23 March 2015

List of tools


Memory Collection/Analysis
FTK Imager : Includes the ability to collect memory
DumpIt : Great utility for dumping Windows memory; 32- & 64-bit versions in one EXE!
Volatility - Google Code project home
Mandiant RedLine
HBGary Responder CE
NIST memory images
List from ForensicsWiki
"Federal" Trojan sample
HoneyNet "Banking Troubles" Challenge 

Network Capture/Analysis Tools
WireShark - Excellent free tool for capturing and analyzing network packet captures
NetworkMiner - Network forensic analysis tool
Netwitness Investigator - free edition of the tool; supports 25 simultaneous 1GB captures.
Network Appliance Forensic Toolkit (NAFT) by Didier Stevens - Python-based, can extract packets from Windows memory.  If you're using 32-bit Python and your input file is greater than 512MB, split it into chunks.

Sample Images
Digital Corpora - Simson Garfinkel's site with test images and scenarios
Hacking Case from NIST (CFReDs)
Lance Mueller's Practical examples - Lance no longer maintains the site, but the site itself will remain; Practical #1 is an excellent example to use.
Interesting image and scenario from InfoSecShortTakes

Carving
PhotoRec - from the site: "...designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures (thus the Photo Recovery name) from digital camera memory. PhotoRec ignores the file system and goes after the underlying data..."
Scalpel - v2.0; excellent carver that (like others) is file system independent.  You can also create custom .conf file entries.
ParseRS/RipRS - John Moan's tools for recovering IE Travelog/RecoveryStore pages. 

Image Mounting
OSFMount
ImDisk - Installs as a Control Panel applet
FTK Imager
vhdtool - use this tool to convert a raw/dd image file to a .vhd file, which you can mount using the Disk Management tool in Win7
raw2vmdk - Java utility convert a raw/dd image to .vmdk 
LiveView - Java utility for creating VMware support files for a raw/dd image; you can then boot the image (if you're not LE, consider using ntpasswd below to 'zero out' the Administrator password so that you can log in...)
VirtualBox - Oracle's free virtualization framework that can run a wide range of guest OS's, including OS/2, Amiga, Android, etc., as well as Linux and Windows.

File System Artifact Tools
analyzeMFT - David Kovar's Python tool for parsing the MFT
MFT Extractor (hmft.exe) - Extract the MFT for parsing with other tools 
INDXParse - Tool for parsing index/$I30 files
Joachim Schicht's MFT Tools (mft2csv, LogFileParser, etc.)

File Analysis
PDF Tools from Didier Stevens 
PDFStreamDumper - description of use here
SWF Mastah - Python script to make extracting SWF streams from PDF files easier

Analysis Frameworks
OSForensics - Features listed here; file searches, hash lists, rainbow tables.  Primarily intended to work on live systems, but you can mount an image as a volume and run it against that.
DFF - FOSS digital analysis framework; be sure to read and follow the blog.
ProDiscover Basic Edition - Free, limited version of ProDiscover; you'll need to scroll down (also be sure to check out ZeroView)
SANS SIFT Workstation - SANS Forensic Appliance
Autopsy - As of Aug 2011, Windows only version (in beta) is a complete rewrite, using Java.

Registry Analysis
RegRipper - Get it here (RR.zip), includes regslack; also, more info here...
Registry Decoder

Shellbag Forensics (w/ a Python script and bodyfile format output)
Digital Forensics Stream blog post: Including Shellbags Data in Timelines 
Chad's Shellbags analysis article (w/ link to TZWorks sbag.exe)

Password Recovery
Now and again, there's a need to change or crack Windows passwords; for LE, often just knowing if an account had a password or not is enough.
Ntpwedit - allows you to change a Windows password; based on Nordahl's tool
Ntpasswd - Nordahl's tool; includes option for a CD/USB bootdisk to change a Windows password
pwdump7 - dump password hashes
SAMInside - password hash cracker
OphCrack - password hash cracker
L0phtcrack - no introduction necessary (15 day trial)

Phones/Phone Backup Files
I wanted to include a section to address FOSS tools for accessing mobile devices/phones, as well as backups of these devices that you might find on a Windows system.

iPhone
iPhoneBrowser - Access the iPhone file system from a Windows GUI
iPhone Analyzer -  
iPhoneBackupExtractor - includes a free download for extracting files from an iPhone backup
iPhone Backup Browser 
*You can also use the information in this article (even more info is available from this AppleExaminer article), and use SQLite or SQLite Browser to access information in the db files; for working with plists, consider plutil.exe (installed with iTunes) for converting plists.  Also consider this article from Linux Sleuthing that describes parsing the iPhone SMS database.
iTwin -

This SlideShare presentation talks about using open source tools to analyze iOS devices. 

BlackBerry
ForensicsWiki BlackBerry Forensics page (watch out for these common pitfalls)
Blackberry Desktop Manager software
There is some additional information at Eric Huber's blog, via an interview with Shafik Punja.
Blackberry.com IPD file format
ElcomSoft BlackBerry Explorer -for pay, but has a limited trial version (read/parse IPD/BBB files)
Get additional information from a BB (after backup) using JavaLoader (NOT a forensic tool)
Bye Nary blog post - What's in an IPD?

Other possible solutions (untested):
Reincubate Labs - Blackberry Backup Extractor
MagicBerry IPD parser

Android
If you're interested in seeing if there's any location information available in an Android phone, check out android-locdump. 

While not specific to Windows, check out this Wiki page at the HoneyNet site for a VirtualBox VM you can download to do Android malware RE. 

eEvidence.info site for mobile forensics
Cellular.Sherlock - lots of great info available on mobile forensics

PE Analysis Tools
HBGary Fingerprint - Analysis/comparison tool, extensible via C#
CFF Explorer - Understands .NET files, extensible via scripting
TZWorks pe_view and pescan
PEiD - discontinued, but good tool
PEView

Metadata tools
Phil Harvey's EXIFTool
Zena Forensics EXIF Summarizer - Python script
Word 2007 metadata - read_open_xml.pl 

Other tools
Wifi WAP geolocation using macl.pl
VMDK Forensic Artifact Extractor (vfae.exe) - extract files from a VMDK
Jesse updated md5deep to include Win PE file identification (miss identify)

Browser Analysis
Sean Cavanaugh's paper on Safari cache.db analysis (refers to the Forensics from the Sausage Factory blog posts)

Firefox
Kristinn's SANS  blog write-up regarding FF3+ history (ff3histview.pl)
MozillaZine: Contents of user's profile folder
ForensicsWiki: FF3 History File format
Write-up on F3e 

Chrome
Hindsight Chrome history parser

Sites
These are some sites that include a number of useful tools:
TZWorks - lots of great tools including a shellbag parser
NirSoft - another site with a lot of great tools
Tools I've written and provided with my books (WRF tools, timeline tools, etc.)
WoanWare - Lots of great free utilities, including some for browser analysis
OpenSourceForensics - site with a number of *nix/Windows tools listed
pyDetective - Site containing Python scripts for DF analysis
ForensicCtrl - Free forensic tool list
MalwareHunters Free Tools
My Forensic Tools (from the UK): Some interesting free tools
BethLogic Code site


Originally posted by WindowsIR

06 January 2015

Disable a Smart Phone's Geotagging Feature


Here are the steps to disable geotagging for the four major mobile operating systems. Note that manufacturer websites are largely silent on this issue; these tips are pulled from user experience, community blogs and how-to websites.

Android 4.2 phones
  1. Start camera application
  2. Hit the Settings button
  3. Scroll down and find the GPS Tag option and turn it off
In older versions, the option may be called “Store Location,” but it is essentially the same process.

BlackBerry 6.0 and 7.0
RIM's online documentation suggests disabling geotagging on the BlackBerry Enterprise Server, which works from an admin's point of view if an agency uses BES. If not, to turn the setting off on an individual BlackBerry phone:
  1. Open Camera
  2. Set the Location icon to “Disabled”
For some earlier versions, hit the Menu and Option buttons before changing the setting.

iPhone 4 and 5
  1. Go to Settings
  2. Select General
  3. Select Location Services
  4. Set Camera to “Off”
For older versions users can’t really turn off geotagging for the camera without disabling it for all applications. But location warnings can be set to go off when an application is using them.

Windows Phone 7 and 8
  1. Go to Settings
  2. Navigate to Applications
  3. Scroll down to Pictures & Camera
  4. Set “include location (GPS) info in Pictures you take” to “Off”
This article was copied from http://gcn.com/Articles/2012/12/10/How-to-disable-smart-phone-geotagging-feature.aspx?Page=1


24 December 2014

Find the Location Where a Picture Was Taken

Many people nowadays are more sensitive to new technology, especially where pictures are concerned. Instagram, Pinterest and many other services let you upload your photos for free and share them with others. Many camera makers now bundle the latest technology, such as GPS, into their cameras so that users can share the moment as soon as they capture it.

Before you find the location of a photo, the photo has to be geotagged. Geotagged basically means that the longitude and latitude of the photo has been stored in the photo metadata. The metadata is the invisible part of the photo called EXIF data. Depending on the camera, EXIF data will store the current state of the camera when the photo was taken including date and time, shutter speeds, focal lengths, flash, lens type, location data, etc.

Of course, the only way you will see where a picture was taken is if the camera is GPS enabled. If you have a camera that doesn’t have any type of GPS option, then there won’t be any location data in the EXIF data. This is true of most SLR cameras. However, if the photo was taken with a smartphone and location services are enabled, then the GPS coordinates of the phone will be captured when you snap a picture.



To find the location where the above picture was taken, just follow the steps below:

1. Run exiftool on the file and filter the output for the GPS tags (exiftool's -gps:all option selects the same tags without grep).
Ex: exiftool file_name | grep GPS


The GPS position that shown is -7° 45′ 57.49″, +110° 22′ 18.33″

2. Go to Google Maps and look up the GPS position displayed by ExifTool. The result shows that the picture was taken at the Master of Information Technology of UGM.
You can also do this online: go to http://regex.info/exif.cgi and upload the picture or paste its link. The result shows as the following:

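What exiftool and regex.info do under the hood, as an added example that is not part of the original post: a small Python parser that walks the JPEG marker segments to the APP1 Exif block, reads the TIFF IFD0, follows the GPS IFD pointer (tag 0x8825) and converts the GPSLatitude/GPSLongitude rationals plus their hemisphere references into signed decimal degrees. No real photo ships with it: build_sample_jpeg() constructs a minimal JPEG carrying only a GPS IFD, loaded with the coordinates read out above (7° 45′ 57.49″ S, 110° 22′ 18.33″ E). The function names and the fixture are this example's own.

```python
import struct

# EXIF/TIFF tags used here (EXIF 2.x spec): pointer to the GPS IFD, and the
# four GPS tags that carry latitude/longitude as degrees, minutes, seconds.
TAG_GPS_IFD = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _read_ifd(tiff, offset, order):
    """Return {tag: (type, count, 4-byte value-or-offset field)} for one IFD."""
    count = struct.unpack(order + "H", tiff[offset:offset + 2])[0]
    entries = {}
    for i in range(count):
        e = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(order + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, n, tiff[e + 8:e + 12])
    return entries


def _rationals(tiff, entry, order):
    """Dereference a RATIONAL (type 5) entry: `count` pairs of uint32 num/den."""
    typ, n, field = entry
    if typ != 5:
        raise ValueError("expected RATIONAL entry")
    off = struct.unpack(order + "I", field)[0]
    out = []
    for i in range(n):
        num, den = struct.unpack(order + "II", tiff[off + 8 * i:off + 8 * i + 8])
        out.append(num / den)
    return out


def dms_to_decimal(deg, minutes, seconds, ref):
    """Degrees/minutes/seconds plus hemisphere letter -> signed decimal degrees."""
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def gps_from_exif(jpeg):
    """Return (lat, lon) in decimal degrees, or None when the JPEG has no GPS IFD."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    tiff = None
    pos = 2
    while pos + 4 <= len(jpeg):                      # walk the marker segments
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            tiff = jpeg[pos + 10:pos + 2 + length]   # TIFF structure inside APP1
            break
        if marker == 0xFFDA:                         # start of scan: no more headers
            break
        pos += 2 + length
    if tiff is None:
        return None
    order = {b"II": "<", b"MM": ">"}.get(tiff[:2])   # byte order from TIFF header
    if order is None:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, struct.unpack(order + "I", tiff[4:8])[0], order)
    if TAG_GPS_IFD not in ifd0:
        return None
    gps = _read_ifd(tiff, struct.unpack(order + "I", ifd0[TAG_GPS_IFD][2])[0], order)
    if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None
    lat_ref = gps[GPS_LAT_REF][2][:1].decode("ascii")
    lon_ref = gps[GPS_LON_REF][2][:1].decode("ascii")
    lat = dms_to_decimal(*_rationals(tiff, gps[GPS_LAT], order), lat_ref)
    lon = dms_to_decimal(*_rationals(tiff, gps[GPS_LON], order), lon_ref)
    return lat, lon


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test fixture: a minimal JPEG whose EXIF holds only a GPS IFD."""
    ifd0_off = 8                              # right after the 8-byte TIFF header
    gps_off = ifd0_off + 2 + 12 + 4           # IFD0 has one entry
    data_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD has four entries
    rat = lambda vals: b"".join(struct.pack("<II", n, d) for n, d in vals)
    lat_b, lon_b = rat(lat_dms), rat(lon_dms)
    gps_ifd = (struct.pack("<H", 4)
               + struct.pack("<HHI4s", GPS_LAT_REF, 2, 2, lat_ref.encode())
               + struct.pack("<HHII", GPS_LAT, 5, 3, data_off)
               + struct.pack("<HHI4s", GPS_LON_REF, 2, 2, lon_ref.encode())
               + struct.pack("<HHII", GPS_LON, 5, 3, data_off + len(lat_b))
               + struct.pack("<I", 0))
    tiff = (b"II" + struct.pack("<HI", 42, ifd0_off)
            + struct.pack("<H", 1) + struct.pack("<HHII", TAG_GPS_IFD, 4, 1, gps_off)
            + struct.pack("<I", 0) + gps_ifd + lat_b + lon_b)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8" + struct.pack(">HH", 0xFFE1, len(app1) + 2) + app1 + b"\xff\xd9"


# The coordinates the post reads out of its photo, re-encoded as EXIF rationals.
SAMPLE_JPEG = build_sample_jpeg([(7, 1), (45, 1), (5749, 100)], "S",
                                [(110, 1), (22, 1), (1833, 100)], "E")

if __name__ == "__main__":
    print(gps_from_exif(SAMPLE_JPEG))   # (-7.76596944..., 110.37175833...)
```

Paste the returned pair as "lat,lon" into the Google Maps search box. The parser trusts the offsets it finds in the file: a truncated or malformed EXIF block raises struct.error instead of silently returning garbage, which is the behaviour you want from anything pointed at untrusted images.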

Useful links
GPS-Info: http://www.CDFinder.de/en/en/en/gpsinfo.html
HoudahGeo: http://www.houdah.com/houdahGeo/
Locr Community: http://www.locr.com
Geotagger: http://craig.stanton.net.nz/software/Geotagger.html
Crosshairs for Google Earth: http://craig.stanton.net.nz/software/files/crosshairs.kmz
myTracks: http://mytracks.sourceforge.net
OpenStreetMap: http://www.openstreetmap.org/
GPSBabel: http://www.gpsbabel.org/
GiSTEQ PhotoTrackr: http://www.gisteq.com/MACsoftwaretour.php
LoadMyTracks: http://www.cluetrust.com/LoadMyTracks.html
Bt747 How-To: http://www.trick77.com/2008/07/12/how-to-holux-m-241-with-bt747-v148-gps-logger-software/
Solmeta DP-GPS N2: http://www.solmeta.com/en/products_detail.asp?id=10
Dawntech di-GPS Pro: http://www.dawntech.hk/di-GPS/products.htm
iPhotoToGoogleEarth: http://craig.stanton.net.nz/software/iPhotoToGoogleEarth.html
PhotoInfoEditor: http://www.mmisoftware.co.uk/pages/photoinfoeditor.php
PhotoGPSEditor: http://www.mmisoftware.co.uk/pages/photogpseditor.php
GPSPhotoLinker: http://www.earlyinnovations.com/gpsphotolinker/
Maperture: http://www.ubermind.com/products/maperture.php
Geotag Icon Project: http://www.geotagicons.com/
Google Earth: http://earth.google.com/download-earth.html


10 December 2014

Collective Intelligence Framework

CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity.
Here is a list of interesting feed sources for CIF:

http://honeytarg.cert.br/honeypots/
http://exposure.iseclab.org/
http://arakis.pl/en/index.html
http://www.spamcop.net/
http://honeytarg.cert.br/spampots/
http://zeltser.com/combating-malicious-software/malicious-ip-blocklists.html
http://contagiodump.blogspot.com/2010/11/links-and-resources-for-malware-samples.html
http://urlquery.net/index.php
http://www3.malekal.com/malwares/
http://jsunpack.jeek.org/dec/go?list=1
http://vxvault.siri-urz.net/ViriList.php
http://minotauranalysis.com/malwarelist.aspx
http://rss.uribl.com/nic/NAUNET_REG_RIPN.xml
http://www.malwareblacklist.com/showMDL.php
http://abusix.org/service/spamfeeds
http://atlas.arbor.net/summary/fastflux?out=xml
http://dshield.org/diary.html?storyid=12373
https://reputation.alienvault.com/reputation.data
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-botnet-ips.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-domains.txt
http://security-research.dyndns.org/pub/malware-feeds/ponmocup-malware-ips.txt
http://malwareint.com
http://www.senderbase.org/home/detail_virus_source
http://callbackdomains.wordpress.com
http://labs.snort.org/iplists/
http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-report
http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
http://rules.emergingthreats.net/open/suricata/rules/botcc.rules
http://rules.emergingthreats.net/open/suricata/rules/rbn-ips.txt
https://www.projecthoneypot.org/list_of_ips.php
http://rules.emergingthreats.net/open/suricata/rules/tor.rules
http://rules.emergingthreats.net/open/suricata/rules/compromised.rules
http://www.malwaredomainlist.com/hostslist/ip.txt
http://rules.emergingthreats.net/open/suricata/rules/rbn.rules
http://www.mtc.sri.com/live_data/attackers/
http://intel.martincyber.com/ip/
https://reputation.alienvault.com/reputation.generic
https://www.openbl.org/lists/base.txt
http://www.blocklist.de/lists/ssh.txt
https://palevotracker.abuse.ch/
http://www.malwaregroup.com/ipaddresses
http://www.ciarmy.com/list/ci-badguys.txt
http://www.malware.com.br/cgi/submit?action=list
http://www.autoshun.org/files/shunlist.html
Abusechweb http://dnsbl.abuse.ch/webabusetracker.php
Arbor http://atlas-public.ec2.arbor.net/public/ssh_attackers
Autoshun http://www.autoshun.org/files/shunlist.csv
Badguys http://www.t-arend.de/linux/badguys.txt
Blacklisted http://www.infiltrated.net/blacklisted
Brawg http://www.brawg.com/hosts.deny
Danger http://danger.rulez.sk/projects/bruteforceblocker/blist.php
Denyhost http://stats.denyhosts.net/stats.html
Dshield http://www.dshield.org/ipsascii.html?limit=5000
Dynastop http://dynastop.tanaya.net/DynaStop.BleedingThreats.conf
Emergingthreats http://www.emergingthreats.net/rules/bleeding-compromised.rules
Evilssh http://vmx.yourcmc.ru/BAD_HOSTS.IP4
Geopsy http://www.geopsy.org/blacklist.html
Haleys http://charles.the-haleys.org/ssh_dico_attack_hdeny_format.php/hostsdeny.txt
Kidsclinic http://www.kids-clinic.jp/uni/ipaddress/new_log
Kolatzek http://robert.kolatzek.org/possible_botnet_ips.txt
Malekal http://www3.malekal.com/exploit.txt
Maldom http://mirror1.malwaredomains.com/files/domains.txt
Mdl http://www.malwaredomainlist.com/mdl.php?colsearch=All&quantity=All&search=
Prometheus http://downloads.prometheus-group.com/delayed/rules/modsec/domain-blacklist.txt
Skygeo http://sky.geocities.jp/ro_hp_add/ro_hp_add_hosts.txt
Sshbl http://www.sshbl.org/list.txt
Stopforumspam http://www.stopforumspam.com/downloads/bannedips.csv
Surriel rsync://psbl-mirror.surriel.com/psbl/psbl.txt
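To make concrete what "combine many sources and use them for identification, detection and mitigation" means in practice, here is an added example (it is not CIF's own code, and the feed bodies are constructed to mimic the layouts of the lists above, not fetched from them): it normalises several feed formats into one indicator warehouse that remembers which feeds corroborate each indicator, looks up indicators in a log line, and emits blackhole routes only for IPs seen in at least two feeds, since null-routing on the strength of a single unvetted list is how you end up blocking a CDN.

```python
import ipaddress
import re
from collections import defaultdict

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FQDN = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# Constructed feed bodies (not the real contents of any list above); each one
# mimics a layout found in those feeds: bare IPs with comments, hosts.deny,
# CSV with a header, a Suricata rule with a bracketed IP list, bare domains.
FEEDS = {
    "plain-ips": "# bad guys, updated hourly\n203.0.113.5\n198.51.100.7\n",
    "hosts-deny": "ALL: 203.0.113.5\nALL: 192.0.2.9\n",
    "csv": "ip,lastseen\n198.51.100.7,2014-12-01\n192.0.2.44,2014-12-02\n",
    "suricata": 'alert ip [203.0.113.5,192.0.2.100] any -> $HOME_NET any '
                '(msg:"ET CNC Beacon"; sid:2000001; rev:1;)\n',
    "domains": "evil.example\nbad.example\n",
}


def _valid_ip(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:          # the regex also matches things like 999.1.1.1
        return False


def parse_feed(text):
    """Yield (indicator, kind) from one feed body, whatever its layout."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("alert ", "drop ")):       # rule: IPs sit before the options
            for ip in IPV4.findall(line.split("(", 1)[0]):
                yield ip, "ipv4"
            continue
        ips = [ip for ip in IPV4.findall(line) if _valid_ip(ip)]
        for ip in ips:
            yield ip, "ipv4"
        if not ips:                                    # no IP on the line: domain list
            for dom in FQDN.findall(line):
                yield dom.lower(), "fqdn"


def build_warehouse(feeds):
    """Merge all feeds into {indicator: {"kind": ..., "sources": set_of_feed_names}}."""
    wh = defaultdict(lambda: {"kind": None, "sources": set()})
    for name, body in feeds.items():
        for ind, kind in parse_feed(body):
            wh[ind]["kind"] = kind
            wh[ind]["sources"].add(name)
    return dict(wh)


def lookup(wh, log_line):
    """Identification: which warehoused indicators appear in a log line, with sources."""
    tokens = IPV4.findall(log_line) + [d.lower() for d in FQDN.findall(log_line)]
    return {t: sorted(wh[t]["sources"]) for t in tokens if t in wh}


def null_routes(wh, min_sources=2):
    """Mitigation: blackhole routes only for IPs corroborated by >= min_sources feeds."""
    return [f"ip route add blackhole {ip}/32"
            for ip, rec in sorted(wh.items())
            if rec["kind"] == "ipv4" and len(rec["sources"]) >= min_sources]


if __name__ == "__main__":
    wh = build_warehouse(FEEDS)
    # constructed firewall log line
    print(lookup(wh, "Dec 10 12:00:01 fw kernel: SRC=203.0.113.5 DST=10.0.0.5 host=evil.example"))
    print("\n".join(null_routes(wh)))
```

The "sources" set is the piece that matters: it is what lets you rank an indicator by corroboration, and it is what you show an analyst when a detection fires so they can judge the feed's quality rather than the bare IP.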

17 September 2014

Repost: Three new videos showcasing Volatility 2.4 features

The Volatility team have published three videos showing off new
features in the recently released Volatility 2.4 version. These videos
were originally shown at Black Hat Arsenal this past summer.

The first video shows how to locate and extract rootkit components from
process and kernel memory and then gather context for IDA:

http://www.youtube.com/watch?v=LVJ5mpZZdY4

The second shows how to uncover a number of artifacts of OS X user activity:

http://www.youtube.com/watch?v=1pZkNRdjWHQ

The last shows how to defeat TrueCrypt by recovering its keys and passphrases from memory, no matter how the user configures the volumes or settings:

http://www.youtube.com/watch?v=A2d2OFGSnKU


13 September 2014

Firefox Forensics


The most prevalent software applications in use today are probably Web browsers. They are used for viewing, retrieving, traversing, and presenting information resources obtained from the Web. Although browsers are complex software applications, they have common functionality regarding their main components. A simplified overview of their high level structure is as follows:
  • User Interface - the entire browser display except for its main window.
  • Browser Engine - takes the marked up content (XML, HTML, etc.) and formatting information (CSS, XSL, etc.) and displays it on the monitor’s screen.
  • Rendering Engine - responsible for displaying the requested content.
  • Networking - used for network calls (HTTP, etc.).
  • UI Backend - used for drawing widgets such as windows and combo boxes.
  • JavaScript Interpreter - software which interprets/executes JavaScript.
  • Data Storage - a persistence layer consisting of the data that the browser stores on the computer hard drive.
When a URL is entered into the address bar, the browser communicates with a name server to resolve it into an IP address. This allows the browser to connect to the appropriate Web server using HTTP. Once connected, HTTP commands then direct the Web server to retrieve and transmit data back to the browser. The browser reads the HTML and displays the information resources (HTML document, a .pdf file, an image, a video, etc.) which were identified by a Uniform Resource Identifier (URI). The browser then saves the Web documents in its cache using Web caching technology. Caching of Web objects reduces the bandwidth usage and server load and allows the browser to retrieve the same Web page much faster when it is visited at a later time. It also allows recently viewed Web pages to be viewed offline and copied, although some of the features such as Flash animations and “real time” objects found on the Web page may not function.

The Web browser is an essential application for accessing the Internet. If a suspect used the Internet as a source of information, evidence related to the crime will be saved in the browser's own records (history, cache, cookies and so on), so the forensic examiner needs to investigate them. The impediment for browser forensics going forward is that many of the artifacts of forensic interest will keep changing with each release, which presents difficult technical challenges.
 
Although versions change, several constants remain that help the investigator: the majority of the forensic information for the different browser versions resides in two directories located under the individual user account.
 
In Firefox, the information reside in the following directories: 
 
Windows XP:
C:\Documents and Settings\[User]\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\
C:\Documents and Settings\[User]\Local Settings\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache\


Windows Vista, Windows 7, and Windows 8:
C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache\
C:\Users\[User]\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\


Linux:
~/.mozilla/firefox/xxxxxx.default/
~/.cache/mozilla/firefox/xxxxxx.default/Cache/

Mac OS X:
~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/
~/Library/Application Support/Mozilla/Extensions
~/Library/Caches/Firefox/Profiles/xxxxxxxx.default/Cache/


Cache Location:

The Firefox cache contains both information about the various cache entries(metadata) and the cached items themselves (data) which can be of immense forensic importance. 
 
Windows Vista, 7 and 8:
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\Cache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\jumplistCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\OfflineCache
• C:\Users\[User]\AppData\Local\Mozilla\Firefox\Profiles\xxxxxxxx.default\startupCache


Windows XP:
C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Mozilla\Firefox\Profiles\%PROFILE%.default\Cache\
 
Linux:
~/.cache/mozilla/firefox/xxxxxx.default/Cache
~/.cache/mozilla/firefox/xxxxxx.default/OfflineCache
~/.cache/mozilla/firefox/xxxxxx.default/safebrowsing
~/.cache/mozilla/firefox/xxxxxx.default/startupCache
~/.cache/mozilla/firefox/xxxxxx.default/thumbnails

Mac:
~/Library/Caches/Firefox/Profiles/xxxxxxxx.default/Cache/

There are four primary internal files beside the cache directory:
  • _CACHE_001_ : stores small metadata and data entries in 512-byte blocks.
  • _CACHE_002_ :stores medium-sized metadata and data items in 1024-byte blocks.
  • _CACHE_003_ : stores large metadata and data items in 4096-byte blocks.
  • _CACHE_MAP_ : contains the index to both the metadata and the data and links them together.  

Additionally, there may be any number of external directories/files which are used to store very large metadata items or data.

Viewing the Cache:
With the Firefox browser running, entering “about:cache” into the address field and pressing the Enter key on the keyboard will load the “Information about the Cache Service” screen. Information concerning the memory cache device, disk cache device, and offline cache device will be displayed and appear as follows:

 

Both “List Cache Entries” are hyperlinks. Clicking on either one will cause the cached files or objects to be displayed along with their original link location URLs. For instance, clicking on the link under “memory cache device” will display information regarding the key, data size, fetch count, last modified, and expires that is stored in memory. The information is searchable. Clicking on any of the entries will display the “Cache entry information” screen for that entry and provide a wealth of potential forensic information such as:
  • Key - the URL.
  • Fetch count – number of times accessed.
  • Last fetched – yyyy-mm-dd-hh:mm:ss.
  • Last modified – yyyy-mm-dd-hh:mm:ss.
  • Expires – yyyy-mm-dd-hh:mm:ss.
  • Data size – size of the file.
  • File on disk – none.
  • Security - document does not have any security information associated with it.
  • Client – HTTP.
  • Request method – GET (may or may not be present)
  • Response head – HTTP, server information, etc. (may or may not be present).
  • Charset - (may or may not be present).
  • Charset source - (may or may not be present).
Likewise, clicking on the link under “Disk cache device” and clicking on any of its entries will provide similar information. Clicking on one of the key entries should open the URL or provide other pertinent information. Note that the “File on disk” may point to the directory where it is stored on the hard drive!
The free Firefox add-on, CacheViewer, provides a GUI front end instead of having to use “about:cache.” In addition to providing a searching capability for both memory and disk cache files, it includes a sorting functionality to sort the key, size, MIME type, device, and last fetched columns. An additional feature is a preview pane for images and the ability to copy them for later examination. For instance, searching for “.jpg” will provide a list of all the URLs that contain a .jpg and clicking on one of the “key” URLs will display that .jpg image in the preview pane. Right clicking on the key URL will also provide “Open in Browser” and “Save as” functionalities for that .jpg. Alternately, the free standalone utility MozillaCacheView can be used to read the cache folder on a live system or pointed to the location of an external cache. It provides forensic information such as the URL, Content Type, Fetch Count, Last Fetched, Cache Name, Server Name, Server Time, and so forth. The information can be exported to a CSV/Tab-Delimited File or viewed as an HTML Report.
 
The majority of the potential forensic information is stored in SQLite relational database (RDBMS) files. Firefox typically includes a number of SQLite databases, each of which performs a different function, such as storing bookmarks, cookies, places visited, searches, and so forth. The database files are as follows:

1. addons.sqlite
There are six tables in the file: addon, sqlite_sequence, developer, screenshot, compatibility_override and icon. The addon table contains information such as the name of each add-on, version, creator, creatorURL, descriptions, fullDescriptions, developer comments, eula, homepageURL, supportURL, contributionURL, contributionAmount, averageRating, reviewCount, reviewURL, totalDownloads, weeklyDownloads, dailyUsers, sourceURL, repositoryStatus, size and updateDate.


2. content-prefs.sqlite
There are three tables in the file, “groups,” “prefs,” and “settings.” A User can set site-specific preferences for browsers and content settings (page style, text zoom, etc.). Those preferences can remain persistent across browsing sessions and page visits. Along with browser history, this is an indicator of intentionally visited sites and not accidental or casual visits. The sites visited are maintained in the “groups” table.

3. cookies.sqlite
When a user tries to remove cookies, they may or may not all be deleted: the alternative cookie storage locations, the persistence of cookies and the process used to remove them all affect whether a cookie is actually deleted. moz_cookies is the only table in cookies.sqlite; the useful data is found in the “baseDomain,” “host,” “lastAccessed,” and “creationTime” columns.
4. downloads.sqlite
Firefox stores a list of all files downloaded in the “moz_downloads” table which is used to populate the popup download queue. They remain in the table as long as the User does not clear the queue. Valuable forensic information can be found in the table. The names of all the files downloaded, their source, downloaded destination, and the start and end times of the download are all recorded. If the data in the “currBytes” and “maxBytes” columns is the same, that is indicative that the download completed successfully.

5. extensions.sqlite

The file stores data about installed extensions.
 
6. formhistory.sqlite
It contains the historical data for every form that the user ever filled out while online.
7. permissions.sqlite
Permissions.sqlite contains a history of the permissions that are assigned to various sites. The data is stored in the file’s only table, “moz_hosts” and the sites are listed in the “host” column.
8. Places.sqlite
Places.sqlite contains a list of all Web sites visited, bookmarks, and attributes for those sites. Forensically, it is probably the most important file for investigators to examine. A User’s entire Web history, including all bookmarks, their properties, and favorite icons are maintained in the file. This information can be linked to the cookies.sqlite, formhistory.sqlite, and permissions.sqlite files to provide an overall view of a User’s Internet activity. The file contains thirteen tables:
  • moz_anno_attributes
  • moz_annos
  • moz_bookmarks
  • moz_bookmarks_roots
  • moz_favicons
  • moz_historyvisits
  • moz_hosts
  • moz_inputhistory
  • moz_items_annos
  • moz_keywords
  • moz_places
  • sqlite_sequence
  • sqlite_stat1
All bookmarks are stored in the “moz_bookmarks” table. The “title” column contains the name of the bookmark and the “dateAdded” column contains the timestamp information. Bookmarks can be linked to the URLs in the “moz_places” table since the “fk” column in “moz_bookmarks” contains the same values as those in the “id” column in the “moz_places” table.
Each time a User visits a Web page, an entry is recorded in the “moz_historyvisits” table. The date of the visit is recorded in the “visit_date” column and how the User arrived at the site is recorded in the “visit_type” column. Values in this column can be very important forensically:
  • 1 – the User followed a link.
  • 2 – the User typed the URL (or allowed the autocomplete feature to complete it).
  • 3 – the User clicked on an existing bookmark.
  • 4 – an embedded URL.
  • 5 – a permanent redirect.
  • 6 – a temporary redirect.
URLs are maintained in the “moz_places” table under the “url” column. The “visit_count” column records the number of times each site was visited and the timestamp information for a site is recorded in the “last_visit_date” column. If the User typed the URL in the address bar, a value of “1” is noted in the “typed” column. Timestamps in these tables are PRTime values, i.e. microseconds since the Unix epoch in UTC, so divide by 1,000,000 before converting them to a date.
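The joins described above, as an added example (Python with the standard sqlite3 module; it is not from the original article): it builds an in-memory stand-in for places.sqlite containing only the columns named above, then produces a visit timeline by joining moz_historyvisits to moz_places, decodes visit_type and the PRTime microsecond timestamps, and resolves bookmarks through moz_bookmarks.fk. The rows it inserts are constructed sample data.

```python
import sqlite3
from datetime import datetime, timezone

# visit_type codes as listed above; 7 and 8 were added in later Firefox versions
VISIT_TYPES = {1: "link", 2: "typed", 3: "bookmark", 4: "embed",
               5: "redirect_permanent", 6: "redirect_temporary",
               7: "download", 8: "framed_link"}

T0 = 1_410_000_000_000_000   # constructed base time: 2014-09-06 10:40:00 UTC, in microseconds


def prtime_to_iso(us):
    """Firefox stores PRTime: microseconds since the Unix epoch, UTC."""
    return datetime.fromtimestamp(us // 1_000_000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def build_sample_db():
    """Constructed places.sqlite stand-in: only the columns discussed above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, typed INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, from_visit INTEGER,
            place_id INTEGER, visit_date INTEGER, visit_type INTEGER);
        CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER,
            title TEXT, dateAdded INTEGER);
    """)
    conn.executemany("INSERT INTO moz_places VALUES (?,?,?,?,?,?)", [
        (1, "https://example.com/", "Example Domain", 2, 1, T0 + 60_000_000),
        (2, "https://example.com/login", "Login", 1, 0, T0 + 5_000_000),
    ])
    conn.executemany("INSERT INTO moz_historyvisits VALUES (?,?,?,?,?)", [
        (1, 0, 1, T0, 2),                 # typed into the address bar
        (2, 1, 2, T0 + 5_000_000, 1),     # followed a link from visit 1
        (3, 0, 1, T0 + 60_000_000, 3),    # came back via a bookmark
    ])
    conn.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?,?)",
                     [(1, 1, "Example", T0 + 30_000_000)])
    conn.commit()
    return conn


def history_timeline(conn):
    """One row per visit, oldest first: (when, url, title, how, visit_count, typed)."""
    rows = conn.execute("""
        SELECT v.visit_date, p.url, p.title, v.visit_type, p.visit_count, p.typed
        FROM moz_historyvisits v JOIN moz_places p ON v.place_id = p.id
        ORDER BY v.visit_date""").fetchall()
    return [(prtime_to_iso(d), url, title, VISIT_TYPES.get(t, f"unknown({t})"), n, bool(typed))
            for d, url, title, t, n, typed in rows]


def bookmarks(conn):
    """Resolve moz_bookmarks.fk to moz_places.id: (title, url, added)."""
    return [(title, url, prtime_to_iso(added)) for title, url, added in conn.execute("""
        SELECT b.title, p.url, b.dateAdded FROM moz_bookmarks b
        JOIN moz_places p ON b.fk = p.id ORDER BY b.dateAdded""")]


if __name__ == "__main__":
    db = build_sample_db()
    for row in history_timeline(db):
        print(row)
    print(bookmarks(db))
```

Against a real profile, replace sqlite3.connect(":memory:") with the path to a copy of places.sqlite (copy it first; a running Firefox keeps the database open with an exclusive lock, and working on a copy keeps the original intact). The from_visit column, which the sample carries but the queries ignore, lets you chain visits into the click path the user actually followed.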

9. signons.sqlite
The file contains three tables: moz_deleted_logins, moz_disabledHosts, and moz_logins. The moz_logins table is the repository for all the sites for which a User has entered and saved a username and password. The information is usually persistent, since many Users do not want to re-enter their username and password each time they revisit the same site. The URLs are recorded in the hostname column. Usernames and passwords are stored encrypted in the encryptedUsername and encryptedPassword columns, but they can be viewed in plain text in Firefox if no Master Password has been set. Note that the encryption key is not in signons.sqlite itself; it lives in the profile's key3.db, so both files must be copied together from the suspect's profile into a Firefox profile on the forensic machine. The username and password can then be viewed by opening Edit → Preferences (Tools → Options on Windows) → Security → Saved Passwords; when the saved passwords dialog box appears, select Show Passwords and confirm with Yes, and the passwords and usernames are displayed as follows:
 
Time stamp information regarding when the username and password was created, last used, and last changed is stored in the “timeCreated,” “timeLastUsed,” and “timePasswordChanged” columns respectively. The number of times each site was visited is maintained in the “timesUsed” column.
 
 
10. webappsstore.sqlite
The file only contains one table, “webappstore2.” Firefox uses the table for storing its Web storage objects (software methodology/protocols used for storing data in a Web browser). Web storage types consist of local and session storage (somewhat analogous to persistent and session cookies respectively). Data is usually persistent and removing history, cookies, or form information may or may not remove the data.
 11. healthreport.sqlite


Some Caveats 

Much of this discussion and any potential forensic information contained in the Firefox database files are predicated upon the fact that the User did not change certain defaults in Firefox. For instance, Firefox automatically records browsing history. However, a User can browse the Internet and prevent Firefox from storing certain information by selecting the “Start Private Browsing” option from the main drop down menu. For that session, no additional data will be recorded in the history menu, no new passwords will be saved, no downloaded files will be listed in the downloads window, no data from forms filled out on-line will be saved, no cookies will be stored, any files opened in external applications will be cleared from the temporary folder, and no cached files will be saved. Any new bookmarks created, however, will remain. Most of this information would normally be stored in the various database files previously discussed. (Note: selecting this feature does not make a User anonymous. The sites visited and/or the IP provider can still track User activity). Selecting the “Stop Private Browsing” option from the main drop down menu will cause Firefox to begin recording any further browsing activity during that session.
Alternately, a User can permanently prevent Firefox from recording browsing history by selecting “Options” from Firefox’s main drop down menu and selecting the “Privacy” tab. The default is to “Remember history” and options are provided to manually “clear your recent history” and “remove individual cookies.” If the User selects the second option, “Never remember history,” Firefox will no longer record site visits and provides the User with the option to “clear all current history.” Additionally, a User can select a third option, “Use custom settings for history,” and then check “Always use private browsing mode” to prevent Firefox from tracking browsing history.
If the User manually chooses to clear all browsing history, then potentially valuable forensic information may be lost from many of the previously discussed database files. Fortunately for investigators, for convenience purposes, the overwhelming numbers of Users do not select the “Start Private Browsing” or the “Never remember history” options. Nor do they clear their history or cookies. If they did, then they would have to continually reenter their usernames and passwords, refill out on-line forms, and so forth each time they revisited the same site(s).


Source:
http://www.forensicmag.com/
http://www.dfinews.com
http://www.forensicswiki.org/wiki/Mozilla_Firefox 
http://www.symantec.com/connect/articles/web-browser-forensics-part-2
http://kb.mozillazine.org/Profile_folder_-_Firefox
http://kb.mozillazine.org/About_protocol_links
http://www.journals.elsevier.com/digital-investigation