Mozilla Firefox Browser History Forensics - Using Digital Detective, NetAnalysis
Looking for Mozilla Firefox browser history files?
Tested on my own system with the following system info:
- Windows 7 64-Bit
- Firefox 14.01
In this directory:
%APPDATA%\Mozilla\Firefox\Profiles\
You will find the following directory:
6t7byt3w.default (the pre-dot characters will differ from user to user)
This directory is seventeen characters in length.
Each user's seventeen-character directory name will differ, but the extension (".default", as in the example "12345678.default") will remain the same for all users. It is under this directory that your Firefox profile files reside. This includes the subdirectories under, as an example, "12345678.default": bookmarkbackups, extensions, minidumps, etc.
At this time, all we are concerned with is pointing Digital Detective, NetAnalysis to this directory for the purposes of loading in the Firefox browser history.
The important file in the Firefox browser for parsing and searching the users' Internet history is "places.sqlite". When "places.sqlite" is loaded into NetAnalysis, you can begin your investigation.
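To cross-check what a tool reports, the same file can be read directly with SQL. The following is an added example, not part of the original post or of NetAnalysis: it finds "places.sqlite" under each "*.default" profile directory, opens it read-only, and lists visits from the moz_places and moz_historyvisits tables with timestamps converted to UTC. The sample profile and its rows are constructed test data, and the function names are hypothetical.

```python
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

QUERY = """
SELECT v.visit_date, p.url, p.title, p.visit_count
FROM moz_historyvisits AS v
JOIN moz_places AS p ON p.id = v.place_id
ORDER BY v.visit_date
"""

def find_places(profiles_root):
    """Return places.sqlite from every <name>.default directory under Profiles."""
    return sorted(Path(profiles_root).glob("*.default/places.sqlite"))

def prtime_to_utc(prtime):
    """visit_date is stored as microseconds since 1970-01-01 00:00:00 UTC."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime)

def read_history(db_path):
    """Open a working copy read-only; return (utc_time, url, title, visit_count) rows."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        return [(prtime_to_utc(t), u, ti, c) for t, u, ti, c in con.execute(QUERY)]
    finally:
        con.close()

def build_sample_profile(root):
    """Constructed test data: a minimal places.sqlite with only the queried columns."""
    prof = Path(root) / "12345678.default"
    prof.mkdir(parents=True)
    con = sqlite3.connect(prof / "places.sqlite")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'http://example.com/', 'Example', 2);
        INSERT INTO moz_historyvisits VALUES (1, 1, 1349395200000000), (2, 1, 1349398800000000);
    """)
    con.close()
    return prof

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for db in find_places(tmp):
            for when, url, title, count in read_history(db):
                print(when.isoformat(), url, title, count)
```

On a real case, point find_places at a copy of the Profiles directory rather than the live profile, so the original file is never touched.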
This is just a starting point.
As I find more, more details will follow.
Sources & Tools (that I use):
http://www.digital-detective.co.uk/
http://kb.digital-detective.co.uk/display/NetAnalysis1/Home
Not required, but tools to have a good understanding of -
- Microsoft Notepad; .LOG functionality. If you don't know what I'm speaking of,
< search: notepad ".LOG" >
To implement in notepad.exe:
Type ".LOG" (without the quotes, in uppercase) on the first line of a notepad.exe file, followed by one of the following codes.
ENTER / RETURN (Apple: U+2324); decimal 13, hex 0D; control+M or ^M (C0 and C1 control codes); \r; (U+21B5)
System knowledge:
- Microsoft Windows default file locations,
- Microsoft Internet Explorer INDEX.DAT
- Knowledge of all versions is a good thing.
- SQL Queries
---------------------------------------------------
Corrections and edits added: October 5, 2012
---------------------------------------------------