Mozilla Firefox Forensics – Usage of Sqlite File in Investigation

Learn about the challenges in Mozilla Firefox forensics. Sqlite file analysis is explained in detail, including the types of database, the location of artifacts and the role of Sqlite files in a Mozilla investigation. Data acquisition technology is demonstrated by techies.

Sqlite is an extensively used database format on both iOS and Android, and various built-in applications rely on Sqlite to store their data. Many web browsers, such as Chrome and Firefox, and instant messaging applications (WhatsApp, etc.) also use Sqlite as a database. Firefox keeps an individual file for each function, such as cookies, searches, places visited and so forth, for a total of 12 Sqlite files. The data contained in these files is profile specific, since every user has their own Sqlite RDBMS. During Mozilla Firefox forensics, experts analyze these Sqlite files by opening them in any database viewer.

Different Types of Mozilla Firefox Sqlite Files

Various Sqlite Database files are as follows:

  • content-prefs.sqlite
  • extensions.sqlite
  • places.sqlite
  • webappsstore.sqlite
  • addons.sqlite
  • cookies.sqlite
  • formhistory.sqlite
  • search.sqlite
  • signons.sqlite
  • permissions.sqlite
  • chromeappstore.sqlite
  • downloads.sqlite

Each of the files has a "sqlite_master" table that defines the schema for that database.

Default Location of Mozilla Firefox Sqlite Files

The path of the Sqlite files differs between platforms. The default locations of the Sqlite files used in Mozilla Firefox forensics are provided below:

  • Linux
    ~/.config/mozillafirefox/Default/databases
  • Mac OS X
    ~/Library/Application Support/Mozilla/Firefox/Profiles/
  • Windows XP
    C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\
  • Windows Vista & above
    C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\_.default

Importance of Different Sqlite Files in Mozilla Firefox Forensics

Sqlite File Analysis

content-prefs.sqlite

It contains 3 tables – groups, prefs, and settings. A user can set specific preferences for browser and content settings that remain persistent during the whole browsing session along with browser history. For investigation of Mozilla Firefox Sqlite files, it works as an indicator of intentionally or accidentally visited sites.

Database

addons.sqlite

This file stores all the useful information about each add-on, such as the name of the add-on, version number, description, developer notes, support URL, creator and creator's URL, homepage URL and total number of downloads. While carrying out Mozilla Firefox forensics, techies can use it to find the details of all installed add-ons.

Mozilla Firefox Sqlite Files

cookies.sqlite

Cookies are generated for two purposes: one is to create user profiles and the other is advertising. So it is clear that the presence of a cookie does not mean that the user has visited that site. Firefox stores the cookies in the table "moz_cookies" within this file. The important columns for Sqlite file analysis of the cookie database are baseDomain, host, lastAccessed, and creationTime.

User Credentials

signons.sqlite

It contains information about user credentials, such as the usernames and passwords saved by the user during site visits. This information is kept in encrypted form in the columns "encryptedUsername" and "encryptedPassword". Time stamp information is also saved, consisting of the time of creation, the time of last use, and the time the password was last changed. The number of times a site is visited is also saved, in the "timesUsed" column. It helps the investigator extract crucial artifacts while conducting Mozilla Firefox forensics.


downloads.sqlite

The entire download history is stored in the table "moz_downloads", which remains unchanged until it is deleted by the user. The valuable information for a Mozilla Firefox forensics investigation includes the files downloaded, their download destinations, their sources, and the times of the downloads.

Extension File

extensions.sqlite

This file holds the data about installed extensions in seven different tables. One of these tables (the addon table) contains the important forensic information, which can be found in the columns "descriptor", "installDate", and "sourceURL".

Browser History

formhistory.sqlite

It maintains all the data used for filling out forms online. All the potentially probative data is found in the "value" column; the "firstUsed" and "lastUsed" columns store the associated time stamp information. In addition, search keywords are recorded under "searchbarhistory" entries in the "fieldname" column.


permissions.sqlite

It contains the details of the permissions assigned to multiple sites, stating whether pop-ups are allowed or not. The sites are stored in the "host" column, and the data is stored in the "moz_hosts" table.

Search Engines

search.sqlite

The search.sqlite file lists the available search engines that can be used by Mozilla Firefox.

App Store

chromeappstore.sqlite

It contains details regarding the search engine in the table webappstore2.


webappstore.sqlite

It contains a table that stores the software methodology and protocols used in the web browser and the web storage types. The data is persistent: deleting the history, cookies, or other information does not lead to the actual deletion of this data.

The above discussed files are used for digital investigation purpose.

How to Open Mozilla Firefox Sqlite Files

The Sqlite files of Mozilla Firefox can be opened with the Sqlite Manager add-on. After installing Sqlite Manager, open any .sqlite file by following these instructions:
Click Tools > Sqlite Manager > Connect Database, enter the path of the .sqlite file, and click Open.
You can also use third-party tools to open and analyze a Sqlite file.
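
A scripted alternative to a GUI viewer, covering the "sqlite_master" schema lookup and the moz_cookies columns described above. This is an added example, not code from the original article: it opens a working copy read-only and renders the cookie timestamps in UTC. The sample database and its rows are constructed, the helper names are hypothetical, and the timestamps are assumed to be microseconds since the Unix epoch.

```python
import sqlite3
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def build_sample_cookie_db(path):
    """Constructed stand-in for cookies.sqlite; the rows are invented, not evidence."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT,"
                " host TEXT, lastAccessed INTEGER, creationTime INTEGER)")
    con.executemany(
        "INSERT INTO moz_cookies (baseDomain, host, lastAccessed, creationTime)"
        " VALUES (?, ?, ?, ?)",
        [("example.com", "www.example.com", 1400000600000000, 1400000000000000),
         ("ads.example", ".ads.example", 1400000300000000, 1400000300000000)])
    con.commit()
    con.close()

def open_read_only(path):
    """Open a working copy with mode=ro so no query can modify the file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def list_schema(con):
    """Table names and CREATE statements as recorded in sqlite_master."""
    return con.execute("SELECT name, sql FROM sqlite_master "
                       "WHERE type = 'table' ORDER BY name").fetchall()

def to_utc(microseconds):
    """Assumption: the value is microseconds since the Unix epoch."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc).isoformat()

def cookie_timeline(con):
    """Cookies ordered by creation time, with both timestamps rendered in UTC."""
    rows = con.execute("SELECT baseDomain, host, creationTime, lastAccessed "
                       "FROM moz_cookies ORDER BY creationTime")
    return [(base, host, to_utc(created), to_utc(accessed))
            for base, host, created, accessed in rows]

def demo():
    path = Path(tempfile.mkdtemp()) / "cookies.sqlite"
    build_sample_cookie_db(path)
    con = open_read_only(path)
    result = list_schema(con), cookie_timeline(con)
    con.close()
    return result

if __name__ == "__main__":
    schema, timeline = demo()
    print(*schema, *timeline, sep="\n")
```

Run the queries against a copy of the profile file rather than the original, and record a hash of the copy before and after analysis.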

The Firefox application stores its data in Sqlite databases, and the files can be viewed with various applications such as Sqlite Manager. Mozilla Firefox Sqlite files contain various tables to store individual data, and forensic investigation is then applied to these files. The files store data in a protected way, and it remains in the tables after deletion by the user. During Mozilla Firefox forensics, these Sqlite files are very helpful for extracting digital information.

The Mozilla Firefox Sqlite file stores a heap of crucial and sensitive information. During investigations, experts need a solution for preservation and extraction of evidence. Sqlite Forensic Explorer stands as a comprehensive Sqlite database analysis platform equipped with versatile features.