As part of the 2014 Volatility Plugin Contest, I created three plugins for locating Firefox browser history related artifacts: firefoxhistory, firefoxcookies and firefoxdownloads.
They are all in the firefoxhistory.py module found on my volatility-plugins repo on GitHub. They also depend on the sqlite_help.py module in the same location, which provides some useful functions for manipulating data in SQLite databases. Firefox and Chrome both store history and browsing data in SQLite databases. Depending on the number and type of fields in each table, certain values can be expected in certain positions, which allows us to locate records of a given table.
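The "expected values in expected positions" idea maps directly onto SQLite's on-disk record format: every row is stored as a header listing one serial type per column, followed by the column bodies, so a table with a known schema has a recognisable header shape. The following is an added example, not the sqlite_help.py or firefoxhistory.py code from the repo. It scans a buffer for table b-tree leaf cells (payload length varint, rowid varint, record) whose header matches the moz_places schema quoted later on this page, with or without the foreign_count column that later Firefox versions added, and decodes the matching rows; the sample buffer, the row values and the 4000-byte payload limit are my own constructions, and last_visit_date is treated as microseconds since the Unix epoch, which is how Firefox stores it.

```python
"""Carve moz_places-shaped SQLite records from a raw buffer (added example)."""
from datetime import datetime, timedelta, timezone
import struct

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Column order from the moz_places schema shown on the page; the last column only exists in newer schemas.
COLUMNS = ["id", "url", "title", "rev_host", "visit_count", "hidden", "typed",
           "favicon_id", "frecency", "last_visit_date", "guid", "foreign_count"]
INT_TYPES = {1, 2, 3, 4, 5, 6, 8, 9}   # integer serial types (8 and 9 are the constants 0 and 1)


def read_varint(buf, off):
    """SQLite varint: big-endian, 7 bits per byte, continuation bit set; 9th byte holds 8 bits."""
    value = 0
    for i in range(9):
        b = buf[off + i]
        if i == 8:
            return (value << 8) | b, off + 9
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            return value, off + i + 1


def write_varint(value):
    if not 0 <= value < 1 << 56:          # the sample only needs short varints
        raise ValueError("varint out of supported range")
    out = []
    while True:
        out.append(value & 0x7F)
        value >>= 7
        if not value:
            break
    out.reverse()
    return bytes([b | 0x80 for b in out[:-1]] + [out[-1]])


def serial_size(st):
    """Body size in bytes of a serial type."""
    if st in (0, 8, 9):
        return 0
    if st in (1, 2, 3, 4):
        return st
    if st == 5:
        return 6
    if st in (6, 7):
        return 8
    if st >= 12:
        return (st - 12) // 2
    raise ValueError("reserved serial type")


def decode_value(st, data):
    if st == 0:
        return None
    if st in (1, 2, 3, 4, 5, 6):
        return int.from_bytes(data, "big", signed=True)
    if st == 7:
        return struct.unpack(">d", data)[0]
    if st in (8, 9):
        return st - 8
    return bytes(data) if st % 2 == 0 else data.decode("utf-8")   # strict UTF-8 rejects junk


def is_text(st):
    return st >= 13 and st % 2 == 1


def looks_like_moz_places(t):
    """Header shape check: id is the rowid (stored as NULL), guid is always 12 chars (type 37)."""
    if len(t) not in (11, 12):
        return False
    return (t[0] == 0 and is_text(t[1]) and (t[2] == 0 or is_text(t[2]))
            and (t[3] == 0 or is_text(t[3]))
            and t[4] in INT_TYPES and t[5] in INT_TYPES and t[6] in INT_TYPES
            and (t[7] == 0 or t[7] in INT_TYPES) and t[8] in INT_TYPES
            and (t[9] == 0 or t[9] in INT_TYPES) and t[10] == 37
            and (len(t) == 11 or t[11] in INT_TYPES))


def prtime_to_str(us):
    """Firefox stores last_visit_date as microseconds since the Unix epoch (PRTime)."""
    return (EPOCH + timedelta(microseconds=us)).strftime("%Y-%m-%d %H:%M:%S.%f")


def try_cell(buf, off):
    """Parse a table leaf cell at off; return a row dict if it matches moz_places, else None."""
    payload_len, p = read_varint(buf, off)
    rowid, p = read_varint(buf, p)
    if not 16 <= payload_len <= 4000:     # assumption: rows spilling to overflow pages are not handled
        return None
    header_len, q = read_varint(buf, p)
    if not 12 <= header_len <= 64:        # 11-12 serial types; long URLs need 2-byte types
        return None
    types = []
    while q < p + header_len:
        st, q = read_varint(buf, q)
        types.append(st)
    if q != p + header_len or not looks_like_moz_places(types):
        return None
    sizes = [serial_size(t) for t in types]
    if header_len + sum(sizes) != payload_len or q + sum(sizes) > len(buf):
        return None
    values = []
    for t, n in zip(types, sizes):
        values.append(decode_value(t, buf[q:q + n]))
        q += n
    rec = dict(zip(COLUMNS, values))
    rec["id"] = rowid                     # the rowid lives in the cell, not in the record body
    rec["offset"] = off
    if rec["last_visit_date"] is not None:
        rec["last_visit_date"] = prtime_to_str(rec["last_visit_date"])
    return rec


def carve_moz_places(buf):
    hits = []
    for off in range(len(buf)):
        try:
            rec = try_cell(buf, off)
        except (IndexError, ValueError, UnicodeDecodeError):
            continue                      # ran off the buffer, reserved type or non-UTF-8 bytes: not a row
        if rec:
            hits.append(rec)
    return hits


def encode_record(values):
    """Build a SQLite record (serial-type header + body) from Python values, for the sample."""
    types, body = [], b""
    for v in values:
        if v is None:
            types.append(0)
        elif isinstance(v, int):
            if v in (0, 1):
                types.append(8 + v)
            else:
                for st, n in ((1, 1), (2, 2), (3, 3), (4, 4), (5, 6), (6, 8)):
                    if -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
                        types.append(st)
                        body += v.to_bytes(n, "big", signed=True)
                        break
        elif isinstance(v, bytes):
            types.append(12 + 2 * len(v))
            body += v
        else:
            enc = v.encode("utf-8")
            types.append(13 + 2 * len(enc))
            body += enc
    type_bytes = b"".join(write_varint(t) for t in types)
    header_len = len(type_bytes) + 1
    if header_len >= 128:                 # the length field itself becomes a 2-byte varint
        header_len += 1
    return write_varint(header_len) + type_bytes + body


def encode_cell(rowid, values):
    payload = encode_record(values)
    return write_varint(len(payload)) + write_varint(rowid) + payload


def build_sample():
    """Constructed buffer: junk, a 12-column cell, zero padding, an 11-column cell, more junk."""
    last_visit = datetime(2014, 8, 30, 19, 54, 23, 325000, tzinfo=timezone.utc)
    prtime = (last_visit - EPOCH) // timedelta(microseconds=1)
    twitter = encode_cell(21, [None, "https://twitter.com/", "Twitter", "moc.rettiwt.",
                               2, 0, 0, 10, 2100, prtime, "oKw7WQ22cahd", 0])
    place = encode_cell(6, [None, "place:sort=8&maxResults=10", None, None,
                            0, 1, 0, None, 0, None, "zm8cJXPL3Nt1"])
    return bytes(range(200, 256)) + twitter + b"\x00" * 9 + place + b"\xff" * 7


if __name__ == "__main__":
    for row in carve_moz_places(build_sample()):
        print(row)
```

Running the block recovers both constructed rows with their rowids and a formatted last_visit_date; the same shape check is what lets the plugin tell a moz_places record apart from a moz_cookies one, and why a schema change (an added column, as discussed in the comments on this page) shifts the expected header and has to be handled explicitly.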
A sample memory image is available at voltest.zip, and the corresponding places.sqlite and cookies.sqlite from that image are at ff_places and ff_cookies, respectively, for comparison with the plugin output. The firefoxdownloads plugin only works on Firefox 25 and earlier because the downloads.sqlite file was removed in Firefox 26. I don’t have a memory image to provide but will show sample output from parsing a downloads.sqlite file below. The download data was moved into another table (“moz_annos” in places.sqlite) that I haven’t worked on yet. However, the download URLs are typically in the firefoxhistory output anyway. The plugins have been run against the SQLite databases from version 25 and memory samples of a system with version 31, so I’d expect them to work on at least those versions and the ones in between.
This module adds functionality similar to the core Volatility plugin iehistory, but for Firefox browsing history. It can print output in the default table format or in CSV or bodyfile format, which is useful for combining with other plugins to create a timeline. According to W3Schools, Firefox and Chrome make up about 85% of the browser share as of July 2014, so this and my other plugin in the contest help round out Volatility’s browser coverage.
Usage and output for the plugins is below.
firefoxhistory
The firefoxhistory plugin extracts records from the Firefox moz_places table in the places.sqlite SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below with all 31 records that are in the ff_places database linked to above, showing the plugin was able to locate them all. The output contains, among other fields, the URL, page title, number of visits, and the last visit date. The URL may occasionally be truncated in table format, but the full URL is displayed in CSV format. The last visit date timestamp is used in the bodyfile.
$ vol.py --plugins=plugins/ -f voltest.dmp firefoxhistory
Volatility Foundation Volatility Framework 2.4
ID URL Title Rev Host Visits Hidden Typed Favicon ID Frecency Last Visit Date GUID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------------- ------ ------ ----- ---------- -------- -------------------------- ------------
30 http://software-files-a.cnet.com/s/soft...07af0b2aceb5cb&fileName=ccsetup417.exe ccsetup417.exe moc.tenc.a-selif-erawtfos. 0 0 0 0 2014-08-30 19:54:49.614000 1XZQkyF56qMJ
29 http://download.cnet.com/CCleaner/3001-18512_4-10315544.html?hlndr=1 Thank you for downloading CCleaner from CNET Download.com moc.tenc.daolnwod. 1 0 0 12 100 2014-08-30 19:54:45.947000 N5LRyDii8toO
28 http://dw.cbsi.com/redir?ttag=download_...d=QCK-xqYz5LPFaJ0ebFV5qadurILbAkCQMAXl moc.isbc.wd. 1 1 0 100 2014-08-30 19:54:44.917000 fEjtASxUAxh6
27 http://download.cnet.com/CCleaner/?tag=main;pop CCleaner - Free download and software reviews - CNET Download.com moc.tenc.daolnwod. 1 0 0 12 100 2014-08-30 19:54:37.085000 pq1ZfeEKGvqZ
26 http://download.cnet.com/windows/ Windows PC software downloads and reviews from CNET Download.com moc.tenc.daolnwod. 1 0 0 11 -1 2014-08-30 19:54:28.723000 tfBwGHW8rHmc
25 http://download.cnet.com/windows moc.tenc.daolnwod. 1 1 0 -1 2014-08-30 19:54:28.286000 CDgZxQeKrwO3
24 http://download.cnet.com/ moc.tenc.daolnwod. 1 1 0 -1 2014-08-30 19:54:28.130000 AcV1_jX9bz5r
23 http://www.download.com/ moc.daolnwod.www. 1 1 0 2000 2014-08-30 19:54:27.849000 KpFmHKTN0a9u
22 http://download.com/ moc.daolnwod. 1 1 1 2000 2014-08-30 19:54:27.724000 V1HFFdxEPjun
21 https://twitter.com/ Twitter moc.rettiwt. 2 0 0 10 2100 2014-08-30 19:54:23.325000 oKw7WQ22cahd
20 http://twitter.com/ moc.rettiwt. 1 0 1 2000 2014-08-30 19:54:21.920000 DMtScqP31_Xu
19 http://www.msnbc.com/ msnbc: news, video and progressive community. Lean Forward. moc.cbnsm.www. 1 0 0 9 2000 2014-08-18 01:54:53.773000 5Gx2iLj1SjJW
18 http://msnbc.com/ moc.cbnsm. 1 1 1 2000 2014-08-18 01:54:53.681000 ta4jLp2lyGh4
17 https://www.google.com/?gws_rd=ssl Google moc.elgoog.www. 1 0 0 7 -1 2014-08-18 01:54:39.623000 _Utv1EjcJ6Hu
16 http://www.google.com/ moc.elgoog.www. 1 1 0 2000 2014-08-18 01:54:39.522000 or6Wi4BgJ4oo
15 http://google.com/ moc.elgoog. 1 1 1 2000 2014-08-18 01:54:39.455000 w27D_5ORtyhc
14 https://dl.google.com/tag/s/appguid%3D%...ser/update2/installers/ChromeSetup.exe ChromeSetup.exe moc.elgoog.ld. 0 0 0 0 2014-08-18 01:53:04.856000 n4Jx86eFfMwg
13 https://www.google.com/intl/en/chrome/b...u.html?installdataindex=defaultbrowser Chrome Browser moc.elgoog.www. 1 0 0 8 100 2014-08-18 01:53:04.603000 o4vAZ5aKWWyb
12 https://www.google.com/chrome/browser/ Chrome Browser moc.elgoog.www. 1 0 0 8 100 2014-08-18 01:52:46.891000 3-zVrw5J9YQk
10 https://www.google.com/search?q=chrome&...S:official&client=firefox-a&channel=sb chrome - Google Search moc.elgoog.www. 1 0 0 7 100 2014-08-18 01:52:40.683000 fcu6-CJQ0C-5
9 https://www.mozilla.org/en-US/firefox/31.0/firstrun/ Welcome to Firefox gro.allizom.www. 1 0 0 6 100 2014-08-18 01:52:31.981000 CFINbfipczLN
3 https://www.mozilla.org/en-US/firefox/customize/ gro.allizom.www. 0 0 0 2 140 3hOL_TOgRnCn
8 place:type=6&sort=14&maxResults=10 0 1 0 0 3lY95yoWx2XB
7 place:folder=BOOKMARKS_MENU&folder=UNFI...sort=12&maxResults=10&excludeQueries=1 0 1 0 0 mdM4Mp9kd8g3
1 https://www.mozilla.org/en-US/firefox/central/ gro.allizom.www. 0 0 0 140 kYVGjmJ-047k
11 https://www.google.com/chrome/ moc.elgoog.www. 1 1 0 100 2014-08-18 01:52:46.769000 zLswYKJFEaUD
5 https://www.mozilla.org/en-US/about/ gro.allizom.www. 0 0 0 4 140 dOQyh56nW4RJ
4 https://www.mozilla.org/en-US/contribute/ gro.allizom.www. 0 0 0 3 140 yEpWj7pAkHw3
2 https://www.mozilla.org/en-US/firefox/help/ gro.allizom.www. 0 0 0 140 06n0M4Af3U2S
6 place:sort=8&maxResults=10 0 1 0 0 zm8cJXPL3Nt1
31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir Free Software Downloads and Sof 1 0 0 0 0 0
31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir Free Software Downloads and Software Reviews - CNET Download.com moc.tenc.daolnwod. 1 0 0 12 100 2014-08-30 19:56:46.244000 4oOcy_AZUX9v
2 https://www.mozilla.org/en-US/firefox/help/ grUqtqU�⥥Υ3K 0 0 0 6039 �-�U:�lNٌ
31 http://download.cnet.com/CCleaner/3055-1 1 0 0 0 0
firefoxcookies
The firefoxcookies plugin extracts records from the Firefox moz_cookies table in the cookies.sqlite SQLite database file. It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. Just a snippet of the output is pasted below because, while the limited browsing in the test image created only 31 history entries, there are hundreds of cookies. The output contains, among other fields, the domain, cookie name, path, and cookie value, though the value is often truncated in table format. It’s fully displayed in the CSV format. In addition, there are three timestamps for the creation time, last accessed time, and expiration time. These are all printed, and also included in the bodyfile for timeline generation.
$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp firefoxcookies | more
Volatility Foundation Volatility Framework 2.4
Row ID Base Domain App Id InBrowserElement Name Value Host Path Expiry Last Accessed Creation Time Secure HttpOnly
------ ---------------------------- ------ ---------------- ------------------------ -------------------------------- -------------------------------- -------------------------------- -------------------- -------------------------- -------------------------- ------ --------
9 3 1970-01-01 00:00:00 1970-01-01 00:00:00 1996-11-11 19:32:25.943048 0 0
309 pubmatic.com 0 0 KRTBCOOKIE_22 488-pcv:1|uid:6...35249447496254 .pubmatic.com / 2017-08-29 19:54:40 2014-08-30 19:56:48.361000 2014-08-30 19:54:40.689000 0 0
307 pubmatic.com 0 0 KADUSERCOOKIE 892465A3-2C7F-4...7-A796CBE943D6 .pubmatic.com / 2015-08-30 19:54:40 2014-08-30 19:56:48.361000 2014-08-30 19:54:40.565000 0 0
446 turn.com 0 0 uid 6925335249447496254 .turn.com / 2015-02-26 19:54:51 2014-08-30 19:54:51.564000 2014-08-30 19:54:40.549000 0 0
305 mathtag.com 0 0 uuid a1995402-2bff-4...d-e79b6350092f .mathtag.com / 2015-08-30 19:54:40 2014-08-30 19:54:40.533000 2014-08-30 19:54:40.533000 0 0
303 pubmatic.com 0 0 KRTBCOOKIE_80 4031-CAESEKPqsq...vWPTGmwJGWwWo0 .pubmatic.com / 2014-11-28 19:54:40 2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440002 0 0
301 pubmatic.com 0 0 KRTBCOOKIE_57 476-uid:8258907743645875089 .pubmatic.com / 2017-08-29 19:54:40 2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440000 0 0
300 yimg.com 0 0 fpc 1000958395862%3...7%7C8TY7TsoTH7 s.yimg.com / 2015-08-30 19:54:40 2014-08-30 19:56:46.909000 2014-08-30 19:54:40.409001 0 0
478 adnxs.com 0 0 uuid2 8258907743645875089 .adnxs.com / 2014-11-28 19:56:48 2014-08-30 19:56:48.684000 2014-08-18 01:54:59.048000 0 1
294 pubmatic.com 0 0 SyncRTB 2_1410033280.3_....74_1410638080 .ads.pubmatic.com / 2015-06-26 19:54:39 2014-08-30 19:54:39.987000 2014-08-30 19:54:39.987000 0 0
464 cnet.com 0 0 WRUID 0 download.cnet.com / 2015-08-30 19:56:47 2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037002 0 0
292 pubmatic.com 0 0 KTPCACOOKIE YES .pubmatic.com / 2015-06-26 19:54:39 2014-08-30 19:56:48.361000 2014-08-30 19:54:39.925000 0 0
291 yimg.com 0 0 ywandp 1000958395862%3A1432287649 s.yimg.com / 2024-08-27 19:54:39 2014-08-30 19:56:46.909000 2014-08-30 19:54:39.488000 0 0
273 cnet.com 0 0 bwp2 53d5c62aff9dff4...42286428349,v1 .download.cnet.com / 2015-09-15 15:00:01 2014-08-31 13:18:29.617000 2014-08-30 19:54:38.162000 0 0
272 cnet.com 0 0 _udl_sessionId en8N9q16psTV download.cnet.com /CCleaner/ 2014-08-30 20:24:38 2014-08-30 19:57:46.012000 2014-08-30 19:54:38.068000 0 0
398 chango.com 0 0 _vt 0 .chango.com / 2014-09-29 19:54:50 2014-08-30 19:54:50.846000 2014-08-30 19:54:50.846001 0 0
463 cnet.com 0 0 __CT_Data gpv=3&apv_11583_www08=3 download.cnet.com / 2015-08-30 19:56:47 2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037000 0 0
268 cnet.com 0 0 LDCLGFbrowser 6003425c-6a57-4...b-f9c896e81eee download.cnet.com / 2024-08-27 19:54:37 2014-08-31 13:18:29.617000 2014-08-30 19:54:37.585000 0 0
257 everesttech.net 0 0 ev_t 3-VAIr@gAABc1hxA14 .everesttech.net / 2014-09-29 19:54:35 2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478001 0 0
256 everesttech.net 0 0 gglck CAESEIFDIEoc5OXo637KcYakDk8 .everesttech.net / 2014-09-29 19:54:35 2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478000 0 0
firefoxdownloads
The firefoxdownloads plugin extracts records from the Firefox moz_downloads table in the downloads.sqlite SQLite database file. The downloads.sqlite file was removed in Firefox 26, and this data was moved into the moz_annos table in places.sqlite. A quick look at that table suggests its records should be locatable the same way; however, I haven’t worked on it yet. The test image that was provided has Firefox 31 installed, so this plugin will not locate download records in it. However, I did have an old downloads.sqlite file that I built the plugin from, and it extracts all the records from the actual database file, so it should work on a memory image with the applicable version installed. The output below is an excerpt from running the plugin against that database file.
It supports --output=csv and --output=body to print in CSV and bodyfile format, respectively. The output contains, among other fields, the filename, source URL, target path being saved to, and bytes downloaded. In addition, there are timestamps for the start and end times of the download. These are both printed, and also included in the bodyfile for timeline generation.
$ vol.py --plugins=plugins/ -f downloads.sqlite firefoxdownloads
Volatility Foundation Volatility Framework 2.4
Row Id Name Source Target Temp Path Start Time End Time State Referrer Entity ID Current Bytes Max Bytes MIME Type Prefer App Prefer Action Auto Resume
------ -------------------------------- -------------------------------------------------------------------------------- ------------------------------------------------------------ -------------------------------- -------------------------- -------------------------- ----- ------------------------------------------------------------ --------- ------------- ------------ -------------------- ---------------- ------------- -----------
2 Wireshark-win64-1.12.0(1).exe http://wiresharkdownloads.riverbed.com/...shark/win64/Wireshark-win64-1.12.0.exe file:///Users/dave/Downloads/Wireshark-win64-1.12.0(1).exe 2014-08-06 19:06:40.462456 2014-08-06 19:07:39.180254 1 https://..._=iMVZ42DWnZQPvsWG&flshenb=1 35531552 35531552 applicati...-program 0 0
1 Wireshark-win64-1.12.0.exe https://2.na.dl.wireshark.org/win64/Wireshark-win64-1.12.0.exe file:///Users/dave/Downloads/Wireshark-win64-1.12.0.exe 2014-08-06 03:15:57.461410 2014-08-06 03:16:50.061426 1 https://www.wireshark.org/download.html 35531552 35531552 applicati...-program 0 0
Thank you for the plugins.
Minor detail: one of the headers for “firefoxhistory” is “Frecency”.
Is this a misspelling of “Frequency”?
That’s actually how it’s spelled in the SQLite database, so I kept it that way in the plugin output:
$ sqlite3 places.sqlite
SQLite version 3.8.5 2014-08-15 22:37:57
Enter ".help" for usage hints.
sqlite> .schema
CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL);
I noticed when I exported the firefoxhistory to a CSV file, a few of the entries had a black rectangle with a white circle inside the rectangle. This appeared before the URL. Are these private browsing URLs?
I think that’s probably just non-ascii data. It’s possible the Firefox DB has been modified and the plugin offsets aren’t correct. Do you know what version of Firefox is in the version you’re running the plugin against?
Not 100% sure. I only have a RAM image. If you know of any ways to find this information via RAM, please let me know and I can check for you.
Simplest may be to run “strings” on it and look for the version of Firefox in the User-Agent.
They have added a field.
The table from when I created the plugin:
CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT);
The table in FF45:
CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL);
I’ll need to update the code to handle this. Some of the results may be off a few bytes because of this. I’ll try to make an update this weekend and will let you know.
I updated the plugin to handle the new field. You can get it from the Volatility community repo:
https://github.com/volatilityfoundation/community/blob/master/DaveLasalle/firefoxhistory.py
Let me know if that works for you.
When I use this plugin I get this error message:
./volatility --plugins=plugins/ -f vmem.vmem --profile=Win7SP0x86 firefoxdownloads
Volatility Foundation Volatility Framework 2.5
*** Failed to import volatility.plugins.firefoxhistory (ImportError: No module named csv)
This is weird because csv is builtin, and when I import csv from a python instance in the terminal it imports fine. Any idea what’s causing this?
We ended up solving this over email, and I never approved the comment here. This error was occurring in the standalone version of Volatility. Using the source version resolved it.
Was the issue ever resolved in the latest standalone executable?
Thanks
Robert
I don’t know. I’ve never used the standalone executable.