Mozilla Firefox Forensics: Part 2

Thu, 12/20/2012 - 7:01am
John J. Barbara

This is a continuation of a discussion on Firefox forensics begun in the Fall 2012 issue of DFI News. Read part 1 at

Browser Basics
The most prevalent software applications in use today are probably Web browsers. They are used for viewing, retrieving, traversing, and presenting information resources obtained from the Web. Although browsers are complex software applications, they have common functionality regarding their main components. A simplified overview of their high level structure is as follows:

  • User Interface - the entire browser display except for its main window.
  • Browser Engine - takes the marked up content (XML, HTML, etc.) and formatting information (CSS, XSL, etc.) and displays it on the monitor’s screen.
  • Rendering Engine - responsible for displaying the requested content.
  • Networking - used for network calls (HTTP, etc.).
  • UI Backend - used for drawing widgets such as windows and combo boxes.
  • JavaScript Interpreter - software which interprets/executes JavaScript.
  • Data Storage - a persistence layer consisting of the data that the browser stores on the computer hard drive.

When a URL is entered into the address bar, the browser communicates with a name server to resolve it into an IP address. This allows the browser to connect to the appropriate Web server using HTTP. Once connected, HTTP commands then direct the Web server to retrieve and transmit data back to the browser. The browser reads the HTML and displays the information resources (HTML document, a .pdf file, an image, a video, etc.) which were identified by a Unified Resource Identifier (URI). The browser then saves the Web documents in its cache using Web caching technology. Caching of Web objects reduces the bandwidth usage and server load and allows the browser to retrieve the same Web page much faster when it is visited at a later time. It also allows recently viewed Web pages to be viewed offline and copied although some of the features such as Flash animations and “real time” objects found on the Web page may not function.

Firefox Cache Location
The Firefox cache contains both metadata (information about the various cache entries) and data (the cached items themselves) which can be of immense forensic importance. Cache files are located as follows in Windows 7 and 8:

• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\jumplistCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\OfflineCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\startupCache

In the C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache directory there are four primary internal files:

_CACHE_001_ - stores small metadata and data entries in 512-byte blocks.
_CACHE_002_ - stores medium-sized metadata and data items in 1024-byte blocks.
_CACHE_003_ - stores large metadata and data items in 4096-byte blocks.
_CACHE_MAP_ - contains the index to both the metadata and the data and links them together. A working copy is stored in memory when Firefox is running while the other cache files are continuously updated during Web browsing.

Additionally, there may be any number of external directories/files which are used to store very large metadata items or data.

Viewing the Firefox Cache
Firefox has a built-in feature which allows direct viewing access to cache files. With the Firefox browser running, entering “about:cache” into the address field and pressing the Enter key on the keyboard will load the “Information about the Cache Service” screen. Information concerning the memory cache device, disk cache device, and offline cache device will be displayed and appear as follows:

• Memory cache device
Number of entries
Maximum storage size
Storage in use
Inactive storage
List Cache Entries

• Disk cache device
Number of entries
Maximum storage size
Storage in use
Cache directory
List Cache Entries

• Offline cache device
Number of entries
Maximum storage size
Storage in use
Cache directory

Both “List Cache Entries” are hyperlinks. Clicking on either one will cause the cached files or objects to be displayed along with their original link location URLs. For instance, clicking on the link under “memory cache device” will display information regarding the key, data size, fetch count, last modified, and expires that is stored in memory. The information is searchable. Clicking on any of the entries will display the “Cache entry information” screen for that entry and provide a wealth of potential forensic information such as:

  • Key - the URL.
  • Fetch count – number of times accessed.
  • Last fetched – yyyy-mm-dd-hh:mm:ss.
  • Last modified – yyyy-mm-dd-hh:mm:ss.
  • Expires – yyyy-mm-dd-hh:mm:ss.
  • Data size – size of the file.
  • File on disk – none.
  • Security - document does not have any security information associated with it.
  • Client – HTTP.
  • Request method – GET (may or may not be present)
  • Response head – HTTP, server information, etc. (may or may not be present).
  • Charset - (may or may not be present).
  • Charset source - (may or may not be present).

Likewise, clicking on the link under “Disk cache device” and clicking on any of its entries will provide similar information. Clicking on one of the key entries should open the URL or provide other pertinent information. Note that the “File on disk” may point to the directory where it is stored on the hard drive!

The free Firefox add-on, CacheViewer, provides a GUI front end instead of having to use “about:cache.” In addition to providing a searching capability for both memory and disk cache files, it includes a sorting functionality to sort the key, size, MIME type, device, and last fetched columns. An additional feature is a preview pane for images and the ability to copy them for later examination. For instance, searching for “.jpg” will provide a list of all the URLs that contain a .jpg and clicking on one of the “key” URLs will display that .jpg image in the preview pane. Right clicking on the key URL will also provide “Open in Browser” and “Save as” functionalities for that .jpg. Alternately, the free standalone utility MozillaCacheView can be used to read the cache folder on a live system or pointed to the location of an external cache. It provides forensic information such as the URL, Content Type, Fetch Count, Last Fetched, Cache Name, Server Name, Server Time, and so forth. The information can be exported to a CSV/Tab-Delimited File or viewed as an HTML Report.

This article will be continued in the next issue of Forensic Magazine.

John J. Barbara owns Digital Forensics Consulting, LLC, providing consulting services for companies and laboratories seeking digital forensics accreditation. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence.


Share this Story

You may login with either your assigned username or your e-mail address.
The password field is case sensitive.