Read Part 2 of Mozilla Firefox Forensics.

Firefox SQLite Relational Database Management System
The majority of potential forensic information does not reside in the Windows Registry, but rather in two directories located in the individual User account(s). The first directory, “C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache\,” stores the Firefox Cache which contains information about the various cache entries (metadata) and the cached items themselves (data). Cache entries can be of immense forensic importance. The other directory, “C:\Users\[User]\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\,” stores the SQLite Relational Database Management System (RDMS). RDMSs are primarily used to store and manage User-defined records and generate data summaries and reports through the use of query commands that can access and combine data from multiple tables. The SQLite RDMS is a public domain software package which is an embeddable, integral part of an application and not a separate process that is accessed from a client. It does not require the use of a separate server process or system. SQLite RDMSs have a small default code footprint (around one megabyte), efficiently uses disk space and memory (usually a couple of megabytes), and requires no configuration. The entire database (tables, definitions, data, and indices) is stored on the host device as a single cross platform file which is locked during writing events.

Firefox Database Files
Each User on a system has his own SQLite RDMS in his profile and it is important to note that the data in the files is profile specific. Normally, the databases would be extracted from an acquired image and examined on a forensic machine using tools such as FoxAnalysis, SQLite Database Browser, Firefox 3 Extractor, sqlite3_analyzer, or SQLite Manager. However, data from any SQLite table can be viewed directly within Firefox itself by using the SQLite Manager add-on which also supports exporting the data to a spreadsheet. (It should be noted that a sophisticated User can manipulate the data by adding or deleting information from the files using this add-on).

Firefox (version 16.0.2) typically includes twelve SQLite databases, each of which performs a different function such as storing bookmarks, cookies, places visited, searches, and so forth. The database files are as follows:

  • addons.sqlite
  • chromeappsstore.sqlite
  • content-prefs.sqlite
  • cookies.sqlite
  • downloads.sqlite
  • extensions.sqlite
  • formhistory.sqlite
  • permissions.sqlite
  • places.sqlite
  • search.sqlite
  • signons.sqlite
  • webappsstore.sqlite

Every SQLite database contains the “sqlite_master” table which defines the schema for that database. The number of other additional tables will vary depending upon the function of the database. All date/time stamps in the tables are stored as UNIX numeric values which can be decoded by using an application such as DCode.

There are four tables in the file: “addon,” “developer,” “screenshot,” and “sqlite_sequence.” The “addon” table contains all sorts of useful information such as the name of each add-on, its version number and description, its creator and the creator’s URL, developer notes, a support URL, the homepage URL, and the number of total downloads. There could be add-ons listed here that the User is not aware of, such as additional toolbars. Selecting “Add-ons” from the main Firefox drop down menu will display the “Add-ons Manager” tab. Selecting “Extensions” on the tab will provide a listing of all add-ons.

There is one table in the file, “webappsstore2” which contains information regarding the search engine.

There are three tables in the file, “groups,” “prefs,” and “settings.” A User can set site-specific preferences for browsers and content settings (page style, text zoom, etc.). Those preferences can remain persistent across browsing sessions and page visits. Along with browser history, this is an indicator of intentionally visited sites and not accidental or casual visits. The sites visited are maintained in the “groups” table.

Some Web sites use tracking cookies to create User profiles. Other sites use cookies for advertising purposes. The fact that a cookie is present does not necessarily mean that the User visited that site. When a User elects to remove cookies using Web browser functionality or a cookie-cleaner application, they may or may not all be deleted. Alternative cookie storage locations and the persistence of cookies and their processes can have an effect upon whether or not a cookie is deleted. Firefox stores its cookies in the only table in the file, “moz_cookies.” Data of forensic interest can be found in the “baseDomain,” “host,” “lastAccessed,” and “creationTime” columns.

Firefox stores a list of all files downloaded in the “moz_downloads” table which is used to populate the popup download queue. They remain in the table as long as the User does not clear the queue. Valuable forensic information can be found in the table. The names of all the files downloaded, their source, downloaded destination, and the start and end times of the download are all recorded. If the data in the “currBytes” and “maxBytes” columns is the same, that is indicative that the download completed successfully.

The file stores data about installed extensions and contains seven tables: “addon,” “addon_locale,” “locale,” “locale_strings,” “sqlite_sequence,” “targetApplication,” and “targetPlatform.” The “addon” table contains valuable forensic information, some of which can be found in the “descriptor,” “installDate,” and “sourceURI” columns.

The file only contains one table, “moz_formhistory,” but it stores a wealth of forensic information. All historical data for every form that a user ever filled out while online is maintained in the file! Potential probative data, such as e-mail addresses, actual names and addresses, phone numbers, and so forth can be found in the “value” column. Also the “firstUsed” and “lastUsed” columns record the date/timestamp information associated with the data. Additionally, if a User entered any search terms into the search bar, they will be recorded in the “fieldname” column under the “searchbar-history” entries.

The file contains a history of the permissions that are assigned to various sites, for example, whether or not pop-ups are allowed. The data is stored in the file’s only table, “moz_hosts” and the sites are listed in the “host” column.

The remaining four tables, “places.sqlite,” “search.sqlite,” “signons.sqlite,” and “webappsstore.sqlite” will be discussed in Part 4 of this article.

Software mentioned should not be considered as an endorsement by Forensic Magazine or by the author. Prior to purchasing or obtaining any tool, investigators and examiners should research those that are available to determine which best meet their technical and operational performance parameters. After procurement, the tools functionality must be verified before being used for forensic examinations.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence.