Thursday, January 28, 2010

Mental Note on Firefox forensics using Firefox 3 Extractor

I left a post the other day on Firefox forensics, linking to Harlan's great page.

However, I wanted to dig a little further. I went to the Firefox 3 Forensics site and downloaded the Firefox 3 Extractor. It took a few minutes to get it right, but when I got it running, it was awesome; and a little eye opening.

First, I copied f3e.exe and sqlite3.dll into my Firefox profile directory. I launched f3e, but couldn't get any results. Remembering my old SQL developer days, it dawned on me that the files were locked as I had Firefox open. So, I closed Firefox and reran. Bingo. The internet history report came out. I tried to run another report, and the program failed with an error message.

So, this time, I followed the directions and copied the Firefox sqlite files to a separate directory, and dumped f3e.exe and sqlite3.dll in there. Now, I could run any report, as many times as I like.

A couple of things I like:
The program asks for a case reference (maybe the profile of the subject)
The program asks for a case name.
The program asks for the investigator.
With the internet history report option, you are asked if you want to use the favicons.

I chose the Internet History Usage report, which was D on my menu. After answering the questions, the html file is named "case reference" - "case investigator" - Internet Usage.html so it is easy to find if you are running many reports.
Besides giving you the reference, name, and investigator, the report shows:
the top 20 most visited sites, with their counts, and,
A table with rows showing: favicon (if used), visit date, url, title, and if the url was typed.

I found it interesting going through the table that Yahoo mail uses the subject of the email as the title of the page. This could be useful if having to trace through web email.

I ran the other reports and have only skimmed the .csv files that have been produced. A quick look shows a detailed cookie analysis, a forms history file, a detailed bookmarks analysis, favorite icon analysis, and a couple of others that were blank (I might not be recording that information.)

There is a mini-FAQ that lists where the various profile directories are stored.

Running the tool got me to consider the difference between "Private Browsing" and "Clearing Private Data". Normally, I clear my private data at the end of each session. But, I'm thinking of moving to Private Browsing, as it appears private browsing does not write the information to the hard drive.

So far, this is a great tool that I plan to use in the future.
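The copy-then-query workflow and the two parts of the Internet History Usage report described above (most-visited sites, and a visit table with date, URL, title and typed flag) can be reproduced directly against places.sqlite. This is an added example, not part of the original post and not the Firefox 3 Extractor's own code; it assumes Firefox is closed, and the sample database, hostnames and function names are constructed for illustration.

```python
import shutil, sqlite3, tempfile
from datetime import datetime, timezone
from pathlib import Path

def build_sample_profile(profile_dir):
    """Constructed sample data: a cut-down places.sqlite, not a real profile."""
    db = sqlite3.connect(Path(profile_dir) / "places.sqlite")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER, typed INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER);
        INSERT INTO moz_places VALUES
          (1, 'http://mail.example.test/inbox', 'Re: quarterly numbers', 3, 0),
          (2, 'http://news.example.test/', 'Example News', 1, 1);
        INSERT INTO moz_historyvisits VALUES
          (1, 1, 1264636800000000), (2, 2, 1264640400000000),
          (3, 1, 1264644000000000), (4, 1, 1264647600000000);
    """)
    db.close()

def history_report(profile_dir, work_dir, top_n=20):
    """Copy places.sqlite out of the profile, then query only the copy."""
    copy = Path(work_dir).resolve() / "places.sqlite"
    shutil.copy2(Path(profile_dir) / "places.sqlite", copy)
    db = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)  # read-only
    try:
        top = db.execute(
            "SELECT url, visit_count FROM moz_places WHERE visit_count > 0 "
            "ORDER BY visit_count DESC, url LIMIT ?", (top_n,)).fetchall()
        rows = db.execute(
            "SELECT v.visit_date, p.url, p.title, p.typed "
            "FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
            "ORDER BY v.visit_date").fetchall()
    finally:
        db.close()
    # visit_date is PRTime: microseconds since the Unix epoch, UTC
    visits = [(datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat(),
               url, title, bool(typed)) for us, url, title, typed in rows]
    return top, visits

def demo():
    with tempfile.TemporaryDirectory() as profile, \
         tempfile.TemporaryDirectory() as work:
        build_sample_profile(profile)
        return history_report(profile, work)

if __name__ == "__main__":
    top, visits = demo()
    print(top)
    for v in visits:
        print(v)
```

Opening the working copy read-only keeps repeated report runs from altering the evidence file, and the original in the profile directory is never opened by SQLite at all.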

3 comments:

  1. Can you upload the program? (a new download link)
    firefoxforensics.com no longer works :(
    Thanks!

  2. Hey, thanks for the comment. I looked around, and you're right, the site does appear down. To that end, I'm trying to find all the pieces of the tool to package together.

  3. OK, I will check back on this post if you get a new link
    thanks
