Browser Forensics: Firefox Bookmark Analysis

arzuarzu
2 min read

Mission Statement

It is required that needs to be done Firefox data analysis manually from bookmarks data.

Solution

Start the lab and access the machine. Mozilla.zip file can be found on desktop. Unzip the file and analyze.

How many bookmarks are there in the Firefox added by user?

places.sqlite file includes bookmarks and history URL for Firefox browser. The directory of the file is .mozilla/firefox/PROFILE.default-release/under home directory commonly. But this scenerio, the directory and files are given to us.

sqlite3 places.sqlite run command to open the places.sqlite database. .tables command displays the tables of the database. Type .help to see other commands in a detail.

SELECT * FROM moz_bookmarks command lists the bookmarked URLs

Run the command PRAGMA table_info(<TABLE_NAME>); or .schema TABLE_NAME to learn about the schema of the table.

What is the URL of the shopping site added to Favorites by target user?

To list Favorites sites with help of chatgpt for the SQL query, run the command

SELECT moz_places.url, moz_bookmarks.title, moz_places.description
FROM moz_bookmarks
JOIN moz_places ON moz_bookmarks.fk = moz_places.id
WHERE moz_bookmarks.title IS NOT NULL
ORDER BY moz_bookmarks.dateAdded DESC;

This query lists the URL and its title from the bookmarks and ordered by the added date. You can filter shopping keywords to search in description text or other column values.

When was the Youtube entry added DD-MM-YYYY?

This command can be used to find the date of the added Youtube in bookmarks with format DD-MM-YYYY. moz_places table includes history and bookmarks with url information, so there is a relation between moz_places and moz_bookmarks tables with column fk (foreign key). If controls with url, use this command

SELECT moz_places.url, strftime('%d-%m-%Y', dateAdded/1000000, 'unixepoch') AS added_date FROM moz_bookmarks JOIN moz_places ON moz_bookmarks.fk = moz_places.id WHERE moz_places.url LIKE '%youtube%'

If condition which title contains youtube is checked with title value, use the command SELECT title, strftime('%d-%m-%Y', dateAdded/1000000, 'unixepoch') AS added_date FROM moz_bookmarks WHERE title LIKE '%youtube%';

The column of dateAdded value represents the date in microsecond format. Linux date command can be used for the time conversion from microseconds to DD-MM-YYYY format with the help of ChatGPT, date -d "@$(printf "%.0f" $(awk 'BEGIN {print MICROSECONDS/ 1000000}'))" +"%d-%m-%Y" . Note that MICROSECONDS value will be the dateAdded value in the table.

0
Subscribe to my newsletter

Read articles from arzu directly inside your inbox. Subscribe to the newsletter, and don't miss out.

browser forensicscyberexamFirefox

Written by

arzu
arzu