
Firefox Privacy Settings and Firefox Extensions as well as synchronization: A Forensic Deep Dive

  • Mar 14

Mozilla Firefox, one of the most widely used web browsers, offers users extensive customization options, privacy controls, and synchronization capabilities. From a forensic perspective, these features generate crucial artifacts that can provide valuable insights during investigations.


--------------------------------------------------------------------------------------------------------

Firefox Privacy Settings & Their Impact on Artifacts

Firefox provides users with extensive privacy controls through the about:preferences page.

These settings influence how browsing data is stored and cleared, impacting the forensic artifacts left behind.


  • Browsing and Download History: Deletes stored history, auto-complete suggestions, and downloads from places.sqlite.

  • Active Logins: Removes all session cookies from memory.

  • Form and Search History: Clears auto-fill data from formhistory.sqlite.

  • Cookies: Deletes saved cookies, including Flash cookies, from cookies.sqlite.

  • Cache: Clears the browser cache directory.

  • Site Preferences: Removes site-specific settings stored in prefs.js.

  • Offline Website Data: Deletes cached offline website data.


User preferences regarding privacy settings are saved in the prefs.js file within the Firefox profile folder, which is a crucial file for forensic examination.


--------------------------------------------------------------------------------------------------------


Firefox Extensions & Add-ons: A Digital Fingerprint

Firefox’s extension ecosystem enables users to enhance their browsing experience, but it also leaves behind digital footprints.


  • Cookie Manipulation Tools (e.g., Cookie Editor): Could indicate potential tampering with web authentication.

  • Privacy-focused Extensions (e.g., Tor Control): Suggests possible anonymity-seeking behavior.


Where is Extension Data Stored?

  • Modern Versions (Post Firefox 25): Extensions are now stored in extensions.json, which contains details like:


    • Extension name

    • Installation source

    • Install/update timestamps (PRTime format)

    • Whether the extension was enabled at the time of evidence acquisition


  • Older Versions (Firefox 4-24): Extensions were previously managed in extensions.sqlite and addons.sqlite.
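
Added example (not from the original post or from Mozilla): a Python parser that pulls the fields listed above out of extensions.json. The JSON field names used (addons, defaultLocale.name, sourceURI, installDate, updateDate, active) and the size-based detection of the timestamp unit are assumptions not stated on the page; the sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample shaped like extensions.json (not real evidence). The two
# entries deliberately use different timestamp units to exercise to_utc().
SAMPLE = json.dumps({"addons": [
    {"id": "cookie-editor@example.invalid",
     "defaultLocale": {"name": "Cookie Editor"},
     "sourceURI": "https://addons.example.invalid/cookie-editor.xpi",
     "installDate": 1700000000000000, "updateDate": 1700000000000000,
     "active": True},
    {"id": "notes@example.invalid", "defaultLocale": {"name": "Notes"},
     "sourceURI": None, "installDate": 1700000000000,
     "updateDate": 1700086400000, "active": False},
]})

def to_utc(value):
    """Convert an epoch timestamp to ISO-8601 UTC, inferring the unit by size."""
    if not value:
        return None
    if value > 10**14:        # microseconds since epoch (PRTime)
        seconds = value / 1_000_000
    elif value > 10**11:      # milliseconds since epoch
        seconds = value / 1_000
    else:                     # plain seconds
        seconds = value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()

def list_extensions(raw):
    """Return one record per add-on with the fields an examiner reports on."""
    rows = []
    for addon in json.loads(raw).get("addons", []):
        rows.append({
            "id": addon.get("id"),
            "name": (addon.get("defaultLocale") or {}).get("name"),
            "source": addon.get("sourceURI"),
            "installed": to_utc(addon.get("installDate")),
            "updated": to_utc(addon.get("updateDate")),
            "enabled": bool(addon.get("active")),
        })
    return rows

if __name__ == "__main__":
    for row in list_extensions(SAMPLE):
        print(row)
```

Record the raw integer alongside the converted value in case notes so the conversion can be re-checked.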


------------------------------------------------------------------------------------------------------------


Firefox Sync: Synchronization Across Devices

Firefox Sync is a powerful feature that allows users to synchronize browsing data across multiple devices, including bookmarks, passwords, history, open tabs, and even installed extensions.


How Sync Works

  1. Local data is encrypted and uploaded to Mozilla’s sync server.

  2. Other devices signed into the same Firefox account can pull and decrypt this data.

  3. The sync frequency varies but typically occurs every 10 minutes or whenever significant changes happen.

  4. Users can force an immediate sync through the browser menu.


How to Identify Sync Artifacts?

Investigators can determine if Firefox Sync is enabled by examining the prefs.js file. Look for entries beginning with services.sync., including:


  • services.sync.username → Stores the user’s Firefox account email.

  • services.sync.engine.* (addons, bookmarks, history, passwords, prefs, tabs) → Indicates what data is being synchronized.

  • signedinuser.json → Contains sync-related user details.


Some additional Sync entries:

services.sync.engine.addons

services.sync.engine.bookmarks

services.sync.engine.history

services.sync.engine.passwords

services.sync.engine.prefs

services.sync.engine.tabs



Additionally, client.devices logs the number of devices linked to the Firefox account, categorized by desktop and mobile platforms.
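
Added example (not from the original post): a Python routine that reads a prefs.js body and summarises its services.sync.* entries. It assumes the usual one-per-line user_pref("name", value); syntax; the function names and the sample file content are constructed for illustration.

```python
import json
import re

# Constructed prefs.js excerpt (not real evidence); the address is a placeholder.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("services.sync.username", "analyst@example.invalid");
user_pref("services.sync.engine.addons", false);
user_pref("services.sync.engine.passwords", true);
user_pref("services.sync.engine.tabs", true);
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+)\);\s*$')
ENGINE_RE = re.compile(r"services\.sync\.engine\.([^.]+)")

def parse_prefs(text):
    """Map every user_pref name in a prefs.js body to its decoded value."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue                       # comments and blank lines
        name, raw = m.groups()
        try:
            prefs[name] = json.loads(raw)  # strings, booleans, integers
        except ValueError:
            prefs[name] = raw              # keep undecodable values verbatim
    return prefs

def sync_summary(text):
    """Summarise the services.sync.* entries found in prefs.js."""
    sync = {k: v for k, v in parse_prefs(text).items()
            if k.startswith("services.sync.")}
    engines = {}
    for name, value in sync.items():
        m = ENGINE_RE.fullmatch(name)
        if m and isinstance(value, bool):
            engines[m.group(1)] = value
    return {
        "username": sync.get("services.sync.username"),
        "engines_on": sorted(e for e, on in engines.items() if on),
        "engines_off": sorted(e for e, on in engines.items() if not on),
        "all_sync_prefs": sync,
    }

if __name__ == "__main__":
    print(sync_summary(SAMPLE_PREFS))
```

prefs.js records only preferences whose values differ from the built-in defaults, so an engine absent from the output is at its default rather than proven off.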

Can Sync Data Be Forensically Retrieved?

While synced data is encrypted before being sent to Mozilla’s servers, you can still retrieve locally stored data from the browser’s profile folder. For organizations looking to disable sync, settings can be enforced through the Mozilla.cfg configuration file.


What Gets Synced?


  • Browsing History: The last 30 days of history is synced upon initial sync.

  • Bookmarks: Saved bookmarks are replicated across devices.

  • Preferences (prefs.js): Customized browser settings are retained.

  • Form History: Includes autofill data and saved entries.

  • Add-ons & Extensions: Installed add-ons and their settings.

  • Logins & Passwords: Saved credentials.

  • Open Tabs: Active browsing sessions are accessible from any linked device.


What Doesn't Get Synced?


  • Download History: Although downloads are not explicitly synced, evidence of downloads (visit_type 7 entries) is stored in the moz_historyvisits table.

  • Cache Data: Locally stored site content remains device-specific.

  • Favicons: Icons representing visited sites are not transferred.

  • Webappstore Databases: Any stored web application data remains local.


-------------------------------------------------------------------------------------------------------------

Distinguishing Local vs. Synced Data

Because Firefox does not label whether data originated from a local browsing session or was synced from another device, analysts need to look for patterns and anomalies.


Here are a few methods to identify synced data:


  1. Check visit_type in moz_historyvisits Table:

    • If an entry has a visit_type of 1 (link-followed visit), the from_visit field should reference a non-zero place_id, indicating the originating page.


  2. Look for Missing Data in Certain Tables:

    • Description & preview_image_url Fields: These fields should contain data in locally visited entries but will often be null for synced ones.

    • Favicons Database (favicons.sqlite): If a site is visited locally, its favicon should be stored. A missing favicon may indicate a synced entry.

    • Webappstore.sqlite Database: Synced entries typically lack corresponding data here.

    • Cache2 Folder: If no cached files exist for a site, it might have been synced rather than visited directly.


  3. Check Cookies:

    • Synced sites only store a small subset of cookies, whereas locally visited sites tend to store a large number of cookies.


  4. Download History Verification:

    • If an entry in moz_historyvisits has a visit_type of 7 (download indication) but lacks a corresponding entry in moz_annos, the download was likely performed on another device.


Although exceptions exist, multiple inconsistencies strongly suggest that an entry was synced rather than accessed directly on the device under analysis.
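
Added example (not from the original post): a Python and SQL pass over places.sqlite that applies the checks above which live in that database (link visit with no originating visit, empty description and preview_image_url, download visit with no moz_annos row) and flags URLs where several fire together. The in-memory database is a constructed stand-in with only the columns the query needs, and the threshold of two indicators is an assumption of this example.

```python
import sqlite3

def build_sample():
    """Constructed stand-in for places.sqlite holding only the columns used here."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE moz_places(id INTEGER PRIMARY KEY, url TEXT,
                              description TEXT, preview_image_url TEXT);
      CREATE TABLE moz_historyvisits(id INTEGER PRIMARY KEY, from_visit INTEGER,
                                     place_id INTEGER, visit_type INTEGER);
      CREATE TABLE moz_annos(id INTEGER PRIMARY KEY, place_id INTEGER, content TEXT);
      INSERT INTO moz_places VALUES
        (1,'https://local.example.invalid/','Home','https://local.example.invalid/p.png'),
        (2,'https://local.example.invalid/doc','Docs',NULL),
        (3,'https://synced.example.invalid/page',NULL,NULL),
        (4,'https://synced.example.invalid/file.zip',NULL,NULL),
        (5,'https://local.example.invalid/file.zip',NULL,NULL);
      INSERT INTO moz_historyvisits VALUES
        (1,0,1,2),(2,1,2,1),(3,0,3,1),(4,0,4,7),(5,2,5,7);
      INSERT INTO moz_annos VALUES (1,5,'file:///constructed/Downloads/file.zip');
    """)
    return db

# One column per check from the list above; 1 means the indicator fired.
QUERY = """
SELECT p.url,
  (v.visit_type = 1 AND v.from_visit = 0)                 AS link_without_origin,
  (p.description IS NULL AND p.preview_image_url IS NULL) AS no_page_metadata,
  (v.visit_type = 7 AND NOT EXISTS
     (SELECT 1 FROM moz_annos a WHERE a.place_id = p.id)) AS download_without_anno
FROM moz_historyvisits v JOIN moz_places p ON p.id = v.place_id
ORDER BY v.id
"""

def sync_indicators(db):
    """Return {url: [names of the indicators that fired]} for each visited URL."""
    db.row_factory = sqlite3.Row
    found = {}
    for row in db.execute(QUERY):
        names = found.setdefault(row["url"], [])
        fired = [k for k in row.keys() if k != "url" and row[k]]
        names += [k for k in fired if k not in names]
    return found

def likely_synced(db, threshold=2):
    """URLs with several indicators; the threshold is an assumption of this example."""
    return sorted(u for u, f in sync_indicators(db).items() if len(f) >= threshold)
```

The locally downloaded file in the sample still trips one indicator on its own, which is why only the combined result is treated as meaningful. Against real evidence, pass a connection opened on a working copy of places.sqlite instead of build_sample().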

-------------------------------------------------------------------------------------------------------------


Identifying Synced Form History

Unlike browsing history, form history (autofill data) offers almost no way to differentiate local entries from synced ones. All form history records are stored in formhistory.sqlite, and timestamps for synced entries reflect the synchronization time rather than the original data entry time. Without access to all synced devices, separating local and remote form history entries is extremely difficult.


The Impact of Clearing Data

When a user manually clears browsing data in Firefox, the following artifacts are removed:

  • places.sqlite (browsing history & bookmarks)

  • formhistory.sqlite (saved form entries)

  • cookies.sqlite (stored cookies)

  • Cache & session-store folders (session data)

  • favicons.sqlite & webappstore.sqlite (site icons & web storage data)


Sync Behavior for Deleted Data

Clearing data on one device does not erase it from other synced devices. Forensic analysts should always try to obtain all linked devices, as important evidence might still exist elsewhere.

However, there are two exceptions where deletion does sync across devices:


  1. Delete Page: Removes a specific site’s history from both the local and synced databases.

  2. Forget About This Site: Wipes all traces of a site from both the local system and synced devices.


Conclusion

Firefox’s sync capabilities may obscure some evidence, but with the right techniques, a skilled investigator can still piece together the full picture.

---------------------------------------------Dean----------------------------------------


 
 
 
