Investigating Firefox
27/8/2021 Friday
Firefox is an open-source web browser that was developed by Mozilla. Firefox is known and praised for its security and privacy-concerned approach. The web browser is available for desktop (Windows, macOS and Linux) and for mobile devices (Android and iOS).
Digital Forensics Value of Firefox Artifacts
People around the world rely primarily on the Internet as a source of information. At the same time, web browsers are one of the most basic and essential applications for accessing and surfing the Internet. Firefox on desktop has the third-largest market share worldwide (after Google Chrome and Safari). Given its popularity and wide usage, Firefox is considered an important source of evidentiary information in investigations as it enables the investigator to collect valuable and crucial evidence relevant to the case such as the suspect search history, downloads list and cookies.
Location of Firefox Artifacts
Firefox creates individual folders (profiles) for each user at the following location:
C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\%profilename%.default
All user related details can be found in the previous location except for the cache as it can be found at:
C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\%profilename%.default\cache2
Structure of Firefox Artifacts
The majority of Firefox artifacts are maintained within SQLite database files such as Firefox bookmarks, cookies and downloads; however, some of the artifacts are stored within JSON files such as Firefox add-ons and logins.
Analyzing Firefox Artifacts with ArtiFast Windows
This section discusses how to use ArtiFast Windows to extract and analyze Firefox artifacts from Windows machines and what kind of digital forensic insights we can gain from the platform.
After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Firefox Artifacts:
ArtiFast can analyze Firefox Add-ons, Bookmarks, Cache 2, Cookies, Current Session, Downloads, Favicons, Form History, History, Input History, Last Backup, Last Session, Logins, Upgrade Backups, User Account and Visits. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Firefox artifacts in ArtiFast software.
Firefox Add-ons Artifact
This artifact contains the add-ons from the Firefox web browser. Add-ons includes extensions, themes and plugins. The details you can view include:
- Name - The name of the add-on.
- Description - The description of the add-on.
- Version - The version of the add-on.
- Install Date/Time-UTC - The date/time when the add-on was installed.
- Updated Date/Time - The date/time when the add-on was updated.
- Add-On Disabled - Indicates whether the add-on has been disabled by the user or not.
Firefox Bookmarks Artifact
This artifact contains details related to the bookmarked webpages from Firefox web browser. The details you can view include:
- Bookmark URL - The URL of the bookmarked webpage.
- Bookmark Title - The title of the bookmark.
- Parent Title - The title of the parent bookmark.
- Added Date - The date/time when the bookmark was created.
- Last Modified Date - The date/time when the field was last modified.
Firefox Cache 2 Artifact
This artifact contains the cached entries in the Firefox web browser. The details you can view include:
- Cache file Creation Date - The date/time when the cached entry was created.
- Last Modified Date - The date/time when the cached entry was last modified.
- Last Fetched Date - The date/time when the cached entry was last fetched.
- Expiry Date - The date/time when the cached entry will expire.
- Cache Location - The path of the cached file on the disk.
- Key - The Key or URL of the cached file.
- Fetch Count - Indicates the number of times the cached entry was fetched.
- HTTP Content - HTTP header contents.
Firefox Cookies Artifact
This artifact contains the cookies from the Firefox web browser. The details you can view include:
- Name - The name of the cookie.
- Value - The value of the cookie.
- Host - The host domain of the cookie.
- Path - The path to the cookie.
- Base Domain Name - The name of the base domain.
- Is Secure Connection - Indicates whether the connection is secure or not.
- Is Http Only - Indicates whether the browser supports HttpOnly or not.
- Creation Time - The date/time when the cookie was created.
- Expiration Date - The date/time when the cookie will expire (If the cookie was set to expire).
- Last Access Date - The date/time when the cookie was last accessed.
Firefox Current Session Artifact
This artifact contains the webpages from the current session from the Firefox web browser. The details you can view include:
- Last Access Date - The date/time when the webpage was last accessed.
- URL - The URL of the webpage.
- ID - ID.
- Original URI - The original URI of the webpage.
- User Typed Value - The value typed by the user.
- Title - The title of the webpage.
- Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
- Previously Visited - Indicates whether the webpage has been visited before.
- Is Closed - Indicates whether the webpage has been closed or not.
- Index - Index.
- Is Hidden - Is hidden.
Firefox Downloads Artifact
This artifact contains the downloads from the Firefox web browser. The details you can view include:
- Start Date/Time-UTC - The date/time when the item started downloading.
- End Date/Time - The date/time when the download ended.
- Download Source - The URL of the downloaded item.
- Saved To - Indicates the path to where the item was downloaded to.
- File Name - The name of the downloaded item.
- State - Indicates the state of the downloaded item (Download Complete, Download in Progress/Paused, Download Failed and Download Interrupted/Cancelled).
- File Size - The size of the file in bytes.
Firefox Favicons Artifact
This artifact contains the favicons from the Firefox web browser, which are small icons associated with a particular website or webpage. The details you can view include:
- Expiration Date - The date/time when the icon will expire.
