# Firefox Artifacts Extraction
## Objective

The goal of Firefox forensics is to trace user activity on the system through browsing records, cookies, bookmarks, form data, and login data. These artifacts help determine:

- Browsing history
- Cookies
- Bookmarks
- Form input data
- Login credentials

They are used to:

- Track the user's online activity
- Accurately determine browsing behavior and timeline
- Detect attempts to hide evidence such as history deletion or private browsing
- Uncover illegal use like:
  - Accessing stolen accounts
  - Visiting hacking or leak sites
  - Downloading suspicious tools
## Practical Scenarios

We are analyzing Firefox data in one of the following scenarios:

| Scenario Type | Description |
|---|---|
| Live Analysis | The system is running, and we're analyzing directly. |
| Mounted Analysis | Analyzing a disk or disk image from another system (e.g., in SIFT Workstation). |
## Firefox Artifact Paths on Linux Systems

Ubuntu / Linux Mint (when installed via Snap):

```
/home/USERNAME/snap/firefox/common/.mozilla/firefox/
```

- Contains profile folders and SQLite databases
- Snap runs in a sandbox, hence the different path

Kali / SIFT (when installed via apt):

```
/home/USERNAME/.mozilla/firefox/
```

For example:

```bash
cd /home/as/.mozilla/firefox/i8moxwwr.default-esr
cd /home/sansforensics/.mozilla/firefox/xn53uh5w.default-release/
```

- Default path for apt-based installations
- Used in distros like Kali and SIFT
- In SIFT, evidence paths are often mounted as `/mnt/evidence/home/USERNAME/.mozilla/firefox/`

DF Tip: Always make sure the image is mounted properly and work on a copy, not the original.
## Profile Folder Components

Inside folders like `xxxxxxxx.default-release` or `xxxxxxxx.default-esr` you'll find the key databases:

| File | Description |
|---|---|
| places.sqlite | Main database: browsing history + bookmarks |
| cookies.sqlite | Stores cookies: sessions, site settings |
| favicons.sqlite | Site icons, giving visual context of activity |
| formhistory.sqlite | Form input history (e.g., search terms) |
| webappsstore.sqlite | LocalStorage data for web apps |
| logins.json + key4.db | Saved login data; encrypted, and the key held in key4.db is needed to decrypt it |

```bash
cd /home/as/.mozilla/firefox/i8moxwwr.default-esr
ls *.sqlite *.json *.db
```

If the files aren't found, try:

```bash
cd /home/as/.mozilla/firefox/yi64xyq1.default
```
## Practical Analysis Steps

### 1. Locate Relevant Files

```bash
find /home -type f -name "places.sqlite"
```

### 2. Copy Files for Analysis

```bash
cp /home/USERNAME/.mozilla/firefox/xxxxxxxx.default-release/places.sqlite ~/Desktop/
```

### 3. Analyze with SQLite Viewer

- Site: SQLViewer
- Upload `places.sqlite`

Key tables inside:

| Table | Purpose |
|---|---|
| moz_places | Visited URLs |
| moz_historyvisits | Links URL to visit timestamps |
| moz_bookmarks | User's saved bookmarks |
| moz_bookmarks_deleted | Deleted bookmarks (very important) |
| moz_inputhistory | Typed entries in address bar |
| moz_keywords | Bookmark keywords |
| moz_places_extra | Extra visit data |
| moz_historyvisits_extra | Time spent on site |
| moz_origins | Domain origins |

Tip: Join `moz_places` and `moz_historyvisits` for a timeline view of user activity.
## Advanced Tools for Firefox Artifacts Analysis

| Tool | Functionality |
|---|---|
| sqlite3 | Quick command-line analysis |
| Browser History Examiner | Visual browsing history analysis (Windows) |
| Hindsight (by Obsidian) | Open-source Python tool to analyze browser history and generate reports |
| Autopsy | Forensics suite with built-in browser module |
## What Can Firefox Forensics Reveal?

- Visited websites and timestamps
- Bookmark analysis to reveal sites of interest
- Cookie analysis to extract:
  - Active sessions
  - Site tracking artifacts
- Temporal correlation between browsing and other system events
- Detection of concealment attempts (private mode, history deletion)
## Pro Tips in Digital Forensics

- Always work on a read-only copy
- Use `stat` to check file timestamps:

  ```bash
  stat places.sqlite
  ```

- Correlate findings with:
  - Bash history
  - System logs (`/var/log/syslog`)
  - USB activity logs
- Check all profiles; there may be multiple users
## Practical Example: Visit Timeline

Opening the file using SQLite.

### Option 1: Terminal using sqlite3

```bash
sqlite3 ~/Desktop/places.sqlite
```

Inside SQLite, run:

```sql
SELECT
  moz_places.url,
  datetime(moz_historyvisits.visit_date/1000000,'unixepoch') AS visit_time
FROM
  moz_places, moz_historyvisits
WHERE
  moz_places.id = moz_historyvisits.place_id
ORDER BY
  visit_time DESC
LIMIT 20;
```

To exit SQLite:

```
.exit
```

Why divide the timestamp by 1,000,000?

Because `visit_date` is stored in microseconds since the Unix epoch. To convert it to seconds (as `datetime(...,'unixepoch')` expects), you must divide by 1,000,000.

End Result?

You'll extract the last 20 visited websites along with their timestamps, which is extremely useful when building a user activity timeline during an investigation.
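The same moz_places / moz_historyvisits join and the microsecond conversion, as an added example that is not part of the original notes: it builds a constructed in-memory stand-in for places.sqlite (only a subset of the real columns, with made-up URLs and PRTime values) so the query can be run and checked offline before pointing it at real evidence.

```python
# Added worked example: the page's visit-timeline query run against a
# constructed in-memory stand-in for places.sqlite. visit_date is PRTime
# (microseconds since the Unix epoch), hence the division by 1,000,000.
import sqlite3
from datetime import datetime, timezone

US_PER_SEC = 1_000_000  # PRTime microseconds -> Unix seconds

# Same join as the page's query; ordering on the raw microsecond value keeps
# visits that fall in the same second in the right order.
TIMELINE_SQL = """
SELECT p.url, datetime(h.visit_date / 1000000, 'unixepoch') AS visit_time
FROM moz_places AS p
JOIN moz_historyvisits AS h ON p.id = h.place_id
ORDER BY h.visit_date DESC
LIMIT ?;
"""

def prtime_to_utc(us: int) -> str:
    """Convert a PRTime microsecond value to 'YYYY-MM-DD HH:MM:SS' UTC."""
    dt = datetime.fromtimestamp(us // US_PER_SEC, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S")

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for places.sqlite (a subset of the real columns)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                                 visit_count INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER,
                                        visit_date INTEGER, visit_type INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?, ?, ?, ?)", [
        (1, "https://example.com/login", "Login", 2),
        (2, "https://example.org/docs", "Docs", 1),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?, ?)", [
        (1, 1, 1_700_000_000_000_000, 1),  # constructed: 2023-11-14 22:13:20 UTC
        (2, 2, 1_700_000_060_000_000, 1),  # one minute later
        (3, 1, 1_700_000_120_000_000, 1),  # two minutes later, same URL revisited
    ])
    return conn

def visit_timeline(conn: sqlite3.Connection, limit: int = 20) -> list:
    """Return [(url, 'YYYY-MM-DD HH:MM:SS'), ...], newest visit first."""
    return conn.execute(TIMELINE_SQL, (limit,)).fetchall()

if __name__ == "__main__":
    for url, when in visit_timeline(build_sample_db()):
        print(when, url)
```

Replace `build_sample_db()` with `sqlite3.connect("file:places.sqlite?mode=ro", uri=True)` on a copied database to run the same query against real evidence without writing to it.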
## Summary of File Analysis Outputs

| Artifact Type | What It Reveals |
|---|---|
| moz_places | Visited websites |
| moz_historyvisits | Visit timestamps and durations |
| moz_bookmarks | User's bookmarked/favorite sites |
| moz_bookmarks_deleted | Bookmark deletion attempts |
| cookies.sqlite | Active sessions, possible account access |
| logins.json + key4.db | Logged-in accounts (even if history is deleted) |
| formhistory.sqlite | Search terms and form data |
## Additional Useful Tools

| Tool | Use Case |
|---|---|
| sqlite3 | Fast terminal-based analysis |
| SQLite Viewer | Visual SQLite analysis |
| Browser History Examiner | Powerful GUI tool (Windows) |
| Autopsy | Comprehensive forensics platform with browser support |
| Hindsight | Python tool to analyze Chrome and Firefox with timeline reporting |