Firefox Cookies / Download History / Auto-Complete Data: A Forensic Perspective

Web browsers are treasure troves of digital artifacts, often holding crucial evidence in forensic investigations. Among them, Mozilla Firefox stands out with its rich history storage, cookie management, and download tracking.


-------------------------------------------------------------------------------------------------------------


Why Firefox Artifacts Matter in Investigations

Each browser artifact stores different aspects of a user's online activity. There’s no single file that contains everything an investigator needs. For example, while the history file shows visited websites, cookies can reveal additional sites, login sessions, and even data from deleted history records.


Firefox collects and stores these digital footprints in structured SQLite databases, making forensic analysis more streamlined yet requiring proper querying techniques.


-------------------------------------------------------------------------------------------------------------


Tracking Cookies: The Hidden Trail of User Activity

Cookies are small files websites use to store session details, login tokens, and user preferences. Unlike history files, cookies often persist longer and provide information even after users delete their browsing history.


Firefox Cookie Storage

Firefox consolidates all cookies into a single SQLite database named cookies.sqlite. This database stores:



  • Cookie name – Identifies the specific cookie

  • Domain/Host – The website that created the cookie

  • Value – The data stored within the cookie

  • Creation and last accessed times – Useful for timeline analysis



Analyzing Cookies with NirSoft MZCookiesView

One of the easiest ways to examine Firefox cookies is by using MZCookiesView, a free tool by NirSoft. Investigators can:

  • Load the cookies.sqlite file

  • Sort and filter cookies by domain, value, or timestamp

  • View detailed cookie properties by right-clicking any entry


Cookies can reveal previously accessed sites, user preferences, and authentication tokens that might still be valid.


-------------------------------------------------------------------------------------------------------------

Questions you must ask while investigating cookies:

| Investigative Questions | cookies.sqlite |
| --- | --- |
| What website domain issued the cookie? | host |
| What is the cookie name? | name |
| Should the cookie only be sent in encrypted sessions? | isSecure |
| What values/preferences were stored? | value |
| When was the cookie created? | creationTime |
| When was the cookie/site last accessed? | lastAccessed |
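
An added example (not from the original post and not NirSoft's code) of the cross-check described earlier, where cookies reveal sites that history no longer shows: it lists cookies in cookies.sqlite whose host matches no URL left in places.sqlite. The moz_cookies and moz_places table names come from Firefox's schema rather than this page, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

def prtime(us):
    """PRTime (microseconds since 1970-01-01 UTC) -> ISO 8601 string."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()

def cookies_without_history(cookies_db, places_db):
    """Return cookies whose host matches no URL still present in moz_places."""
    visited = set()
    query = "SELECT url FROM moz_places WHERE url IS NOT NULL"
    for (url,) in places_db.execute(query):
        host = urlsplit(url).hostname  # None for internal "place:" entries
        if host:
            visited.add(host.lower())
    orphans = []
    rows = cookies_db.execute(
        "SELECT host, name, isSecure, creationTime, lastAccessed "
        "FROM moz_cookies ORDER BY lastAccessed")
    for host, name, secure, created, accessed in rows:
        domain = host.lstrip(".").lower()  # domain cookies are stored as ".example.com"
        if not any(h == domain or h.endswith("." + domain) for h in visited):
            orphans.append((domain, name, bool(secure), prtime(created), prtime(accessed)))
    return orphans

def build_sample():
    """Constructed rows on reduced schemas (not real case data)."""
    cookies = sqlite3.connect(":memory:")
    cookies.execute("CREATE TABLE moz_cookies (host TEXT, name TEXT, value TEXT,"
                    " isSecure INTEGER, creationTime INTEGER, lastAccessed INTEGER)")
    cookies.executemany("INSERT INTO moz_cookies VALUES (?,?,?,?,?,?)", [
        (".example.com", "session", "abc", 1, 1700000000000000, 1700003600000000),
        ("files.example.net", "prefs", "lang=en", 0, 1700001000000000, 1700002000000000),
    ])
    places = sqlite3.connect(":memory:")
    places.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT)")
    places.execute("INSERT INTO moz_places (url) VALUES ('https://www.example.com/login')")
    return cookies, places

if __name__ == "__main__":
    for row in cookies_without_history(*build_sample()):
        print(row)
```

For a real case, pass sqlite3 connections opened on working copies of cookies.sqlite and places.sqlite instead of the sample.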

-------------------------------------------------------------------------------------------------------------


Firefox Download History: What Files Were Accessed?

Firefox maintains a detailed log of every file downloaded by a user. This artifact is crucial for tracking malicious activities or identifying unauthorized data transfers.


Where is Download History Stored?

  • Before Firefox 26 – Downloads were stored in a dedicated database, downloads.sqlite.

    (The table below lists what to look for.)

| Investigative Questions | downloads.sqlite |
| --- | --- |
| What was the file name? | name |
| What was the file type? | mimeType |
| Where was the file downloaded from? | source |
| What was the referring page? | referrer |
| Where was the file saved? | target |
| What application was used to open the file? | preferredApplication |
| When did the download start? | startTime |
| When did the download end? | endTime |
| How large was the download? | maxBytes |
| Was the download successful? | state |

  • Firefox 26 and later – Download history was merged into places.sqlite, making investigations more complex. (The table below lists what to look for.)

| Investigative Questions | places.sqlite Table: moz_annos |
| --- | --- |
| What was the filename? | place_id (ref. moz_places) |
| Where was the file downloaded from? | place_id (ref. moz_places) |
| Where was the file saved? | content (file:///) |
| When did the download end? | content (endTime) |
| How large was the download? | content (fileSize) |
| Was the download successful? | content (state) |


Extracting Download Information

To analyze download history in places.sqlite, forensic investigators should focus on:

  • moz_annos Table – Stores metadata, including download location, status, and timestamps (in PRTime format; use DCode to parse the time).

  • moz_places Table – Holds URLs associated with downloads (identified by place_id).


Correlation:

A download is marked successful with state = 1. If a user cancels or encounters an error, different state values are assigned:


  • 2 = Error occurred, download aborted

  • 3 = Download canceled

  • 4 = Download paused
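
An added example (not from the original post) of the moz_annos to moz_places correlation described above: it joins the download annotations to their source URL through place_id and decodes the state codes listed here. The moz_anno_attributes table and the downloads/destinationFileURI and downloads/metaData annotation names come from the places.sqlite schema rather than this page, and the sample rows are constructed.

```python
import json
import sqlite3
from datetime import datetime, timezone

STATES = {1: "successful", 2: "error, aborted", 3: "canceled", 4: "paused"}  # as listed above

QUERY = """
SELECT p.url, n.name, a.content, a.dateAdded
FROM moz_annos a
JOIN moz_anno_attributes n ON n.id = a.anno_attribute_id
JOIN moz_places p ON p.id = a.place_id
WHERE n.name IN ('downloads/destinationFileURI', 'downloads/metaData')
ORDER BY a.place_id, a.dateAdded
"""

def downloads(db):
    """Merge each download's annotation rows into one record per source URL.
    dateAdded is PRTime (microseconds since 1970-01-01 UTC)."""
    out = {}
    for url, name, content, added in db.execute(QUERY):
        rec = out.setdefault(url, {"source": url})
        rec["recorded"] = datetime.fromtimestamp(added / 1e6, tz=timezone.utc).isoformat()
        if name == "downloads/destinationFileURI":
            rec["target"] = content
        else:
            meta = json.loads(content)
            rec["state"] = STATES.get(meta.get("state"), f"other ({meta.get('state')})")
            rec["fileSize"] = meta.get("fileSize")
            rec["endTime_raw"] = meta.get("endTime")  # left unconverted; confirm the unit first
    return list(out.values())

def build_sample():
    """Constructed rows on a reduced places.sqlite schema (not real case data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos (place_id INTEGER, anno_attribute_id INTEGER,
                                content TEXT, dateAdded INTEGER);
        INSERT INTO moz_places VALUES (7, 'https://downloads.example.org/report.zip');
        INSERT INTO moz_anno_attributes VALUES (1, 'downloads/destinationFileURI'),
                                               (2, 'downloads/metaData');
        INSERT INTO moz_annos VALUES
          (7, 1, 'file:///C:/Users/analyst/Downloads/report.zip', 1700000000000000),
          (7, 2, '{"state":3,"endTime":1700000060000,"fileSize":52431}', 1700000000000000);
    """)
    return db

if __name__ == "__main__":
    print(downloads(build_sample()))
```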


Identifying Default and Last Used Download Folders

Firefox records the user's preferred download directory in the prefs.js file within the profile folder. The settings include:

  • browser.download.dir – The default download folder.

  • browser.download.lastDir – The last folder used for downloads.


The default location is typically %UserProfile%\Downloads\, but users often change it.


An easier way:

Using NirSoft FirefoxDownloadsView

The FirefoxDownloadsView tool allows easy examination of download history, showing filenames, source URLs, timestamps, and file locations.



-------------------------------------------------------------------------------------------------------------

Auto-Complete Data: What Was Typed?

Auto-complete data provides a fascinating insight into what users have typed into forms, search bars, and login fields. This includes:


  • Email addresses

  • Usernames

  • Search queries

  • Personal details like addresses and phone numbers


Firefox Auto-Complete Storage

Firefox stores auto-complete data in formhistory.sqlite, logging:


  • Field name (e.g., email, username)

  • Value entered

  • Number of times used

  • First and last used timestamps

This artifact is particularly useful when tracking user intent and potential account credentials. However, since auto-filled data isn’t tied to specific websites, timestamps must be correlated with browsing history for better accuracy.


Converting Firefox Timestamps

Firefox timestamps use PRTime format, which represents time in microseconds since January 1, 1970. To convert them into a readable format, forensic tools like DCode can be used.


| Investigative Questions | formhistory.sqlite |
| --- | --- |
| What type of form was the data entered into? | fieldname |
| What was the data typed by the user? | value |
| How many times has the value been used? | timesUsed |
| When was the data first typed in? | firstUsed |
| When is the last time the data was used? | lastUsed |
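
An added example (not from the original post) of correlating auto-complete entries with browsing history, as recommended above: for each form value it lists the URLs visited close to its firstUsed and lastUsed times. The moz_formhistory and moz_historyvisits table names come from Firefox's schema rather than this page, the two-minute window is an assumption to tune per case, and the sample rows are constructed.

```python
import sqlite3
from datetime import datetime, timezone

WINDOW_US = 120 * 1_000_000  # assumed window of +/- 2 minutes, in PRTime microseconds

def prtime(us):
    """PRTime (microseconds since 1970-01-01 UTC) -> ISO 8601 string."""
    return datetime.fromtimestamp(us / 1_000_000, tz=timezone.utc).isoformat()

VISITS = ("SELECT p.url FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id "
          "WHERE v.visit_date BETWEEN ? AND ?")

def correlate(form_db, places_db, window=WINDOW_US):
    """Attach to each form entry the URLs visited near its firstUsed/lastUsed times."""
    results = []
    entries = form_db.execute("SELECT fieldname, value, timesUsed, firstUsed, lastUsed "
                              "FROM moz_formhistory ORDER BY firstUsed")
    for field, value, times, first, last in entries:
        hits = set()
        for stamp in {first, last}:
            rows = places_db.execute(VISITS, (stamp - window, stamp + window))
            hits.update(url for (url,) in rows)
        results.append({"fieldname": field, "value": value, "timesUsed": times,
                        "firstUsed": prtime(first), "lastUsed": prtime(last),
                        "candidate_urls": sorted(hits)})  # empty: no visit survives nearby
    return results

def build_sample():
    """Constructed rows on reduced schemas (not real case data)."""
    form = sqlite3.connect(":memory:")
    form.execute("CREATE TABLE moz_formhistory (fieldname TEXT, value TEXT,"
                 " timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER)")
    form.executemany("INSERT INTO moz_formhistory VALUES (?,?,?,?,?)", [
        ("email", "user@example.com", 3, 1700000000000000, 1700086400000000),
        ("searchbar-history", "vpn setup", 1, 1700050000000000, 1700050000000000)])
    places = sqlite3.connect(":memory:")
    places.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES (1, 'https://mail.example.com/login'),
            (2, 'https://shop.example.net/checkout'), (3, 'https://news.example.org/');
        INSERT INTO moz_historyvisits VALUES (1, 1700000030000000),
            (2, 1700086350000000), (3, 1700020000000000);
    """)
    return form, places

if __name__ == "__main__":
    for row in correlate(*build_sample()):
        print(row)
```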


-----------------------------------------------------------------------------------------------------------


Conclusion: Piecing the Puzzle Together

Forensic analysis is all about correlation—no single artifact tells the full story. Combining multiple artifacts and timeline analysis is key to uncovering the truth.


-----------------------------------------------Dean-----------------------------------------------------

 
 
 
