Sunday, November 1, 2015

FireFox 41.0.1 Browsing session analysis - formhistory.sqlite

In the post on mounting the image, I mounted it to the "tmp/" folder which is part of my current working directory. I will now switch to the "tmp/" folder then the "FirefoxPortable", then "Data", then "profile". The profile directory contains the ".sqlite" files.

Now that we have the list of ".sqlite" files, let's start with "formhistory.sqlite"
According to the "formhistory.sqlite" is used for "Autocomplete history".  It remembers information typed into the firefox search bar and other forms on websites.

To open the database we do the following:
sansforensics@securitynik:~/firefox-analysis/tmp/FirefoxPortable/Data/profile$ sqlite3 formhistory.sqlite

once the database is opened we listed the tables and see there are 2 tables available. These are "moz_deleted_formhistory"  "moz_formhistory"

When "SELECT * FROM moz_deleted_formhistory" was performed. Nothing was returned. However, when "SELECT * FROM moz_formhistory" was performed we got the following entry.

While the above information is helpful, it would be better if we knew what was stored in each of the fields. Let's turn on the headers for the table using ".header on". Once this has been turned on lets run the query again.

The information above looks much more easy to read and understand now. So we are making progress. So from the above we see record 1 suggests we searched for "map of canada" 1 time. However, what do we make of the values in "firstUsed" and "lastUsed". Note also these two values are the same, so this actually matches with the "timesUsed" which is "1".

To convert the "firstUsed" and "lastUsed" we can use "" to convert the time as shown below.

While the above is one way to convert the time, we could also do it directly within the sql statement. Their however, seems to be a little problem though with converting the time. The issue is the time is stored as microseconds since epoch in the tables while sqlite "datetime" function accepts seconds. So for both the "firstUsed" and "lastUsed" we will need to divide those values by "1,000,000".
sqlite> SELECT id,fieldname,value,timesUsed,datetime(firstUsed/1000000,'unixepoch','localtime') as firstUsed,datetime(lastUsed/1000000,'unixepoch', 'localtime') as lastUsed FROM moz_formhistory;

From the above we see this search was conduced on 2015-10-03 at 21:59:5 localtime.

So what about if we wanted this time in UTC? Then we only need to remove the "localtime" entry from the query as shown below.

sqlite> SELECT id,fieldname,value,timesUsed,datetime(firstUsed/1000000,'unixepoch') as firstUsed,datetime(lastUsed/1000000,'unixepoch') as lastUsed FROM moz_formhistory;

So that's it for analyzing the "formhistory.sqlite" in firefox. Next post we will look at "places.sqlite".

Other posts in this series:


No comments:

Post a Comment