Blog >> Firefox

Investigating Firefox

27/8/2021 Friday

Firefox is an open-source web browser that was developed by Mozilla. Firefox is known and praised for its security and privacy-concerned approach. The web browser is available for desktop (Windows, macOS and Linux) and for mobile devices (Android and iOS).


Digital Forensics Value of Firefox Artifacts


People around the world rely primarily on the Internet as a source of information. At the same time, web browsers are one of the most basic and essential applications for accessing and surfing the Internet. Firefox on desktop has the third-largest market share worldwide (after Google Chrome and Safari). Given its popularity and wide usage, Firefox is considered an important source of evidentiary information in investigations as it enables the investigator to collect valuable and crucial evidence relevant to the case such as the suspect search history, downloads list and cookies.


Location of Firefox Artifacts


Firefox creates individual folders (profiles) for each user at the following location:

C:\Users\%username%\AppData\Roaming\Mozilla\Firefox\Profiles\%profilename%.default

All user related details can be found in the previous location except for the cache as it can be found at:

C:\Users\%username%\AppData\Local\Mozilla\Firefox\Profiles\%profilename%.default\cache2


Structure of Firefox Artifacts


The majority of Firefox artifacts are maintained within SQLite database files such as Firefox bookmarks, cookies and downloads; however, some of the artifacts are stored within JSON files such as Firefox add-ons and logins.


Analyzing Firefox Artifacts with ArtiFast Windows


This section discusses how to use ArtiFast Windows to extract and analyze Firefox artifacts from Windows machines and what kind of digital forensic insights we can gain from the platform.

After you have created your case and added evidence for the investigation, at the Artifacts Parser Selection Phase, you can select Firefox Artifacts:




ArtiFast can analyze Firefox Add-ons, Bookmarks, Cache 2, Cookies, Current Session, Downloads, Favicons, Form History, History, Input History, Last Backup, Last Session, Logins, Upgrade Backups, User Account and Visits. For demonstration purposes, all the artifacts have been chosen, however, you have the option to select one or more artifacts.



Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via “Artifact View” or “Timeline View”, with indexing, filtering, and searching capabilities. Below is a detailed description of the Firefox artifacts in ArtiFast software.


Firefox Add-ons Artifact

This artifact contains the add-ons from the Firefox web browser. Add-ons includes extensions, themes and plugins. The details you can view include:


Firefox Bookmarks Artifact

This artifact contains details related to the bookmarked webpages from Firefox web browser. The details you can view include:


Firefox Cache 2 Artifact

This artifact contains the cached entries in the Firefox web browser. The details you can view include:


Firefox Cookies Artifact

This artifact contains the cookies from the Firefox web browser. The details you can view include:


Firefox Current Session Artifact

This artifact contains the webpages from the current session from the Firefox web browser. The details you can view include:


Firefox Downloads Artifact

This artifact contains the downloads from the Firefox web browser. The details you can view include:


Firefox Favicons Artifact

This artifact contains the favicons from the Firefox web browser, which are small icons associated with a particular website or webpage. The details you can view include:


Firefox Form History Artifact

This artifact contains the form history from the Firefox web browser. The details you can view include:


Firefox History Artifact

This artifact contains the web history from the Firefox web browser. The details you can view include:


Firefox Input History Artifact

This artifact contains the input history from the Firefox web browser. The details you can view include:


Firefox Last Backup Artifact

This artifact contains the last backup from the Firefox web browser. The details you can view include:


Firefox Last Session Artifact

This artifact contains the webpages from the last session from the Firefox web browser. The details you can view include:


Firefox Logins Artifact

This artifact contains the login details for the websites that the user has logged in using the Firefox web browser. The details you can view include:


Firefox Upgrade Backups Artifact

This artifact contains a backup of the webpages from the last active session on Firefox web browser. The details you can view include:


Firefox User Account Artifact

This artifact contains all the user saved account details from the Firefox web browser. The details you can view include:


Firefox Visits Artifact

This artifact contains the non-archived visits for the Firefox web browser. The details you can view include: