Finding Deleted URLs within Mozilla Firefox places.sqlite file

Josh Moulin – CFCE, CEECS, DFCP, ACE
December, 2012
  
Issue:

URLs are visible within the places.sqlite database file when viewing the file in hex view that are not visible when viewing the file in SQLite Manager or FTK’s viewer. The URLs seen in hex view are relevant to the investigation.
  
Test Information:

Path for Mozilla information (Windows XP): C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\%uniquevalue%.default

OS: Windows XP SP 3, 32 bit

Firefox version: 15.0.1
  
Within a virtual machine running Windows XP SP3, a clean installation of Mozilla Firefox 15.0.1 was installed. The places.sqlite created upon installation of Firefox was deleted, which forces Firefox to create a new database the next time the program is run.

The Firefox add-on SQLite Manager was downloaded and installed. Once it was installed, it was launched by going to Tools>SQLite Manager:
  
To obtain a baseline, Firefox was launched and the places.sqlite database was rebuilt. SQLite Manager was launched to view the default entries in places.sqlite. By default Firefox installs five bookmarks, which can be seen below:
  
SQLite Manager shows the above bookmarks within the places.sqlite file:
  
As an overview, SQLite Manager is a great tool for viewing these database files. To search records, click on the “Browse & Search” tab. Although you can directly query the SQLite tables this way, unless you are familiar with SQL searches, I recommend exporting the data and using Excel.

To better search and review information, export the data to a CSV file. Once you click the “Export Wizard” tab, make sure to check the box “First row contains column names” and then select how you want to export the data. Once you have selected the appropriate settings, click “OK” and you should receive a dialog box stating that your records have been exported.
  
Navigate to your newly created CSV file and open it with Excel:

Above is the standard Excel view of a CSV file. When working with a large amount of data, there are a few tricks you can use to make data management easier. These include highlighting the top row, centering and bolding the font on the first row, inserting gridlines, and then freezing the top row and adding filtering to the top row. Also, consider hiding any columns or rows that are not applicable to your investigation:
  
By using filtering (indicated by the dropdown arrow to the right of each heading in the top row), it is possible to quickly sort by the relevant information within each column. See below:

This file will now have to be saved as an Excel workbook since this file is no longer compatible with the CSV format.

Below is a view of the places.sqlite file while viewing it in FTK. Notice the same information is seen below as what we have seen in the SQLite Manager. After reviewing the entire file, no other entries were located.
  
Note – the places.sqlite file is locked by the first application that accesses it. This is important to note during testing because it will alter the normal operation of Firefox. For example, if the places.sqlite file is open within FTK Imager and then Firefox is opened, Firefox will act normally; however, no data is actually recorded in the places.sqlite file since FTK Imager has locked it.

In an attempt to replicate the initial problem of having URLs visible in the places.sqlite file but not within Firefox, SQLite Manager, or FTK’s parsed viewer, the following steps were taken:

1. Firefox was launched
2. The following URLs were visited:
   a. Google.com
   b. Cnn.com
   c. Iacis.com
   d. Whitehouse.gov
3. SQLite Manager was launched
4. Reviewed entries with this tool
  
The entries in my history match exactly what I navigated to. Now I opened SQLite Manager and reviewed that information:
  
SQLite Manager showed the exact same information, as expected. When viewing the places.sqlite file in FTK Imager, the four entries were also seen. The entire places.sqlite file was viewed and no abnormal entries were located.

The IACIS.com URL begins at decimal offset 64308. This is important; keep note of this for later.

Next, Firefox was re-launched and all Internet history was cleared. This was accomplished by checking all available boxes and selecting “Everything” from the dropdown menu:
  
Within Firefox, all of the history entries are now gone:

SQLite Manager was opened next to see what entries it saw:
  
SQLite Manager also does not show any information for the URLs after the history has been deleted. Next, FTK Imager was launched and the places.sqlite file was added as an individual file:

With the exception of a few bytes of data, all areas that used to contain the URLs I had visited had been overwritten with zeros. At offset 64308 where my cursor was (shown above in small red box), you can see that iacis.com is gone.

The next test was checking how Private Browsing mode in Firefox would affect the entries in the places.sqlite file.

The following was done for this test:

1. Deleted places.sqlite file to force Firefox to build a new one.
2. Launched Firefox.
3. Browsed in normal mode to the following websites:
   a. Computer-forensics.sans.org
   b. Facebook.com
   c. Youtube.com
   d. Yelp.com
4. Private Browsing mode was turned on and the following sites were navigated to:
   a. Yahoo.com
   b. Twitter.com
   c. Linkedin.com
   d. Amazon.com
5. Firefox was closed.
  
Firefox was re-launched and the places.sqlite file was viewed with the SQLite Manager add-on. See below:

As expected, all of the websites that were visited in normal browsing mode are shown and none of the websites visited in Private Browsing mode are visible. Firefox was closed and the places.sqlite was viewed in FTK Imager.
  
In FTK Imager, the URLs visited in normal mode are visible, as is to be expected. It is also interesting that the new URLs overwrote the same location of the old URLs that were deleted when the history was cleared. You can see below at offset 64308 yelp.com now resides there (where IACIS.com once did):

The entire places.sqlite file was viewed in hex for any other remnants or evidence of the websites viewed in Private Browsing mode and nothing was located.

At this point it has been determined that the URLs found in the original investigation must not have been from a Private Browsing mode and the history must not have been cleared from Firefox before the forensic examination was conducted. The only thing left to check was how bookmarks interacted with the places.sqlite file.

It was determined that when a bookmark is created in Firefox during normal browsing mode, it does make an entry into the places.sqlite database. The original four URLs were navigated back to and bookmarked.
  
See the native Firefox view below:

The SQLite Manager shows the following information:
  
FTK Imager shows the following:

The bookmarks start at decimal offset 58686.

To test how bookmarks interact with Private Browsing mode, the following was done:

1. Firefox was re-launched.
2. Navigated to the following websites and bookmarked them:
   a. Bing.com
   b. Wordpress.com
   c. Ebay.com
   d. Apple.com
3. Firefox was closed and re-launched.
4. SQLite Manager was launched.

SQLite Manager showed the following:

This shows that even in Private Browsing, if a URL is bookmarked, it will enter the URL into the places.sqlite file.
  
FTK Imager showed the following:

The bing.com bookmark entry was also shown but wouldn’t fit in the same screenshot. The bookmark for apple.com was located at decimal offset 65145.

Next, Firefox was re-launched and all history was cleared. The following bookmarks were visible:
  
Next, the bookmarks that were created while in Private Browsing mode were deleted. The Firefox native view is shown below:

When SQLite Manager was opened, the following was seen:
  
In the bookmarks table, only the four remaining bookmarks are shown.

However, in the moz_places table, all of the bookmarks, including the deleted bookmarks, can be found:

In looking at the places.sqlite in FTK Imager, all of the entries including the deleted bookmarks were present, although some had moved position:
  
Above shows remnants of the URL wordpress.com and bing.com. Offset 65145 that once had the apple.com URL now shows this:

You can see the URL for apple.com up above the original offset (highlighted in blue).

Next, Firefox was re-launched and all history was cleared again. This time it eliminated all of the deleted bookmarks from the places.sqlite database. See below:

The blue highlighted area is decimal offset 65145 again, showing that all of the old bookmark data is now overwritten.
  
The takeaways from this are:

1. Bookmarking in Firefox, even in Private Browsing, will create entries in the places.sqlite file.
2. History is overwritten in the places.sqlite at the completion of a browsing session in Private Browsing mode, or anytime a user clicks Tools>Clear Recent History.
3. If bookmarks are deleted, they are immediately removed from the moz_bookmarks table in the places.sqlite database.
4. If bookmarks are deleted, they remain in the moz_places table in the places.sqlite database and are available to be recovered until they are overwritten.
5. Deleted bookmark data will be overwritten if the user clicks Tools>Clear Recent History after deleting the bookmarks.
  
In this particular investigation it was my opinion that the user had at one time bookmarked the URLs that were located in the hex view of the places.sqlite file but not visible in SQLite Manager or Firefox’s native view. The user deleted the bookmarks of the websites in question prior to turning over the computer, but did not clear their recent history after deleting the bookmarks, allowing them to be recovered. This finding may show additional intent, not only that websites of interest were once bookmarked by the user, but also there was some attempt to “clean up” the computer before the examination (especially since many non-relevant bookmarks remained and only a select few were deleted).

In this particular investigation, the deleted bookmark entries correspond with thousands of deleted images recovered from unallocated space as well as orphan files located during the exam.
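
The two checks this paper performs by hand, comparing moz_places against moz_bookmarks (takeaways 3 and 4) and comparing the hex view against what the SQL view returns, can be scripted. The Python below is an added example, not the author's tooling: it builds a constructed database, lists place rows whose bookmark is gone, and carves URL strings with their decimal offsets from the raw file to flag any the SQL view no longer returns. The two-table schema is a simplified subset of the real one, and the sample rows, the secure_delete switch and all function names are assumptions of the example.

```python
import os
import re
import sqlite3
import tempfile
from pathlib import Path

# Simplified subset of the places.sqlite schema (an assumption of this example).
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                         visit_count INTEGER DEFAULT 0);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
"""

# Constructed sample rows: (url, title, visit_count, bookmarked)
SAMPLE = [
    ("http://www.google.com/", "Google", 0, True),
    ("http://www.iacis.com/", "IACIS", 0, True),
    ("http://www.youtube.com/", "YouTube", 1, False),  # ordinary history entry
    ("http://www.yelp.com/", "Yelp", 1, False),        # place row deleted below
    ("http://www.bing.com/", "Bing", 0, True),         # bookmark deleted below
    ("http://www.apple.com/", "Apple", 0, True),       # bookmark deleted below
]
DELETED_BOOKMARKS = ("http://www.bing.com/", "http://www.apple.com/")
DELETED_PLACE = "http://www.yelp.com/"

# A run of printable ASCII after the scheme; adequate for triage carving.
URL_RE = re.compile(rb"https?://[\x21-\x7e]{4,200}")


def build_sample(path, secure_delete):
    """Build the constructed database, then delete two bookmarks and one place row."""
    con = sqlite3.connect(path)
    # secure_delete decides whether freed cells are zero-filled or left in place.
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.executescript(SCHEMA)
    for url, title, visits, bookmarked in SAMPLE:
        cur = con.execute(
            "INSERT INTO moz_places (url, title, visit_count) VALUES (?, ?, ?)",
            (url, title, visits))
        if bookmarked:
            con.execute("INSERT INTO moz_bookmarks (fk, title) VALUES (?, ?)",
                        (cur.lastrowid, title))
    con.commit()
    for url in DELETED_BOOKMARKS:
        con.execute("DELETE FROM moz_bookmarks WHERE fk = "
                    "(SELECT id FROM moz_places WHERE url = ?)", (url,))
    con.execute("DELETE FROM moz_places WHERE url = ?", (DELETED_PLACE,))
    con.commit()
    con.close()


def open_read_only(path):
    """Open a working copy read-only so the examination cannot modify it."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def orphaned_places(path):
    """moz_places rows with no bookmark and no visits: candidate deleted bookmarks."""
    con = open_read_only(path)
    try:
        rows = con.execute(
            "SELECT p.url FROM moz_places p "
            "LEFT JOIN moz_bookmarks b ON b.fk = p.id "
            "WHERE b.id IS NULL AND p.visit_count = 0 ORDER BY p.id").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def carve_urls(data):
    """Return (decimal offset, text) for every URL-like run in the raw bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in URL_RE.finditer(data)]


def raw_only_urls(path):
    """Carved hits that do not begin with any URL the SQL view returns."""
    con = open_read_only(path)
    try:
        live = [r[0] for r in con.execute(
            "SELECT url FROM moz_places WHERE url IS NOT NULL")]
    finally:
        con.close()
    with open(path, "rb") as fh:
        data = fh.read()
    # SQLite stores a record's columns back to back, so a carved run is the URL
    # followed by title bytes; compare by prefix rather than by equality.
    return [(off, hit) for off, hit in carve_urls(data)
            if not any(hit.startswith(u) for u in live)]


def demo(secure_delete):
    """Build the sample in a temp directory; return (orphans, raw-only hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "places.sqlite")
        build_sample(path, secure_delete)
        return orphaned_places(path), raw_only_urls(path)


if __name__ == "__main__":
    for mode in (False, True):
        orphans, raw_only = demo(mode)
        print("secure_delete =", mode)
        print("  bookmark removed, place row still present:", orphans)
        print("  present only in raw bytes:", raw_only)
```

With secure_delete on, the deleted row's bytes are zero-filled, the same result the paper reports in hex view after Clear Recent History; with it off, the URL stays in the page's free space and is found only by carving.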
  	
  	
  
	
  

Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Dernier (20)

Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 

Josh Moulin: Finding deleted URLs in Mozilla Firefox places.sqlite

  • 1. Finding Deleted URLs within Mozilla Firefox places.sqlite file (Page 1 of 19)
    Josh Moulin – CFCE,CEECS,DFCP,ACE, December, 2012

    Issue:

    URLs are visible within the places.sqlite database file when viewing the file in hex view that are not visible when viewing the file in SQLite Manager or FTK’s viewer. The URLs seen in hex view are relevant to the investigation.

    Test Information:

    Path for Mozilla information (Windows XP): C:\Documents and Settings\%user%\Application Data\Mozilla\Firefox\Profiles\%uniquevalue%.default

    OS: Windows XP SP 3, 32 bit

    Firefox version: 15.0.1

    Within a virtual machine running Windows XP SP3, a clean copy of Mozilla Firefox 15.0.1 was installed. The places.sqlite created upon installation of Firefox was deleted, which forces Firefox to create a new database the next time the program is run.

    The Firefox add-on SQLite Manager was downloaded and installed. Once it was installed, it was launched by going to Tools>SQLite Manager:

    To obtain a baseline, Firefox was launched and the places.sqlite database was rebuilt. SQLite Manager was launched to view the default entries in places.sqlite. By default Firefox installs five bookmarks, which can be seen below:
  • 2. SQLite Manager shows the above bookmarks within the places.sqlite file:
  • 3. As an overview, SQLite Manager is a great tool for viewing these database files. To search records, click on the “Browse & Search” tab. Although you can directly query the SQLite tables this way, unless you are familiar with SQL searches, I recommend exporting the data and using Excel.

    To better search and review information, export the data to a CSV file. Once you click the “Export Wizard” tab, make sure to check the box “First row contains column names” and then select how you want to export the data. Once you have selected the appropriate settings, click “OK” and you should receive a dialog box stating that your records have been exported.
  • 4. Navigate to your newly created CSV file and open it with Excel:

    Above is the standard Excel view of a CSV file. When working with a large amount of data, there are a few tricks you can use to make data management easier. These include highlighting the top row, centering and bolding the font on the first row, inserting gridlines, and then freezing the top row and adding filtering to it. Also, consider hiding any columns or rows that are not applicable to your investigation:
  • 5. By using filtering (indicated by the dropdown arrow to the right of each heading in the top row), it is possible to quickly sort by the relevant information within each column. See below:

    This file will now have to be saved as an Excel workbook, since it is no longer compatible with the CSV format.

    Below is a view of the places.sqlite file while viewing it in FTK. Notice that the same information is seen below as what we have seen in SQLite Manager. After reviewing the entire file, no other entries were located.
  • 6. Note – the places.sqlite file is locked by the first application that accesses it. This is important to note during testing because it will alter the normal operation of Firefox. For example, if the places.sqlite file is open within FTK Imager and then Firefox is opened, Firefox will act normally; however, no data is actually recorded in the places.sqlite file since FTK Imager has locked it.

    In an attempt to replicate the initial problem of having URLs visible in the places.sqlite file but not within Firefox, SQLite Manager, or FTK’s parsed viewer, the following steps were taken:

    1. Firefox was launched
    2. The following URLs were visited:
       a. Google.com
       b. Cnn.com
       c. Iacis.com
       d. Whitehouse.gov
    3. SQLite Manager was launched
    4. Reviewed entries with this tool
  • 7. The entries in my history match exactly what I navigated to. Now I opened SQLite Manager and reviewed that information:
  • 8. SQLite Manager showed the exact same information, as expected. When viewing the places.sqlite file in FTK Imager, the four entries were also seen. The entire places.sqlite file was viewed and no abnormal entries were located.

    The IACIS.com URL begins at decimal offset 64308. This is important; keep note of it for later.

    Next, Firefox was re-launched and all Internet history was cleared. This was accomplished by checking all available boxes and selecting “Everything” from the dropdown menu:
  • 9. Within Firefox, all of the history entries are now gone:

    SQLite Manager was opened next to see what entries it saw:
  • 10. SQLite Manager also does not show any information for the URLs after the history has been deleted. Next, FTK Imager was launched and the places.sqlite file was added as an individual file:

    With the exception of a few bytes of data, all areas that used to contain the URLs I had visited had been overwritten with zeros. At offset 64308, where my cursor was (shown above in small red box), you can see that iacis.com is gone.

    The next test was checking how Private Browsing mode in Firefox would affect the entries in the places.sqlite file.

    The following was done for this test:

    1. Deleted places.sqlite file to force Firefox to build a new one.
    2. Launched Firefox.
    3. Browsed in normal mode to the following websites:
       a. Computer-forensics.sans.org
       b. Facebook.com
       c. Youtube.com
       d. Yelp.com
    4. Private Browsing mode was turned on and the following sites were navigated to:
       a. Yahoo.com
       b. Twitter.com
       c. Linkedin.com
       d. Amazon.com
    5. Firefox was closed.
  • 11. Firefox was re-launched and the places.sqlite file was viewed with the SQLite Manager add-on. See below:

    As expected, all of the websites that were visited in normal browsing mode are shown and none of the websites visited in Private Browsing mode are visible. Firefox was closed and the places.sqlite was viewed in FTK Imager.
  • 12. In FTK Imager, the URLs visited in normal mode are visible, as expected. It is also interesting that the new URLs overwrote the same location as the old URLs that were deleted when the history was cleared. You can see below that at offset 64308 yelp.com now resides there (where IACIS.com once did):

    The entire places.sqlite file was viewed in hex for any other remnants or evidence of the websites viewed in Private Browsing mode and nothing was located.

    At this point it has been determined that the URLs found in the original investigation must not have been from a Private Browsing mode and the history must not have been cleared from Firefox before the forensic examination was conducted. The only thing left to check was how bookmarks interacted with the places.sqlite file.

    It was determined that when a bookmark is created in Firefox during normal browsing mode, it does make an entry into the places.sqlite database. The original four URLs were navigated back to and bookmarked.
  • 13. See the native Firefox view below:

    The SQLite Manager shows the following information:
  • 14. FTK Imager shows the following:

    The bookmarks start at decimal offset 58686.

    To test how bookmarks interact with Private Browsing mode, the following was done:

    1. Firefox was re-launched.
    2. Navigated to the following websites and bookmarked them:
       a. Bing.com
       b. Wordpress.com
       c. Ebay.com
       d. Apple.com
    3. Firefox was closed and re-launched.
    4. SQLite Manager was launched.

    SQLite Manager showed the following:

    This shows that even in Private Browsing, if a URL is bookmarked, it will enter the URL into the places.sqlite file.
  • 15. FTK Imager showed the following:

    The bing.com bookmark entry was also shown but wouldn’t fit in the same screenshot. The bookmark for apple.com was located at decimal offset 65145.

    Next, Firefox was re-launched and all history was cleared. The following bookmarks were visible:
  • 16. Next, the bookmarks that were created while in Private Browsing mode were deleted. The Firefox native view is shown below:

    When SQLite Manager was opened, the following was seen:
  • 17. In the bookmarks table, only the four remaining bookmarks are shown.

    However, in the moz_places table, all of the bookmarks, including the deleted bookmarks, can be found:

    In looking at the places.sqlite in FTK Imager, all of the entries including the deleted bookmarks were present, although some had moved position:
  • 18. Above shows remnants of the URLs wordpress.com and bing.com. Offset 65145, which once had the apple.com URL, now shows this:

    You can see the URL for apple.com up above the original offset (highlighted in blue).

    Next, Firefox was re-launched and all history was cleared again. This time it eliminated all of the deleted bookmarks from the places.sqlite database. See below:

    The blue highlighted area is decimal offset 65145 again, showing that all of the old bookmark data is now overwritten.
  • 19. The takeaways from this are:

    1. Bookmarking in Firefox, even in Private Browsing, will create entries in the places.sqlite file.
    2. History is overwritten in the places.sqlite at the completion of a browsing session in Private Browsing mode, or anytime a user clicks Tools>Clear Recent History.
    3. If bookmarks are deleted, they are immediately removed from the moz_bookmarks table in the places.sqlite database.
    4. If bookmarks are deleted, they remain in the moz_places table in the places.sqlite database and are available to be recovered until they are overwritten.
    5. Deleted bookmark data will be overwritten if the user clicks Tools>Clear Recent History after deleting the bookmarks.

    In this particular investigation it was my opinion that the user had at one time bookmarked the URLs that were located in the hex view of the places.sqlite file but not visible in SQLite Manager or Firefox’s native view. The user deleted the bookmarks of the websites in question prior to turning over the computer, however did not clear their recent history after deleting the bookmarks, allowing them to be recovered. This finding may show additional intent, not only that websites of interest were once bookmarked by the user, but also there was some attempt to “clean up” the computer before the examination (especially since many non-relevant bookmarks remained and only a select few were deleted).

    In this particular investigation, the deleted bookmark entries correspond with thousands of deleted images recovered from unallocated space as well as orphan files located during the exam.
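Takeaways 3 and 4, and the hex-view versus SQLite Manager discrepancy from the Issue statement, expressed as two checks in Python. This is an added example, not part of the original paper: the database is a constructed, reduced stand-in for places.sqlite (three tables with only the columns used here), and the `secure_delete` pragma is an assumption used only to make the sample file either keep or zero-fill freed bytes.

```python
import os
import pathlib
import re
import sqlite3
import tempfile

# Scheme and host only: SQLite stores a row's column values back to back with
# no delimiter, so in the raw bytes a URL's path runs straight into the title.
URL_RE = re.compile(rb"https?://[A-Za-z0-9.-]+/")


def build_sample(path, secure_delete=False):
    """Write a constructed, reduced places.sqlite-like file (not case data)."""
    con = sqlite3.connect(path)
    # Assumption for the simulation: OFF leaves freed cell bytes in the page,
    # ON zero-fills them when the row is deleted.
    con.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
    con.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'http://www.google.com/', 'Google'),
            (2, 'http://www.bing.com/', 'Bing'),
            (3, 'http://www.wordpress.com/', 'WordPress'),
            (4, 'http://www.apple.com/', 'Apple');
        INSERT INTO moz_bookmarks VALUES (1, 1, 'Google'), (2, 2, 'Bing'),
            (3, 3, 'WordPress'), (4, 4, 'Apple');
        INSERT INTO moz_historyvisits VALUES (1, 1);
        -- Two bookmarks are deleted: only the moz_bookmarks rows go away.
        DELETE FROM moz_bookmarks WHERE fk IN (2, 3);
        -- One place row is later removed too, leaving at most raw remnants.
        DELETE FROM moz_places WHERE id = 3;
    """)
    con.close()


def _open_read_only(path):
    """Open a working copy read-only so the examined file is never modified."""
    uri = pathlib.Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def orphaned_places(path):
    """Live moz_places URLs that no bookmark and no visit points at."""
    con = _open_read_only(path)
    rows = con.execute("""
        SELECT p.url FROM moz_places p
        WHERE NOT EXISTS (SELECT 1 FROM moz_bookmarks b WHERE b.fk = p.id)
          AND NOT EXISTS (SELECT 1 FROM moz_historyvisits v
                          WHERE v.place_id = p.id)
        ORDER BY p.id""").fetchall()
    con.close()
    return [url for (url,) in rows]


def raw_only_urls(path):
    """(decimal offset, URL prefix) pairs present in the file bytes but not
    returned by any live moz_places row, i.e. visible only in a hex view."""
    con = _open_read_only(path)
    live = set()
    for (url,) in con.execute("SELECT url FROM moz_places"):
        match = URL_RE.match(url.encode())
        if match:
            live.add(match.group())
    con.close()
    with open(path, "rb") as handle:
        data = handle.read()
    # A URL that was deleted and also still exists live is not reported here.
    return [(m.start(), m.group().decode())
            for m in URL_RE.finditer(data) if m.group() not in live]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        db = os.path.join(tmp, "places.sqlite")
        build_sample(db)
        print("orphaned moz_places rows:", orphaned_places(db))
        for offset, url in raw_only_urls(db):
            print(f"raw-only remnant at decimal offset {offset}: {url}")
```

An orphaned row is only a candidate for a deleted bookmark; the offsets from the raw scan are what to check against the hex view, as the paper does with FTK Imager.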