Difference between pages "Mozilla Firefox" and "Forensic Disk Differencing"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
 
m (See Also)
 
Line 1: Line 1:
{{expand}}
+
Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.
Mozilla Firefox is a Free and Open Source [[Web Browser|web browser]] developed by the Mozilla Foundation.
+
  
It can have many [http://addons.mozilla.org add-ons] which give it extra capabilities.
+
==Differencing Tools==
 +
===idifference.py===
 +
idifference.py is part of the [[Digital Forensics XML]] Python Toolkit distributed with [[fiwalk]]. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.
  
== Anonymous Browsing ==
+
For example, using the '''nps-2009-canon2''' series of disk images:
Mozilla Firefox can be used in anonymous browsing (see [[The Onion Router]]). However, it is known that Firefox reveals computer's uptime in TLS (SSL) "Client Hello" packets allowing investigator correlate anonymous and non-anonymous traffic [http://archives.seul.org/or/talk/Apr-2008/msg00050.html].
+
  
This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.
 
 
== History ==
 
Firefox 3 stores the history of visited sites in a file named '''places.sqlite'''. This file uses the [[SQLite database format]].
 
 
'''places.sqlite''' can be found in the following locations:
 
 
On Linux
 
 
<pre>
 
<pre>
/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite
+
$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw
</pre>
+
>>> Reading nps-2009-canon2-gen2.raw
 +
>>> Reading nps-2009-canon2-gen3.raw
  
On MacOS-X
+
Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw
<pre>
+
/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite
+
</pre>
+
  
On Windows XP
+
New Files:  
<pre>
+
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
</pre>
+
  
On Windows Vista, 7
+
2008-12-23 14:26:12 1315993 DCIM/100CANON/IMG_0041.JPG
<pre>
+
C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite
+
</pre>
+
  
=== Timestamps ===
+
Deleted Files:
The places.sqlite uses the following timestamps.
+
  
The '''moz_historyvisits.visit_date''' are in (the number of) microseconds since January 1, 1970 UTC
+
2008-12-23 14:12:38 855935 DCIM/100CANON/IMG_0001.JPG
 +
2008-12-23 14:22:38 1347778 DCIM/100CANON/IMG_0037.JPG
  
Some Python code to do the conversion into human readable format:
+
Files with modified content (but size unchanged):
<pre>
+
date_string = datetime.datetime( 1970, 1, 1 )
+
            + datetime.timedelta( microseconds=timestamp )
+
</pre>
+
  
=== Example queries ===
+
Files with changed file properties:  
Some example queries:
+
  
To get an overview of the visited sites:
+
DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
<pre>
+
DCIM/CANONMSC/M0100.CTG crtime changed to 1230070924 -> 1230071142
SELECT moz_historyvisits.visit_date, moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;
+
DCIM/CANONMSC/M0100.CTG mtime changed to 1230070924 -> 1230071142
</pre>
+
DCIM/CANONMSC/M0100.CTG resized 180 -> 188
  
== Downloads ==
+
Timeline
Firefox 3 stores the history of downloads sites in a file named '''downloads.sqlite'''. This file uses the [[SQLite database format]].
+
  
'''downloads.sqlite''' can be found in the same location as '''places.sqlite'''.
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG SHA1 changed 69b30c352ee802f49b1ea25325af9fa05c3ffca1 -> baa42c03a917b01b212fb7e538e5deb525995f31
 
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG crtime changed 1230070924 -> 1230071142
=== Timestamps ===
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG mtime changed 1230070924 -> 1230071142
The places.sqlite uses the following timestamps.
+
2008-12-23 14:25:42 DCIM/CANONMSC/M0100.CTG resized 180 -> 188
 
+
2008-12-23 14:26:12 DCIM/100CANON/IMG_0041.JPG created
The '''moz_downloads.startTime''' and '''moz_downloads.endTime''' both are are in (the number of) microseconds since January 1, 1970 UTC.
+
$
 
+
=== Example queries ===
+
Some example queries:
+
 
+
To get an overview of the downloaded files:
+
<pre>
+
SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
+
 
</pre>
 
</pre>
  
== See Also ==
+
Here are some more examples:
 
+
* [[File:Idifference-demo1.txt]] --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)
* [[Mozilla Suite]]
+
* [[Mozilla Firefox History File Format]]
+
* [[SQLite database format]]
+
 
+
== External Links ==
+
 
+
* [http://www.mozilla.com/firefox/ Official website]
+
  
[[Category:Applications]]
+
==See Also==
[[Category:Web Browsers]]
+
*[http://dfrws.org/2012/proceedings/DFRWS2012-6.pdf A general strategy for differential forensic analysis]

Latest revision as of 20:21, 21 October 2013

Forensic Disk Differencing is the process of taking two or more disk images from the same computer and determining what changes in the first disk image might have resulted in the changes that are observed in the second. One common use of differencing is to determine what an attacker did during a break-in. To be used for this purpose, it is necessary to have a forensic disk image of the computer before the break-in and after the break-in.

Differencing Tools

idifference.py

idifference.py is part of the Digital Forensics XML Python Toolkit distributed with fiwalk. This tool will compare two different disk images and report changes in files between the first and the second. It also produces a timeline of changes.

For example, using the nps-2009-canon2 series of disk images:

$ python idifference.py /nps-2009-canon2-gen2.raw nps-2009-canon2-gen3.raw 
>>> Reading nps-2009-canon2-gen2.raw
>>> Reading nps-2009-canon2-gen3.raw

Disk image:/corp/drives/nps/nps-2009-canon2/nps-2009-canon2-gen3.raw 

New Files: 

2008-12-23 14:26:12	1315993	DCIM/100CANON/IMG_0041.JPG

Deleted Files: 

2008-12-23 14:12:38	855935	DCIM/100CANON/IMG_0001.JPG
2008-12-23 14:22:38	1347778	DCIM/100CANON/IMG_0037.JPG

Files with modified content (but size unchanged): 

Files with changed file properties: 

DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
DCIM/CANONMSC/M0100.CTG	crtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	mtime changed to	1230070924	->	1230071142
DCIM/CANONMSC/M0100.CTG	resized	180	->	188

Timeline 

2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	SHA1 changed	69b30c352ee802f49b1ea25325af9fa05c3ffca1	->	baa42c03a917b01b212fb7e538e5deb525995f31
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	crtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	mtime changed	1230070924	->	1230071142
2008-12-23 14:25:42	DCIM/CANONMSC/M0100.CTG	resized	180	->	188
2008-12-23 14:26:12	DCIM/100CANON/IMG_0041.JPG	created
$

Here are some more examples:

  • File:Idifference-demo1.txt --- idifference.py run on two disks from the 2009-M57 Patents scenario (Jo's November 23 vs. November 24th disk)

See Also