
Investigating Firefox Browser Forensics: A Forensic Guide/Browser analysis Book

Updated: 3 days ago

Firefox stores extensive user activity data, making it possible to determine browsing history, downloads, bookmarks, and even synchronized data. This guide will walk you through a detailed forensic analysis of Firefox, covering history tracking, filling in evidence gaps, and deep-dive analysis techniques.


1. Determining Sites Visited

Review History Data & Search Keywords

Firefox stores browsing history in the places.sqlite database, primarily in the moz_places and moz_historyvisits tables. Analysts can extract and review:


  • URLs visited

  • Associated timestamps

  • visit_type (direct navigation, link click, bookmark access, and so on)

  • Search keywords stored in the browser’s history


Analyze VisitType for Typed URLs

Each visit in the moz_historyvisits table is categorized by a visit_type field. Typed URLs (where a user manually enters a URL) typically have a visit_type value of 1. Identifying these helps differentiate intentional browsing from passive link clicks.


Audit prefs.js for Privacy Settings

The prefs.js file contains browser configuration settings, including:


  • Whether the user has enabled history synchronization across devices.

  • Modifications in security settings, such as disabled tracking protection or script execution permissions.
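As an added example (not code from the original guide), the following Python parses a prefs.js file and flags the entries that bear on history, sync and privacy. The pref names are Firefox's own; the one-line interpretations, the helper names and the sample file are this example's assumptions and constructed data.

```python
import json
import re

# prefs.js lines look like:  user_pref("name", value);  where value is a JS literal
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

# Well-known Firefox pref names; the one-line interpretations are this example's own.
PREFS_OF_INTEREST = {
    "services.sync.username": "Firefox Sync account configured; history may exist on other devices",
    "services.sync.engine.history": "history sync engine explicitly toggled",
    "places.history.enabled": "history recording toggled",
    "browser.privatebrowsing.autostart": "always-private mode; history and cookies not written to disk",
    "privacy.sanitize.sanitizeOnShutdown": "browsing data cleared on every shutdown",
    "privacy.clearOnShutdown.history": "history specifically cleared on shutdown",
    "privacy.trackingprotection.enabled": "tracking protection toggled",
    "javascript.enabled": "script execution toggled",
    "network.cookie.cookieBehavior": "cookie acceptance policy changed",
}

def parse_prefs(text):
    """Parse prefs.js into a dict of pref name -> Python value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue            # comments, blank lines, the file header
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)   # "str", 123, true/false are valid JSON too
        except ValueError:
            prefs[name] = raw               # keep anything unexpected verbatim
    return prefs

def audit_prefs(prefs):
    """Return (name, value, note) for each pref of interest that is present.
    prefs.js only records values that were explicitly set, so a pref that is
    absent means the built-in default applied, not that the feature is off."""
    return [(name, prefs[name], note)
            for name, note in PREFS_OF_INTEREST.items() if name in prefs]

def sync_configured(prefs):
    """Sync is set up when an account identifier is stored in the profile."""
    return bool(prefs.get("services.sync.username"))

# Constructed sample, not a real profile's prefs.js.
SAMPLE_PREFS = '''\
// Mozilla User Preferences

// DO NOT EDIT THIS FILE.
//
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("browser.privatebrowsing.autostart", true);
user_pref("browser.startup.homepage", "https://www.example.com/");
user_pref("javascript.enabled", false);
user_pref("places.history.enabled", false);
user_pref("privacy.trackingprotection.enabled", false);
user_pref("services.sync.username", "analyst.sample@example.com");
'''

if __name__ == "__main__":
    prefs = parse_prefs(SAMPLE_PREFS)
    print("sync configured:", sync_configured(prefs))
    for name, value, note in audit_prefs(prefs):
        print(f"{name} = {value!r}  # {note}")
```

Run it against a copied prefs.js by reading the file into a string and passing it to parse_prefs; user.js, if present in the profile, uses the same syntax and overrides prefs.js at startup, so audit both.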


Check for Evidence of Synchronization

Firefox Sync can transfer browsing data across multiple devices. Identifying whether sync is enabled is critical. Clues include:


  • Entries with missing local artifacts (e.g., missing favicon, cache, or cookies).

  • Last 30 days of history being available (as per Firefox Sync’s default settings).


Parse Download History

Download records are found in the moz_annos table within places.sqlite. Although downloads are not directly synchronized, references to downloaded files (visit_type = 7) may exist in synced history data.



Audit Bookmarks

Bookmarks are stored in places.sqlite (moz_bookmarks table). Analyzing bookmarks can reveal long-term user interests and frequently accessed sites.
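The history, visit_type, download and bookmark queries above, worked through as one added example (not code from the original guide). It builds a small in-memory stand-in for places.sqlite with constructed rows, so the schema is a simplified subset of the real one; the helper and table names it relies on (moz_places, moz_historyvisits, moz_bookmarks, moz_annos, moz_anno_attributes, the downloads/destinationFileURI and downloads/metaData annotations) are Firefox's. The transition map follows Mozilla's documented TRANSITION_* constants (link = 1, typed = 2, bookmark = 3, download = 7), so it is worth checking the values against the Firefox version under examination.

```python
import json
import sqlite3
from datetime import datetime, timezone

# Mozilla's TRANSITION_* constants for moz_historyvisits.visit_type
VISIT_TYPES = {
    1: "link", 2: "typed", 3: "bookmark", 4: "embed", 5: "redirect_permanent",
    6: "redirect_temporary", 7: "download", 8: "framed_link", 9: "reload",
}

def prtime_to_utc(us):
    """places.sqlite timestamps are PRTime: microseconds since the Unix epoch."""
    if not us:
        return None
    dt = datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%d %H:%M:%S UTC")

# Simplified subset of the real places.sqlite schema: only the columns used below.
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
    place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT, dateAdded INTEGER);
CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
    anno_attribute_id INTEGER, content TEXT, dateAdded INTEGER);
"""

T0 = 1_700_000_000_000_000  # constructed base time: 2023-11-14 22:13:20 UTC
MIN = 60_000_000            # one minute in microseconds

def build_sample_db():
    """Constructed stand-in for a copied places.sqlite (open the real copy read-only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://www.example.com/", "Example"),
        (2, "https://www.example.com/docs/", "Docs"),
        (3, "https://files.example.com/report.pdf", None),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, T0, 2),            # typed into the address bar (from_visit 0 = no referrer)
        (2, 1, 2, T0 + MIN, 1),      # link clicked on the first page
        (3, 2, 3, T0 + 2 * MIN, 7),  # download transition
    ])
    conn.execute("INSERT INTO moz_bookmarks VALUES (1, 1, 'Example home', ?)", (T0,))
    conn.executemany("INSERT INTO moz_anno_attributes VALUES (?,?)",
                     [(1, "downloads/destinationFileURI"), (2, "downloads/metaData")])
    conn.executemany("INSERT INTO moz_annos VALUES (?,?,?,?,?)", [
        (1, 3, 1, "file:///C:/Users/analyst/Downloads/report.pdf", T0 + 2 * MIN),
        (2, 3, 2, json.dumps({"state": 1, "endTime": 1_700_000_125_000, "fileSize": 4096}),
         T0 + 2 * MIN + 5_000_000),
    ])
    return conn

def history(conn):
    """Each visit with its decoded transition and the page it was reached from, if any."""
    rows = conn.execute("""
        SELECT p.url, v.visit_date, v.visit_type, fp.url
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        LEFT JOIN moz_historyvisits fv ON fv.id = v.from_visit
        LEFT JOIN moz_places fp ON fp.id = fv.place_id
        ORDER BY v.visit_date""").fetchall()
    return [{"url": u, "visited": prtime_to_utc(d), "from_url": f,
             "transition": VISIT_TYPES.get(t, f"unknown({t})")} for u, d, t, f in rows]

def typed_urls(conn):
    """Deliberate navigation: URLs the user entered by hand (TRANSITION_TYPED)."""
    return [r["url"] for r in history(conn) if r["transition"] == "typed"]

def downloads(conn):
    """Downloads are annotations on the place row, keyed by attribute name."""
    rows = conn.execute("""
        SELECT p.url, attr.name, a.content, a.dateAdded
        FROM moz_annos a
        JOIN moz_anno_attributes attr ON attr.id = a.anno_attribute_id
        JOIN moz_places p ON p.id = a.place_id
        WHERE attr.name LIKE 'downloads/%'""").fetchall()
    out = {}
    for url, name, content, added in rows:
        rec = out.setdefault(url, {"source": url})
        if name == "downloads/destinationFileURI":
            rec["destination"], rec["added"] = content, prtime_to_utc(added)
        elif name == "downloads/metaData":
            rec["meta"] = json.loads(content)   # endTime here is milliseconds, not PRTime
    return list(out.values())

def bookmarks(conn):
    rows = conn.execute("""
        SELECT b.title, p.url, b.dateAdded FROM moz_bookmarks b
        JOIN moz_places p ON p.id = b.fk ORDER BY b.dateAdded""").fetchall()
    return [{"title": t, "url": u, "added": prtime_to_utc(d)} for t, u, d in rows]

if __name__ == "__main__":
    db = build_sample_db()
    for section, rows in (("history", history(db)), ("downloads", downloads(db)),
                          ("bookmarks", bookmarks(db))):
        print(section)
        for r in rows:
            print("  ", r)
```

To run the same queries on evidence, replace build_sample_db() with sqlite3.connect("file:places.sqlite?mode=ro", uri=True) on a copy of the database; copy any places.sqlite-wal file alongside it, because recent visits may only exist in the write-ahead log until Firefox checkpoints it.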


Look for Other Profiles

Firefox allows multiple user profiles, each storing independent browser data. Investigating profiles.ini in the AppData\Roaming\Mozilla\Firefox directory helps locate multiple user profiles, expanding the evidence scope.
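Enumerating profiles.ini, as an added example (not code from the original guide). The section and key names (ProfileN, InstallXXX, Name, IsRelative, Path, Default) are the ones Firefox writes; the install-section hash in the sample is a constructed placeholder and the whole sample file is constructed. The point it demonstrates is that a profile with IsRelative=0 can live anywhere on disk, so collecting only the AppData folder can miss it.

```python
import configparser
from pathlib import PureWindowsPath

def list_profiles(ini_text, firefox_dir):
    """Resolve every profile in profiles.ini to an absolute directory.

    firefox_dir is the folder that holds profiles.ini (AppData\\Roaming\\Mozilla\\Firefox
    on Windows). Two markers can declare a default profile: the legacy Default=1 flag
    on a [ProfileN] section, and the Default= path inside an [Install...] section,
    which Firefox 67 and later use to pick the profile for that installation.
    Both are reported so the analyst can see which profile was actually in use.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str            # keep key case exactly as written (Path, IsRelative)
    cp.read_string(ini_text)
    install_defaults = {cp[s].get("Default") for s in cp.sections() if s.startswith("Install")}
    profiles = []
    for s in cp.sections():
        if not s.startswith("Profile"):
            continue
        sec = cp[s]
        raw_path = sec["Path"]
        relative = sec.get("IsRelative", "1") == "1"
        full = str(PureWindowsPath(firefox_dir) / raw_path) if relative else raw_path
        profiles.append({
            "section": s,
            "name": sec.get("Name"),
            "path": full,
            "install_default": raw_path in install_defaults,
            "legacy_default": sec.get("Default") == "1",
        })
    return profiles

def profiles_outside(profiles, firefox_dir):
    """Profiles stored somewhere other than the Firefox folder: easy to miss in collection."""
    root = str(PureWindowsPath(firefox_dir)).lower()
    return [p for p in profiles if not p["path"].lower().startswith(root)]

# Constructed sample; the Install section hash is a placeholder, not a real one.
SAMPLE_INI = """\
[Install0000SAMPLE0000]
Default=Profiles/abc12345.default-release
Locked=1

[Profile1]
Name=default
IsRelative=1
Path=Profiles/xyz98765.default
Default=1

[Profile0]
Name=default-release
IsRelative=1
Path=Profiles/abc12345.default-release

[Profile2]
Name=work
IsRelative=0
Path=D:\\FirefoxProfiles\\work

[General]
StartWithLastProfile=1
Version=2
"""

SAMPLE_DIR = r"C:\Users\analyst\AppData\Roaming\Mozilla\Firefox"

if __name__ == "__main__":
    for p in list_profiles(SAMPLE_INI, SAMPLE_DIR):
        print(p)
```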


-------------------------------------------------------------------------------------------------------------


2. Filling in Evidence Gaps

Audit Cache Domains & Specific Files

The Firefox cache (cache2 folder) stores images, scripts, and other web resources. Cache analysis helps:


  • Recover deleted browsing activity.

  • Identify sites visited even if history is cleared.

  • Link user activity with timestamps.


Review Cookie Domains

Cookies (cookies.sqlite) store authentication tokens, user preferences, and tracking data. They provide insight into user interactions, even if history is deleted.


Analyze Session Restore Files

Firefox automatically saves session data in recovery.jsonlz4 and previous.jsonlz4 under the sessionstore-backups folder. These files help:


  • Identify tabs open before a crash or shutdown.

  • Recover browsing sessions even after history is cleared.
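Reading the session files, as an added example (not code from the original guide). recovery.jsonlz4, previous.jsonlz4 and sessionstore.jsonlz4 are "mozLz4" files: an 8-byte magic "mozLz40\0", a 4-byte little-endian decompressed size, then a raw LZ4 block. The block below decodes that format with a minimal pure-Python LZ4 block decoder so that it runs without third-party modules, then walks the windows/tabs/entries structure. The sample file is constructed by hand-assembling one LZ4 sequence; it is not a real session, and the key names windows, tabs, entries, index, url and title are the ones Firefox's session store uses.

```python
import json

MOZLZ4_MAGIC = b"mozLz40\0"   # 8-byte header, then 4-byte little-endian decompressed size

def lz4_block_decompress(src, out_size):
    """Minimal LZ4 block decoder (no frame format): sequences of literals + back-references."""
    dst = bytearray()
    i, n = 0, len(src)
    while i < n:
        token = src[i]; i += 1
        lit_len = token >> 4
        if lit_len == 15:                      # length continues in extra bytes
            while True:
                b = src[i]; i += 1
                lit_len += b
                if b != 255:
                    break
        dst += src[i:i + lit_len]; i += lit_len
        if i >= n:                             # final sequence has literals only
            break
        offset = src[i] | (src[i + 1] << 8); i += 2
        if offset == 0 or offset > len(dst):
            raise ValueError("corrupt LZ4 block: bad match offset")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = src[i]; i += 1
                match_len += b
                if b != 255:
                    break
        start = len(dst) - offset
        for k in range(match_len):             # byte-wise copy handles overlapping matches
            dst.append(dst[start + k])
    if len(dst) != out_size:
        raise ValueError(f"size mismatch: header says {out_size}, got {len(dst)}")
    return bytes(dst)

def read_mozlz4(data):
    if not data.startswith(MOZLZ4_MAGIC):
        raise ValueError("not a mozLz4 file")
    size = int.from_bytes(data[8:12], "little")
    return lz4_block_decompress(data[12:], size)

def session_tabs(data):
    """(window, tab, url, title) for the entry each tab was showing; 'index' is 1-based."""
    session = json.loads(read_mozlz4(data))
    out = []
    for wi, win in enumerate(session.get("windows", [])):
        for ti, tab in enumerate(win.get("tabs", [])):
            entries = tab.get("entries", [])
            if not entries:
                continue
            e = entries[tab.get("index", len(entries)) - 1]
            out.append((wi, ti, e.get("url"), e.get("title")))
    return out

# --- constructed sample file (not from a real profile) ---------------------------
SEG_A = b'{"windows":[{"tabs":[{"entries":[{"url":"https://a.example/","title":"A"}]},'
SEG_M = b'{"entries":[{"url":"https://'        # repeats an earlier run of SEG_A
SEG_B = b'b.example/","title":"B"}]}]}]}'
PLAIN = SEG_A + SEG_M + SEG_B

def build_sample_file():
    """Hand-built LZ4 block: [literals SEG_A][match copying SEG_M][literals SEG_B]."""
    offset = len(SEG_A) - SEG_A.index(SEG_M)             # distance back to the earlier copy
    block = (bytes([0xF0 | 0x0F, len(SEG_A) - 15]) + SEG_A  # literal nibble 15 + extra byte
             + offset.to_bytes(2, "little")
             + bytes([len(SEG_M) - 4 - 15])               # match nibble 15 + extra byte
             + bytes([0xF0, len(SEG_B) - 15]) + SEG_B)    # literals-only tail
    return MOZLZ4_MAGIC + len(PLAIN).to_bytes(4, "little") + block

if __name__ == "__main__":
    for row in session_tabs(build_sample_file()):
        print(row)
```

On a real file, pass open("recovery.jsonlz4", "rb").read() to session_tabs; each tab's full entries list is its back/forward history, and the _closedTabs and _closedWindows arrays in the same JSON hold tabs the user closed during the session, so they are worth walking with the same pattern.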


Analyze Form History Entries

User-entered form data is stored in formhistory.sqlite. It contains:


  • Search bar entries.

  • Autofill form inputs (names, addresses, emails, etc.).
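The cookie and form history reviews above, as one added example (not code from the original guide). It uses an in-memory stand-in with a column subset of the real moz_cookies and moz_formhistory tables and constructed rows; the table and column names, and the searchbar-history field name Firefox uses for search bar entries, are Firefox's. The caveat it bakes in: moz_cookies.expiry is in seconds while lastAccessed, creationTime, firstUsed and lastUsed are microseconds, so the two must not share one conversion helper.

```python
import sqlite3
from datetime import datetime, timezone

def us_to_utc(us):
    """lastAccessed, creationTime, firstUsed and lastUsed: microseconds since the epoch."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def s_to_utc(s):
    """moz_cookies.expiry is in seconds, unlike the other timestamp columns."""
    return datetime.fromtimestamp(s, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

# Column subsets of the real tables; unused columns are omitted.
SCHEMA = """
CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, name TEXT, value TEXT, host TEXT,
    path TEXT, expiry INTEGER, lastAccessed INTEGER, creationTime INTEGER,
    isSecure INTEGER, isHttpOnly INTEGER);
CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT, value TEXT,
    timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER);
"""

T0 = 1_700_000_000_000_000  # constructed base time: 2023-11-14 22:13:20 UTC
HOUR = 3_600_000_000

def build_sample_db():
    """Constructed sample rows standing in for cookies.sqlite and formhistory.sqlite."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?,?,?,?,?)", [
        (1, "sid", "[session token]", ".example.com", "/", 1_700_086_400, T0 + 2 * HOUR, T0, 1, 1),
        (2, "lang", "en", "www.example.com", "/", 1_731_536_000, T0 + HOUR, T0, 0, 0),
        (3, "_uid", "9f3a", ".ads.example.net", "/", 1_763_072_000, T0 + 2 * HOUR, T0 + HOUR, 1, 0),
    ])
    conn.executemany("INSERT INTO moz_formhistory VALUES (?,?,?,?,?,?)", [
        (1, "searchbar-history", "firefox places.sqlite visit_type", 2, T0, T0 + HOUR),
        (2, "email", "analyst.sample@example.com", 5, T0 - 24 * HOUR, T0 + 2 * HOUR),
        (3, "searchbar-history", "sessionstore-backups recovery.jsonlz4", 1, T0 + 3 * HOUR, T0 + 3 * HOUR),
    ])
    return conn

def cookie_domains(conn):
    """One summary per host (the leading '.' of domain-wide cookies is stripped)."""
    rows = conn.execute("""SELECT host, name, expiry, creationTime, lastAccessed,
                                  isSecure, isHttpOnly FROM moz_cookies""").fetchall()
    summary = {}
    for host, name, expiry, created, accessed, secure, httponly in rows:
        key = host.lstrip(".")
        s = summary.setdefault(key, {"host": key, "cookies": [], "first_created": created,
                                     "last_accessed": accessed, "latest_expiry": expiry,
                                     "httponly_cookies": 0})
        s["cookies"].append(name)
        s["first_created"] = min(s["first_created"], created)
        s["last_accessed"] = max(s["last_accessed"], accessed)
        s["latest_expiry"] = max(s["latest_expiry"], expiry)
        s["httponly_cookies"] += int(bool(httponly))   # HttpOnly is typical of session cookies
    for s in summary.values():
        s["first_created"] = us_to_utc(s["first_created"])
        s["last_accessed"] = us_to_utc(s["last_accessed"])
        s["latest_expiry"] = s_to_utc(s["latest_expiry"])
    return sorted(summary.values(), key=lambda s: s["host"])

def search_terms(conn):
    """Search bar entries; Firefox stores them under the fieldname 'searchbar-history'."""
    rows = conn.execute("""SELECT value, timesUsed, lastUsed FROM moz_formhistory
                           WHERE fieldname = 'searchbar-history' ORDER BY lastUsed DESC""")
    return [(v, n, us_to_utc(t)) for v, n, t in rows]

def autofill_values(conn):
    """Everything else is autofill data keyed by the HTML form field name."""
    rows = conn.execute("""SELECT fieldname, value, timesUsed FROM moz_formhistory
                           WHERE fieldname != 'searchbar-history' ORDER BY timesUsed DESC""")
    return rows.fetchall()

if __name__ == "__main__":
    db = build_sample_db()
    for s in cookie_domains(db):
        print(s)
    print(search_terms(db))
    print(autofill_values(db))
```

A host that appears here but nowhere in places.sqlite is the signal the section is describing: the site was visited, and the history row was removed afterwards (or never written).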


Review Installed Browser Extensions

Add-ons can introduce security vulnerabilities, track user activity, or execute scripts. Investigating extensions.json and the extensions folder helps:


  • Identify malicious extensions.

  • Recover deleted add-ons.

  • Understand potential user modifications to browser behavior.
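Triage of extensions.json, as an added example (not code from the original guide). The field names it reads (addons, id, type, version, active, userDisabled, foreignInstall, location, installDate, defaultLocale.name, sourceURI, path, userPermissions.origins) are the ones Firefox writes; the reading of them as signals (foreignInstall for sideloaded add-ons, a location other than app-profile for installs outside the profile, an <all_urls> host permission for full page access) is this example's own, and the sample JSON with its add-on IDs and paths is constructed.

```python
import json
from datetime import datetime, timezone

def ms_to_utc(ms):
    """installDate and updateDate in extensions.json are milliseconds since the epoch."""
    return datetime.fromtimestamp(ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

def triage_extensions(text):
    """One summary per installed extension with the signals to check first."""
    data = json.loads(text)
    rows = []
    for addon in data.get("addons", []):
        if addon.get("type") != "extension":
            continue    # themes, dictionaries and language packs are rarely of interest
        perms = addon.get("userPermissions") or {}
        flags = []
        if addon.get("foreignInstall"):
            flags.append("sideloaded (foreignInstall)")
        if addon.get("location") != "app-profile":
            flags.append(f"installed outside the profile: {addon.get('location')}")
        if any(o in ("<all_urls>", "*://*/*") for o in perms.get("origins", [])):
            flags.append("host permission for every site")
        rows.append({
            "id": addon.get("id"),
            "name": (addon.get("defaultLocale") or {}).get("name"),
            "version": addon.get("version"),
            "enabled": bool(addon.get("active")) and not addon.get("userDisabled"),
            "installed": ms_to_utc(addon["installDate"]) if addon.get("installDate") else None,
            "source": addon.get("sourceURI"),
            "path": addon.get("path"),
            "flags": flags,
        })
    return rows

def suspicious(rows):
    """Enabled extensions that raised at least one flag: review these first."""
    return [r for r in rows if r["flags"] and r["enabled"]]

# Constructed sample; IDs, paths and URLs are placeholders, not real add-ons.
SAMPLE_EXTENSIONS_JSON = json.dumps({
    "schemaVersion": 35,
    "addons": [
        {"id": "notes@sample.example", "type": "extension", "version": "1.2.0",
         "active": True, "userDisabled": False, "foreignInstall": False,
         "location": "app-profile", "installDate": 1_700_000_000_000,
         "defaultLocale": {"name": "Sample Notes"},
         "sourceURI": "https://addons.sample.example/notes.xpi",
         "path": "C:\\Users\\analyst\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abc.default\\extensions\\notes@sample.example.xpi",
         "userPermissions": {"permissions": ["storage"], "origins": []}},
        {"id": "helper@sample.example", "type": "extension", "version": "0.9",
         "active": True, "userDisabled": False, "foreignInstall": True,
         "location": "winreg-app-global", "installDate": 1_700_003_600_000,
         "defaultLocale": {"name": "Search Helper"},
         "sourceURI": None,
         "path": "C:\\ProgramData\\Sample Helper\\helper@sample.example.xpi",
         "userPermissions": {"permissions": ["tabs", "webRequest"], "origins": ["<all_urls>"]}},
        {"id": "dark@sample.example", "type": "theme", "version": "2.0",
         "active": True, "userDisabled": False, "location": "app-profile"},
    ],
})

if __name__ == "__main__":
    rows = triage_extensions(SAMPLE_EXTENSIONS_JSON)
    for r in rows:
        print(r)
    print("review first:", [r["id"] for r in suspicious(rows)])
```

The path field points at the .xpi (a zip) in the extensions folder; an add-on listed here whose .xpi is missing, or an .xpi on disk with no entry here, is the "deleted add-on" case the section mentions.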


-------------------------------------------------------------------------------------------------------------


3. Deep Dive Analysis

Search Web Storage

Firefox uses IndexedDB (storage/default) and webappsstore.sqlite for web applications' local storage. Investigating these can reveal:


  • User credentials (in some cases).

  • Application-specific browsing behavior.

  • Persistent tracking mechanisms.


Review Memory-Based Artifacts

Memory forensics can uncover transient browser artifacts, including:


  • Private browsing session data.

  • Unencrypted credentials or session tokens.


Carve Deleted SQLite Entries

Firefox’s SQLite databases do not immediately purge deleted records. Using forensic tools like sqlite3 or Undark can help recover deleted:


  • Browsing history.

  • Cookies.

  • Bookmarks.
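Recovering a deleted history row by carving, as an added example (not code from the original guide, and independent of the sqlite3 shell or Undark). It creates a small database file with a stand-in moz_places table, deletes one row, and then reads the raw file bytes for URL-shaped strings; whatever is carved but absent from the live table is a candidate deleted record. The secure_delete pragma is set explicitly so the demonstration does not depend on how SQLite was compiled; a profile whose Firefox or SQLite build zeroes freed cells would leave nothing to carve. Table and column names are a simplified subset of the real schema; the rows are constructed.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# ASCII URL pattern; the character class stops at bytes that cannot appear in a URL.
URL_RE = re.compile(rb"https?://[A-Za-z0-9./:_?=&%#-]+")

def carve_urls(path):
    """Scan the raw file, including free space inside pages, for URL-shaped strings."""
    with open(path, "rb") as f:
        raw = f.read()
    return {m.group().decode("ascii") for m in URL_RE.finditer(raw)}

def live_urls(path):
    """What the database still reports through SQL, opened read-only."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return {u for (u,) in conn.execute("SELECT url FROM moz_places")}
    finally:
        conn.close()

def deleted_candidates(path):
    """Carved strings the live table no longer contains: likely deleted rows."""
    return sorted(carve_urls(path) - live_urls(path))

def build_sample(path):
    """Constructed stand-in for places.sqlite: three visits, then one row deleted."""
    conn = sqlite3.connect(path)
    conn.execute("PRAGMA secure_delete = OFF")   # explicit: compile-time defaults differ
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, visit_count INTEGER)")
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
        (1, "https://www.example.com/", 5),
        (2, "https://deleted.example.net/secret-page", 3),
        (3, "https://docs.example.org/guide", 12),
    ])
    conn.commit()
    conn.execute("DELETE FROM moz_places WHERE id = 2")   # the row the user removed
    conn.commit()
    conn.close()

def demo():
    """Build the sample in a temporary directory, carve it, and clean up."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "places.sqlite")
    try:
        build_sample(path)
        return {"live": live_urls(path), "carved": carve_urls(path),
                "deleted": deleted_candidates(path)}
    finally:
        for name in os.listdir(tmp):
            os.remove(os.path.join(tmp, name))
        os.rmdir(tmp)

if __name__ == "__main__":
    print(demo())
```

On real evidence, run carve_urls over the database copy and over its -wal and -journal files too, since a freshly deleted row can survive there even after the main file has been vacuumed; and treat carved strings as leads to confirm, because a URL can also sit in free space for reasons other than deletion (an earlier update of the same row, for instance).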


Review Firefox Jumplist Entries

Windows stores Firefox launch and recent file access information in Jumplists (.automaticDestinations-ms and .customDestinations-ms). Analyzing these provides:


  • Evidence of Firefox execution.

  • Recently accessed sites and profiles.


Targeted Analysis Using Volume Shadow Copies

Recovering old versions of Firefox’s databases using Windows Volume Shadow Copies (vssadmin list shadows) enables:


  • Timeline reconstruction of browser activity.

  • Recovery of deleted history, bookmarks, and settings.

-------------------------------------------------------------------------------------------------------------


Browser Artifacts             | Firefox 3+                                      | Format
------------------------------+-------------------------------------------------+-------
Internet History              | places.sqlite                                   | SQLite
Cache                         | CACHE<XXX>                                      | N/A
Cookies / Web Storage         | cookies.sqlite / storage / webappsstore.sqlite  | SQLite
Bookmarks                     | places.sqlite                                   | SQLite
Download History              | places.sqlite                                   | SQLite
Auto-Complete / Form History  | formhistory.sqlite / places.sqlite              | SQLite
Installed Extensions          | extensions.json                                 | JSON
Session Restore               | sessionstore.jsonlz4 / sessionstore-backups     | JSON
Preferences / Sync            | prefs.js                                        | JSON

-------------------------------------------------------------------------------------------------------------

Conclusion

Firefox forensic analysis requires a multi-layered approach. By correlating history, cache, cookies, session data, and memory artifacts, investigators can piece together a user’s browsing activity.


Tools for Firefox Forensics:

  • SQLite Browsers (DB Browser for SQLite, Autopsy)

  • Plaso (log2timeline) for timeline creation

  • MozillaCacheView for cache analysis

  • Volatility & Rekall for memory forensics

  • ShadowExplorer for Volume Shadow Copy analysis


By following this structured forensic approach, investigators can extract meaningful evidence, even in cases where users attempt to erase their tracks. 🚀

-------------------------------------------Dean------------------------------------------------


 
 
 
