Finding Deleted URLs within Mozilla Firefox places.sqlite file

Josh Moulin - CFCE, CEECS, DFCP, ACE, December 2012

Issue:

URLs visible within the places.sqlite database file when viewing the file in hex view that are not visible when viewing the file in SQLite Manager or FTK's viewer. The URLs seen in hex view are relevant to the investigation.

Test Information:

Path for Mozilla information (Windows XP): C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\uniquevalue.default\

OS: Windows XP SP3, 32 bit

Firefox version: 13.0.1

Within a virtual machine running Windows XP SP3, a clean installation of Mozilla Firefox 13.0.1 was installed. The places.sqlite created upon installation of Firefox was deleted, which forces Firefox to create a new database the next time the program is run.

The Firefox add-on SQLite Manager was downloaded and installed. Once it was installed it was launched by going to Tools>SQLite Manager:



To obtain a baseline, Firefox was launched and the places.sqlite database was rebuilt. SQLite Manager was launched to view the default entries in places.sqlite. By default Firefox installs five bookmarks, which can be seen below:



SQLite Manager shows the above bookmarks within the places.sqlite file:


As an overview, SQLite Manager is a great tool for viewing these database files. To search records, click on the "Browse & Search" tab. Although you can directly query the SQLite tables this way, unless you are familiar with SQL searches, I recommend exporting the data and using Excel.



To better search and review information, export the data to a CSV file. Once you click the "Export Wizard" tab, make sure to check the box "First row contains column names" and then select how you want to export the data. Once you have selected the appropriate settings, click "OK" and you should receive a dialog box stating that your records have been exported.



Navigate to your newly created CSV file and open it with Excel:



Above is the standard Excel view of a CSV file. When working with a large amount of data, there are a few tricks you can use to make data management easier. These include highlighting the top row, centering and bolding the font on the first row, inserting gridlines, and then freezing the top row and adding filtering to the top row. Also, consider hiding any columns or rows that are not applicable to your investigation:





By using filtering (indicated by the dropdown arrow to the right of each heading in the top row), it is possible to quickly sort by the relevant information within each column. See below:





This file will now have to be saved as an Excel workbook, since the file is no longer compatible with the CSV format.

Below is a view of the places.sqlite file while viewing it in FTK. Notice the same information is seen below as what we have seen in the SQLite Manager. After reviewing the entire file, no other entries were located.



Note - the places.sqlite file is locked by the first application that accesses it. This is important to note during testing because it will alter the normal operation of Firefox. For example, if the places.sqlite file is open within FTK Imager and then Firefox is opened, Firefox will act normally; however, no data is actually recorded in the places.sqlite file since FTK Imager has locked it.

In an attempt to replicate the initial problem of having URLs visible in the places.sqlite file but not within Firefox, SQLite Manager, or FTK's parsed viewer, the following steps were taken:

1. Firefox was launched
2. The following URLs were visited:
a. Google.com
b. Cnn.com
c. Iacis.com
d. Whitehouse.gov
3. SQLite Manager was launched
4. Reviewed entries with this tool




The entries in my history match exactly what I navigated to. Now I opened SQLite Manager and reviewed that information:




SQLite Manager showed the exact same information as expected. When viewing the places.sqlite file in FTK Imager, the four entries were also seen. The entire places.sqlite file was viewed and no abnormal entries were located.



The IACIS.com URL begins at decimal offset 64308. This is important; keep note of this for later.

Next, Firefox was re-launched and all internet history was cleared. This was accomplished by checking all available boxes and selecting "Everything" from the dropdown menu:




Within Firefox, all of the history entries are now gone:




SQLite Manager was opened next to see what entries it saw:









SQLite Manager also does not show any information for the URLs after the history has been deleted. Next, FTK Imager was launched and the places.sqlite file was added as an individual file:



With the exception of a few bytes of data, all areas that used to contain the URLs I had visited had been overwritten with zeros. At offset 64308 where my cursor was (shown above in the small red box), you can see that Iacis.com is gone.

The next test was checking how Private Browsing mode in Firefox would affect the entries in the places.sqlite file.

The following was done for this test:

1. Deleted places.sqlite file to force Firefox to build a new one.
2. Launched Firefox.
3. Browsed in normal mode to the following websites:
a. Computer-forensics.sans.org
b. Facebook.com
c. Youtube.com
d. Yelp.com
4. Private Browsing mode was turned on and the following sites were navigated to:
a. Yahoo.com
b. Twitter.com
c. LinkedIn.com
d. Amazon.com
5. Firefox was closed.



Firefox was re-launched and the places.sqlite file was viewed with the SQLite Manager add-on. See below:



As expected, all of the websites that were visited in normal browsing mode are shown and none of the websites visited in Private Browsing mode are visible. Firefox was closed and the places.sqlite was viewed in FTK Imager.




















In FTK Imager, the URLs visited in normal mode are visible, as is to be expected. It is also interesting that the new URLs overwrote the same location as the old URLs that were deleted when the history was cleared. You can see below that at offset 64308 yelp.com now resides there (where IACIS.com once did):



The entire places.sqlite file was viewed in hex for any other remnants or evidence of the websites viewed in Private Browsing mode and nothing was located.

At this point it has been determined that the URLs found in the original investigation must not have been from a Private Browsing mode session, and the history must not have been cleared from Firefox before the forensic examination was conducted. The only thing left to check was how bookmarks interacted with the places.sqlite file.

It was determined that when a bookmark is created in Firefox during normal browsing mode, it does make an entry in the places.sqlite database. The original four URLs were navigated back to and bookmarked.















See the native Firefox view below:



The SQLite Manager shows the following information:













FTK Imager shows the following:



The bookmarks start at decimal offset 38686.

To test how bookmarks interact with Private Browsing mode, the following was done:

1. Firefox was re-launched.
2. Navigated to the following websites and bookmarked them:
a. Bing.com
b. Wordpress.com
c. Ebay.com
d. Apple.com
3. Firefox was closed and re-launched.
4. SQLite Manager was launched.

SQLite Manager showed the following:



This shows that even in Private Browsing, if a URL is bookmarked, it will enter the URL into the places.sqlite file.







FTK Imager showed the following:



The bing.com bookmark entry was also shown but wouldn't fit in the same screenshot. The bookmark for apple.com was located at decimal offset 63143.

Next, Firefox was re-launched and all history was cleared. The following bookmarks were visible:







Next, the bookmarks that were created while in Private Browsing mode were deleted. The Firefox native view is shown below:



When SQLite Manager was opened, the following was seen:



In the bookmarks table, only the four remaining bookmarks are shown.

However, in the moz_places table, all of the bookmarks, including the deleted bookmarks, can be found:



In looking at the places.sqlite in FTK Imager, all of the entries including the deleted bookmarks were present, although some had moved position:






Above shows remnants of the URLs wordpress.com and bing.com. Offset 63143 that once had the apple.com URL now shows this:



You can see the URL for apple.com up above the original offset (highlighted in blue).

Next, Firefox was re-launched and all history was cleared again. This time it eliminated all of the deleted bookmarks from the places.sqlite database. See below:



The blue highlighted area is decimal offset 63143 again, showing that all of the old bookmark data is now overwritten.


The takeaways from this are:

1. Bookmarking in Firefox, even in Private Browsing, will create entries in the places.sqlite file.
2. History is overwritten in the places.sqlite at the completion of a browsing session in Private Browsing mode, or any time a user clicks Tools>Clear Recent History.
3. If bookmarks are deleted, they are immediately removed from the moz_bookmarks table in the places.sqlite database.
4. If bookmarks are deleted, they remain in the moz_places table in the places.sqlite database and are available to be recovered until they are overwritten.
5. Deleted bookmark data will be overwritten if the user clicks Tools>Clear Recent History after deleting the bookmarks.
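Takeaways 3 and 4 (a deleted bookmark vanishes from moz_bookmarks but its URL survives in moz_places) and the hex-view finding (URL remnants that the parsed view no longer reports) can both be checked programmatically. The Python script below is an added example, not part of the original write-up: it builds a constructed places.sqlite with a reduced version of the Firefox schema (moz_places.url, moz_bookmarks.fk and moz_historyvisits.place_id are genuine Firefox column names; every other column is omitted), lists places rows that have neither a bookmark nor a visit, and carves URL strings from the raw file bytes that no live row accounts for.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Constructed, minimal subset of the Firefox places.sqlite schema (the real tables carry many more columns).
SCHEMA = """
CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY, place_id INTEGER);
CREATE TABLE moz_bookmarks (id INTEGER PRIMARY KEY, fk INTEGER, title TEXT);
"""
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")  # a printable run following a URL scheme

def build_sample_db(path):
    """Constructed sample: one bookmark is deleted (its moz_places row survives) and
    one place row is deleted outright (its bytes survive in the file until reused)."""
    with sqlite3.connect(path) as con:
        con.execute("PRAGMA secure_delete=OFF")  # freed cells are not zeroed
        con.executescript(SCHEMA)
        con.executemany("INSERT INTO moz_places VALUES (?,?,?)", [
            (1, "http://www.cnn.com/", "CNN"), (2, "http://www.iacis.com/", "IACIS"),
            (3, "http://www.apple.com/", "Apple"), (4, "http://www.bing.com/", "Bing")])
        con.executemany("INSERT INTO moz_historyvisits(place_id) VALUES (?)", [(1,), (2,)])
        con.executemany("INSERT INTO moz_bookmarks VALUES (?,?,?)", [(1, 3, "Apple"), (2, 4, "Bing")])
        con.execute("DELETE FROM moz_bookmarks WHERE fk = 3")  # user removes the Apple bookmark
        con.execute("DELETE FROM moz_places WHERE id = 2")     # the Iacis row is dropped entirely

def orphaned_places(path):
    """moz_places rows with neither a bookmark nor a visit: candidates for deleted bookmarks."""
    with sqlite3.connect(path) as con:
        rows = con.execute("""SELECT p.url FROM moz_places p
            LEFT JOIN moz_bookmarks b ON b.fk = p.id
            LEFT JOIN moz_historyvisits v ON v.place_id = p.id
            WHERE b.id IS NULL AND v.id IS NULL ORDER BY p.url""").fetchall()
    return [r[0] for r in rows]

def carve_unparsed_urls(path):
    """URL strings in the raw file bytes that no live moz_places row explains (what a hex view
    shows and SQLite Manager does not). A live record stores url and title back to back, so a
    live url appears as the prefix of its carved run and is filtered out."""
    with sqlite3.connect(path) as con:
        live = [r[0] for r in con.execute("SELECT url FROM moz_places")]
    carved = {m.group(0).decode("ascii") for m in URL_RE.finditer(Path(path).read_bytes())}
    return sorted(c for c in carved if not any(c.startswith(u) for u in live))

def demo():
    with tempfile.TemporaryDirectory() as d:
        db = str(Path(d) / "places.sqlite")
        build_sample_db(db)
        return orphaned_places(db), carve_unparsed_urls(db)
```

Pointed at a copy of a real profile's places.sqlite, the join reproduces the moz_bookmarks versus moz_places comparison made in SQLite Manager above, and the carve reproduces what the FTK hex view revealed.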
In this particular investigation it was my opinion that the user had at one time bookmarked the URLs that were located in the hex view of the places.sqlite file but not visible in SQLite Manager or Firefox's native view. The user deleted the bookmarks of the websites in question prior to turning over the computer; however, they did not clear their recent history after deleting the bookmarks, allowing the bookmarks to be recovered. This finding may show additional intent, not only that websites of interest were once bookmarked by the user, but also that there was some attempt to "clean up" the computer before the examination (especially since many non-relevant bookmarks remained and only a select few were deleted).

In this particular investigation, the deleted bookmark entries correspond with thousands of deleted images recovered from unallocated space as well as orphan files located during the exam.
