This is a continuation of a discussion on Firefox forensics begun in the Fall 2012 issue of DFI News. Read part 1 at www.dfinews.com/article/mozilla-firefox-forensics.

Browser Basics
The most prevalent software applications in use today are probably Web browsers. They are used for viewing, retrieving, traversing, and presenting information resources obtained from the Web. Although browsers are complex software applications, they have common functionality regarding their main components. A simplified overview of their high level structure is as follows:

• User Interface - the entire browser display except for its main window.
• Browser Engine - takes the marked up content (XML, HTML, etc.) and formatting information (CSS, XSL, etc.) and displays it on the monitor’s screen.
• Rendering Engine - responsible for displaying the requested content.
• Networking - used for network calls (HTTP, etc.).
• UI Backend - used for drawing widgets such as windows and combo boxes.
• JavaScript Interpreter - software which interprets/executes JavaScript.
• Data Storage - a persistence layer consisting of the data that the browser stores on the computer hard drive.

When a URL is entered into the address bar, the browser communicates with a name server to resolve it into an IP address. This allows the browser to connect to the appropriate Web server using HTTP. Once connected, HTTP commands then direct the Web server to retrieve and transmit data back to the browser. The browser reads the HTML and displays the information resources (HTML document, a .pdf file, an image, a video, etc.) which were identified by a Unified Resource Identifier (URI). The browser then saves the Web documents in its cache using Web caching technology. Caching of Web objects reduces the bandwidth usage and server load and allows the browser to retrieve the same Web page much faster when it is visited at a later time. It also allows recently viewed Web pages to be viewed offline and copied although some of the features such as Flash animations and “real time” objects found on the Web page may not function.

Firefox Cache Location
The Firefox cache contains both metadata (information about the various cache entries) and data (the cached items themselves) which can be of immense forensic importance. Cache files are located as follows in Windows 7 and 8:

• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\jumplistCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\OfflineCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\startupCache

In the C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache directory there are four primary internal files:

• _CACHE_001_ - stores small metadata and data entries in 512-byte blocks.
• _CACHE_002_ - stores medium-sized metadata and data items in 1024-byte blocks.
• _CACHE_003_ - stores large metadata and data items in 4096-byte blocks.
• _CACHE_MAP_ - contains the index to both the metadata and the data and links them together. A working copy is stored in memory when Firefox is running while the other cache files are continuously updated during Web browsing.

Additionally, there may be any number of external directories/files which are used to store very large metadata items or data.

Viewing the Firefox Cache
Firefox has a built-in feature which allows direct viewing access to cache files. With the Firefox browser running, entering “about:cache” into the address field and pressing the Enter key on the keyboard will load the “Information about the Cache Service” screen. Information concerning the memory cache device, disk cache device, and offline cache device will be displayed and appear as follows: