August 31, 2014 by

Volatility Plugin – Firefox History

13 comments

Categories: Forensics, Volatility


As part of the 2014 Volatility Plugin Contest, I created 3 plugins for locating Firefox browser history related artifacts:

They are all in the firefoxhistory.py module found on my volatility-plugins repo on GitHub.  They also depend on the sqlite_help.py module in the same location, which provides some useful functions for manipulating data in SQLite databases.  Firefox and Chrome both store history and browsing data in SQLite databases.  Depending on the number and type of fields in each table, certain values can be expected in certain positions, which allows us to locate records of a given table.

A sample memory image is available at voltest.zip, and the corresponding places.sqlite and cookies.sqlite from that image are at ff_places and ff_cookies, respectively, for comparison with the plugin output.  The firefoxdownloads plugin only works on Firefox 25 and earlier because the downloads.sqlite file was removed.  I don’t have a memory image to provide but will show sample output from parsing a downloads.sqlite file below.  The download data was moved into another table (“moz_annos” in places.sqlite) that I haven’t worked on yet.  However, the download URLs are typically in the firefoxhistory output anyway. The plugin has been run against the SQLite databases in version 25 and memory samples of a system with version 31, so I’d expect it to work on at least those versions and the ones in between.

Like the core Volatility module iehistory, this module adds similar functionality for Firefox browsing history.  It can print output in the default table format or in CSV or bodyfile format.  This is useful for combining with other plugins to create a timeline.  According to W3Schools, Firefox and Chrome make up about 85% of the browser share as of July 2014, so this and my other plugin in the contest help round out Volatility’s browser coverage.

Usage and output for the plugins is below.

firefoxhistory

The firefoxhistory plugin extracts records from the Firefox moz_places table in the places.sqlite SQLite database file. It supports –output=csv and –output=body to print in CSV and bodyfile format, respectively. The full output from the sample image is copied below with all 31 records that are in the ff_places database linked to above, showing the plugin was able to locate them all. The output contains, among other fields, the URL, page title, number of visits, and the last visit date. The URL may occasionally be truncated, but the full URL can be displayed in CSV format. In addition, the last visit date timestamp is used in the bodyfile.

$ vol.py --plugins=plugins/ -f voltest.dmp firefoxhistory
Volatility Foundation Volatility Framework 2.4
ID     URL                                                                              Title                                                                            Rev Host                         Visits Hidden Typed Favicon ID Frecency Last Visit Date            GUID
------ -------------------------------------------------------------------------------- -------------------------------------------------------------------------------- -------------------------------- ------ ------ ----- ---------- -------- -------------------------- ------------
    30 http://software-files-a.cnet.com/s/soft...07af0b2aceb5cb&fileName=ccsetup417.exe ccsetup417.exe                                                                   moc.tenc.a-selif-erawtfos.            0      0     0                   0 2014-08-30 19:54:49.614000 1XZQkyF56qMJ
    29 http://download.cnet.com/CCleaner/3001-18512_4-10315544.html?hlndr=1             Thank you for downloading CCleaner from CNET Download.com                        moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:54:45.947000 N5LRyDii8toO
    28 http://dw.cbsi.com/redir?ttag=download_...d=QCK-xqYz5LPFaJ0ebFV5qadurILbAkCQMAXl                                                                                  moc.isbc.wd.                          1      1     0                 100 2014-08-30 19:54:44.917000 fEjtASxUAxh6
    27 http://download.cnet.com/CCleaner/?tag=main;pop                                  CCleaner - Free download and software reviews - CNET Download.com                moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:54:37.085000 pq1ZfeEKGvqZ
    26 http://download.cnet.com/windows/                                                Windows PC software downloads and reviews from CNET Download.com                 moc.tenc.daolnwod.                    1      0     0         11       -1 2014-08-30 19:54:28.723000 tfBwGHW8rHmc
    25 http://download.cnet.com/windows                                                                                                                                  moc.tenc.daolnwod.                    1      1     0                  -1 2014-08-30 19:54:28.286000 CDgZxQeKrwO3
    24 http://download.cnet.com/                                                                                                                                         moc.tenc.daolnwod.                    1      1     0                  -1 2014-08-30 19:54:28.130000 AcV1_jX9bz5r
    23 http://www.download.com/                                                                                                                                          moc.daolnwod.www.                     1      1     0                2000 2014-08-30 19:54:27.849000 KpFmHKTN0a9u
    22 http://download.com/                                                                                                                                              moc.daolnwod.                         1      1     1                2000 2014-08-30 19:54:27.724000 V1HFFdxEPjun
    21 https://twitter.com/                                                             Twitter                                                                          moc.rettiwt.                          2      0     0         10     2100 2014-08-30 19:54:23.325000 oKw7WQ22cahd
    20 http://twitter.com/                                                                                                                                               moc.rettiwt.                          1      0     1                2000 2014-08-30 19:54:21.920000 DMtScqP31_Xu
    19 http://www.msnbc.com/                                                            msnbc: news, video and progressive community. Lean Forward.                      moc.cbnsm.www.                        1      0     0          9     2000 2014-08-18 01:54:53.773000 5Gx2iLj1SjJW
    18 http://msnbc.com/                                                                                                                                                 moc.cbnsm.                            1      1     1                2000 2014-08-18 01:54:53.681000 ta4jLp2lyGh4
    17 https://www.google.com/?gws_rd=ssl                                               Google                                                                           moc.elgoog.www.                       1      0     0          7       -1 2014-08-18 01:54:39.623000 _Utv1EjcJ6Hu
    16 http://www.google.com/                                                                                                                                            moc.elgoog.www.                       1      1     0                2000 2014-08-18 01:54:39.522000 or6Wi4BgJ4oo
    15 http://google.com/                                                                                                                                                moc.elgoog.                           1      1     1                2000 2014-08-18 01:54:39.455000 w27D_5ORtyhc
    14 https://dl.google.com/tag/s/appguid%3D%...ser/update2/installers/ChromeSetup.exe ChromeSetup.exe                                                                  moc.elgoog.ld.                        0      0     0                   0 2014-08-18 01:53:04.856000 n4Jx86eFfMwg
    13 https://www.google.com/intl/en/chrome/b...u.html?installdataindex=defaultbrowser Chrome Browser                                                                   moc.elgoog.www.                       1      0     0          8      100 2014-08-18 01:53:04.603000 o4vAZ5aKWWyb
    12 https://www.google.com/chrome/browser/                                           Chrome Browser                                                                   moc.elgoog.www.                       1      0     0          8      100 2014-08-18 01:52:46.891000 3-zVrw5J9YQk
    10 https://www.google.com/search?q=chrome&...S:official&client=firefox-a&channel=sb chrome - Google Search                                                           moc.elgoog.www.                       1      0     0          7      100 2014-08-18 01:52:40.683000 fcu6-CJQ0C-5
     9 https://www.mozilla.org/en-US/firefox/31.0/firstrun/                             Welcome to Firefox                                                               gro.allizom.www.                      1      0     0          6      100 2014-08-18 01:52:31.981000 CFINbfipczLN
     3 https://www.mozilla.org/en-US/firefox/customize/                                                                                                                  gro.allizom.www.                      0      0     0          2      140                            3hOL_TOgRnCn
     8 place:type=6&sort=14&maxResults=10                                                                                                                                                                      0      1     0                   0                            3lY95yoWx2XB
     7 place:folder=BOOKMARKS_MENU&folder=UNFI...sort=12&maxResults=10&excludeQueries=1                                                                                                                        0      1     0                   0                            mdM4Mp9kd8g3
     1 https://www.mozilla.org/en-US/firefox/central/                                                                                                                    gro.allizom.www.                      0      0     0                 140                            kYVGjmJ-047k
    11 https://www.google.com/chrome/                                                                                                                                    moc.elgoog.www.                       1      1     0                 100 2014-08-18 01:52:46.769000 zLswYKJFEaUD
     5 https://www.mozilla.org/en-US/about/                                                                                                                              gro.allizom.www.                      0      0     0          4      140                            dOQyh56nW4RJ
     4 https://www.mozilla.org/en-US/contribute/                                                                                                                         gro.allizom.www.                      0      0     0          3      140                            yEpWj7pAkHw3
     2 https://www.mozilla.org/en-US/firefox/help/                                                                                                                       gro.allizom.www.                      0      0     0                 140                            06n0M4Af3U2S
     6 place:sort=8&maxResults=10                                                                                                                                                                              0      1     0                   0                            zm8cJXPL3Nt1
    31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir       Free Software Downloads and Sof                                     1      0     0          0        0 0
    31 http://download.cnet.com/CCleaner/3055-18512_4-10315544.html?tag=pdl-redir       Free Software Downloads and Software Reviews - CNET Download.com                 moc.tenc.daolnwod.                    1      0     0         12      100 2014-08-30 19:56:46.244000 4oOcy_AZUX9v
     2 https://www.mozilla.org/en-US/firefox/help/                                                                                                                       grUqtqU�⥥Υ3K                      0      0     0                6039                            �-�U:�lNٌ

    31 http://download.cnet.com/CCleaner/3055-1                                                                                                            1      0     0                   0 0

Back to top

firefoxcookies

The firefoxcookies plugin extracts records from the Firefox moz_cookies table in the cookies.sqlite SQLite database file. It supports –output=csv and –output=body to print in CSV and bodyfile format, respectively. Just a snippet of the output is pasted below because, while the limited browsing in the test image created only 31 history entries, there are hundreds of cookies. The output contains, among other fields, the domain, cookie name, path, and cookie value, though the value is often truncated in table format. It’s fully displayed in the CSV format. In addition, there are three timestamps for the creation time, last accessed time, and expiration time. These are all printed, and also included in the bodyfile for timeline generation.

$ vol.py --plugins=plugins/ -f 2014contest/voltest.dmp firefoxcookies | more
Volatility Foundation Volatility Framework 2.4
Row ID Base Domain                  App Id InBrowserElement Name                     Value                            Host                             Path                             Expiry               Last Accessed              Creation Time              Secure HttpOnly
------ ---------------------------- ------ ---------------- ------------------------ -------------------------------- -------------------------------- -------------------------------- -------------------- -------------------------- -------------------------- ------ --------
     9                                                    3                                                                                                                             1970-01-01 00:00:00  1970-01-01 00:00:00        1996-11-11 19:32:25.943048      0        0
   309 pubmatic.com                      0                0 KRTBCOOKIE_22            488-pcv:1|uid:6...35249447496254 .pubmatic.com                    /                                2017-08-29 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.689000      0        0
   307 pubmatic.com                      0                0 KADUSERCOOKIE            892465A3-2C7F-4...7-A796CBE943D6 .pubmatic.com                    /                                2015-08-30 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.565000      0        0
   446 turn.com                          0                0 uid                      6925335249447496254              .turn.com                        /                                2015-02-26 19:54:51  2014-08-30 19:54:51.564000 2014-08-30 19:54:40.549000      0        0
   305 mathtag.com                       0                0 uuid                     a1995402-2bff-4...d-e79b6350092f .mathtag.com                     /                                2015-08-30 19:54:40  2014-08-30 19:54:40.533000 2014-08-30 19:54:40.533000      0        0
   303 pubmatic.com                      0                0 KRTBCOOKIE_80            4031-CAESEKPqsq...vWPTGmwJGWwWo0 .pubmatic.com                    /                                2014-11-28 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440002      0        0
   301 pubmatic.com                      0                0 KRTBCOOKIE_57            476-uid:8258907743645875089      .pubmatic.com                    /                                2017-08-29 19:54:40  2014-08-30 19:56:48.361000 2014-08-30 19:54:40.440000      0        0
   300 yimg.com                          0                0 fpc                      1000958395862%3...7%7C8TY7TsoTH7 s.yimg.com                       /                                2015-08-30 19:54:40  2014-08-30 19:56:46.909000 2014-08-30 19:54:40.409001      0        0
   478 adnxs.com                         0                0 uuid2                    8258907743645875089              .adnxs.com                       /                                2014-11-28 19:56:48  2014-08-30 19:56:48.684000 2014-08-18 01:54:59.048000      0        1
   294 pubmatic.com                      0                0 SyncRTB                  2_1410033280.3_....74_1410638080 .ads.pubmatic.com                /                                2015-06-26 19:54:39  2014-08-30 19:54:39.987000 2014-08-30 19:54:39.987000      0        0
   464 cnet.com                          0                0 WRUID                    0                                download.cnet.com                /                                2015-08-30 19:56:47  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037002      0        0
   292 pubmatic.com                      0                0 KTPCACOOKIE              YES                              .pubmatic.com                    /                                2015-06-26 19:54:39  2014-08-30 19:56:48.361000 2014-08-30 19:54:39.925000      0        0
   291 yimg.com                          0                0 ywandp                   1000958395862%3A1432287649       s.yimg.com                       /                                2024-08-27 19:54:39  2014-08-30 19:56:46.909000 2014-08-30 19:54:39.488000      0        0
   273 cnet.com                          0                0 bwp2                     53d5c62aff9dff4...42286428349,v1 .download.cnet.com               /                                2015-09-15 15:00:01  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.162000      0        0
   272 cnet.com                          0                0 _udl_sessionId           en8N9q16psTV                     download.cnet.com                /CCleaner/                       2014-08-30 20:24:38  2014-08-30 19:57:46.012000 2014-08-30 19:54:38.068000      0        0
   398 chango.com                        0                0 _vt                      0                                .chango.com                      /                                2014-09-29 19:54:50  2014-08-30 19:54:50.846000 2014-08-30 19:54:50.846001      0        0
   463 cnet.com                          0                0 __CT_Data                gpv=3&apv_11583_www08=3          download.cnet.com                /                                2015-08-30 19:56:47  2014-08-31 13:18:29.617000 2014-08-30 19:54:38.037000      0        0
   268 cnet.com                          0                0 LDCLGFbrowser            6003425c-6a57-4...b-f9c896e81eee download.cnet.com                /                                2024-08-27 19:54:37  2014-08-31 13:18:29.617000 2014-08-30 19:54:37.585000      0        0
   257 everesttech.net                   0                0 ev_t                     3-VAIr@gAABc1hxA14               .everesttech.net                 /                                2014-09-29 19:54:35  2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478001      0        0
   256 everesttech.net                   0                0 gglck                    CAESEIFDIEoc5OXo637KcYakDk8      .everesttech.net                 /                                2014-09-29 19:54:35  2014-08-30 19:56:48.118000 2014-08-30 19:54:35.478000      0        0

Back to top

firefoxdownloads

The firefoxdownloads plugin extracts records from the Firefox moz_downloads table in the downloads.sqlite SQLite database file. The downloads.sqlite file was removed in Firefox 26. This data was moved into the moz_annos table in places.sqlite. A quick look at this table looks like it should be locatable; however, I haven’t worked on it yet. The test image that was provided has Firefox 31 installed so this plugin will not locate download records. However, I did have an old downloads.sqlite file that I built the plugin off of and it extracts all the records from the actual database file, so it should work on a memory image with the applicable version installed. The output below is an excerpt from running the plugin against that database file.

It supports –output=csv and –output=body to print in CSV and bodyfile format, respectively. The output contains, among other fields, the filename, source URL, target path being saved to, and bytes downloaded. In addition, there are timestamps for the start and end times of the download. These are both printed, and also included in the bodyfile for timeline generation.

