Browser Analysis - Firefox | Caitlin M. Allen

Quick Notes

Handled in a sqlite3 database
- places.sqlite can be found at _/Users/$user/Library/Application Support/Firefox/Profiles/.default/places.sqlite_
  - will be randomly determined when setting up Firefox
  - places.sqlite holds a number of tables -> two similar to Chrome
    - mox_historyvisits -> Timestamped entry for each visited website and URL id
    - moz_places -> Correlate the URL id to the actual URL
Query to pull timestamp and URL from history
- SELECT datetime(hv.visit_date/1000000, ‘unixepoch’) as dt, p.url FROM moz_historyvisits hv INNER JOIN moz_places p ON hv.place_id = p.id ORDER by dt ASC

Old versions of Firefox used to store a sqlite3 database called downloads.sqlite
- Stored files that were downloaded and when
- Now in the places.sqlite file
Only need to collect one database
- Downloads can be found in the moz_annos table
Data is stored differently from Chrome and Safari
- Every download creates multiple entries
- moz_attribute_id field can be found in the moz_anno_attribute table
  - Numbers correspond to what was done
    - 1 -> bookmarkProperties/description
    - 2 -> Places/SmartBookmark
    - 3 -> places/exlcludeFromBackup
    - 4 -> PlacesOrganizer/OrganizerFolder
    - 5 -> PlacesOrganizer/OrganizerQuery
    - 6 -> downloads/destinationFileURI
    - 7 -> downloads/destinationFileName
    - 8 -> downloads/metadata
  - Look for entries with a moz_attribute_id of 6
Query to pull timestamp, download location, and source URL
- SELECT moz_annos.dateAdded, moz_annos.content, moz_places.url FROM moz_places, moz_annos WHERE moz_places.id = moz_annos.place_id AND anno_attribute_id=6

_/Users/$user/Library/Application Support/Firefox/Profiles//cookies.sqlite_
- Holds a table called moz_cookies
- Cookies for visited sites
_/Users/$user/Library/Application Support/Firefox/Profiles//extensions.json_
- Data on what extensions are installed as well as descriptions, extension homepages, and authors