</pre>
 +
 
 +
== Cache ==
 +
On Linux
 +
<pre>
 +
/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/
 +
</pre>
 +
 
 +
On MacOS-X
 +
<pre>
 +
/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/
 +
</pre>
 +
 
 +
On Windows XP
 +
<pre>
 +
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
 +
</pre>
 +
 
 +
On Windows Vista, 7
 +
<pre>
 +
C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
 +
</pre>
 +
 
 +
== See Also ==
 +
 
 +
* [[Mozilla Suite]]
 +
* [[Mozilla Firefox History File Format]]
 +
* [[SQLite database format]]
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.mozilla.com/firefox/ Official website]
 +
* [http://kb.mozillazine.org/Profile_folder_-_Firefox Profile folder - Firefox]
 +
* [https://wiki.mozilla.org/images/3/3d/Downloads.sqlite.schema.pdf Firefox 3 – downloads.sqlite]
 +
* [http://download.cdn.mozilla.net/pub/firefox/releases/ Mozilla Firefox Releases]
 +
 
 +
[[Category:Applications]]
 +
[[Category:Web Browsers]]
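
Review bot: the Python snippet under "=== Timestamps ===" on the added side will not run as written. The expression is split over two lines with no enclosing parentheses, so the second line (`+ datetime.timedelta( microseconds=timestamp )`) becomes a separate, mis-indented statement, and `datetime` is never imported; wrap the expression in parentheses and add `import datetime`. In the same hunk, the Timestamps paragraph under "== Downloads ==" reads "The places.sqlite uses the following timestamps" while describing moz_downloads columns, which that section places in downloads.sqlite. The example history query also converts with 'localtime', so its output depends on the time zone of the machine running the query, which is worth stating next to it.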

Revision as of 05:38, 22 September 2013


Mozilla Firefox is a Free and Open Source web browser developed by the Mozilla Foundation.

It can have many add-ons which give it extra capabilities.

Anonymous Browsing

Mozilla Firefox can be used for anonymous browsing (see The Onion Router). However, it is known that Firefox reveals the computer's uptime in TLS (SSL) "Client Hello" packets, allowing an investigator to correlate anonymous and non-anonymous traffic [1].

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

History

Firefox 3 stores the history of visited sites in a file named places.sqlite. This file uses the SQLite database format.

places.sqlite can be found in the following locations:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite

On MacOS-X

/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Timestamps

The places.sqlite uses the following timestamps.

The moz_historyvisits.visit_date is in (the number of) microseconds since January 1, 1970 UTC.

Some Python code to do the conversion into human readable format:

import datetime
# timestamp is a moz_historyvisits.visit_date value (microseconds since the epoch)
date_string = ( datetime.datetime( 1970, 1, 1 )
            + datetime.timedelta( microseconds=timestamp ) )

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT datetime(moz_historyvisits.visit_date/1000000, 'unixepoch', 'localtime'), moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;

Downloads

Firefox 3 stores the download history in a file named downloads.sqlite. This file uses the SQLite database format.

downloads.sqlite can be found in the same location as places.sqlite.

Note: it appears that Firefox 21 (or earlier?) stores the downloads as part of the bookmarks, in moz_bookmarks and moz_annos in places.sqlite.

Timestamps

The places.sqlite uses the following timestamps.

The moz_downloads.startTime and moz_downloads.endTime are in (the number of) microseconds since January 1, 1970 UTC.

Example queries

Some example queries:

To get an overview of the downloaded files:

SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
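
An added example (not part of the original wiki page): the history and download queries above, run from Python with the microsecond timestamps converted to UTC, so the result does not depend on the examiner's local time zone and keeps the sub-second part that the integer division in the SQL drops. The function names and the in-memory sample database are this example's own; the sample is constructed, holds only the columns this page names, and puts all three tables in one database for brevity.

```python
import datetime
import pathlib
import sqlite3

EPOCH = datetime.datetime(1970, 1, 1, tzinfo=datetime.timezone.utc)

def prtime_to_utc(microseconds):
    """Convert microseconds since 1970-01-01 UTC to an aware datetime (None stays None)."""
    if microseconds is None:
        return None
    return EPOCH + datetime.timedelta(microseconds=microseconds)

def open_readonly(path):
    """Open a working copy of places.sqlite or downloads.sqlite read-only."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)

def history_timeline(conn):
    """Return (UTC datetime, url) for every visit, oldest first."""
    rows = conn.execute(
        "SELECT v.visit_date, p.url FROM moz_historyvisits AS v "
        "JOIN moz_places AS p ON p.id = v.place_id ORDER BY v.visit_date")
    return [(prtime_to_utc(ts), url) for ts, url in rows]

def download_timeline(conn):
    """Return (start UTC, end UTC, source, currBytes, maxBytes) per download."""
    rows = conn.execute(
        "SELECT startTime, endTime, source, currBytes, maxBytes "
        "FROM moz_downloads ORDER BY startTime")
    return [(prtime_to_utc(s), prtime_to_utc(e), src, cur, mx)
            for s, e, src, cur, mx in rows]

def constructed_sample():
    """Constructed in-memory database; real profiles keep downloads in a separate file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, source TEXT, startTime INTEGER, endTime INTEGER, currBytes INTEGER, maxBytes INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/'), (2, 'http://example.org/a');
        INSERT INTO moz_historyvisits VALUES (1, 2, 1379828280500000), (2, 1, 1379828200000000);
        INSERT INTO moz_downloads VALUES (1, 'http://example.org/a.zip', 1379828300000000, NULL, 512, 2048);
    """)
    return conn

if __name__ == "__main__":
    db = constructed_sample()
    for when, url in history_timeline(db):
        print(when, url)
```

A download with no end time recorded comes back with None in the end position rather than raising.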

Cache

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/Cache/

On MacOS-X

/Users/$USER/Library/Caches/Firefox/Profiles/$PROFILE.default/Cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Local\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\

See Also

External Links