$ vol.py --plugins=plugins/ -f downloads.sqlite firefoxdownloads
Volatility Foundation Volatility Framework 2.4
Row Id Name                             Source                                                                           Target                                                       Temp Path                        Start Time                 End Time                   State Referrer                                                     Entity ID Current Bytes Max Bytes    MIME Type            Prefer App       Prefer Action Auto Resume
------ -------------------------------- -------------------------------------------------------------------------------- ------------------------------------------------------------ -------------------------------- -------------------------- -------------------------- ----- ------------------------------------------------------------ --------- ------------- ------------ -------------------- ---------------- ------------- -----------
     2 Wireshark-win64-1.12.0(1).exe    http://wiresharkdownloads.riverbed.com/...shark/win64/Wireshark-win64-1.12.0.exe file:///Users/dave/Downloads/Wireshark-win64-1.12.0(1).exe                                    2014-08-06 19:06:40.462456 2014-08-06 19:07:39.180254     1 https://..._=iMVZ42DWnZQPvsWG&flshenb=1                35531552     35531552 applicati...-program                              0           0
     1 Wireshark-win64-1.12.0.exe       https://2.na.dl.wireshark.org/win64/Wireshark-win64-1.12.0.exe                   file:///Users/dave/Downloads/Wireshark-win64-1.12.0.exe                                       2014-08-06 03:15:57.461410 2014-08-06 03:16:50.061426     1 https://www.wireshark.org/download.html                35531552     35531552 applicati...-program                              0           0

Back to top

13 Responses to Volatility Plugin – Firefox History

  1. Pingback: Volatility Plugins For Firefox History | infopunk.org

  2. Paul

    Thank you for the plugins.

    Minor detail: one of the headers for “firefoxhistory” is “Frecency”.
    Is this a miss-spelling of “Frequency” ?

    • superponible Post author

      That’s actually how it’s spelled in the SQLite database, so I kept it that way in the plugin output:

      $ sqlite3 places.sqlite
      SQLite version 3.8.5 2014-08-15 22:37:57
      Enter ".help" for usage hints.
      sqlite> .schema
      CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL);

  3. Zach

    I noticed when I exported the firefoxhistory to a csv file, a few of the entries had a black rectangle with a white circle inside the rectangle. This appeared before the url. Is this private browsing urls?

    • superponible Post author

      I think that’s probably just non-ascii data. It’s possible the Firefox DB has been modified and the plugin offsets aren’t correct. Do you know what version of Firefox is in the version you’re running the plugin against?

      • Zach

        Not 100% sure. I only have a RAM image. If you know of any ways to find this information via RAM, please let me know and I can check for you.

          • superponible Post author

            They have added a field.

            The table from when I created the plugin:

            CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT);

            The table in FF45:

            CREATE TABLE moz_places ( id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR, rev_host LONGVARCHAR, visit_count INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0 NOT NULL, typed INTEGER DEFAULT 0 NOT NULL, favicon_id INTEGER, frecency INTEGER DEFAULT -1 NOT NULL, last_visit_date INTEGER , guid TEXT, foreign_count INTEGER DEFAULT 0 NOT NULL);

            I’ll need to update the code to handle this. Some of the results may be off a few bytes because of this. I’ll try to make an update this weekend and will let you know.

  4. Steven

    When I use this plugin I get this error message:

    ./volatility –plugins=plugins/ -f vmem.vmem –profile=Win7SP0x86 firefoxdownloads
    Volatility Foundation Volatility Framework 2.5
    *** Failed to import volatility.plugins.firefoxhistory (ImportError: No module named csv)

    This is weird because csv is builtin, and when I import csv from a python instance in the terminal it imports fine. Any idea what’s causing this?

    • superponible Post author

      We ended up solving this over email, and I never approved the comment here. This error was occurring in the standalone version of Volatility. Using the source version resolved it.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.