
Web browsers are treasure troves of digital artifacts, often holding crucial evidence in forensic investigations. Among them, Mozilla Firefox stands out with its rich history storage, cookie management, and download tracking.
-------------------------------------------------------------------------------------------------------------
Why Firefox Artifacts Matter in Investigations
Each browser artifact stores different aspects of a user's online activity. There’s no single file that contains everything an investigator needs. For example, while the history file shows visited websites, cookies can reveal additional sites, login sessions, and even data from deleted history records.
Firefox collects and stores these digital footprints in structured SQLite databases, which streamlines forensic analysis but requires proper querying techniques.
-------------------------------------------------------------------------------------------------------------
Tracking Cookies: The Hidden Trail of User Activity
Cookies are small files websites use to store session details, login tokens, and user preferences. Unlike history files, cookies often persist longer and provide information even after users delete their browsing history.
Firefox Cookie Storage
Firefox consolidates all cookies into a single SQLite database named cookies.sqlite. This database stores:

Cookie name – Identifies the specific cookie
Domain/Host – The website that created the cookie
Value – The data stored within the cookie
Creation and last accessed times – Useful for timeline analysis

Analyzing Cookies with NirSoft MZCookiesView
One of the easiest ways to examine Firefox cookies is by using MZCookiesView, a free tool by NirSoft. Investigators can:

Load the cookies.sqlite file
Sort and filter cookies by domain, value, or timestamp
View detailed cookie properties by right-clicking any entry
Cookies can reveal previously accessed sites, user preferences, and authentication tokens that might still be valid.
-------------------------------------------------------------------------------------------------------------
Questions you must ask while investigating cookies:
Investigative Questions | cookies.sqlite |
What website domain issued the cookie? | host |
What is the cookie name? | name |
Should the cookie only be sent in encrypted sessions? | isSecure |
What values/preferences were stored? | value |
When was the cookie created? | creationTime |
When was the cookie/site last accessed? | lastAccessed |
-------------------------------------------------------------------------------------------------------------
Firefox Download History: What Files Were Accessed?
Firefox maintains a detailed log of every file downloaded by a user. This artifact is crucial for tracking malicious activities or identifying unauthorized data transfers.
Where is Download History Stored?
Before Firefox 26 – Downloads were stored in a dedicated database, downloads.sqlite.
The table below lists what to look for.
Investigative Questions | downloads.sqlite |
What was the file name? | name |
What was the file type? | mimeType |
Where was the file downloaded from? | source |
What was the referring page? | referrer |
Where was the file saved? | target |
What application was used to open the file? | preferredApplication |
When did the download start? | startTime |
When did the download end? | endTime |
How large was the download? | maxBytes |
Was the download successful? | state |
Firefox 26 and later – Download history was merged into places.sqlite, making investigations more complex. The table below lists what to look for.
Investigative Questions | places.sqlite Table: moz_annos |
What was the filename? | place_id (ref. moz_places) |
Where was the file downloaded from? | place_id (ref. moz_places) |
Where was the file saved? | content (file:///) |
When did the download end? | content (endTime) |
How large was the download? | content (fileSize) |
Was the download successful? | content (state) |
Extracting Download Information
To analyze download history in places.sqlite, forensic investigators should focus on:
moz_annos Table – Stores metadata, including download location, status, and timestamps (in PRTime format; use DCode to parse the time).
moz_places Table – Holds URLs associated with downloads (identified by place_id).
Correlation:

A download is marked successful with state = 1. If a user cancels or encounters an error, different state values are assigned:
2 = Error occurred, download aborted
3 = Download canceled
4 = Download paused
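The moz_annos to moz_places correlation described above, as an added example that is not part of the original post. The in-memory database is a constructed stand-in for places.sqlite reduced to the columns used here; the JSON layout of the metadata row and the millisecond unit of its endTime are assumptions to verify against a known download.

```python
import json
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# State values as listed on this page.
STATES = {1: "successful", 2: "error, aborted", 3: "canceled", 4: "paused"}

def prtime_to_utc(prtime):
    """PRTime is microseconds since January 1, 1970 (UTC)."""
    return EPOCH + timedelta(microseconds=prtime)

def build_sample_db():
    """Constructed sample data standing in for places.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
                                content TEXT, dateAdded INTEGER);
    """)
    db.execute("INSERT INTO moz_places VALUES (7, 'https://files.example.test/report.zip')")
    meta = json.dumps({"state": 1, "endTime": 1700000005000, "fileSize": 52431})
    db.executemany(
        "INSERT INTO moz_annos (place_id, content, dateAdded) VALUES (?, ?, ?)",
        [(7, "file:///C:/Users/alice/Downloads/report.zip", 1700000000000000),
         (7, meta, 1700000000000000)])
    return db

def download_records(db):
    """Join moz_annos to moz_places on place_id; merge annotations per download."""
    records = {}
    rows = db.execute("""SELECT p.id, p.url, a.content, a.dateAdded
                         FROM moz_annos a JOIN moz_places p ON p.id = a.place_id
                         ORDER BY a.id""")
    for place_id, url, content, added in rows:
        rec = records.setdefault(place_id, {"source": url, "added": prtime_to_utc(added)})
        if content.startswith("file:///"):
            rec["saved_to"] = content          # where the file was saved
        else:
            meta = json.loads(content)         # assumed JSON metadata row
            rec["state"] = STATES.get(meta["state"], f"unknown ({meta['state']})")
            rec["size"] = meta["fileSize"]
            # Assumption: endTime in the JSON is milliseconds, not PRTime.
            rec["ended"] = EPOCH + timedelta(milliseconds=meta["endTime"])
    return list(records.values())

if __name__ == "__main__":
    for rec in download_records(build_sample_db()):
        print(rec)
```

On real evidence, run the same join against a working copy of places.sqlite opened read-only, never against the original file.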
Identifying Default and Last Used Download Folders
Firefox records the user's preferred download directory in the prefs.js file within the profile folder. The settings include:
browser.download.dir – The default download folder.
browser.download.lastDir – The last folder used for downloads.
The default location is typically %UserProfile%\Downloads\, but users often change it.
An easier way is described below.
Using NirSoft FirefoxDownloadsView
The FirefoxDownloadsView tool allows easy examination of download history, showing filenames, source URLs, timestamps, and file locations.

-------------------------------------------------------------------------------------------------------------
Auto-Complete Data: What Was Typed?
Auto-complete data provides a fascinating insight into what users have typed into forms, search bars, and login fields. This includes:
Email addresses
Usernames
Search queries
Personal details like addresses and phone numbers
Firefox Auto-Complete Storage
Firefox stores auto-complete data in formhistory.sqlite, logging:
Field name (e.g., email, username)
Value entered
Number of times used
First and last used timestamps

This artifact is particularly useful when tracking user intent and potential account credentials. However, since auto-filled data isn’t tied to specific websites, timestamps must be correlated with browsing history for better accuracy.
Converting Firefox Timestamps
Firefox timestamps use PRTime format, which represents time in microseconds since January 1, 1970. To convert them into a readable format, forensic tools like DCode can be used.
Investigative Questions | formhistory.sqlite |
What type of form was the data entered into? | fieldname |
What was the data typed by the user? | value |
How many times has the value been used? | timesUsed |
When was the data first typed in? | firstUsed |
When is the last time the data was used? | lastUsed |
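One way to correlate form-history timestamps with browsing history, as an added example that is not part of the original post. All rows are constructed; moz_historyvisits and its visit_date column belong to places.sqlite and are not named on this page, both databases are placed in one in-memory connection for brevity (real profiles keep them in separate files), and the two-minute window is an arbitrary choice.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WINDOW_US = 120 * 1_000_000  # constructed choice: visits within 2 minutes

def prtime_to_utc(prtime):
    """PRTime is microseconds since January 1, 1970 (UTC)."""
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=prtime)

def build_sample_db():
    """Constructed rows standing in for formhistory.sqlite and places.sqlite."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_formhistory (fieldname TEXT, value TEXT, timesUsed INTEGER,
                                      firstUsed INTEGER, lastUsed INTEGER);
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT);
        CREATE TABLE moz_historyvisits (place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_formhistory VALUES
            ('email', 'alice@example.test', 3, 1700000000000000, 1700000090000000),
            ('searchbar-history', 'vpn setup', 1, 1700009000000000, 1700009000000000);
        INSERT INTO moz_places VALUES (1, 'https://mail.example.test/login'),
                                      (2, 'https://news.example.test/');
        INSERT INTO moz_historyvisits VALUES (1, 1700000060000000),
                                             (2, 1700005000000000);
    """)
    return db

def correlate(db, window_us=WINDOW_US):
    """For each form entry, find the visit closest to lastUsed inside the window."""
    out = []
    entries = db.execute("""SELECT fieldname, value, timesUsed, lastUsed
                            FROM moz_formhistory ORDER BY lastUsed""").fetchall()
    for field, value, used, last in entries:
        hit = db.execute("""
            SELECT p.url, v.visit_date FROM moz_historyvisits v
            JOIN moz_places p ON p.id = v.place_id
            WHERE ABS(v.visit_date - ?) <= ?
            ORDER BY ABS(v.visit_date - ?) LIMIT 1""",
            (last, window_us, last)).fetchone()
        out.append({"field": field, "value": value, "timesUsed": used,
                    "lastUsed": prtime_to_utc(last),
                    "nearest_url": hit[0] if hit else None,      # None: no visit nearby
                    "gap_seconds": abs(hit[1] - last) / 1e6 if hit else None})
    return out

if __name__ == "__main__":
    for row in correlate(build_sample_db()):
        print(row)
```

A match only shows that a page was visited near the time the value was used; entries with no nearby visit may point to cleared history and are worth checking against cookies.sqlite.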
-----------------------------------------------------------------------------------------------------------
Conclusion: Piecing the Puzzle Together
Forensic analysis is all about correlation—no single artifact tells the full story. Combining multiple artifacts and timeline analysis is key to uncovering the truth.
-----------------------------------------------Dean-----------------------------------------------------