Module 0x6 | Forensic Kung Fu

Firefox Investigation

You can find Firefox profile databases in

  • Linux 
    1. /home/$USER/.mozilla/firefox/[PROFILE]
  • Windows 
    1. C:\Users\%USERNAME%\[PROFILE]

In above directories, there are many SQLite database files, so let’s to import these databases and see what we get

  1. require 'sqlite3'
  3. # Browser history 
  4. db = SQLite3::Database.new "places.sqlite"
  6. # List all tables 
  7. db.execute  "SELECT * FROM sqlite_master where type='table'"
  9. # List all visited URLs (History)
  10. db.execute  "SELECT url FROM moz_places"
  11. # List all bookmarks
  12. db.execute  "SELECT title FROM moz_bookmarks"
  14. # List all Cookies
  15. db = SQLite3::Database.new "cookies.sqlite"
  16. db.execute  "SELECT baseDomain, name, host, path, value FROM moz_cookies"
  18. # List all form history
  19. db = SQLite3::Database.new "formhistory.sqlite"
  20. db.execute  "SELECT fieldname, value FROM moz_formhistory"

More about Firefox forensic

Google Chrome Investigation

  • Linux
    1. /home/$USER/.config/google-chrome/Default
  • Windows 
    1. C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\
  1. require 'sqlite3'
  3. # List all Cookies
  4. db = SQLite3::Database.new "Cookies"
  5. db.execute  "SELECT host_key, path, name, value FROM cookies"

More about Chrome forensic