Web History, Visits, Bookmarks & Search Terms
Downloads, Top Sites & Recently Closed Tabs
Did I mention that browsers have a ridiculous amount of data for an examiner to find? In this post we'll look at Cookies, Permissions and Form History. I hope you're hungry!
All of the relevant databases are generally found under the following path:
data\data\org.mozilla.firefox\files\mozilla\*.default\
The "default" profile will have its own unique GUID of sorts.
Cookies
The Cookies database resides at the path:
data\data\org.mozilla.firefox\files\mozilla\*.default\cookies.sqlite*
There is only one table in the database, so you can't go wrong there; it's called "moz_cookies". A few columns of interest include:
- lastAccessed - last accessed timestamp in Unix Epoch microseconds
- creationTime - created timestamp in Unix Epoch microseconds
- host - webpage that is hosting the cookie
- name - name of the actual cookie being used
- value - value that the cookie contains
- expiry - expiration timestamp of the cookie in Unix Epoch seconds
- path - path of any extra associated files (not entirely sure but did see some references to JavaScript files)
Get the query here, see the results from Josh's test image below:
Permissions
Permissions was one of the harder items to test. It was difficult to find good webpages that would throw up the permissions pop-up on mobile. Regardless, I could make some inferences, but more testing is probably needed. You can find the database at the path:
data\data\org.mozilla.firefox\files\mozilla\*.default\permissions.sqlite
The table is called "moz_perms" and the columns I pulled out were as follows:
- modificationTime - timestamp of the modification of the specific permission
- origin - the webpage the permission is coming from
- type - the actual permission name (ex. "autoplay-media-audible" or "storageAccessAPI")
- permission - status of the permission
  - 1 = Allow
  - 2 = Block
  *Note* There may be more granular permission statuses but I haven't been able to produce them at this time.
- expireTime - expiration timestamp of the permission
You can use the query from my GitHub to produce similar results as below:
Figure 2: Permissions output from DB Browser for SQLite
Form History
Form History or autofill are items entered into fields in forms and saved for potential future use. It can be useful in seeing what a person may be entering as well as how often. The Form History database file can be found at the following path:
data\data\org.mozilla.firefox\files\mozilla\*.default\formhistory.sqlite
The main table inside is called "moz_formhistory" and we can find these columns useful:
- firstUsed - first time that value and field have been used in Unix Epoch microseconds
- lastUsed - last time that value and field have been used in Unix Epoch microseconds
- fieldname - identifier for a specific field (not sure if there is a standardized list out there somewhere but I do see "ts" that looks to be a timestamp)
- value - actual value entered into a form field
- timesUsed - a count of how many times that value and field have been used
- id - unique identifier for each entry
Query is here, sample output below:
Figure 3: Form History output from DB Browser for SQLite
These three parsers are also now available in ALEAPP, happy hunting!
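As an added example (not the queries linked above and not ALEAPP's code), the Python below reads the three tables described in this post and normalises their timestamps, including the seconds-versus-microseconds split inside moz_cookies. The rows are constructed, the three tables share one in-memory database for brevity, the millisecond unit for the moz_perms timestamps is an assumption the post does not state, and any permission value other than 1 or 2 is reported as unknown rather than guessed.

```python
import sqlite3
from datetime import datetime, timezone

US, MS, S = 1_000_000, 1_000, 1          # epoch units per second
PERMISSION = {1: "Allow", 2: "Block"}    # the two states documented in the post

def ts(value, unit):
    """Epoch integer in the given unit -> UTC string; 0/NULL -> None."""
    if not value:
        return None
    return datetime.fromtimestamp(value // unit, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def parse_cookies(con):
    q = ("SELECT host, name, value, path, creationTime, lastAccessed, expiry "
         "FROM moz_cookies ORDER BY lastAccessed")
    return [{"host": h, "name": n, "value": v, "path": p, "created": ts(c, US),
             "last_accessed": ts(a, US), "expires": ts(e, S)}   # expiry is in seconds
            for h, n, v, p, c, a, e in con.execute(q)]

def parse_permissions(con):
    q = "SELECT origin, type, permission, modificationTime, expireTime FROM moz_perms"
    return [{"origin": o, "type": t, "status": PERMISSION.get(p, f"Unknown ({p})"),
             "modified": ts(m, MS), "expires": ts(x, MS)}       # ms is an assumption
            for o, t, p, m, x in con.execute(q)]

def parse_form_history(con):
    q = ("SELECT id, fieldname, value, timesUsed, firstUsed, lastUsed "
         "FROM moz_formhistory ORDER BY lastUsed")
    return [{"id": i, "field": f, "value": v, "times_used": n,
             "first_used": ts(a, US), "last_used": ts(b, US)}
            for i, f, v, n, a, b in con.execute(q)]

def build_sample():
    """Constructed rows; on a device each table lives in its own .sqlite file."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
      CREATE TABLE moz_cookies(host, name, value, path, creationTime, lastAccessed, expiry);
      CREATE TABLE moz_perms(origin, type, permission, modificationTime, expireTime);
      CREATE TABLE moz_formhistory(id, fieldname, value, timesUsed, firstUsed, lastUsed);
      INSERT INTO moz_cookies VALUES('example.com','sid','abc123','/',1600000000000000,1600000060000000,1700000000);
      INSERT INTO moz_perms VALUES('https://example.com','autoplay-media-audible',1,1600000000000,0);
      INSERT INTO moz_perms VALUES('https://example.com','storageAccessAPI',9,1600000000000,0);
      INSERT INTO moz_formhistory VALUES(1,'email','user@example.com',3,1600000000000000,1600000060000000);
    """)
    return con

if __name__ == "__main__":
    for parse in (parse_cookies, parse_permissions, parse_form_history):
        print(parse.__name__, parse(build_sample()))
```

Against a real extraction, open each .sqlite file read-only on a working copy, keeping any companion files that sit beside it, so the evidence itself is not modified.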