- Icon URL - The URL of the icon.
- Width - The width of the icon.
- Is Root - Indicates whether the icon is root or not.
Firefox Form History Artifact
This artifact contains the form history from the Firefox web browser. The details you can view include:
- First Used Date - The date/time when the field was first used.
- Last Used Date - The date/time when the field was last used.
- ID - The database row ID.
- Field Name - The form field name.
- Field Value - The saved form field value.
- Used Count - Indicates the number of times the field was used.
Firefox History Artifact
This artifact contains the web history from the Firefox web browser. The details you can view include:
- Last Visit Date - The date/time when the webpage was last visited.
- Reversed Host - The reversed host.
- Frequency Score - The frequency score.
- Description - The description of the webpage.
- URL - The URL of the webpage.
- Title - The title of the webpage.
- Visit Count - Indicates the number of times the webpage was visited.
- Is Typed - Indicates whether the URL was typed by the user or not.
- Is Hidden - Is hidden.
- Preview Image URL - The URL of the previewed image.
Firefox Input History Artifact
This artifact contains the input history from the Firefox web browser. The details you can view include:
- Last Visit Date - Last visit date of autocomplete URL.
- Use Count - Indicates the number of times the input was used.
- Title - The title of autocomplete URL.
- Autocomplete URL - Indicates the autocompleted URL.
- Typed Input - The user typed input.
Firefox Last Backup Artifact
This artifact contains the last backup from the Firefox web browser. The details you can view include:
- Last Access Date - The date/time when the webpage was last accessed.
- URL - The URL of the webpage.
- ID - ID.
- Original URI - The original URI of the webpage.
- Closed At - The date/time when the webpage was closed.
- User Typed Value - The value typed by the user.
- Title - The title of the webpage.
- Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
- Previously Visited - Indicates whether the webpage has been visited before.
- Is Closed - Indicates whether the webpage has been closed or not.
- Index - Index.
- Is Hidden - Is hidden.
Firefox Last Session Artifact
This artifact contains the webpages from the last session from the Firefox web browser. The details you can view include:
- Last Access Date - The date/time when the webpage was last accessed.
- URL - The URL of the webpage.
- ID - ID.
- Original URI - The original URI of the webpage.
- Closed At - The date/time when the webpage was closed.
- User Typed Value - The value typed by the user.
- Title - The title of the webpage.
- Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
- Previously Visited - Indicates whether the webpage has been visited before.
- Is Closed - Indicates whether the webpage has been closed or not.
- Index - Index.
- Is Hidden - Is hidden.
Firefox Logins Artifact
This artifact contains the login details for the websites that the user has logged in using the Firefox web browser. The details you can view include:
- Creation Date - The date/time when the data was created.
- Password Last Change Date - The date/time when the password was last changed.
- Password Field - The password entered by the user.
- Encrypted Password - The password entered by the user (encrypted).
- Username Field - The username entered by the user.
- Encrypted Username - The username entered by the user (encrypted).
- Last Used Date - The date/time when the data was last used.
- Host Name - The URL of the login webpage.
- Form Submit URL - The URL where the form is submitted.
- Http Realm - Http Realm
- Guid - The Guid.
Firefox Upgrade Backups Artifact
This artifact contains a backup of the webpages from the last active session on Firefox web browser. The details you can view include:
- Last Access Date - The date/time when the webpage was last accessed.
- URL - The URL of the webpage.
- ID - ID.
- Original URI - The original URI of the webpage.
- Closed At - The date/time when the webpage was closed.
- User Typed Value - The value typed by the user.
- Title - The title of the webpage.
- Referrer URL - If the webpage was a redirect, this attribute indicates the URL of the webpage.
- Previously Visited - Indicates whether the webpage has been visited before.
- Is Closed - Indicates whether the webpage has been closed or not.
- Index - Index.
- Is Hidden - Is hidden.
Firefox User Account Artifact
This artifact contains all the user saved account details from the Firefox web browser. The details you can view include:
- Last Modification Date - The date/time when the account was last modified.
- Account UID - The account UID.
- Account Email - The account email.
- Is Verified - Indicates whether the account was verified.
- Device ID - Indicates the device owner ID.
- Profile Email - The profile email.
- Profile UID - The profile UID.
- Profile Avatar URL - The URL of the profile avatar.
- Profile Display Name - The display name of the profile.
- Is Avatar Default - Indicates whether the user was using the default avatar or not.
- Session Token - The session token.
- Etag - Entity tag.
Firefox Visits Artifact
This artifact contains the non-archived visits for the Firefox web browser. The details you can view include:
- Visit Date - The date/time when the webpage was visited.
- Title - The title of the visited webpage.
- URL - The URL of the visited webpage.
- Visit Type - Indicates the webpage visit type (how the transition occurred).
- Source URL - The source URL.
- Source Title - The source title.