Sqlite is extensively used database format for both, iOS and Android, and various built-in applications lean towards Sqlite to store their data. Many web browsers such as Chrome & Firefox and instant messaging applications (WhatsApp, etc.) are also using Sqlite as a database. Firefox contains individual files for each different function such as cookies, searches, cookies, places visited and so forth, thus it has total 12 Sqlite files. The data contains in these files are profile specific since every user has his personal Sqlite RDMS. During Mozilla Firefox forensics, experts use these Sqlite files for the purpose of analysis by opening them in any database viewer.
Various Sqlite Database files are as follows:
Each of the files has "sqlite_master" table that defines a schema for that database.
The path of the Sqlite files is different for different platforms, the default location of Sqlite files under Mozilla Firefox forensics are provided below:
C:\Documents and Settings\%USERNAME%\Application Data\Mozilla\Firefox\
It contains 3 tables – groups, prefs, and settings. A user can set the specific preferences for browser and content settings that remain persistent during the whole browsing session along with browser history. For investigation of Mozilla Firefox Sqlite files, it works as an indicator of intentionally or accidently visited sites.
This table stores all the useful information about each add-on, such as name od add-on, version number, description, developer notes, support URL, creator and creator's URL, homepage URL and total number of downloads. While carrying out Mozilla Firefox forensics techies can use this table in order to find the details of all installed add-ons.
The cookies are generated in two ways – one is to create the user profiles and other is for advertising purpose. So, it is clear that availability of the cookie does not mean that the user has visited that site. Firefox store the cookies in a table within the file "moz_cookies". Important columns for Sqlite file analysis need within the cookie database are baseDomain, host, lastAccessed, and creationTime.
It contains the information about the user credentials such as username and password that are being saved by the user during site visits. This information is maintained in the columns "encryptedUsername" and "encryptedPassword" in encrypted form. The time stamp information is also saved that consist the time of creation, last usage, last changed of the password. The number of times a site is visited is also saved in "timeUsed" column. It helps investigator to extract crucial artifacts while conducting Mozilla Firefox forensics.
It contains a file that maintains all the data used for filling out a form online. All the potential probative data is found in "value" column; other columns are "firstUsed" and "lastUsed" stores the associated time stamp information. In addition, the search keywords are also recorded in "fieldname" column within "searchbarhistory" entries.
The above discussed files are used for digital investigation purpose.
The Sqlite files of Mozilla Firefox can be opened with the help of available add-on Sqlite Manager. After installation of the Sqlite Manager, open any of the .sqlite file by following the instructions:
Click on Tools>Sqlite Manager> Connect Database> Path of .sqlite file and click open.
You can also use some third-party tools to open & analyze Sqlite file.
Firefox application stores its data in Sqlite database and the files can be viewed with various applications like Sqlite Manager. Mozilla Firefox Sqlite files contain various tables to store individual data. Then forensic investigations are applied on such files stored in database. These files store data in a protective way that remains in the tables after deletion by user. During Mozilla Firefox forensics, these Sqlite files are much helpful to extract the digital information.
The Mozilla Firefox Sqlite file stores heap of cricial and sensitive information. During investigations, experts need a solution for preservation and extraction of evidence. Sqlite Forensic Explorer stands as a comprehensive Sqlite database analysis platform equipped with versatile features.