Difference between pages "File Carving" and "Mozilla Firefox"

From ForensicsWiki

'''Carving''' is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.

=File Carving=

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. [[Semantic Carving]] performs carving based on an analysis of the contents of the proposed files.

File carving should be done on a [[disk image]], rather than on the original disk.

File carving tools are listed on the [[Tools:Data_Recovery]] wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as [[JPEG]]s embedded in [[Microsoft]] [[DOC|Word documents]]. This may be considered an advantage or a disadvantage, depending on the circumstances.

Today most file carving programs will only recover files that are contiguous on the media.
== File Carving Taxonomy ==
[[Simson Garfinkel]] and [[Joachim Metz]] have proposed the following file carving taxonomy:

;Carving
:General term for extracting data (files) out of undifferentiated blocks (raw data), like "carving" a sculpture out of soapstone.

;Block Based Carving
:Any carving method (algorithm) that analyzes the input on a block-by-block basis to determine if a block is part of a possible output file. This method assumes that each block can only be part of a single file (or embedded file).

;Characteristic Based Carving
:Any carving method (algorithm) that analyzes the input on a characteristic basis (for example, entropy) to determine if the input is part of a possible output file.

;Header/Footer Carving
:A method for carving files out of raw data using a distinct header (start of file marker) and footer (end of file marker).

;Header/Maximum (file) size Carving
:A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.

;Header/Embedded Length Carving
:A method for carving files out of raw data using a distinct header and a file length (size) which is embedded in the file format.

;File structure based Carving
:A method for carving files out of raw data using a certain level of knowledge of the internal structure of file types. Garfinkel called this approach "Semantic Carving" in his DFRWS2006 carving challenge submission, while Metz and Mora called the approach "Deep Carving."

;Semantic Carving
:A method for carving files based on a linguistic analysis of the file's content. For example, a semantic carver might conclude that six blocks of French in the middle of a long HTML file written in English are a fragment left from a previously allocated file, and not part of the English-language HTML file.

;Carving with Validation
:A method for carving files out of raw data where the carved files are validated using a file type specific validator.

;Fragment Recovery Carving
:A carving method in which two or more fragments are reassembled to form the original file or object. Garfinkel previously called this approach "Split Carving."
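As an added illustration (not part of the original wiki page), the following Python carver runs over a constructed byte buffer and combines three of the methods above: header/footer carving, the header/maximum-size fallback when no footer is found, and carving with validation. The JPEG SOI (FF D8) and EOI (FF D9) marker bytes are real; the sample "image", the 4-sector maximum size and the function names are constructed for this example, and the sector_aligned_only switch reproduces the embedded-file trade-off described earlier.

```python
import re

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker followed by the first marker byte
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
MAX_SIZE = 4 * SECTOR           # constructed bound for header/maximum-size carving

def build_image():
    """Constructed sample input: a zeroed 8-sector 'disk image' with two JPEG-like
    blobs (one sector-aligned, one embedded mid-sector) and one orphaned header."""
    img = bytearray(8 * SECTOR)
    jpeg1 = JPEG_HEADER + b"\xe0" + b"JFIF\x00" + b"A" * 100 + JPEG_FOOTER
    jpeg2 = JPEG_HEADER + b"\xe1" + b"Exif\x00" + b"B" * 300 + JPEG_FOOTER
    img[0:len(jpeg1)] = jpeg1
    img[2 * SECTOR + 37:2 * SECTOR + 37 + len(jpeg2)] = jpeg2
    img[6 * SECTOR:6 * SECTOR + 3] = JPEG_HEADER  # footer overwritten / missing
    return bytes(img)

def validate_jpeg(blob):
    """File-type specific validator: SOI, an APPn marker (0xE0-0xEF), and EOI."""
    return (blob.startswith(JPEG_HEADER) and blob.endswith(JPEG_FOOTER)
            and len(blob) > 4 and 0xE0 <= blob[3] <= 0xEF)

def carve(data, sector_aligned_only=False):
    """Header/footer carving; when no footer is found within MAX_SIZE, fall back
    to header/maximum-size carving. Every hit is run through the validator."""
    hits = []
    for m in re.finditer(re.escape(JPEG_HEADER), data):
        start = m.start()
        if sector_aligned_only and start % SECTOR:
            continue  # the "only look at sector boundaries" option
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + MAX_SIZE)
        stop = end + len(JPEG_FOOTER) if end != -1 else min(start + MAX_SIZE, len(data))
        blob = data[start:stop]
        hits.append({"offset": start, "size": len(blob),
                     "method": "header/footer" if end != -1 else "header/max-size",
                     "valid": validate_jpeg(blob)})
    return hits

if __name__ == "__main__":
    for hit in carve(build_image()):
        print(hit)
```

The embedded blob at offset 1061 is only found when the whole input is scanned; the orphaned header at offset 3072 is carved to the maximum size and fails validation.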
  
== File Carving challenges and test images ==

[http://www.dfrws.org/2006/challenge/]
File Carving Challenge - [[Digital Forensic Research Workshop|DFRWS]] 2006

[http://dftt.sourceforge.net/test6/index.html]
FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)

[http://dftt.sourceforge.net/test7/index.html]
NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)

[http://dftt.sourceforge.net/test11/index.html]
Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)

[http://dftt.sourceforge.net/test12/index.html]
Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)

== File Carving Bibliography ==

Mikus, Nicholas A. "An analysis of disc carving techniques," Master's Thesis, Naval Postgraduate School, March 2005. http://handle.dtic.mil/100.2/ADA432468

Garfinkel, S., "Carving Contiguous and Fragmented Files with Fast Object Validation", Digital Forensics Workshop (DFRWS 2007), Pittsburgh, PA, August 2007. http://www.simson.net/clips/academic/2007.DFRWS.pdf

== See also ==
* [[Tools:Data_Recovery#Carving | File Carving Tools]]
* [[File Carving Bibliography]]

=Memory Carving=

Mozilla Firefox (revision as of 06:08, 3 November 2011)


Mozilla Firefox is a Free and Open Source web browser developed by the Mozilla Foundation.

It can have many add-ons which give it extra capabilities.

Anonymous Browsing

Mozilla Firefox can be used for anonymous browsing (see The Onion Router). However, Firefox is known to reveal the computer's uptime in TLS (SSL) "Client Hello" packets, allowing an investigator to correlate anonymous and non-anonymous traffic [1] (http://archives.seul.org/or/talk/Apr-2008/msg00050.html).

This bug affects Firefox 2 (all versions) and Firefox 3 Beta3.

History

Firefox 3 stores the history of visited sites in a file named places.sqlite. This file uses the SQLite database format.

places.sqlite can be found in the following locations:

On Linux

/home/$USER/.mozilla/firefox/$PROFILE.default/places.sqlite

On MacOS-X

/Users/$USER/Library/Application Support/Firefox/Profiles/$PROFILE.default/places.sqlite

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

On Windows Vista, 7

C:\Users\%USERNAME%\AppData\Roaming\Mozilla\Firefox\Profiles\%PROFILE%.default\places.sqlite

Timestamps

places.sqlite uses the following timestamps.

The moz_historyvisits.visit_date values are the number of microseconds since January 1, 1970 UTC.

Some Python code to do the conversion into a human readable format (timestamp is the raw visit_date value):

import datetime
# timestamp: microseconds since 1970-01-01 00:00:00 UTC
visit_datetime = datetime.datetime(1970, 1, 1) + datetime.timedelta(microseconds=timestamp)

Example queries

Some example queries:

To get an overview of the visited sites:

SELECT moz_historyvisits.visit_date, moz_places.url FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id;

Downloads

Firefox 3 stores the download history in a file named downloads.sqlite. This file uses the SQLite database format.

downloads.sqlite can be found in the same location as places.sqlite.

Timestamps

downloads.sqlite uses the following timestamps.

The moz_downloads.startTime and moz_downloads.endTime values are both the number of microseconds since January 1, 1970 UTC.

Example queries

Some example queries:

To get an overview of the downloaded files:

SELECT moz_downloads.startTime, moz_downloads.source, moz_downloads.currBytes, moz_downloads.maxBytes FROM moz_downloads;
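An added worked example, not from the original page: it builds a constructed in-memory stand-in for places.sqlite and downloads.sqlite containing only the columns the queries above use, runs the two queries from this page, and applies the microsecond-since-1970 conversion from the Timestamps sections to the results. The schema fragment, sample rows, URLs and function names are constructed for illustration and are not the real Firefox 3 schema.

```python
import sqlite3
import datetime

UTC = datetime.timezone.utc
EPOCH = datetime.datetime(1970, 1, 1, tzinfo=UTC)

# Constructed schema: only the columns used by the queries on this page.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                visit_date INTEGER);
CREATE TABLE moz_downloads (id INTEGER PRIMARY KEY, source TEXT, startTime INTEGER,
                            endTime INTEGER, currBytes INTEGER, maxBytes INTEGER);
"""

def prtime_to_datetime(microseconds):
    """visit_date / startTime / endTime are microseconds since 1970-01-01 UTC."""
    return EPOCH + datetime.timedelta(microseconds=microseconds)

def datetime_to_prtime(dt):
    """Inverse conversion, useful for building a time window in a WHERE clause."""
    return (dt - EPOCH) // datetime.timedelta(microseconds=1)

def build_sample_db():
    """Constructed in-memory stand-in for places.sqlite + downloads.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    t0 = datetime_to_prtime(datetime.datetime(2011, 11, 3, 6, 8, 0, tzinfo=UTC))
    conn.executemany("INSERT INTO moz_places VALUES (?, ?)",
                     [(1, "http://example.org/"), (2, "http://www.mozilla.com/firefox/")])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)",
                     [(1, 1, t0), (2, 2, t0 + 90_000_000), (3, 1, t0 + 120_000_000)])
    conn.execute("INSERT INTO moz_downloads VALUES (1, ?, ?, ?, 1048576, 1048576)",
                 ("http://example.org/files/report.pdf", t0 + 5_000_000, t0 + 65_000_000))
    return conn

def visit_timeline(conn):
    """The page's history join, ordered by visit and with visit_date made readable."""
    rows = conn.execute(
        "SELECT moz_historyvisits.visit_date, moz_places.url "
        "FROM moz_places, moz_historyvisits "
        "WHERE moz_places.id = moz_historyvisits.place_id "
        "ORDER BY moz_historyvisits.visit_date")
    return [(prtime_to_datetime(ts).isoformat(), url) for ts, url in rows]

def download_summary(conn):
    """The page's downloads query, with duration and completeness derived."""
    rows = conn.execute("SELECT startTime, endTime, source, currBytes, maxBytes FROM moz_downloads")
    return [{"start": prtime_to_datetime(s).isoformat(), "duration_s": (e - s) / 1_000_000,
             "source": src, "complete": cur == mx} for s, e, src, cur, mx in rows]
```

The same functions work against a copied places.sqlite or downloads.sqlite by replacing ":memory:" with the path to the copy taken from the profile directory.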

See Also

Mozilla Suite
Mozilla Firefox History File Format
SQLite database format

External Links

Official website: http://www.mozilla.com/firefox/