Written by osmaoguzhan

Examining Firefox Database

Nowadays many crimes can be solved with browser datas. During Firefox forensics, examiners use these Sqlite files for the purpose of analysis by opening them in a database viewer. Let’s see what kind of things Firefox has.

  • Linux
    ~/.config/mozillafirefox/Default/databases
  • Mac OS X
    ~/Library/Application Support/Mozilla/Firefox/Profiles/
  • Windows XP
    C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\
  • Windows Vista & above
    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\_.default

Above you can see where the Firefox DBs are located. But they can be somewhere else also. Generally these paths are used to store files. We’ll look at some of firefox files. First file we look is “places.sqlite”.

places.sqlite

This DB file stores the URLs that you’ve visited, your input history and frequency of these inputs, your bookmarks and more.

  • moz_places : Sites you’ve visited, title of sites, visit count, last visit date, description etc.
  • moz_bookmarks: Title, added date , last modified time
  • moz_inputhistory: Input you typed and frequency of inputs

formhistory.sqlite

  • moz_formhistory : Fieldname you filled, value you typed and how many times you used this value

cookies.sqlite

  • moz_cookies: Base domain, host, last accessed time and creation date.

addons.json

  • name
  • version
  • sourceURI
  • homepageURL
  • supportURL
  • description
  • Screen shots and icons

logins.json

  • hostname
  • encryptedUsername
  • encryptedPassword
  • timeCreated
  • timeLastUsed
  • timePasswordChanged
  • timeUsed

With the logins.json file you can decrypt the usernames and password by using a tool which I higly recommend. Let’s look how it works.

PasswordFox tool found all login credentials.

If you want to examine firefox DB you can use any sqlite database viewer to look at it. I’ve coded a tool which gets data and automatically creates a report for examiner. My tool’s name is FoxRider.

This is the first version of foxrider. I will improve it and add something like password decrypt option. Hope you like the article. See u!

Leave a comment