Firefox Forensics
This lab is a short follow-on lab to the browser forensics lab. It allows you to explore Firefox cookies and browser history.
Firefox stores its data in SQLite databases, which are read with the sqlite3 tool. Unfortunately, Caine 2.5.1 does not support the required SQLite file format by default; however, I have patched the virtual machine image to use the latest version.
We also need two Perl scripts to help with the analysis. They are installed when you press the initialise button. The first, /home/caine/place.pl, lists the browsing history:
#!/usr/bin/perl -w
#
# Firefox Advanced history info.
# Adapted from http://snippets.dzone.com/posts/show/8431
# Usage: place.pl places.sqlite
# (on Windows the file is usually in:
# "C:\Documents and Settings\${USER}\Application Data\Mozilla\Firefox\Profiles
# \${PROFILE}\places.sqlite" )
#
use strict;

my $places = $ARGV[0];
die "$0: ERROR - can't find places.sqlite\n" if !defined $places || ! -f $places;

my $hist;
# List-form open runs sqlite3 directly (no shell), so a database path that
# contains spaces or shell metacharacters is passed through unchanged.
my @run_query = ('sqlite3', $places, 'select last_visit_date, url from moz_places;');
open(QUERY, '-|', @run_query) || die "Can't run '@run_query': $!\n";
while (defined(my $line = <QUERY>)) {
    # A NULL last_visit_date (a place that was never visited, e.g. a bare
    # bookmark) prints as an empty first field and is skipped by this match.
    if ($line =~ /^([0-9]+)\|(.*)$/) {
        my ($time, $url) = ($1, $2);
        chomp $url;
        # last_visit_date is PRTime: microseconds since the Unix epoch.
        # Keeping the first 10 digits truncates it to whole seconds.
        if (length($time) > 10) {
            $time = substr($time, 0, 10);
        }
        $hist->{$url} = {
            time => $time,
            url  => $url,
        };
    }
}
close QUERY;

my @mon = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
my @day = qw( Sun Mon Tue Wed Thu Fri Sat );

# Comparison sub for sort; the ($$) prototype makes sort pass the two
# keys in @_ instead of the package variables $a and $b.
sub by_time ($$) {
    my ($a, $b) = (shift, shift);
    $hist->{$a}->{time} <=> $hist->{$b}->{time};
}

# Print the history oldest first, as UTC timestamps.
for my $key (sort by_time keys %{$hist}) {
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst)
        = gmtime($hist->{$key}->{time});
    printf "%4d-%02d-%02d %02d:%02d:%02d (%s %02d %s %04d) %s\n",
        $year + 1900, $mon + 1, $mday, $hour, $min, $sec,
        $day[$wday], $mday, $mon[$mon], $year + 1900,
        $hist->{$key}->{url};
}
To view Firefox cookie information you may also find the following script useful. It is saved as /home/caine/cookies.pl.
#!/usr/bin/perl -w
#
# Firefox cookie listing.
# Usage: cookies.pl cookies.sqlite
#
use strict;

my $cookies = $ARGV[0];
die "$0: ERROR - can't find cookie file\n" if !defined $cookies || ! -f $cookies;

my @db;
# moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT, value TEXT,
#              host TEXT, path TEXT, expiry INTEGER, lastAccessed INTEGER,
#              creationTime INTEGER, isSecure INTEGER, isHttpOnly INTEGER)
# List-form open runs sqlite3 directly (no shell), so the path is not
# subject to shell quoting.
my @run_query = ('sqlite3', $cookies,
                 'select lastAccessed, baseDomain, name, value from moz_cookies;');
open(QUERY, '-|', @run_query) || die "Can't run '@run_query': $!\n";
while (defined(my $line = <QUERY>)) {
    if ($line =~ /^([0-9]+)\|(.*)\|(.*)\|(.*)$/) {
        my ($time, $base, $name, $value) = ($1, $2, $3, $4);
        chomp $value;
        # lastAccessed is PRTime: microseconds since the Unix epoch.
        # Keeping the first 10 digits truncates it to whole seconds.
        if (length($time) > 10) {
            $time = substr($time, 0, 10);
        }
        push @db, { time => $time, base => $base,
                    name => $name, value => $value };
    }
}
close QUERY;

my @mon = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
my @day = qw( Sun Mon Tue Wed Thu Fri Sat );

# Print the cookies oldest first, as UTC timestamps.
for my $i (sort { $a->{time} <=> $b->{time} } @db) {
    my ($sec, $min, $hour, $mday, $mon, $year, $wday, $yday, $isdst) = gmtime($i->{time});
    printf "%4d-%02d-%02d %02d:%02d:%02d (%s %02d %s %04d) %s %s %s\n",
        $year + 1900, $mon + 1, $mday, $hour, $min, $sec,
        $day[$wday], $mday, $mon[$mon], $year + 1900,
        $i->{base}, $i->{name}, $i->{value};
}
Both of these scripts will be created automatically in the /home/caine directory when you press the initialise button below.
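The same two queries, written as an added Python example (not part of the lab's scripts) that uses Python's built-in sqlite3 module instead of piping through the sqlite3 command, so it does not depend on which sqlite3 binary the live CD ships. It assumes only the moz_places and moz_cookies columns the scripts above use and builds a constructed in-memory database to run against.

```python
import sqlite3
from datetime import datetime, timezone

# Firefox stores last_visit_date (moz_places) and lastAccessed (moz_cookies)
# as PRTime: microseconds since the Unix epoch. NULL means never visited.
def prtime_to_utc(us):
    """Convert a PRTime microsecond value to an aware UTC datetime."""
    if us is None:
        return None
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)

def load_history(conn):
    """Return (utc_datetime, url) rows from moz_places, oldest first.
    NULL last_visit_date rows (never visited) are skipped, which matches
    the digit-only regex filter in place.pl."""
    rows = conn.execute(
        "SELECT last_visit_date, url FROM moz_places "
        "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date").fetchall()
    return [(prtime_to_utc(t), url) for t, url in rows]

def load_cookies(conn):
    """Return (utc_datetime, baseDomain, name, value) rows, oldest first."""
    rows = conn.execute(
        "SELECT lastAccessed, baseDomain, name, value FROM moz_cookies "
        "ORDER BY lastAccessed").fetchall()
    return [(prtime_to_utc(t), d, n, v) for t, d, n, v in rows]

def make_sample_db():
    """Constructed stand-in for places.sqlite / cookies.sqlite (schema subset).
    On a real image open a copy read-only instead, e.g.
    sqlite3.connect('file:places.sqlite?mode=ro', uri=True)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, last_visit_date INTEGER);
        CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT,
                                  value TEXT, lastAccessed INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/later', 1325376000000000);
        INSERT INTO moz_places VALUES (2, 'http://example.com/bookmark-only', NULL);
        INSERT INTO moz_places VALUES (3, 'http://example.com/first', 1293840000000000);
        INSERT INTO moz_cookies VALUES (1, 'example.com', 'session', 'abc123', 1325376000000000);
    """)
    return conn

if __name__ == "__main__":
    conn = make_sample_db()
    for when, url in load_history(conn):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), url)
    for when, dom, name, value in load_cookies(conn):
        print(when.strftime("%Y-%m-%d %H:%M:%S"), dom, name, value)
```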
Copyright @ 2004-2012 Gordon Russell. All rights reserved.