
Firefox Cache: A Forensic Perspective, Including Parsing

Firefox cache can be a goldmine of evidence. This cache stores web pages, images, and files locally to improve browsing speed, providing forensic investigators with a window into the user’s browsing history and downloaded content.


---------------------------------------------------------------------------------------------------------


Why Firefox Cache Matters in Forensics

The cache isn’t just a list of visited websites—it contains actual content files retrieved during web sessions. This means an examiner can recover cached web pages, media files, and other internet artifacts even if the user tries to delete their history. Additionally, metadata stored in the cache provides timestamps, helping to establish a timeline of online activities.


---------------------------------------------------------------------------------------------------------


Cache Storage and Size Variations

Firefox cache sizes vary depending on the browser version. Earlier versions (pre-4.0) had a fixed cache size of 50MB, while modern versions allow dynamic cache sizing based on available system resources, sometimes reaching up to 1GB.


Investigators can check cache size configurations in the prefs.js file by looking for the browser.cache.disk.capacity value. However, this setting only appears if the user has manually modified the default values. The prefs.js file is stored in the Firefox profile folder, for example:

C:\Users\Akash's\AppData\Roaming\Mozilla\Firefox\Profiles\8teby4gw.default-release

To manually inspect cache settings, type about:config in the Firefox address bar.


---------------------------------------------------------------------------------------------------------

Cache Storage Locations

The cache storage structure has changed significantly over time. Understanding these changes is crucial for forensic investigations.


For older systems like Windows XP, the location was:


%UserProfile%\Local Settings\Application Data\Mozilla\Firefox\Profiles\<random text>.default\Cache

The cache structure in these versions was complex, requiring specialized tools to parse. The cache files were divided into different components:


  • Cache Map: The index file that tracks stored cache entries.

  • Cache Block Files (CACHE_001, CACHE_002, etc.): Containers storing multiple cached files and metadata.

  • Cache Data Files: Randomly named files created when content was too large for Cache Block files.


Firefox Versions Before 32

Before Firefox 32, the cache was stored in:

%UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\<random text>.default\Cache


Firefox 32 and Later

Mozilla introduced a new, simplified cache structure in Firefox 32 for improved speed and flexibility. The cache is now stored in:


%UserProfile%\AppData\Local\Mozilla\Firefox\Profiles\<random text>.default\cache2\entries

Each cached file is stored individually, making it easier for forensic analysis. Unlike older versions, no additional database is needed to map cache entries. Metadata is directly appended to each cached file.


Key Metadata in Firefox Cache

Forensic investigators can extract the following details from Firefox cache:


| Attribute | Description |
|---|---|
| URL | Identifies the website the cached content originates from. |
| Fetch Count | Indicates how often a cached file has been accessed. |
| Missing Status | Shows whether the cached file still exists or has been purged due to cache control settings. |
| Filename | The original name of the downloaded content. |
| Content Type | Specifies the type of file stored (HTML, JavaScript, images, etc.). |
| File Size | Reveals the size of the cached content. |
| Last Modified Time | Records when the file was last updated in the cache. |
| Last Fetched Time | Shows the last time the cached content was accessed, indicating recent visits. |
| Response Header | Stores the full HTTP header, which includes encoding details, cache control settings, server information, and timestamp. |


Analyzing Firefox Cache Files

Investigators can manually examine Firefox cache by navigating to the cache directory and reviewing stored files. Since metadata is appended to each cached file in modern versions, tools like strings or hex editors can extract useful details. However, automated tools like MozillaCacheView and FTK Imager streamline the process by presenting a structured view of cache entries.
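The manual examination described above can be scripted. This is an added example, not code from the original post or from Mozilla: it assumes the cache2 entry layout as understood from Firefox's CacheFileMetadata source (body, 4-byte checksum, one 2-byte hash per 256 KiB chunk, big-endian header, key, NUL-separated elements, 4-byte metadata offset), and the function names and the sample entry are constructed for illustration.

```python
import struct
from datetime import datetime, timezone

CHUNK = 256 * 1024  # assumed cache2 chunk size: one 2-byte hash per body chunk

def _utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()

def parse_cache2_entry(raw: bytes) -> dict:
    """Split one cache2 entry into body and trailing metadata (assumed layout)."""
    if len(raw) < 4:
        raise ValueError("too short to be a cache2 entry")
    # The final 4 bytes hold the big-endian offset where metadata begins (= body size).
    (meta_off,) = struct.unpack(">I", raw[-4:])
    n_hashes = -(-meta_off // CHUNK)              # ceiling division
    hdr = meta_off + 4 + 2 * n_hashes             # skip checksum and chunk hashes
    if hdr + 28 > len(raw) - 4:
        raise ValueError("metadata offset points outside the file")
    ver, fetches, fetched, modified, _frecency, expires, key_len = struct.unpack(
        ">7I", raw[hdr:hdr + 28])
    pos = hdr + 28 + (4 if ver >= 2 else 0)       # version 2+ adds a flags word
    key = raw[pos:pos + key_len].decode("latin-1")
    # After the NUL-terminated key: alternating NUL-terminated element names and values.
    parts = raw[pos + key_len + 1:-4].split(b"\0")[:-1]
    elements = dict(zip(parts[0::2], parts[1::2]))
    return {
        "url": key.partition(":")[2],             # tags precede the first ':' in the key
        "body": raw[:meta_off],
        "fetch_count": fetches,
        "last_fetched": _utc(fetched),
        "last_modified": _utc(modified),
        "expires": _utc(expires),
        "response_head": elements.get(b"response-head", b"").decode("latin-1"),
    }

def build_sample() -> bytes:
    """Constructed entry for offline testing; checksum and chunk hash are zeroed."""
    body = b"<html>constructed body</html>"
    key = b":https://example.test/index.html"
    header = struct.pack(">8I", 3, 2, 1700000100, 1700000000, 0, 1700086400, len(key), 0)
    elems = b"request-method\0GET\0response-head\0HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\0"
    return body + b"\0" * 6 + header + key + b"\0" + elems + struct.pack(">I", len(body))

if __name__ == "__main__":
    for name, value in parse_cache2_entry(build_sample()).items():
        print(f"{name}: {value!r}")
```

Run it against copies of files taken from cache2\entries rather than the originals, and cross-check the decoded values against a dedicated tool before relying on them.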


-----------------------------------------------------------------------------------------------------------


Tools for parsing and analyzing cache

MZCacheView: A User-Friendly Solution for Cache Analysis

One of the most effective tools for parsing Firefox cache files is MZCacheView, previously known as MozillaCacheView. This lightweight utility from NirSoft extracts and presents cache data in an easy-to-read format.


Columns important to analysis in MZCacheView:

| Attribute | Description |
|---|---|
| File name | The name of the downloaded file. |
| Content type | Indicates the file format (e.g., HTML, PNG, JSON). |
| URL | The specific web address the file originated from. |
| File size | The size of the stored file. |
| Fetch count | Number of times the file has been retrieved from the cache. |
| Last modified | The timestamp indicating when the file was cached. |
| Last fetched | The most recent time the file was accessed. |
| Expiration time | The server-defined expiry date for the cached file. |
| Encoding type | Specifies whether the content was compressed (e.g., Gzip). |
| Server details | Metadata from the HTTP response, including server name, last modified date, ETag, and response code. |


Key Features of MZCacheView:

✔ Displays all cached files with metadata.

✔ Provides filtering options for targeted analysis.

✔ Exports selected files for further investigation.

✔ Helps reconstruct browsing activity.


Using MZCacheView for Forensics:

  1. Close Firefox: Since cache files are locked when Firefox is running, ensure the browser is closed before analysis.

  2. Launch MZCacheView: Open the tool and let it automatically detect and list cache entries.

  3. Filter and analyze: Sort results based on file type, URL, or modification time.

  4. Export relevant files: Extract necessary cache entries for further review.


By using this tool, analysts can piece together a user's web activity, including visited sites, downloaded files, and accessed resources.

-----------------------------------------------------------------------------------------------------------



Rebuilding Webpages from Cache: A Hidden Goldmine

Beyond just extracting cached files, some forensic tools can reconstruct entire webpages from stored data. This capability allows investigators to see exactly what a user saw at a given time, even if the original webpage has changed or been deleted.


Popular Tools for Webpage Reconstruction:

✔ Foxton Browser History Examiner - Offers in-depth cache analysis and webpage rebuilding.

✔ AXIOM - A commercial tool used for advanced browser forensics.

✔ NetAnalysis - Specializes in browser history and cache reconstruction.


By isolating cached elements like HTML, CSS, and JavaScript, these tools recreate snapshots of previously visited sites. This is especially useful in cases where a suspect accessed a webpage that no longer exists.


-----------------------------------------------------------------------------------------------------------


Final Thoughts

Whether using MZCacheView for a user-friendly approach automation, these tools help forensic analysts piece together digital trails effectively. With proper techniques and best practices, investigators can turn browser cache data into compelling evidence in digital investigations.


---------------------------------------------Dean------------------------------------------------------



 
 
 
